Hey everyone - this is not just a one off thing, there are likely to be many other modules in your dependency trees that are now a burden to their authors. I didn't create this code for altruistic motivations, I created it for fun. I was learning, and learning is fun. I gave it away because it was easy to do so, and because sharing helps learning too. I think most of the small modules on npm were created for reasons like this. However, that was a long time ago. I've since moved on from this module and moved on from that thing too and in the process of moving on from that as well. I've written way better modules than this, the internet just hasn't fully caught up.
@broros
> otherwise why would he hand over a popular package to a stranger?
If it's not fun anymore, you get literally nothing from maintaining a popular package.
One time, I was working as a dishwasher in a restaurant, and I made the mistake of being too competent, and I got promoted to cook. This was only a 50 cents an hour pay rise, but massively more responsibility. It didn't really feel worth it. Writing a popular module like this is like that times a million, and the pay rise is zero.
I've shared publish rights with other people before. Of course, if I had realized they had a malicious intent I wouldn't have, but at the time it looked like someone who was actually trying to help me. Since the early days of node/npm, sharing commit access/publish rights with other contributors was a widespread community practice. https://felixge.de/2013/03/11/the-pull-request-hack.html Open source is driven by sharing! It's great! It worked really well before bitcoin got popular.
So right now, we are in a weird valley where you have a bunch of dependencies that are "maintained" by someone who's lost interest, or is even starting to burn out, and that they no longer use themselves. You can easily share the code, but no one wants to share the responsibility for maintaining that code. Like a module is like a piece of digital property, a right that can be transferred, but you don't get any benefit owning it, like being able to sell or rent it, however you still retain the responsibility.
I see two strong solutions to this problem...
- Pay the maintainers!! Only depend on modules that you know are definitely maintained!
- When you depend on something, you should take part in maintaining it.
Personally, I prefer the second, but the first probably has its place. These aren't really mutually exclusive, anyway.
As to this particular issue, I have emailed npm support and suggested that they give the module to @FallingSnow and ar @XhmikosR
Well after thoroughly reading through a large portion of the original issue and this post here, I have a few things I'd like to mention to anyone who wants to take the time to read my short essay here. I hope it sheds some light for people reading. I also want to point out that I hold no ill will to the two users I am going to reply to. I just disagree with some of your points. (I should also mention that I have not personally been affected by this issue. I just see a lot of discussion about the moral responsibilities we have as programmers that are concerning to me.)
Firstly, @macfreek, I would disagree with your statements, too.
True, non-active authors shouldn't be expected to mark stuff as archived. They are non-active. But the OP is not non-active. He took the time to hand the project off. In regards to marking something archived for those who are actually non-active, I would think that should be something built into the ecosystem. NPM and GitHub should probably do that automatically after no maintenance has occurred for some period of time. But neither of those scenarios happened with the OP.
And with due respect to you, @chx, I believe you couldn't be more wrong here. You are making a claim that this guy is wrong, so you obviously believe in some kind of moral absolutes. But then you completely let the OP off the hook in a way that implies moral relativism saying his motivation was "fun", so that's what his motivation is, implying nothing else he did matters? If his motivation was fun, then why publish it online? You don't need to do that to have fun. Publishing online implies you want to help others by providing your software to them. He chose to do so. And we should definitely be thankful to @dominictarr that he did choose to share it, as it has clearly been used by a large portion of the community.
I'm not saying people aren't responsible for using his code. They certainly are. But to absolve @dominictarr of all responsibility makes no sense. Obviously, he is not legally responsible as most people have been saying. But he does hold some responsibility.
Life is full of responsibilities that we incur on ourselves and sometimes we have them thrust upon us without our consent. Think of it like this. If the OP was walking alone down the sidewalk and saw a toddler about to crawl onto a busy roadway, would it not be his moral responsibility as a human to stop the toddler from crawling onto the road? He did not ask for or want that responsibility, but I think any reasonable person would say he should be held responsible (as well as the irresponsible parent mind you) if he had the ability and opportunity to stop harm from coming to the child, yet chose not to do so. In the same manner, he created and offered this code freely online for anyone to use. He then chose to hand that code off to someone else. Whether or not he did any vetting of the guy or not, he chose that action. Then there is this:
He gave away the event-stream code, but decided to not do so for the 343 other modules, so he obviously realized abandoning them was a better option than giving them all away to a stranger. And he states when he was disowning them, he had already transferred event-stream. At any rate he obviously knows he made a bad decision. And I agree that nowhere in his statements (that I've seen at least) has he expressed remorse or apologized for making the bad decision. I think that's the biggest reason as to why so many people are angry with him. It's not that he made the bad decision, it's that he continues to defend himself without expressing remorse.
That being said, it is very easy to just want to defend yourself when you have so openly and on such a large stage been exposed to basically public lashing and vitriol by so many people. It's a very understandable response. But I hope that he will eventually just add that he made a mistake and that he is sorry for it. Explicitly stating it and showing vulnerability here would go a long way towards diminishing a lot of the hatred he's been shown. If you read this, @dominictarr, that's my only advice. But thanks for all the work you have done for the community.