ipmjs
Have you thought about copyright infringement?
If someone publishes a package with copyrighted content, it must eventually be taken down, breaking the idea of an immutable package manager. Have you thought about that? Are there any ways around this?
Also if any sensitive data gets published by mistake, people should be able to unpublish it.
I think Wikipedia is a pretty good example of this.
You can't really remove anything from Wikipedia, it just goes to some sort of history/archive. Removing pages goes through community filters such as voting.
https://en.wikipedia.org/wiki/Wikipedia:Guide_to_deletion
So deletion per se might not be an issue at NPM, the issue is that the rules for it aren't transparent.
A person would be able to publish anything they want into ipmjs and they'll know that it'll never get removed. Any sort of illegal content could be published. This would be quite a legal problem for ipmjs.
I assume this ecosystem will need some functionality to handle a situation where there are malicious packages or material that is obviously copyrighted.
My hope is that these situations would be handled democratically, decided by the community, for the community.
I also hope we could partner with a non-profit organization that can help us out when we have to interact with lawyers.
This is an open discussion so please point out all stupid/non-functional things I say. :)
@simison I think some sort of consensus system would be wise, maybe adopting some theory from blockchain (although they have their own problem with this sort of issue).
I think we have to realise that no matter how much we discuss it, there are some bare minimum requirements of a data-storage system that is open to the public. So for distributed networks, going back to blockchain, once some illegal data (wiki:Illegal_number) is injected into the distributed ledger, users have x hours from its discovery to remove it from their local node client's database.
I think the key factor with NPM is that it was a company making a few bad and heavy-handed decisions about someone else's work, but this isn't really them backstabbing the community, it's just how it has to be for them as a company and that can unfortunately alienate. I can see this same sort of problem happening with a Wikipedia-inspired consensus system as that still requires a centralised body to dictate the outcome, it is simply a decision made with the confidence of the public consensus. Decentralising the whole repo across everyone's nodes puts the illegal data in the hands of the node owner which means no one can make the sole decision to mutate a package and although this sounds scary I think we can offer a set of features that makes the process as transparent as possible.
What about some kind of voting system for situations like this?
There could be a git 'blame' type feature, but this blame feature would actually uphold a negative connotation as it would initiate a poll to vote for the denouncement of a specific immutable repo entry. Once the denouncement has been made, this potentially pushes out to the clients to inform them, just as it would with the votes. The blame should have full descriptions of the grounds of the requested removal, maybe some options to remove a whole namespace etc.? Lastly, this should somehow be accessible to the non-developer public?
Maybe this is a bit crazy.
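As an added example (not code from ipmjs or from anyone in this thread), a sketch of the mechanism proposed above: an append-only store where nothing is ever deleted, plus a separate append-only 'blame' log whose votes, each stating their grounds, decide whether clients may still resolve an entry. The class, method names and quorum rule are assumptions.

```python
import hashlib


class ImmutableRegistry:
    """Append-only registry: published bytes are never removed (the Wikipedia
    'it only moves to history' model). Moderation lives in a separate blame log;
    once distinct voters reach the quorum, clients are told to refuse the entry
    while both the content and the grounds stay auditable. Constructed example."""

    def __init__(self, quorum):
        self.quorum = quorum
        self.store = {}       # digest -> tarball bytes, never deleted
        self.index = {}       # (name, version) -> digest, write-once binding
        self.blame_log = []   # append-only: (digest, voter, grounds)

    def publish(self, name, version, tarball):
        digest = hashlib.sha256(tarball).hexdigest()
        # setdefault does not overwrite: a name@version can never be re-bound
        if self.index.setdefault((name, version), digest) != digest:
            raise ValueError(f"{name}@{version} is already bound to another digest")
        self.store[digest] = tarball
        return digest

    def blame(self, digest, voter, grounds):
        """Record a denouncement vote; grounds are mandatory so the decision is transparent."""
        if digest not in self.store:
            raise KeyError("unknown digest")
        if not grounds:
            raise ValueError("a denouncement must state its grounds")
        self.blame_log.append((digest, voter, grounds))

    def denounced(self, digest):
        # Count distinct voters so one account cannot reach the quorum alone
        voters = {v for d, v, _ in self.blame_log if d == digest}
        return len(voters) >= self.quorum

    def resolve(self, name, version):
        """What a client does at install time: refuse denounced entries, never delete them."""
        digest = self.index[(name, version)]
        if self.denounced(digest):
            grounds = [g for d, _, g in self.blame_log if d == digest]
            raise PermissionError(f"{name}@{version} denounced: {grounds}")
        return self.store[digest]


def demo():
    reg = ImmutableRegistry(quorum=2)
    d = reg.publish("example-pkg", "1.0.0", b"module.exports = {};")  # constructed tarball
    reg.blame(d, "alice", "contains copyrighted material")
    reg.blame(d, "alice", "still copyrighted")          # same voter, counts once
    before = reg.denounced(d)
    reg.blame(d, "bob", "confirmed copyright claim")
    return before, reg.denounced(d), d in reg.store   # (False, True, True)
```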
Lastly, this should somehow be accessible to the non-developer public?
I don't think so. Moderation may be necessary for this. Moderators decide what to do in the end.
I agree with @reimertz that it would be better to partner with a non-profit organization that can help us out when we have to interact with lawyers.
How about Apache since they are now operating the reliable java package repository Maven. At least Apache is more reliable than NPM.
Apache should be ok. I agree with you, @xzer.
@xzer Apache plus Open Government would be great.
I'm curious what you think about today's npm update of the policy? http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy
For me voting won't work here. Either completely drop the "unpublish" feature. It is useful in some cases - yea, better is to use deprecate, but if you think it is too critical you should be able to choose what to do, and of course think about it 10 times before doing it. I kinda like this update that they did today, kinda. But yea, I'm fully 100% behind Azer's move and decision.
Somewhere while reading the topics around the net about The Drama I remember one absolutely awesome and logical (I'm not quoting exactly as it was, sorry):
There should be two separate worlds - corporate and open source, both should live in parallel. Lawyers should not have a job with open source. Both worlds should not have conflicts such as this.
I'll try to find it, really! It was more awesome than this above, but yea, very correct and passionate. I heard somewhere "namespaces by default", what matters? How would namespaces or some kind of prefixes help? This source code will again have some free/open source license - MIT, ISC, GPL, etc. There will always be some name collisions - it's not a matter of that, it will matter if some package is super-mega-giga famous and used - then, okay, lawyers can come and knock-knock on your door. But they shouldn't have a job with open source in general.
What's the difference if I publish the package google instead of @tunnckoCore/google, for example? It can again be famous, it will again be source code, it will again have the MIT license (for example). How do namespaces and such things help? Okay, I can think of one answer: the non-namespaced package would be free and Google could publish it. But this doesn't make sense to me. I mean... if you are strict and want to defend trademarks and copyrights, why would you fuck the whole community for the non-namespaced package and not fuck it if it is namespaced? Got the logic? If you are such an angry defender of trademarks and copyrights (lawyer, patent person, whatever), tricks such as namespacing won't help, imho.
So, we should find some balance.
And yes, I was totally shocked when this drama happened and still can't realize how big a danger it is.
Sorry if you feel some hard tone - I'm not offensive, I'm just writing this way, it's kinda style, whatever. I don't have bad feelings. :) And English is not my mother tongue :100:
Cheers, Charlike!
@tunnckoCore I think a project like this is still necessary, since we have so many problems to solve, not only the unpublish question.
There should be two separate worlds - corporate and open source, both should live in parallel. Lawyers should not have a job with open source. Both worlds should not have conflicts such as this.
I don't know, but I don't think that is always true. Maybe.
I think a project like this is still necessary
Indeed. Absolutely. I'm not saying that it's not needed, it would be great. I was just curious about the update and shared my thoughts about the whole thing.
I don't think that is always true. Maybe.
Absolutely. It should be in very rare cases. :)