@mikeal
Last active June 23, 2020 05:17
Response to Nodejitsu NPM Trademark

I've known people at nodejitsu for years, since before the company even existed. I still consider many of them friends. That said, somebody over there has lost their mind.

Trademarks are an important part of open source. They protect the integrity of the trust that is built by any project. A classic example of why this is the case is Firefox. Suppose that a malware producer takes the Firefox codebase, which is free and open source, packages up their malware with it and then releases it as "Firefox". Then they buy search advertising and suddenly their bad and malicious version of Firefox is the first result on search engines across the web. This is clearly a bad thing for Firefox and open source everywhere, but what can Mozilla do to protect their community of users?

They can't enforce a software license since the use is permitted under the Mozilla Public License. They can, however, enforce on these hypothetical bad actors using their trademark on the word "Firefox". This means that the community of users is protected while still providing their code as open source to a (usually separate) community of developers.

When I started at Mozilla this was a fairly new and controversial policy. The reason for enforcing the trademark was people putting up their own builds of Firefox with adware and calling it Firefox.

Nodejitsu is trying to take the trademark away from its author and the new company owned by that author. This is more analogous to one of the adware peddlers attempting to register the Firefox trademark before Mozilla did.

It is important to reduce confusion between similar names. Like if, for instance, a nodejitsu employee tried to register an npm package named "npmjs" that was actually an alternate version of npm that pushed to nodejitsu.

The fact is that until last month Nodejitsu has run npm for over three years. We started the trademark process as a follow-up to the work we did with #scalenpm as a protective measure to the community. Nodejitsu was legally first to commercial use for npm so it is well within our right to file for consideration with the USPTO.

This is a pretty selective interpretation of the history. Since the first horrible, hacky, version of the npm registry I wrote, Jason Smith has hosted the registry. First through CouchOne and then through IrisCouch and continuing on to Nodejitsu when they acquired IrisCouch. Jason and Isaacs worked together to support and maintain the registry.

Jason Smith is no longer at Nodejitsu.

Being the first company to try and monetize an open source project hardly means you own the intellectual property.

The objective of registering this trademark is to protect the community and will only be enforced to prevent possible malware masquerading as npm. While Isaac created the npm codebase itself, Nodejitsu (and IrisCouch) have been the corporate sponsor of npm since the beginning. It is only natural that we own the trademark as a process of doing business. npm Inc. was formed far after we started this process and we always intended to allow them to use the trademark which we rightfully own. On February 6th, Carr/Ferrell LLP (acting on behalf of npm Inc.) issued the following cease and desist to Nodejitsu.

Further, it has come to our attention that Nodejitsu is using the mark "private npm" and the npm logo, both without npm's permission or consent. We demand that you immediately cease using any of npm's marks or logo and also confirm in your reply letter that you will cease all use.

If it were "natural" for nodejitsu to own the trademark they already would have. It would have been a condition of hosting the registry. Clearly it wasn't.

To which we (partially) complied since we do recognize that we did not commission the current npm logo and have since ceased to use it. We are saddened by these latest developments but reiterate our commitment to Node.js, npm and a desire to work together with all other entities, such as npm Inc, in creating an even better and more vibrant ecosystem. The mistake that we made here was not bringing this to the attention of the community earlier and for that we are very sorry: it will not happen again. We will continue by your side (just as we've done for almost four years). It is the only thing that really matters to us.

A good commitment to a project would not be stealing intellectual property from the author. Nor is there any sane case to be made that nodejitsu is a better representative of the "community" for this intellectual property than its author.

Hosting something does not mean you own the IP, that's just about the craziest thing I've ever heard of. If that were true AWS would own nearly all the trademarks of every YCombinator startup.

Furthermore we are extremely saddened by the continued attacks on CouchDB. Let's make this clear, CouchDB is the technology that got npm to where it is today and many of the blanket statements being made are simply not true. We did and still do love CouchDB. While it's not perfect (what technology is?) we dedicated our time to make it better, through commitments to its core and building a great CouchDB multi-master setup that works. This is a great part of our npm offering, and you can use it at scale if you want. We continue to work with CouchDB to make it even better for npm, and we believe improving CouchDB is something great to do on its own merits.

This is absolutely hilarious. The registry is on CouchDB because I wrote it on top of CouchDB while I was working at CouchOne. Turns out that serving millions of tarballs a day is not the ideal use case for CouchDB (my bad). Moving away from everything being in CouchDB is a sane path to scaling the registry. So was using a CDN.

Registry metadata is still in CouchDB, you can replicate it. You can also replicate a CouchDB database with all the tarballs in it. Nodejitsu has a few extra conflicts because they had to alter their configuration, big whoop.

Also, since when is using something a little less an "attack" on it?

As for comments on npm being more stable, we recognize that putting any caching layer on top of CouchDB would have done the same without the complexity and drawbacks of the new architecture. We support competition and wish npm Inc. the best, but we wish there had been a more thoughtful approach to the problem and that they had included the broader community in those conversations. We maintain an open doors policy to working with them to make the ecosystem better, and we want to work with them not against them. We welcome the friendly competition, but try our private npm product and we think you'll be convinced.

Why does this matter? You don't like someone's architectural decisions so you try to steal their trademark?

We count on you to make npm better and will continue to work with the community to drive things forward. Thank you for supporting us and keep being awesome!

Did you just tell me to go fuck myself?

FLYBYME commented Jun 12, 2014

+1
