
> If my company has to be responsible for every line of code, we may as well own them.

Good luck with that… your company has the skills to reimplement node?

> but it's generally assumed FOSS developers aren't in it to screw consumers of their offerings actively

It's generally assumed they are in it to get screwed actively… but often that isn't the case.

> Linus could sneak a very clever backdoor into Linux

You are aware of a difference between writing a malware and deleting a project you own right?



> You are aware of a difference between writing a malware and deleting a project you own right?

You are quite correct; the npm ecosystem may be a special case since it has been built on a huge amount of trust-assumption, and the real issue there was that trust model, not FOSS in general. Still, in that ecosystem, unpublishing a module unilaterally that so many systems relied upon was, at best, negligent (morally not legally), showing a disregard for the concerns of those outside the fight with npm operators. In that context, the unpublish was more malicious than an adherence to the old "user beware" rule. Indeed, it would be hard for Linus to unpublish Linux, given the distributed nature of its hosting; unpublishing leftpad looks more like taking advantage of a mis-design in npm's package model to screw over thousands of third-parties.


The negligent part is relying on npm. If you want reliability then pay for it. Corporations crying about morality is just a smokescreen for them to avoid paying.


Most users of npm aren't corporations. They are individual developers or small operations taking advantage of a very clever ecosystem for distributed package management.

The leftpad stunt hurt everyone in that ecosystem. It was dropping a stink bomb at a party because the host had offended him, but everyone in the room got to suffer the consequences.


This software is provided 'as is'.

No one built it as a trust-assumption.

We all chose to trust because it allows us to look at ourselves in the mirror every morning and forget the free work we are exploiting. The problem is us. Not npm.


We chose to trust because it lets us all do more cool and useful things faster. All of us.

That's good! It's also necessary to operate at this scale, where any of us (not just corporations, but every hacker using a package manager) can operate with some minimum level of expectation that while packages might break from time to time, the breakage isn't malicious and everyone's incentives are aligned to minimize it and correct issues as quickly as found. Imagine what the ecosystem would look like if we couldn't make that assumption? The legal warranty allows for, say, Debian to start sneaking keyboard harvesters into the binary blobs that they publish alongside the source... What would happen to Debian users if they did? What would happen to the entire GNU/Linux desktop ecosystem if every package manager chose to do that?

If that trust were to break at scale (i.e. if stunts like leftpad's removal breaking everyone became common, or FOSS developers were to begin doing even more malicious things that the "as-is" legal providing technically allows)... We'd all do fewer cool and useful things, and companies with money would do more of them out of sight.

I don't think that's an improvement over what we have now.

So yes, the buck has always stopped with the last mile developer putting other people's software together into a solution. That is a necessary requirement to have an open source ecosystem at all in a legal environment that demands that blame be assignable somewhere. But if we all start acting like that legal constraint is the only behavioral constraint that matters, we don't actually get to have an open source ecosystem.


> We chose to trust because it lets us all do more cool and useful things faster. All of us.

Which is why I only use licenses from FSF: I want cool stuff I can use… I don't want my cool stuff to be used in cool stuff I can't use, or is used against me.

Anyway not inserting malware is not the same as "this is no longer maintained so I remove it to not be bugged about issues"



