Hi! CTO of npm here. I haven't been reading HN today because we were trying to fix the SSL thing, so I was genuinely taken aback to see this article.
We didn't censor any comments; we did no moderation of any kind today. I have no idea what happened to his comment, but nobody at npm did anything to it.
Tough to give benefit of the doubt, but we're talking about Disqus here and I've had this sort of thing happen to me in the past. Willing to believe it could be an honest mistake. At least you know now to tread lightly if you were ever thinking of doing something like this.
I know you don't know me, but if you ever meet anyone who does, you can ask them about my personal attitude towards censorship of any kind. The idea that I would stoop to censorship for something as petty as somebody voicing legitimate complaints about a technical screwup of mine is laughable.
Sounds like a lot of misplaced "outrage" about nothing. You've done nothing wrong, don't let yourself feel like you did.
The internet is a weird place like this, where mobs can assemble in hours and stick you on their pitchforks for an imagined slight before you know what's going on. That's just the way it works, unfortunately, and the tech crowds are no exception.
To those who actually appreciate what these guys are doing: now would be a good time to pipe up and show that you support them and are not represented by the vocal minority who's currently getting all the spotlight!
Because their business interests very clearly align with HN readership not believing that they swept this comment under the rug, regardless of whether they actually did.
npm's business interest is very clearly aligned with making sure that HN readership understands how seriously some people regard this. It is clearly in their interest to publicly address the issue - anything that hints at trying to hide from that is against their business interest.
IMHO the allegedly moderated comment didn't have anything that hasn't been said in hundreds of other places (except perhaps the cheap shot about them smoking something)
Nobody is really talking about this massive betrayal of trust by the npm maintainers.
Make a mistake and deploy a backwards-incompatible change? That's negligent. However, mistakes happen and I understand that. (An apology would be nice.)
But deleting the most important and insightful comment is damn-near unforgivable. Especially when such a note was so reasonable, even-tempered and had such empathy for the npm maintainers.
As of today, I don't really trust npm, and trust is considerably important for package managers. If they expect to earn any of my respect back, it would take a sincere apology.
Your outrage seems rather misplaced. They screwed up their certificates, which caused a problem for people running the non-latest-stable nodejs.
They then posted how to fix this, and apologised for the problem.
Note to the wary: if you are running software that is version 0.10.25 in production, and complaining that things aren't "Ready for enterprise" then all I have to say is "no shit, look at the version number!"
If you aren't ready/willing to deal with a fast moving deploy target, then stick to Ruby/Python or better still JVM/.Net!
You're right, I was far too indignant. I can't say that I don't trust npm. I am a javascript developer, after all. For the most part, I have had a great experience working with Node.js and npm. Further, we were not affected by the bug at my company.
I hadn't seen seldo's apology when I posted, but they do seem very honestly apologetic. Like I said, I have nothing against them messing something up time and again, especially something that shouldn't break responsible production environments. Everybody makes mistakes.
The big red flag to me was the deletion of Rob's criticism. I know they must have been very stressed out, but it wasn't a good move. The industry needs to question if we can rely on these people, and kneejerk reactions like that don't earn any trust.
Nobody can deny that trustworthiness is a touchy subject as npm transitions into a real company. Node developers rely on the reliability of their development stack, and the reputation of node is largely in the hands of this organization. As npm changes and becomes more opaque, it will become harder for the open alternatives to keep up. If npm gets messed up, node does too. For developers working on production node projects, there is certainly something to lose. If the time comes that npm does need to be forked, the path forward will certainly be a bumpy one.
For the time being, I continue to trust npm for my js modules (and even with my "life", considering I have a few -g installed modules.) Like I said, developers working on node projects don't have much choice, but after reading their apologetic response I will continue to trust npm.
As per semantic versioning, 0.x.y is for development. That's not to say that code quality will be necessarily lower, but the API and functionality is expected/allowed to fluctuate prior to 1.0.0.
Your point regarding npm itself being beyond 1.0.0 is fully valid, I just wanted to clarify the reason for certain expectations existing based on version number.
Having looked, I can't find any link citing that one way or the other, but that doesn't change the fact that enough things these days do adhere to semantic versioning that many people expect certain things based on the version number.
node.js uses very non-semantic versioning. It's generally understood that a 0.x release isn't production-ready, but node.js is widely considered production-ready and in fact every even-numbered release below 1.0 is considered stable. That's a pretty arbitrary and nonsensical scheme if you ask me, but you're not. The bottom line is that backwards incompatible changes aren't expected for a 0.x.y release where x is even.
But "enterprise readiness" (whatever that means) which is what Rob the random commenter was talking about in his comment, seems silly on a runtime that is below version 1.0
Yes npm is 1.4.4, but node is 0.10.25. So an expectation of ANYTHING being "production ready" on a non-production ready runtime seems fraught.
I get that nodejs is high quality and it is run in production all over the place (I myself run it, and even meteor in production applications). But I understand there are risks and it's a fast moving target.
You're probably right. I feel the original article was itself in poor taste, but that is no excuse for me stooping down to the same lack of taste. Apologies.
Sometimes a technology's biggest detractors are its most fervent adherents. The drama, fuss, immaturity and irrationality is just off-putting and screams to everyone else "Do you enjoy drama? Do you want to be in the middle of trolling wars on Twitter? Please join us, with Node.js it all comes as part of the package!".
This isn't the only thing. The drama with Joyent fake firing that person who didn't want to accept some doc updates. Is that all? I may be wrong, but there is just no end to immaturity and drama. The people and culture associated with this technology is off-putting to me. Maybe others love it, good for them.
Passionate people create drama... which technology stack are you in that doesn't have drama? Because I can't think of a modern one that doesn't have some amount.
And the catch-all is of course Steve Ballmer's sweaty speech...
C, Go, Erlang, Python -- none have this level of drama and immaturity. Passionate people who are immature create drama. Passionate people who are mature don't create drama.
Python had "fork my dongle"... Two people got "actual fired" over an innocuous comment made between friends at a conference.
C is a different kettle, I suspect it had its drama time, but the internet wasn't around to amplify it.
Go and Erlang combined communities are a fraction of Node, python, ruby ones (individually).
Those that read into internet ranting and call it drama or immaturity, are simply displaying their own maturity. The vast majority of people in these communities are mature professionals... now and then you get a blowup, that isn't a reflection on the technology or community but the individuals involved.
I wouldn't hire him. In fact, I think he goes on an explicit no-hire list. And I definitely would have deleted the comment and banned him from making further comments.
The mass of people coming to his defense is a great example of why I can't take the JavaScript community seriously. The very first line of the comment screams "arrogant jackass" who won't play well with others and prefers to make his points through mockery and derision.
> I decided not to fight for changing something for the better today and quit. Why do companies lie? Why do ppl fear change?
I am not wise enough to be called a source of wisdom...but if you are in IT, and your company is not actively poisoning children or criminally violating you, do not quit out of professional principle without a backup plan.
Yikes. He seems to be in a really bad place right now. I don't think tweeting and acting like that are going to help his prospects though. He seems like a passionate person but I'm not sure he is communicating that passion in the best of ways. Hopefully things get better for him.
Oh, boy. A DSL line isn't sufficient to handle 150 people accessing the site right now. It may be slow, but it's not going to go down. It's powered by Node, the nodejs process is only using 56MB of RAM and about 40% CPU. I'm fine. My bandwidth is simply depleted. Have patience, and thank you for visiting. I need some bandwidth and a budget. Wow.
I'll never understand this when a $5 digital ocean VPS could perform far better, and probably a lot cheaper than the extra electricity he's burning at home.
According to a document published by the government where Rob lives [1], electricity rates are around 0.08 USD/kWh. We can assume Rob uses a computer at home anyway, and would have his DSL modem on anyway, so the extra electricity should be computed based on a single desktop being on for the extra hours per day that it might otherwise be put to sleep. Typical power consumption for a desktop box is around 90W if it is somewhat active vs. sleeping. There are about 730 hours in a month, but his computer would be on say 30% of the time anyway, so that's 511 extra hours per month. That comes to 46 kWh per month of extra electricity, which in his area costs about 3.68 USD per month.
So the price is slightly less, but the value for money isn't good with the home solution. Then again, unemployed people are sometimes known to make suboptimal economic decisions in terms of expected value, because they're optimizing for other things (e.g. being able to switch off a cost mid-month).
Because hosting it yourself is so much nicer and you learn so much more from it. It's not nicer in terms of connection speed (although unlimited bandwidth counters that a bit), but you just have everything under control. You can do and put anything on the server while being assured there is no BOFH nosing in your data, or someone social engineering the support team. I would not feel entirely safe storing private keys on a VPS.
I agree that from a business perspective, a VPS is the obvious winner. You don't get redundant hardware and fast internet at home for the same price as you can with a VPS. And if something goes down, you needn't be the one on call: your host fixes it all for you. But for personal hosting that doesn't need someone on call, I prefer hosting my own stuff.
And, especially on DSL internet, it's much nicer to have your data and backups in the LAN instead of having to up/download it all through that pipe. So if you have a server at home anyway, no need to get another VPS really.
Please, make it better. The last thing the JavaScript community as a whole needs is more fragmentation. You know JavaScript, why don't you contribute to NPM?
When that security bullshit happened with RubyGems a year ago, many members of the Ruby community pitched in and helped the RubyGems team get the site back in order, even making Chef scripts so the whole thing is repeatable. Now, RubyGems is more secure and runs faster than ever.
Thank you for posting this. I completely agree. We already have a package manager, there's no need to fork it and have to have 2 competing things when it's all open source and those with knowledge can contribute to make npm better.
The site’s hosted on a machine in his house, and is served over a DSL connection.
He says Node and/or Pulsar are doing well enough (150 connections using ~50 MB of RAM and 40% CPU); apparently he just doesn't have enough bandwidth to get everything out to everyone.
Hosted my own blog on DSL for years, I know the issues. He just shouldn't try to serve up half a megabyte of javascript over that connection. The Javascript is required though, so I'm not sure you can't blame Pulsar.
Not sure why, but HN user "IsaacSchlueter", who purports to be the comment thread moderator, posted an explanation/rebuttal/apology to the OP in this comment thread an hour ago.
> We didn't moderate away anything. I am literally the only person who CAN moderate those comments, and I was at a conference all day. 100% of my online time was spent working with my team to figure out the fastest path to a fix. We didn't realize the extent until way too late, and that's bad on us. I apologize. I didn't delete your comment. I'll look at the moderation queue and see if maybe disqus is set to auto-hide after some time or something. I'm sorry for the confusion there.
I was wondering if the rate of voting or the absolute value of the post's rating (it had a ton of upvotes) triggered a Disqus protection thinking it was a flame war, similar to flamewar protection on HN.
Funny. I saw this earlier on NPMjs.org and it had 22 upvotes, 0 downvotes. Does it say anywhere why, exactly, it was deleted, or do they just delete anything they don't like?
It's somewhat amusing to see him brag about how he's a self-sufficient bad-ass that can keep his site running because he doesn't use any hosting services and he wrote his CMS himself, and then when the site doesn't actually stay up he starts backpedaling and saying it's because it's on his home network and he threw the whole thing together in two weeks only spending a few hours each week and making it better isn't really a priority.
"I'm awesome because I built this kick-ass system."
"Yes, well, this system isn't working very well."
"Well it's not like I tried very hard."
The comment thread on his post is a trainwreck. The guy needs to learn when to shut his mouth. He even comes across as a total hot-head in the description of his last job on his resume. I'd feel kind of bad for him if he wasn't being such an asshole.
"I have been free riding on this piece of technology that is completely open and that I, if I were able, could help make better. Instead I'll just be condescending to the people who have spent countless hours of their personal time because something didn't work as I want/understood it to. Go me."