Question: How to disincentivise selling packages to the highest bidder? #96

Status: Open
balupton opened this issue Dec 15, 2018 · 9 comments
Labels: article (Need to spread this information); stale? (This issue is dusty, please take a look and consider closing)

Comments

@balupton
Contributor

Unlike traditional labor, where being a good actor is financially rewarding, with open-source labor, there is more monetary incentive in selling packages… and with the current state of open-source remuneration, there seems more incentive by bad actors than good actors to express monetary value for packages

How should this be addressed? Shall npm just disable access and ban any user who sells a package (regardless of good or bad actor)? Will there be a defensive fund by the foundation to outbid bad actors in auctions?

@ljharb
Member

ljharb commented Dec 15, 2018

Is there any evidence that this has happened before, even once? I’d love to read more about it if it has.

@mcollina
Member

Not in a hostile way, both Node.js and Express were bought. The only solution to this problem is to move projects into a Foundation.

@ljharb
Member

ljharb commented Dec 15, 2018

Hmm, that’s not how I remember things, but I’m sure I’m lacking info - could you elaborate?

@mcollina
Member

Node.js was acquired by Joyent. Express was acquired by StrongLoop. Neither was a hostile acquisition, they just were (there are plenty of online discussions on this). Selling OSS is indeed an exit strategy for a maintainer, and the solution to that is to move important projects into a Foundation.

@ljharb
Member

ljharb commented Dec 15, 2018

Gotcha. In those cases I agree that a foundation was a good idea; I’m not convinced it would be necessary in every case, nor that it’s a large enough problem to warrant being in scope for this group.

@aoberoi
Contributor

aoberoi commented Dec 15, 2018

It’s the change in ownership being “hidden” to most users that is potentially an issue in those cases. I think surfacing the change in ownership was discussed a bit in #4.
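One way to surface an ownership change to downstream users, as an added example that is not part of this thread or of any tool mentioned in it: diff two snapshots of a package's npm registry metadata and flag maintainers who were added or removed and new versions published by someone who was not a maintainer before. The sample snapshots are constructed; the `maintainers` and `_npmUser` field names are assumed from the registry's packument JSON.

```python
"""Flag maintainer (ownership) changes between two npm registry metadata snapshots."""
import json

# Constructed sample packuments, not real registry data. The top-level
# "maintainers" list and the per-version "_npmUser" field are assumed to be
# the fields the public npm registry exposes for this information.
BEFORE = json.loads("""{
  "name": "example-pkg",
  "maintainers": [{"name": "alice", "email": "alice@example.org"}],
  "versions": {
    "1.0.0": {"_npmUser": {"name": "alice", "email": "alice@example.org"}}
  }
}""")
AFTER = json.loads("""{
  "name": "example-pkg",
  "maintainers": [{"name": "bob", "email": "bob@example.net"}],
  "versions": {
    "1.0.0": {"_npmUser": {"name": "alice", "email": "alice@example.org"}},
    "1.0.1": {"_npmUser": {"name": "bob", "email": "bob@example.net"}}
  }
}""")


def maintainer_set(packument):
    """Usernames currently listed as maintainers of the package."""
    return {m["name"] for m in packument.get("maintainers", [])}


def ownership_changes(before, after):
    """Report added/removed maintainers and new versions published by a newcomer."""
    old, new = maintainer_set(before), maintainer_set(after)
    new_versions = set(after["versions"]) - set(before["versions"])
    by_newcomer = sorted(
        v for v in new_versions
        if after["versions"][v].get("_npmUser", {}).get("name") not in old
    )
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "new_versions_by_new_maintainer": by_newcomer,
    }


def should_hold_update(before, after):
    """Policy hook for an update tool: hold the bump for manual review on any change."""
    r = ownership_changes(before, after)
    return bool(r["added"] or r["removed"] or r["new_versions_by_new_maintainer"])


if __name__ == "__main__":
    print(json.dumps(ownership_changes(BEFORE, AFTER), indent=2))
```

A dependency update tool could run this against the registry metadata cached at the last install and the metadata for the proposed version, and attach the report to the update PR instead of applying it silently.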

@hutson

hutson commented Dec 24, 2018

As a package maintainer, it's on me to vet my direct dependencies to protect my downstream users.

It's difficult to keep up with multiple dependencies and their ownership/control. There's a time investment required, and then there's the liability of assuming a dependency maintainer is trustworthy, but they turn out not to be.

A few dependency update tools have begun to look into this particular issue:

@jonchurch jonchurch added the stale? This issue is dusty, please take a look and consider closing label Jul 29, 2021
@jonchurch
Contributor

I think this is likely out of scope for the group at this time? I think there could be a fascinating article written about this topic.

I've labeled this stale?, and I'm inviting the group to revisit.

@thescientist13
Contributor

> I think there could be a fascinating article written about this topic.

@jonchurch jonchurch added the article Need to spread this information label Jul 29, 2021