Microsoft isn't asserting any sort of ownership - colors.js is licensed under MIT. Microsoft is free to make whatever changes they like and redistribute said changes. (But as was already mentioned, they merely dropped the broken versions and set the last working version as "latest".)
The person who holds the copyright doesn't own the storage for the repo. They agreed to a terms of service, which they almost certainly violated by pushing malicious code. Microsoft undid a change; that's not even derivative, it's literally the same code that the author published. To claim that Microsoft can't remove content from GitHub is wild.
While I agree that Microsoft has every right to deny service to the developer, ban their account and remove all of their repos, that doesn't mean that Microsoft has the right to forcibly seize the developers IP.
What action here constitutes the seizure of IP? The code was licensed under MIT. The developer is free to host it elsewhere and Microsoft retains no rights other than the ones explicitly granted to them.
Being the copyright owner of a piece of OSS doesn't give you control over every location where that software is hosted. For example, the developers of Python can't update the Python package in Debian's apt repo, Debian decides when to pull in new versions. (And if they want to add custom patches.) This doesn't mean Debian is declaring ownership of Python, they're simply distributing it in accordance with the license.
Just because NPM allows developers to self-publish doesn't mean that's a guaranteed perpetual right, and it doesn't mean MIT-licensed packages can't be published on NPM against the developer's wishes.
Licensing code under the MIT license (or any common FOSS license really) is the wrong move if you want to control where your software is distributed, and by who.
Who owns repo? The author has a right to package code, but he doesn't want have the right to use other people's platforms to distribute it. This is a lot like twitter bans isn't it?
The MIT license explicitly gives the entire world the right to distribute and modify and project licensed under it. The author isn't allowed any takesie-backsies. Everyone is well within their rights to host copies of faker and colors and any other MIT-licensed project in existence regardless of whether or not the author objects to it.
If the author didn't want third parties redistributing copies of their code, they shouldn't have released it under the MIT license.
Well I didn't explicitly license my tweets to allow that, so maybe not. But they probably are, anyway.
What's really the difference between "fork the repos and change the fork" and "seize and modify somebody else's IP without permission". It just comes down to the specific reference/name on GitHub and npm. I don't think there are any IP issues involved. I am pretty sure that those platforms have given themselves unlimited rights to do whatever they want with the identifiers inside their platform. You don't "own" a username on social media.
Maybe the worst that could be said is that they are impersonating someone, which might be illegal? IANAL as should be obvious.
I live in a country where copyright is automatic and inalienable, so I am aware. But what does seize mean in this context?
What is the difference, as far as the MIT License is concerned, between "fork the repos and change the fork" and what Microsoft is doing here? They are not seizing the copyright, if such a thing is even possible.
Licensing your code under an open source license is not the same thing as giving up ownership of your code.
Here's an example where a huge open source project must get permission from every coder who ever contributed before they can make a change to the licensing.
GitHub has always owned 100% of the project from the day the developer created their account. The developer owns the code, yes, but the account itself and the actual GitHub project structure is 100% owned by GitHub. From a legal perspective, it is a 100% GitHub-owned project that's a derivative work of the developer's code. Legally, the website is a derivative work, and derivative works are owned by the creator of the derivative work, not by the owner(s) of whatever the work is derived from. There are restrictions on what the owner of a derivative work can do based on the licensing of the original work (for example, GitHub can't merge GPLv2-licensed code and Apache2-licensed code hosted on their platform) but GitHub still owns the derivative work entirely.
For example, if I were to stand up a website using Apache httpd using PHP and Drupal, then the website is 100% mine but it contains code owned by the Apache Software Foundation, Dries Buytart, and Zend Technologies. None of those three have any rights over my website, even though they own the code I built it on. I still have to respect the licenses to the code I use—I can't make my own fork of httpd containing code I copy-pasted from a GPLv2-only project, for example—but the website is still my website.
Or for a non-code example, let's say I were to write Lord of the Rings fanfiction. As a derivative work, the fanfic is 100% mine even though it contains characters copyrighted by the Tolkien estate. I can't legally distribute my fanfic to people without getting a license from the Tolkien estate (but thankfully the Tolkien estate is willing to look the other way), but it's still mine, and the Tolkien estate can't just yoink my fanfic and publish it in an anthology unless I give them permission either.
NPM/MS/GitHub are distributing code consistent with the terms of the license provided to them. The developers (current lack of a) relationship with his (former) service provider doesn’t have any bearing on that.
If one doesn’t way service providers to distribute code they’re licensed to if other relationships are terminated, one should include those terms in the license under which they rel,ease their code.
