back to article NPM today stands for Now Pay Me: JavaScript packaging biz debuts conduit for funding open-source coders

NPM Inc, maintainer of the widely used JavaScript package manager npm, has taken a step toward fulfilling a promise made in August to help open-source developers seek compensation for their labor. Despite its own solvency concerns, the biz on Tuesday deployed code changes that add a "funding" command to the latest version of …

  1. chuBb.
    Meh

    Great more EULA not to read

    Well its better than CLI ads i guess, just dont see what value it adds to a package manager, dunno about everyone else but the only time i ever examine the meta data of a package is when i want to know where the packages project is hosted...

    Still i guess if you view like spam, in so much that it only takes one person to respond per million emails sent to call it a sucessful campaign, then it might help, just think things like github sponsors is a more natural fit for this sort of thing.

    Also whats the betting that in the next 6 months el reg reports on packages getting hacked to change the funding link to one not controlled by the authors, and whats the betting NPM's response is any more effective than shrugging and going meh??

    1. Claptrap314 Silver badge

      Re: Great more EULA not to read

      Glad to see that the FIRST comment exposed this gaping security hole.

      The only way this has even a chance of working is if they restrict the permitted hosts for funding & require significant vetting for changing the urls.

      OTOH, we're talking about a 21st century attempt at shareware. We'll see how that goes.

    2. Pascal Monett Silver badge

      Re: getting hacked to change the funding link to one not controlled by the authors

      Yup, when I read the words "all you need to do is set up a funding URL" I immediately thought "and all the hackers have to do is hijack that".

      I totally agree on the principle, but JavaScript being the most hijacked thing in the IT world, I can't see how that will not attract all kinds of scum.

      Still, at least they are trying something.

      1. Blackjack

        Re: getting hacked to change the funding link to one not controlled by the authors

        Yeah is a good idea in theory but way too easy to hack.

  2. sbt Silver badge
    Thumb Up

    A better approach than post install advertising, certainly

    There are no good answers to getting support for free software, and its not sustainable and will not compete with funded proprietary systems and platforms until we find one. I like that they've given this a go; it seems a pretty harmless experiment, if it fails.

    1. Roland6 Silver badge

      Re: A better approach than post install advertising, certainly

      A better approach would be to revert to the old/new way. Yes the source code is free - feel free to download from GitHub et al and compile...; but want the convenience of automatically pulling the latest version, binary etc. then there is subscription for this...

      1. Claptrap314 Silver badge

        Re: A better approach than post install advertising, certainly

        We had cron scripts for decades before git.

  3. karlkarl Bronze badge

    "to help open-source developers seek compensation for their labor"

    If a developer feels that donations are a form of "compensation", then they are not open-source developers. They probably also churn out shite that people shouldn't use.

    An open-source developer is often one who makes money with a day job (probably doing similar) but then works on a project of passion to develop it "correctly" rather than under rushed deadlines or budget constraints. This process is its own reward and does not need "compensation". Yes, donations for beer are still very much appreciated but not *expected*.

    I wonder what name we should give to developers who share their code (due to infrastructure requirements) but do not necessarily give any shites about it and just want money?

    1. Sir Awesome

      You do realise somebody receiving donations doesn't magically make code disappear from the public domain?

      1. JohnFen Silver badge

        Just a little nitpick here -- the overwhelming majority of open source software is not in the public domain. It remains under copyright and is issued under a license.

    2. Anonymous Coward
      Anonymous Coward

      If a developer feels that donations are a form of "compensation", then they are not open-source developers. They probably also churn out shite that people shouldn't use.

      Wow, get over yourself, nice sweeping generalisations there.

    3. Dan 55 Silver badge
      Meh

      An open-source developer is often one who makes money with a day job (probably doing similar) but then works on a project of passion to develop it "correctly"

      There just aren't enough hours in the day for that and you'll probably die of DVT or something by the time you hit 40.

      1. JohnFen Silver badge

        That's funny -- I've been doing exactly what karlkarl describes for decades, and am no worse for wear because of it despite being well beyond 40.

    4. chuBb.

      "I wonder what name we should give to developers who share their code (due to infrastructure requirements) but do not necessarily give any shites about it and just want money?"

      Honest, not some stallmanite nutjob, source available, pragmatic, loosly coupled to philosophy

    5. JohnFen Silver badge

      "If a developer feels that donations are a form of "compensation", then they are not open-source developers."

      What? Whether or not something is open source is unrelated to whether or not compensation is involved.

    6. Jamesit

      "I wonder what name we should give to developers who share their code (due to infrastructure requirements) but do not necessarily give any shites about it and just want money?"

      "Open source developers"

      Free software programmers respect the 4 freedoms. Open source programmers don't always respect the 4 freedoms.

      The freedoms are:

      (0) to run the program,

      (1) to study and change the program in source code form,

      (2) to redistribute exact copies, and

      (3) to distribute modified versions.

      Open source doesn't always guarantee the freedom to distribute exact copies or modified versions, or even the right to modify the software for private use.

    7. Steve K Silver badge

      Eh?

      If a developer feels that donations are a form of "compensation", then they are not open-source developers. They probably also churn out shite that people shouldn't use.

      This is incorrect.

      Bear in mind that many large companies are significant open source contributors (e.g. Red Hat), and the code that they contribute must therefore have been created by their employees who are paid a salary (a.k.a. compensation).

  4. vtcodger Silver badge

    Is there someplace I can go ...

    I'm not against paying for open source software. I've even been known to do so as well as contribute some spare change to Wikipedia and the Internet Archive.

    Javascript On the other hand ... Is there someplace I can go to donate to a fund to eliminate the menace of website scripting -- not just Javascript, but ALL web scripting -- from humanity's future? I appreciate that it is a complex issue. There are worthy things -- interactive maps for example -- done with web scripting that would otherwise probably need to be provided by browsers. But the internet has become a rather bad neighborhood. And it's getting worse. And Javascript is clearly one of the reasons the neighborhood is going downhill.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is there someplace I can go ...

      Removing any one means to be immoral has never 'fixed' morality. This is shallow thinking at its most obvious.

      1. vtcodger Silver badge

        Re: Is there someplace I can go ...

        "This is shallow thinking at its most obvious."

        Sorry my friend, but I expect you'll eventually, probably after many years, conclude that Thomas Hobbes "The life of man in the natural state is solitary, poor, nasty, brutish and short." was a lot clearer thinker than Ayn Rand.

        I'm sympathetic to Libertarianism. Any reasonable person is. I'd prefer a universe where Hobbes was wrong. But in practice, everybody does what they want and it all works out simply doesn't work. If you want problems solved, you tackle them -- mostly one at a time -- instead of throwing up your hands and saying "It can't be helped".

        Right now, malicious web scripting is a problem. A serious one. Not a simple one. And it's getting worse, not better. I expect that Google and others will eventually try to tame it. They employee some very clever people. Maybe they'll succeed. But my bet would be otherwise.

        But thanks for at least taking the time to express your viewpoint -- unlike the general population of apparently inarticulate and I suspect rather dimwitted downvoters around here.

    2. JohnFen Silver badge

      Re: Is there someplace I can go ...

      "Is there someplace I can go to donate to a fund to eliminate the menace of website scripting -- not just Javascript, but ALL web scripting -- from humanity's future?"

      Oh, how I wish!

  5. joeW Silver badge

    "NPM Inc at the time banned the use of post-install scripts to run ads"

    I was tinkering with React recently and one of the packages I npm installed had a post installation message telling me that its developer is looking for a job. Technically an ad?

    1. JohnFen Silver badge

      That's certainly an ad by any reasonable definition. But I don't know if it's an ad by NPM's definition.

  6. Anonymous Coward
    Anonymous Coward

    Oh great, so all a hacker now has to do is change the package.json with a malicious link into the funding field link to divert funds.

    Rather than going to the developers website and having a link off there to fund. After all, if I'm adding a module into the code, I want to know about it, find out how it's supported etc.

    Who would trust the npm fund ... command?

    1. Anonymous Coward
      Anonymous Coward

      "all a hacker has to do.."

      All a hacker has to do is change the account number on all the money transfers in a bank and he will own all the money.

      You talk like this can be done in a hand wave.

      A hacker would have to steal the module developer's private keys or alter files in NPMs repositry to be able to compromise the module. And if that happens the fact that the "fund" commands points somewhere else is the least of anyone's concerns.

      1. chuBb.

        The functionality makes the repos very tasty targets, especially any which accidently publish private keys (happens a lot) plus spear fishing the devs and contributors of the project (cheers git (OK you should have a dedicated git spam address but still...)). While targeting the package distribution service would yeild equally good results, so you can popularity as a target will sky rocket.

        Far better to leave funding a feature of the projects home page I think

  7. Anonymous Coward
    Anonymous Coward

    If there's money involved, there is sure to be people who will (at least try to) abuse it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019