Dear NPM: Your Hands Are Full With Left Pad But I Can Help

Centralized JavaScript package registry NPM got pulled into a fight between the owner of a software package called kik and a chat program of the same name. The registry decided in favor of the chat program, and the unhappy developer removed all of his packages from the registry. The result was that software that depended on his packages broke.

It's worrying that so much of the software ecosystem depends on centralized software registries like npm, rubygems and pypi. They are sitting targets for motivated adversaries looking to insert rogue code into unsuspecting software projects, because they put a lot of eggs into one poorly defended basket. They also create needlessly complicated situations where the registry is put in the position of mediating disputes between third parties that would otherwise have other mechanisms for resolving their differences.

Package naming systems should be built on trustless blockchains to remove the incentive to attack registries and to force parties that have a dispute with a package owner to resolve it with that owner directly. A software package system built on the Bitcoin blockchain-powered Blockstack decentralized name system would be more secure, and would have more clearly defined and defensible ownership rights, compared to today's centralized systems.
