Something New Is Brewing (medium.com/teaxyz)
45 points by rainworld on March 23, 2022 | hide | past | favorite | 10 comments


Interesting project, especially using the blockchain as a distributed package store. But automatically distributing payment according to the dependency chain worries me - it seems prone to abuse, and may deform code. E.g. one could split a project into needlessly many smaller projects, to capture more of the per-dependency disbursed payment. On the other hand, it encourages reinventing the wheel, minimizing your own projects' dependencies, to prevent sharing your payment with them.

While funding for open source is badly needed, we must be very cautious of how it changes motivations.


Not just reinventing the wheel, which is normal and generally ethical, but actual plagiarism.


I can’t see what chain they’re going to use but I see that Binance is an investor. That makes me worry that this will run on the Binance Smart Chain, which may be a low-energy chain, but isn’t decentralized and may give Binance too much control.

This is a concern with any blockchain that is chosen based on the number of validators and the staking mechanism.

Most PoS chains that are live today have a high degree of centralization. This may actually be best suited as a validium with known actors providing data availability (and companies self-hosting a node to hold the data themselves).


did anyone else groan when they saw that this is just more web3 blockchain-foo?


I certainly did. The whole thing is terrible: it has a false premise, its purported benefits are lies, and ultimately it will be a far worse system than what we have today.

> This has numerous benefits due to the inherent benefits of blockchain technology:

> Packages will be immutable (no more left-pad incidents)

This is a non-argument. Left-pad-tier pissing contests aren't really a problem anymore since NPM changed their deletion policy in direct response to the left-pad incident. The requirements to unpublish an entire package (not just one specific version) on NPM are now [0]:

> no other packages in the npm Public Registry depend on

> had less than 300 downloads over the last week

> has a single owner/maintainer

Can left-pad incidents still occur? Yes, but their blast radius is extremely limited. And I'd argue that this is an acceptable trade-off since the ability to unpublish packages is something worth keeping around for accidental screw-ups [1].

The real problem facing node (and other package-heavy ecosystems) is one not addressed by this in any capacity: malicious actors can easily compromise some tiny, insignificant package that nobody pays attention to but which is used by thousands of others by way of dependency creep, maintained by a dev who doesn't use 2FA (or who uses their cell phone for 2FA), and bam, you've just screwed up thousands of CI systems [2]. Imagine what could happen if malicious actors started using container escape vulnerabilities.

If your system is immutable, you just have to accept the fact that malicious actors can only be stopped by the developers regaining access to their accounts and publishing new versions of packages which roll back the changes, and that accidental screw-ups cannot be undone. This is a system which explicitly hands over power to those acting in bad faith, and is a complete regression from what we have now.

> Packages will always be available (we’ll use decentralized storage)

Again, see above with regards to immutability. But more than that, what exactly are they using? I checked the website but couldn't find out, but I'd bet that it's IPFS or similar, in which case, who's paying for pinning? Torrents are also immutable but there are millions (if not billions) already lost to time. How will this fare any better? Immutability means squat when half your files become inaccessible due to link-rot.

> Releases will be signed by the maintainers themselves (rather than a middleman you are told you can trust)

To this, I'd point out that supply-chain attacks are only becoming more common. If multi-national corporations can't secure their signing keys [3][4][5][6], how do you expect ordinary developers without a dedicated security team to?

And that still doesn't prevent disgruntled developers from trashing thousands of pieces of software by just uploading bad code - if you have the signing key, that's all that matters to the blockchain since you've followed the rules of the program.

> Note that no portion goes to us. We’re not like the other app stores.

Where does the money come from, then? Obviously, chain fees take care of that side of things, but someone has to pay for the website. (And web3 tends to attract absolute scumbags, but I'm not going to harp on that since I don't know Max's ultimate intentions.)

I find this system interesting since cryptobros typically speculate use cases and make wild claims for areas that they have no experience with, but Max Howell wrote Homebrew, so clearly he has some ideas as to the challenges of package management...

> I went back over all my old ideas looking for a startup idea I could turn into a business

Oh right, money talks louder than any morals he might have.

In any case, while funding for open source is a subject worth discussing, at the end of the day, the problem is corporations are acting in their own self-interest: why pay for something you can easily and legally get for free?

> we’re not changing the nature of open source. It’s still free. web3 has enabled novel new ways to distribute value, and with our system people who care about the health of the open source ecosystem buy some token and stake it.

People who care are the ones already contributing financially. You know what would really help open source? UBI. If you don't need a steady stream of income from randos on the internet to support your work (or work at a company who doesn't restrict you from contributing to FOSS in your spare time), it's a lot easier to contribute or even make open source your day job.

Hyper-capitalism will not solve the problem of funding open-source. If anything, it'll just make the problem worse because now you're depending on generous randos on the internet who know how to buy crypto and who are willing to spend it on FOSS (which will eliminate a lot of corporate donations). More equitable distribution? Perhaps. But overall, far less money will go into the system than does today.

[0]: https://docs.npmjs.com/policies/unpublish

[1]: https://news.ycombinator.com/item?id=19362297

[2]: https://www.bleepingcomputer.com/news/security/dev-corrupts-...

[3]: https://blog.malwarebytes.com/awareness/2022/03/stolen-nvidi...

[4]: https://krebsonsecurity.com/2014/10/signed-malware-is-expens...

[5]: https://www.theregister.com/2021/04/26/hashicorp_reveals_exp...

[6]: https://threatpost.com/d-link-accidentally-leaks-private-cod...
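To make the unpublish-policy argument in the comment above concrete, here is an added example (not from the comment, from npm, or from the tea project) that walks a `package-lock.json` and flags which resolved dependencies meet all three of the quoted unpublish conditions, i.e. which ones could legitimately disappear left-pad style. The lockfile and the registry snapshot are constructed sample data so the script runs offline; a real check would pull dependents, weekly downloads and maintainer counts from the registry.

```python
"""Flag lockfile dependencies that npm's unpublish policy would allow to vanish.

The three thresholds below are the conditions quoted in the comment above:
no other public-registry package depends on it, fewer than 300 downloads in
the last week, and a single owner/maintainer. Everything else here
(lockfile contents, registry numbers, package names) is constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageMeta:
    """Registry metadata a real check would fetch; constructed here."""
    name: str
    dependents: int        # other registry packages that depend on it
    weekly_downloads: int
    maintainers: int


# Constructed registry snapshot (not real npm data).
SNAPSHOT = {
    "left-pad":    PackageMeta("left-pad",    dependents=12000, weekly_downloads=5_000_000, maintainers=1),
    "tiny-util":   PackageMeta("tiny-util",   dependents=0,     weekly_downloads=120,       maintainers=1),
    "shared-lib":  PackageMeta("shared-lib",  dependents=0,     weekly_downloads=50,        maintainers=2),
    "popular-lib": PackageMeta("popular-lib", dependents=800,   weekly_downloads=90_000,    maintainers=1),
}

# Constructed lockfile in the package-lock v2 "packages" layout.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "tiny-util": "^0.1.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/tiny-util": {"version": "0.1.0", "dependencies": {"shared-lib": "^2.0.0"}},
        "node_modules/tiny-util/node_modules/shared-lib": {"version": "2.0.0"},
        "node_modules/popular-lib": {"version": "4.1.0"},
    },
})


def unpublishable(meta: PackageMeta) -> bool:
    """True when all three quoted unpublish conditions hold at once."""
    return meta.dependents == 0 and meta.weekly_downloads < 300 and meta.maintainers == 1


def lockfile_package_names(lockfile_text: str) -> set[str]:
    """Collect every resolved package name, including nested and scoped ones."""
    data = json.loads(lockfile_text)
    names = set()
    for path in data.get("packages", {}):
        if not path:
            continue  # the empty key is the root project itself
        # The text after the last 'node_modules/' is the package name,
        # which keeps '@scope/name' intact and handles nested installs.
        names.add(path.rsplit("node_modules/", 1)[1])
    return names


def at_risk_dependencies(lockfile_text: str, snapshot: dict) -> list[str]:
    """Names in the lockfile whose registry entry satisfies the unpublish policy."""
    return sorted(
        name for name in lockfile_package_names(lockfile_text)
        if name in snapshot and unpublishable(snapshot[name])
    )


if __name__ == "__main__":
    for name in at_risk_dependencies(LOCKFILE, SNAPSHOT):
        print(f"{name}: meets all three unpublish conditions")
```

The interesting output is usually short: most of a tree consists of packages with dependents or traffic, so the blast radius of an unpublish is confined to the handful of names the script prints, which is the comment's point.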


This reminds me of something that was on HN a while ago: something about how they made functions immutable, and the whole programming model came from that?? And then this gave rise to a bunch of packages with references, and a new way of thinking about dependencies...

Does someone remember something like this?


You might be thinking of Unison. https://www.unison-lang.org/


Turns out cryptocurrency and blockchain tech is a big deal and can really pave the way for open source creation. Who knew?


if only there were a way to have immutable packages without saddling it to web3 garbage


Oh god no

> relax, we’ll use a low-energy proof of stake chain

But someone will need to put up stakes. How long before you can bid to buy "is-odd" and everyone wanting to use it pays you a small fee? Crypto-style libertarianism and open source freedom are not compatible...



