  • >> All right!

  • You're tired?

  • You're hot, it's been a long day.

  • Shake it out a little bit.

  • Shake it out.

  • All right.

  • Here we are.

  • So, I'm going to talk about economics of package management, and more specifically in open

  • source.

  • It's - I'm going to tell you a story about who owns the JavaScript language commons,

  • how we got into this situation with the JavaScript language commons is by someone, and why we

  • need to change it.

  • This is a story about money, ownership, and control, as much as it is about JavaScript.

  • I am going to tell you this story.

  • I'm going to tell you the version of the story I know how to tell.

  • I'm one human being with imperfect knowledge as a point of view, so this story is not the

  • only story anyone could tell about it - not by a long way.

  • I could tell you a good version of one slice of this story because I was part of it.

  • I was at its heart, because, until last year, I was CTO of NPM Inc.

  • This gives me an expertise on the topic few people in the world have.

  • It also comes with a point of view, and I'm going to invite you to keep my point of view

  • in mind as you hear this story.

  • You're in this story.

  • Yes, you.

  • I bet you didn't know you were part of this story.

  • You will know why you're part of it, and you will know why your participation matters when

  • I'm done with this story.

  • It's a story about money, people who have money, and people who make money from open-source

  • software are not the people who - it's the story of an accidental decision that you made

  • without knowing about it, and one that I made consciously, and how that decision is working

  • out today.

  • So it's a story about ownership, control, and their consequences.

  • It's also a story about power: who has it, how much of it you have, and what you can

  • do with it.

  • Are you ready?

  • [Cheering].

  • All right.

  • Here we go.

  • Do you remember Yahoo!

  • A story kind of starts with Yahoo back in its glory days in the mid-2000s.

  • JavaScript was the heart of a lot of JavaScript activity back then.

  • It employed a lot of thought leaders like Douglas Crockford, if it was pushing state

  • of the art forward.

  • It might not have had a good business plan but it did have a good tech stack.

  • It had a package manager called YPM and it did neat things.

  • People who used it liked it.

  • About at the same time all this was happening, and, you know, action and Yahoo, JavaScript

  • was itself kind of taking off, and in an interesting way, thanks to things like jQuery, and browser

  • makers deciding to adhere to a common spec for once.

  • JavaScript exploded.

  • Server-side JavaScript was starting to be a big topic, and it was here in 2009, ten

  • years ago, where Dahl announced node.js and that turned out to be the JavaScript platform

  • we wanted on the server.

  • Now, the early Node community was a happening place.

  • It was a scene.

  • It swept up a whole bunch of interesting people from systems programming and web programming,

  • and people who really enjoyed being at a bleeding edge ecosystem where a whole lot of stuff

  • hadn't been invented yet.

  • Several of the people involved early on figured out earlier on that package management would

  • be a pretty great thing, and there were a bunch of package managers, plural, being written

  • - yeah, more than one.

  • One of these people was a Yahoo employee.

  • He was super into Node.

  • He quit his job so that he could write something inspired by the Yahoo package manager but

  • for node.js, and this particular programmer was clever in a couple of really useful ways.

  • For one thing, he got really super involved with Node, and this let him work on the Node

  • side implementation and his package manager at the same time.

  • He could make installer work right, and he really championed the common JS implementation

  • that Node has.

  • He did other stuff to beat other package managers, going around to other managers to support

  • pull requests of his rather than the other one.

  • Pretty smart.

  • His was good enough and useful enough, the right solution, supported well enough so that

  • it won, so that the node package manager, or npm, was put along with node rather than

  • a third-party thing that you downloaded.

  • Official status granted by the Node Project continues to today.

  • Right about this time, bought Node from Dahl for a paltry amount of money.

  • You notice we're already in interesting economic territory.

  • The man who invented node.js, the tool used by everyone in this room, and millions of

  • people daily to develop JavaScript, made a few tens of thousands of dollars from it.

  • Whoever is making money from Node today, it's not its inventor.

  • He did at least make a living after selling it, because he was hired, which is pretty

  • good, and the joint also hired the programmer who made Node's package manager, but, important

  • plot point, he retained ownership of it.

  • He retained ownership of the npm domain name and source code.

  • He didn't turn it all over to Joyent the way the Node source had been.

  • This decision matters later, so, in the it.

  • The open source doesn't mean open ownership or control, it means you get to read the source

  • for something.

  • And the ability to read part of the source from something doesn't mean you can change

  • that source.

  • It doesn't give you any control over it, what it does, or what it .... The story moved forward,

  • you've probably heard this part before, 2012, Dahl leaves the npm project.

  • Right up about here is where all of you start appearing on the scene, or some of you anyway.

  • You're JavaScript programmers.

  • You like writing JavaScript.

  • If you can write a tool in JavaScript, you will.

  • So you started writing JavaScript with Node, and you liked it.

  • Meanwhile, people like me, who are kind of mixed about JavaScript - don't tell anyone!

  • - I figured out that Node was handy for writing I/O multiplexing services and thought this

  • is fun.

  • As 2013 went on, more and more people got on the Node train and Node got popular.

  • It meant npm got pretty popular.

  • That's great.

  • Right?

  • Well, no.

  • Success is a catastrophe for a lot of projects.

  • It's a catastrophe you need to survive, and success for npm was a catastrophe.

  • Here's why: npm's package registry is centralised.

  • It is not just a CLI tool that grabs the code and puts it to your hard drive and do modules.

  • The CLI probably is the least important part of the machinery despite how frequently you

  • interact with it.

  • Npm is most importantly to all of you a centralised package registry and a repository.

  • Right from the beginning, the registry was there running inside a CouchDB database

  • on the same domain it is today.

  • Registry is just a list of all the packages you can install, their authors, anywhere names,

  • their versions.

  • The repository part is the part that stores all those packages in a centralised spot.

  • This is pretty great, because it makes installing them fast and reliable.

  • Someone is working on making that central repository zippy.

  • There's a lot to unpack there.

  • Centralisation is what we are talking about here, and centralisation has some advantages.

  • The npm registry is centralised.

  • It comes with usability wins.

  • You only need to go to one place to look for something.

  • That one place can enforce some rules about the things you're looking for that they all

  • look the same, that they provide the same kind of information, maybe they don't even

  • vanish on a whim when their owner gets bored.

  • Centralisation has advantages that matter to you.

  • I've been doing Go programming lately, and it's weird.

  • It's very strange to try to find Go packages, because they're everywhere, and the only way

  • to find them is Google them.

  • You look at these old-fashioned lists of really exciting Go packages, the thing that Yahoo

  • used to do, like a hand-made list of things.

  • When I install these packages, I is that you will from GitHub repos I can just vanish.

  • So I have expectations that come from having used npm for eight years, and Go doesn't meet

  • any of those expectations.

  • The absence of a central registry for Go has helped me understand what NPM provides every

  • JavaScript programmer.

  • Centralisation is such an advantage that it is a trend.

  • Blogs were something you used to host on your own.

  • You used to buy your own domain name and spin up a server and host a blog.

  • Through the last ten years, there's been this big trend towards centralised hosting platforms.

  • You know, things that can provide a reliable place for you to put your blog, like MySpace.

  • Yes, Tumblr, Medium, social media centralised, Twitter and Facebook, and open source is even

  • centralised.

  • So, okay, npm is a centralised registry for the node packages.

  • In 2013, it wasn't great.

  • Why?

  • Downside of centralisation is that costs are centralised.

  • Downside of npm's registry is that all that use centred on a single database with a ... inside

  • it.

  • Here's a fact of the world: servers cost money.

  • Who pays for them?

  • For years, Node manager ran on donated hosting.

  • It was written with help from some of the people involved in implementing CouchDB, and

  • it freeloaded on a bunch of CouchDB hosting services, treated as an ad for Couch - they

  • continued to host Node's package manager, and then it wasn't so cheap.

  • Success, the catastrophe, is expensive.

  • You all started using Node and that ad stopped being cheap the other various lazy short cuts

  • in implementing the registry starting have an effect once the registry saw some real

  • use.

  • The registry was down more than it was up in 2013.

  • Npm needed money.

  • It needed a maintainer who didn't ignore it for a day job.

  • This is not a particularly new problem.

  • Every language ecosystem at some point if they have a centralised package registry also

  • has this problem.

  • Ruby Gems cost money to run too, they run on donations.

  • CPAN, they solved their problem 20 years ago with a network of mirrors, a lot of smaller

  • language ecosystems, some by freeloading on GitHub, public repos, like CocoaPods and

  • others.

  • What npm's owner decided to do was pretty novel: he decided to found a company.

  • This is possible because he still owned it.

  • He founds his company, npm Inc, and he takes seed funding.

  • And here's our decision point: Node Project decided this was fine.

  • They continued to give npm special privileges something they bundle along.

  • I don't know if there was internal controversy about this because I wasn't part of it.

  • Node Project was entering its moribund period around this time, so maybe decision was made

  • through inaction, I don't know.

  • They continued to affirmatively decide that's what they want to do every year since then.

  • You decided this was fine.

  • You voted with your feet.

  • You kept using the npm registry.

  • But CJ, I hear you say, I wasn't around then.

  • You weren't around, then.

  • Then.

  • You inherited this decision.

  • You don't know it was a decision.

  • Npm is out there as a fun question fact of JavaScript life.

  • You might not have known it was a company at all, right?

  • At the time, it was pretty controversial president the company that had been hosting npm was

  • really pissed off about it.

  • They ended up raising a bunch of money the same time the VC money came in, and there

  • were lawyers involved.

  • I don't know much about this.

  • I just know that npm exited the node messily.

  • Later, npm exited Joyent's hosting because they were also fighting.

  • I don't know, money: it changes everything.

  • Friendships made when it is all just open source fun, end under the strain of competing

  • for dollars.

  • Here's another thing: I decided this was fine.

  • I decided to let JavaScript's language commons be owned by venture capitalists.

  • I didn't frame it that way to myself, though.

  • The decision I told myself I was making was the decision to contribute what I could to

  • making Node successful.

  • As a huge Node fan.

  • I really liked programming in Node.

  • I still do.

  • That was the first place I had ever participated in open source.

  • So, npm Inc is a company, has VC money and started hiring people.

  • The first person they hired at - I second hire was me.

  • I wanted to make it go better.

  • I told the story - I was told the story by the owner that we would to make it self-sustaining

  • take, and the servers would hum along happily dispensing packages for the masses forever

  • and ever.

  • I ended up leading npm engineering team.

  • You know this part of the story.

  • Large numbers are very large.

  • You install lots of packages.

  • Npm was successful, it scaled, and Node exploded as a result.

  • You started using Node to do everything, and npm is now an unquestioned part of your work

  • flow.

  • You reinvented web development in ways you wouldn't do before npm was there, reliable,

  • providing shared code.

  • Lucky it's some kind of utility.

  • It's the highlight of an excellent career.

  • I'm still pretty proud of it.

  • Let's pause here.

  • We're at the zenith of node's package manager.

  • Let's talk about money.

  • I love money.

  • Why isn't Ryan Dahl living on a tropical island?

  • Why isn't James Halliday retired on a tropical island he lives on now?

  • Why isn't Dominic Tarr living in a yacht instead of a sailboat?