Comment by Novashi

7 years ago

It's exactly how video game audiences are.

But honestly the stakes are higher than video games. If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part. That isn't how society runs, so it's rather obvious when people get mad that there's a landscape full of anarchy when it should look more like modern civilization.

Like it or not, npm and the node community have not prioritized their reputation. And the mechanisms that keep bad operators out of npm open source rely on a relatively small company, considering the actual business livelihood that relies on npm integrity. It means the community is okay with continuing to use npm, and that means that the community doesn't have a healthy way to maintain itself and build trust. It's going to rot, I think (and hope). It's just going to be a bunch of tribal nomads moving from project to project until someone social engineers a compromise and they're off to find another huge dependency graph again.

At the very least, Clojure is telling people what it's about upfront.

Other package managers are not immune to this, btw. npm is just often the whipping boy.

> If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part.

I tend to agree with this. I've always had a great deal of sympathy with OSS devs and maintainers, but if you've gone out of your way to evangelise people onto your platform (OSS or otherwise), then leave them high and dry, resulting in a load of complaints/bitterness, you have to bear at least some of the responsibility for that outcome.

> If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part.

I'm not sure how much he advertised it.

This is part of the problem I have with things like npm, cargo, etc.

The defaults are set to try to suck up your work and get you to make it public.

Consequently, semi-useful things get loose probably long before people intended them to and probably long before people realize how much work they just signed up for.