6 votes

The economics of open source by C J Silverio | JSConf EU 2019

4 comments

  1. ryanatkn
    C J Silverio, former CTO of npm Inc., tells the story of npm and the historical choice and consequences of putting the JavaScript commons under the control of a venture-funded company. She announces entropic, a work-in-progress federated package registry created with Chris Dickinson.

    Video description:

    The JS package commons is in the hands of a for-profit entity. We trust npm with our shared code, but we have no way to hold npm accountable for its behavior. A trust-based system cannot function without accountability, but somebody still has to pay for the servers. How did we get here, and what should JavaScript do now?

    3 votes
  2. 9000
    One thing she mentions in the talk is that by distributing the cost of maintaining infrastructure across the community, we can create more sustainable systems than centralized providers can. I think that's wise, but I'm not sure if even federation gets us far enough.

    For instance, I would expect that default or major providers would become rather centralized, since it's much easier as a dev to offload the task of maintaining a server to someone else. Most people don't want to host, update, and generally maintain a server just to publish software. And even if they did, this means that if Dominic Tarr's package becomes super important for the ecosystem, his node will get hit with a lot more requests, which is expensive. This is true even if there is some mirroring to other servers (like entropic will have), because ultimately, his is canonical. Finally, I don't see anything on their project page about verifying the code. If servers will duplicate dependencies, how can you as a user trust these servers to not poison your dependency code? If it is going to be content-addressed, like they claim, how is that verified? It currently looks like it is actually location-addressed, given the dependency schema.

    In contrast to a lot of these issues, I personally like the idea of a package manager built on a P2P system like IPFS or Dat, which would provide even more decentralization and mirroring, while also providing cryptographic proof of authorship. You can still have a server pin your resource, but then any other host or user who mirrors it shares in the burden of providing that resource. The addresses tend to be significantly less readable than DNS, but we could use a solution like the Beaker Browser uses, and bootstrap off of DNS by checking /.well-known/.

    The only projects I know along these lines are gx and dat-installer (which, granted, is an app store not a package manager). These are not endorsements, just a list. I'd be excited to hear if anyone knew of any other similar resources!

    2 votes
    1. ryanatkn
      That's an interesting point about the weaknesses of federation. I could see a small number of large companies being the most-used hosts.

      I'm guessing cryptographic security is going to be included, because she mentions code signing in the video as an example of what npm is not incentivized to proactively provide. She talks about how npm may only develop certain features reactively due to existential threats, while entropic is built for the users (as opposed to $).

      This issue on the entropic repo has some good discussion about IPFS and Dat.

      2 votes
      1. 9000
        > I could see a small number of large companies being the most-used hosts.

        Yeah, I know that the Debian project has historically had a bit of a struggle to distribute load across all of its mirrors. That's why I am concerned.

        > I'm guessing cryptographic security is going to be included, because she mentions code signing in the video as an example of what npm is not incentivized to proactively provide.

        That's a good point! I had forgotten about that. I'd be interested in seeing how they solve the key passing/validation problem while still being user friendly. Just because they're community run does not mean they'll suddenly have good solutions to all of these problems.

        > This issue on the entropic repo has some good discussion about IPFS and Dat.

        Thanks! I hadn't seen that! I'm glad people are talking about it. It's too bad neither of those projects is really ready yet. I've been watching them in anticipation for a long time. I still think it might be worth exploring one of those projects anyway, since it's one of the best ways I know to encourage sharing network resources.

        I'm not really a JS programmer, but I'll keep watching this project!

        2 votes