@mikeal
Last active June 23, 2020 05:17
Response to Nodejitsu NPM Trademark

I've known people at nodejitsu for years, since before the company even existed. I still consider many of them friends. That said, somebody over there has lost their mind.

Trademarks are an important part of open source. They protect the integrity of the trust that is built by any project. A classic example of why this is the case is Firefox. Suppose that a malware producer takes the Firefox codebase, which is free and open source, packages up their malware with it and then releases it as "Firefox". Then they buy search advertising and suddenly their bad and malicious version of Firefox is the first result on search engines across the web. This is clearly a bad thing for Firefox and open source everywhere, but what can Mozilla do to protect their community of users?

They can't enforce a software license since the use is permitted under the Mozilla Public License. They can, however, enforce on these hypothetical bad actors using their trademark on the word "Firefox". This means that the community of users is protected while still providing their code as open source to a (usually separate) community of developers.

When I started at Mozilla this was a fairly new and controversial policy. The reason for enforcing the trademark was people putting up their own builds of Firefox with adware and calling it Firefox.

Nodejitsu is trying to take the trademark away from its author and the new company owned by that author. This is more analogous to one of the adware peddlers attempting to register the Firefox trademark before Mozilla did.

It is important to reduce confusion between similar names. Like if, for instance, a nodejitsu employee tried to register an npm package named "npmjs" that was actually an alternate version of npm that pushed to nodejitsu.

The fact is that until last month Nodejitsu has run npm for over three years. We started the trademark process as a follow-up to the work we did with #scalenpm as a protective measure to the community. Nodejitsu was legally first to commercial use for npm so it is well within our right to file for consideration with the USPTO.

This is a pretty selective interpretation of the history. Since the first horrible, hacky, version of the npm registry I wrote, Jason Smith has hosted the registry. First through CouchOne and then through IrisCouch and continuing on to Nodejitsu when they acquired IrisCouch. Jason and Isaacs worked together to support and maintain the registry.

Jason Smith is no longer at Nodejitsu.

Being the first company to try and monetize an open source project hardly means you own the intellectual property.

The objective of registering this trademark is to protect the community and will only be enforced to prevent possible malware masquerading as npm. While Isaac created the npm codebase itself, Nodejitsu (and IrisCouch) have been the corporate sponsor of npm since the beginning. It is only natural that we own the trademark as a process of doing business. npm Inc. was formed far after we started this process and we always intended to allow them to use the trademark which we rightfully own. On February 6th, Carr/Ferrell LLP (acting on behalf of npm Inc.) issued the following cease and desist to Nodejitsu.

Further, it has come to our attention that Nodejitsu is using the mark "private npm" and the npm logo, both without npm's permission or consent. We demand that you immediately cease using any of npm's marks or logo and also confirm in your reply letter that you will cease all use.

If it were "natural" for nodejitsu to own the trademark they already would have. It would have been a condition of hosting the registry. Clearly it wasn't.

To which we (partially) complied since we do recognize that we did not commission the current npm logo and have since ceased to use it. We are saddened by these latest developments but reiterate our commitment to Node.js, npm and a desire to work together with all other entities, such as npm Inc, in creating an even better and more vibrant ecosystem. The mistake that we made here was not bringing this to the attention of the community earlier and for that we are very sorry: it will not happen again. We will continue by your side (just as we've done for almost four years). It is the only thing that really matters to us.

A good commitment to a project would not be stealing intellectual property from the author. Nor is there any sane case to be made that nodejitsu is a better representative of the "community" for this intellectual property than its author.

Hosting something does not mean you own the IP, that's just about the craziest thing I've ever heard of. If that were true AWS would own nearly all the trademarks of every YCombinator startup.

Furthermore we are extremely saddened by the continued attacks on CouchDB. Let's make this clear, CouchDB is the technology that got npm to where it is today and many of the blanket statements being made are simply not true. We did and still do love CouchDB. While it's not perfect (what technology is?) we dedicated our time to make it better, through commitments to its core and building a great CouchDB multi-master setup that works. This is a great part of our npm offering, and you can use it at scale if you want. We continue to work with CouchDB to make it even better for npm, and we believe improving CouchDB is something great to do on its own merits.

This is absolutely hilarious. The registry is on CouchDB because I wrote it on top of CouchDB while I was working at CouchOne. Turns out that serving millions of tarballs a day is not the ideal use case for CouchDB (my bad). Moving away from everything being in CouchDB is a sane path to scaling the registry. So was using a CDN.

Registry metadata is still in CouchDB, you can replicate it. You can also replicate a CouchDB database with all the tarballs in it. Nodejitsu has a few extra conflicts because they had to alter their configuration, big whoop.

Also, since when is using something a little less an "attack" on it?

As for comments on npm being more stable, we recognize that putting any caching layer on top of CouchDB would have done the same without the complexity and drawbacks of the new architecture. We support competition and wish npm Inc. the best, but we wish there had been a more thoughtful approach to the problem and that they had included the broader community in those conversations. We maintain an open doors policy to working with them to make the ecosystem better, and we want to work with them not against them. We welcome the friendly competition, but try our private npm product and we think you'll be convinced.

Why does this matter? You don't like someone's architectural decisions so you try to steal their trademark?

We count on you to make npm better and will continue to work with the community to drive things forward. Thank you for supporting us and keep being awesome!

Did you just tell me to go fuck myself?

@curiouslychase

+1

@jeffdonthemic

Does anyone else need a shower? I just feel dirty after reading the blog post.

@gillesruppert

@tanepiper Very good point. This is very destructive to an otherwise awesome project. If the companies really want to make this better and care about the community, they should start a foundation and sign all trademarks over to that foundation.

@mikeal
Author

mikeal commented Feb 27, 2014

@maxogden you mean something like this https://gist.github.com/mikeal/8947417 :)

@mikeal
Author

mikeal commented Feb 27, 2014

I'll address the "foundation" comments as a whole really quick.

If you've ever worked for a non-profit or public benefit organization, you know they are not free of politics and bickering. As much as it pains me to see people fight over ownership like this, putting things in a group which "owns" the IP would actually lead to more interpersonal conflicts between the participants and the community, it would just contain it to a single organization. You might consider that a better alternative but my own experience with it leaves me pretty skeptical.

@azat-co

azat-co commented Feb 27, 2014

Interesting post, isn't NPM on its own now? Not under Nodejitsu?

How do you like Nodejitsu as a service? I always used Heroku just because I was too lazy to register for a paid account with Nodejitsu (they don't have free accounts).

@dstufft

dstufft commented Feb 27, 2014

@mikeal Speaking as someone who is an administrator at PyPI which is owned by a foundation. I would never expect anything like what is going on with NPM right now to occur there. That particular foundation is for Python and all of Python.org of which PyPI is one of them.

You are absolutely right that there are still conflicts because that's what happens when you put a group of people together. However you remove some of the major causes of conflict, who "owns" what, who is making money off of what, etc.

@chadkirby

As it happens, I'm an IP attorney (who uses Node for various personal and professional projects). I took a look at Nodejitsu's trademark applications, and I can imagine at least a couple grounds on which the trademark examining attorney might reject them. That said, if one or more of the applications is ultimately approved for publication, any party who believes it may be damaged by registration of the mark has thirty (30) days from the publication date to file either an opposition to registration or a request to extend the time to oppose. So, there could certainly be some entity out there that would have standing to assert colorable grounds for opposing registration of the marks.

@mmalecki

Awesome writeup, thanks @mikeal.

@mikeal
Author

mikeal commented Feb 27, 2014

@dstufft sure, this specific issue could be avoided but there are other, new, issues that we'd trade for. Again, this is just my own experience. I think that these are conflicts within the culture and community and the more we treat them as issues of community and culture the better we can resolve them. When the conflicts are between company entities and individuals it's easy to have a fight, whereas institutions that "own" the fights externalize them and make it harder for the culture to participate.

Incidents like this are painful but in the long run can actually strengthen the community in a way that makes it able to endure bigger challenges.

@yyx990803

I still haven't received my t-shirt for my scalenpm donation. Did anyone get theirs?

@marklundin

Great write up

@thenrio

thenrio commented Feb 27, 2014

I trust in a developer more than its employer

I do not mean that a developer should waste either what he did nor its employer ( this is the starting point of many software drama )
And I do not expect an employer to do same things

What I think when it arises is: I trust in a developer more than its employer
And you are right, an employer should not forget what its awesome developers did, even when it was clunky at first, but because it was there

Love, Thierry

@isaacs

isaacs commented Feb 28, 2014

I trust in a developer more than its employer

Couldn't agree more. (Saying this as a developer, and also an employer.)

It was clear from the start that the simple act of creating a company would give us some extra credibility with some parties, but cost us some credibility with others.

The only way to rebuild credibility is to be credible, repeatedly, over time. So that's what we're trying to do.

@danielmahon

They were juggling too many things before they got all serious with npm, they should focus on making their service better, I jumped ship from Nodejitsu to Heroku a while ago, and what I've heard recently only validates my decision

@constantx

👍

@qawemlilo

+1

@luglio7

luglio7 commented Feb 28, 2014

+1

@mscdex

mscdex commented Feb 28, 2014

+9001

@eugeneware

So what's nodejitsu going to do with the 300k it raised for scalenpm? Has it just used the funds to bootstrap its private npm offerings? Are they going to refund the donations now that it's not needed?

@jonathanKingston

This all seems very much insane and from what I can see isaacs owns the name.

Here is the oldest prior art to npm I can find (Sep 29, 2009): https://github.com/npm/npm/blob/4626dfa73b7847e9c42c1f799935f8242794d020/README.md

That's older than IrisCouch and nodejitsu have had a site even.

@mikeal
Author

mikeal commented Feb 28, 2014

@sam3k

sam3k commented Feb 28, 2014

Couldn't agree more.

@zackdouglas

+1

@SPIL-stephanep

I always thought Nodejitsu was actually working against the best interest of the Node.js community, now we have the proof of it

@FLYBYME

FLYBYME commented Jun 12, 2014

+1
