Node Foundation as stewards of packages #4120

@scriptjs

Description

The current situation with the distribution of node packages is unacceptable. NPM has provided evidence that there is a need for packages to be maintained by a non-commercial entity that can be trusted.
#3959

The issues raised in #3959 have led to other issues that need to be audited and reviewed in the relationship of the Node Foundation with NPM.

Regardless of what was in the license the fact that we didn't notice it was there is disturbing. We need to do a full audit and potentially change the way we distribute our LICENSE text to better match what compliance automation prefers.

Developers and companies that rely on the body of open source software require unrestricted access to the open source packages that were offered for distribution.

NPM is in the process of imposing terms that can restrict or discontinue your use at any time and has already included language that would allow changes to terms developers accept at any time without notice.

The changing legal landscape for accessing modules is made clearer by reviewing NPM's activity on policy changes here:

https://github.com/npm/policies
Most of what appears to affect users is in the open source terms: https://github.com/npm/policies/blame/master/open-source-terms.md.

You accept changes to these Terms by continuing to use npm Services. npm may change, suspend, or discontinue npm Services at any time without notice or liability to you.

Today, developers have no legitimate choice where to publish modules since all mirrors also replicate data from NPM. This is due to the fact that NPM grew organically with node. That said, it does not mean this cannot change or work in a better way for the future for the growing community of developers.

A repository operated by the Node Foundation appears the logical choice for this. This would bring module distribution closer to that of other open source languages and initiatives and provide greater control over manifest standards at the same time.

As a first step I am proposing that the Node Foundation seek donations for a CDN to host and distribute packages. PyPI, for example, is driven by Rackspace, which has donated its bandwidth and space. From this first step, developers can begin developing resolvers and tools to retrieve the semantically versioned assets from the CDN to eliminate the dependency on NPM.

The community can respond in turn with search services and sites that involve the broader ecosystem using the APIs of the CDN. This would create a healthier environment for open source and eliminate the risks inherent in being manipulated by a sole commercial entity.

Metadata

Labels: npm (Issues and PRs related to the npm client dependency or the npm registry.)

Assignees: none. Milestone: none. Projects: none. No branches or pull requests.