Potential Licensing issues with npm
What most developers using node may not realize, and that NPM has not shared with the community, is that we entered into a changing legal landscape for the use of our own packages recently. With the 4.2.0 LTS release, additional terms were inserted into the client package by NPM that include acceptance of NPM's terms of service, whether we use it or not. This also affects node 5.x.x stable. Versions of npm@2.14.0 or greater include the changed terms.
Rather than simply accepting a software license as had been the case in the past for the CLI software, everyone is now entering into broad and changing terms of service agreements without consultation, acknowledgement, or consent. It is deceptive and unfair on a number of levels.
https://github.com/npm/npm/commit/c2aa8b38ca4cb02b233113c6d926a0528c93bd4c
Further, additional terms are being incorporated with additional restrictions and providing NPM with additional rights including those of restricting or denying access to the repository service.
https://github.com/npm/policies/commits/master/open-source-terms.md
This is deeply troubling. I am requesting that the TSC discontinue bundling NPM in 5.x.x until this is sorted. I believe there are also legal issues being assumed by the Foundation to include the NPM client on the basis that users were not adequately informed of the changes nor what it meant when we downloaded what we believed to be MIT-licensed software. It appears we are now entering into wholesale acceptance of NPM terms without our knowledge or consent.
This includes use of your software for any reason or purpose whether it is open or closed source:
You own Your Content, but grant npm a license to use it free of charge.
That license allows npm to do whatever it needs to do with your content,
within reason, to provide and improve npm Services, for you and other users.
That license lasts, for each piece of Your Content, until the last copy disappears
from npm's backups, caches, and other systems, after you delete it from the
Website or the Public Registry.
I am also asking the TSC's legal team to provide advice to users of Node concerning the insertion of these terms that may change without our notice at any time. What does this mean for the LTS since the terms have undergone further changes since the release? Is the agreement enforceable on the basis this was done without our knowledge?
Simultaneously with this, I have requested the TSC to begin examining a decentralized approach to module distribution, which I believe is the future. Systems like dat can be used to provide scale for module distribution without centralizing control over our software under a single commercial provider. I see a possibility of this working in a way that is analogous to Apache mirrors. dat is completely decentralized and works in a similar way to git, except for binaries, and can be used to fetch dependencies.
https://github.com/nodejs/node/issues/3955
NPM is currently an upstream project and the TSC has no control over it other than deciding whether to continue bundling NPM or not even when there are issues that impact its users.
https://github.com/nodejs/node/issues/3949
This is unacceptable in many ways since package management is critical to the node user experience. A decentralized approach (as opposed to what today is centralized) for module distribution is safest at scale. The Web itself was designed around this philosophy and it is a useful model for the scale of node.
I believe it is better for the TSC to determine the future of node – where the community and not NPM is at the center of determining and applying metadata standards that serve the interests of developers. This future can evolve with es6 and with the purpose of moving away from a legacy of being served by a single upstream service that puts developers, module delivery and the node project at odds with each other.