The economics of package management

The JS package commons is in the hands of a for-profit entity. We trust npm with our shared code, but we have no way to hold npm accountable for its behavior. A trust-based system cannot function without accountability, but somebody still has to pay for the servers. How did we get here, and what should JavaScript do now?

In 2013 the JS community made a critical decision via inaction: we let our package registry be owned by a for-profit entity. Scale is expensive & requires reliable funding. A VC-funded registry has let us share code at a rate unimagined by most language communities. However, we don't have control of our commons. Is this a good tradeoff? Until now our collective answer has been yes, but we have rarely considered the implications of our decision & how we could choose differently.


C J Silverio

June 01, 2019


  1. The economics of package management

  2. C J Silverio @ceejbot

  3. you are in this story

  4. a story about money

  5. a story about power

  6. remember Yahoo? ypm was its package manager

  7. JSConfEU 2009 node.js announced

  8. early node had package managers plural

  9. one got official status

  10. Joyent bought node

  11. Joyent did not buy node's package manager

  12. open-source doesn't mean open ownership or control

  13. node grows through 2013

  14. success is a catastrophe you need to survive

  15. the package registry is centralized

  16. centralization has advantages

  17. centralization has been the trend

  18. centralization of costs

  19. servers cost money who pays for them?

  20. donations work when you're small

  21. success is expensive (for centralized services)

  22. npm needed money

  23. this is not a novel problem

  24. founding a company was a novel choice

  25. the node project decided this was fine

  26. you decided this was fine

  27. not everybody thought it was fine

  28. money changes everything

  29. I decided this was fine

  30. I was employee number two

  31. those large numbers sure are large

  32. let's talk about money

  33. open source generates a lot of value

  34. capitalism does not reward open source authors

  35. most of us give away source code not expecting money

  36. open source vs free software

  37. capitalism loves open source

  38. one person in this story didn't give his stuff away

  39. javascript's commons

  40. commons: the resources available to everybody

  41. the language spec

  42. all our shared code

  43. our common registry of shared code is owned by a private company

  44. Ryan Dahl was here again last year

  45. It’s unfortunate that there is a centralized (privately controlled even) repository for modules. --Ryan Dahl

  46. what are the consequences of private control?

  47. no input into registry policies

  48. no input into registry features

  49. the registry is what matters not the clients

  50. the management of our commons is opaque to us

  51. there is no trust without accountability

  52. you had no way to hold me accountable

  53. so is npm evil? mu. ask a different question.

  54. npm is a financial instrument

  55. financial instruments are monetary contracts

  56. npm Inc is a means for turning some money into more money

  57. companies don’t love you not even ones that make things you like

  58. npm does not love you

  59. nobody believes it anymore

  60. how did the fall happen?

  61. It's 2018. Packages flow like water.

  62. packages cost money even if you're not paying for them

  63. VCs want to go big or go home

  64. npm is obligated to its owners not us

  65. make money or raise money by telling a story about spending money to make money in some kind of money-ception. you can't fool me; it's money all the way down

  66. they hired a CEO who made some, um, interesting moves

  67. the centralized registry is expensive

  68. the situation today is uneasy & probably short-lived

  69. this was not the only option

  70. what are we going to do about it?

  71. do nothing?

  72. imagine npm run by a non-benevolent entity

  73. maybe we'll be saved by some large company

  74. I agree with Ryan Dahl

  75. do you think that's impossible?

  76. I believe in giving source code away

  77. Chris Dickinson @isntitvacant & I have an announcement

  78. entropic: a federated package manager

  79. Apache 2.0 licensed entirely open source (sorry RMS)

  80. new cli & new api decentralized: many registries

  81. no, don't use entropic yet

  82. but we do want your help github/entropic-dev

  83. entropic's goals

  84. first, prove we have power

  85. second, share our expertise

  86. third, promote federation

  87. take back the commons

  88. go do something amazing

  89. ❤ from ceej & chris