zlacker

[parent] [thread] 13 comments
1. within+(OP)[view] [source] 2023-12-29 18:40:33
I can think of exactly one rather popular one: left-pad.

The author should have been liable for the damage they caused. The industry self-regulated itself but that is a case that I can think of, specifically caused by negligence.

replies(4): >>sevagh+z >>rwj+r1 >>d_tr+q5 >>hcrean+5F
2. sevagh+z[view] [source] 2023-12-29 18:42:44
>>within+(OP)
Npm Inc. is the only party liable for left-pad.
replies(1): >>within+n1
3. within+n1[view] [source] [discussion] 2023-12-29 18:45:45
>>sevagh+z
NPM wasn't the one who pushed the "delete project" button, knowing full well what would happen.
replies(1): >>d_tr+r6
4. rwj+r1[view] [source] 2023-12-29 18:46:09
>>within+(OP)
Except that all the people using left-pad weren't paying for left-pad, and didn't have a contractual relationship with the author. IANAL, but I'm doubtful the courts would find there is enough of a relationship for the author to be liable.
replies(1): >>within+m2
5. within+m2[view] [source] [discussion] 2023-12-29 18:50:01
>>rwj+r1
That is what new laws are for.
replies(1): >>mjr00+b4
6. mjr00+b4[view] [source] [discussion] 2023-12-29 18:58:13
>>within+m2
No, they aren't. Even in the most liberal interpretation of the new laws, there's nothing specifying that you need to continue making your open-source package continually and indefinitely available.
replies(1): >>within+26
7. d_tr+q5[view] [source] 2023-12-29 19:04:45
>>within+(OP)
This is a very dangerous line of thought, and frankly, appalling.
replies(1): >>within+28
8. within+26[view] [source] [discussion] 2023-12-29 19:08:23
>>mjr00+b4
I don't mean THESE new laws, just new laws in general.

> nothing specifying that you need to continue making your open-source package continually and indefinitely available.

There's a difference between making it available, and deliberately causing harm and untold productivity loss in a single day. This was a case of the latter.

replies(1): >>mjr00+Gl
9. d_tr+r6[view] [source] [discussion] 2023-12-29 19:10:52
>>within+n1
You knew all this before you decided to use it. Next time make better calls instead of blindly pulling shit like an idiot.
replies(1): >>within+x7
10. within+x7[view] [source] [discussion] 2023-12-29 19:18:10
>>d_tr+r6
I never used it; I just knew about the situation and used it as an example.
11. within+28[view] [source] [discussion] 2023-12-29 19:20:23
>>d_tr+q5
How is holding people responsible for their actions "dangerous" or "appalling?"
12. mjr00+Gl[view] [source] [discussion] 2023-12-29 20:38:00
>>within+26
Someone deleted a publicly accessible file off the internet, and it broke workflows of people with whom they have no existing contract. Good luck proving that was done to deliberately cause harm.
replies(1): >>within+cw
13. within+cw[view] [source] [discussion] 2023-12-29 21:44:27
>>mjr00+Gl
In this case, they freely admitted to doing it with the intent to harm. A person slapping me in the face doesn’t have a contract with me, but they are still liable for that harm. This isn’t rocket science.
14. hcrean+5F[view] [source] 2023-12-29 22:46:24
>>within+(OP)
Left-pad is a very good case study.

For most of my early career (security focused), companies would download copies of packages for use; the packages would go through rigorous security scanning and vulnerability management processes before being included in a whitelist of internally approved tooling for product dev. Licensing, regulatory compliance and international involvement in dependencies were reviewed at this stage.

In this type of environment, which is very good from a security perspective, it would be virtually impossible for the Left-pad removal to have the impact that it did. So the problem as I see it is not that the author of Left-pad did a naughty thing (he was well within his rights given the 'why' of it all), the problem is that generations of developers have been successfully trained to believe that all their assurance work has just magically been done for them: In many cases the modern ecosystems make it virtually impossible for them to verify and control packages themselves.
