uWebSockets.js — beware of conspiratory morons and fake news
When old, wild internet speculation is your only “source” for yet new speculation, we end up with nonsensical conspiracy theories and slanderous allegations. Let’s correct them by using rational thinking.
Five years ago I created this project called “uWS”. Three years ago I moved it from NPM to GitHub, where it has remained since. The project has never been better off than it is right now. By now I have developed and released 18 major versions in total, all available free of charge for anyone to use, commercially or not. Performance and security have never been better, and there are more features now than ever.
Unfortunately, still to this day, some people are spreading speculative, nonsensical and slanderous stories regarding this departure from NPM. Even though I have publicly explained all of this before, many still prefer gathering around the sensational speculation and conspiracy-like theories. It seems way more entertaining to subscribe to a sinister conspiracy theory than to think rationally.
Manuel Astudillo has written a very confident post, based on nothing but angry Reddit speculation and his personal hatred for my leadership. He is speculating based on a speculation. This is garbage journalism. This is how fake news and slander happen. Unfortunately his post has spread, and has gotten way more attention than what it deserves.
Let’s go over his nonsense of a post and correct it by using rational thinking and reliable, credible sources. Who can reliably explain my own reasoning? Me? Or Manuel? Who is Manuel? Did he ever work with the project to begin with? Hilariously, no, he is entirely foreign to the project and has no inside information. Nobody does. He is not a credible source, and neither is an angry Reddit post.
Whoever made the decision to stop using NPM should know why. I made the decision, and I know exactly why I did so. The reason is far more logical and sane than the reason Manuel Astudillo is presenting:
If you are active in the Node.js community you have probably heard of a dispute between the author of a websocket library called uWS (https://www.npmjs.com/package/uws) and the NPM maintainers.
The dispute arose because the author was not willing to accept one of the core policies in NPM, that is, that all releases must be immutable. Implying that if you happen to screw it up and make a broken release you better do a new release as fast as possible to resolve the problem from the previous one.
The reason for departing from NPM was their Terms of Service. I find it repulsive, from a purely legal standpoint. Further on I find NPM to be a technically inferior platform. Remember five years ago? NPM used to take AGES AND AGES installing anything. That’s why Facebook made Yarn. Today NPM is slightly better, technically, but my decision was not made today and I still find their legal contract unacceptable.
The issue with NPM’s Terms of Service lies in their way of blackmailing publishers — you as publisher are to indemnify NPM without limit, yet you still have to trust NPM to make the right decision for you whenever, if ever, legal trouble comes your way. They ask you to hold a live grenade while their blind dog may or may not try to defuse it, instead of letting you defuse it yourself (which of course may or may not mean simply throwing the grenade to avoid being blown up!).
This alone is the main reason I left their platform. Anything else is made-up nonsense and retold Reddit speculation (on Reddit, nonsense with a high enough number of upvotes automatically gets promoted to “truth” even though it’s nothing but a snowballing misunderstanding. People upvote what is already highly upvoted because, well, that’s how mob mentality works).
Despite this inconvenience, immutability is a core feature of the npm ecosystem and for good reasons: without it you could not trust any package. How could you be confident of using a given library, if suddenly the version that you are using in your products and services could change in your next deploy? Not only could this break things, it could also introduce malicious code, trojan horses, or viruses. Remember that an npm package has the same restrictions on what code it can execute as your main program depending on it.
Here we can already see Manuel go down a path of arguing for something that nobody is arguing against. He is drawing incorrect conclusions based on incorrect speculation and ends up arguing about something nobody is opposed to.
Nobody here wants mutable releases. Nobody here is proposing mutating releases. This is a failure to comprehend the actual reasoning, and connect the dots properly. Manuel Astudillo is connecting the dots in a short-circuited way, skipping important considerations such as law and legal risk.
uWS’s author, in some kind of childish act of vengeance, tried to consciously break all dependent libraries and services by publishing an empty version of the module. Fortunately, the team behind NPM manually removed it and locked the package so that no further damage could be inflicted on its users.
Now we are speculating our pants off. None of this makes any rational sense. What would my motive be? What would I have to win from doing what Manuel claims I did? What would I lose? For “vengeance” to appear there must have been something I lost? What did I lose, Manuel?
When you cut and paste internet quotes from different chronological events, with bolted-on context, I can understand your total confusion. You can’t make any sense of it, but you still have this narrative fueled by hatred to complete, so you make up a story that paints a sinister enough picture.
You believe not what is logical and rational, but what feels the most accurate to your hatred and disgust of me as a person. Of course you won’t believe a logically sane story about a businessman wanting to minimize legal risk as his product becomes way more popular than he anticipated at first. No because that story would make too much sense.
History clearly shows that I did not lose anything. I still own the NPM account, I control it. If Manuel took just one second to actually follow his own link he would clearly see this. Who published the last version? What does it say? When was it published?
What happened in reality was that I had decided to stop using NPM, because of the above-mentioned legal issues. So instead of just leaving without any trace (I had no other social media) — I published a new release containing the README file, saying in big bold black ink “I don’t publish to NPM anymore, find me elsewhere”. Further on I had consulted with Libraries.io, gathering statistics for how many people were on what version. The statistics led me to believe almost everyone was on a fixed version (like they should have been either way).
As you probably can infer, my intention was to keep my user base by letting them know about the change, not to destroy it. Manuel has the story upside down, severely tainted by his sinister, slanderous narrative. Why would I want to destroy something I had built by myself for the last two years? It makes no sense.
This message worked great, many people got it and followed me to the new platform, GitHub. I also got in contact with many companies at this point. All in all I and the project gained a lot from transitioning like this, and most users experienced no issues, like I had planned. Many people have expressed their understanding.
However, a few users blindly shoved my text message in production without doing any kind of A/B testing, review or even a smoke test. So of course they got a temporary outage. These people were utterly irresponsible and I think this outcome speaks more of them and their lacking testing, than what it speaks of me. These are the people who scream the loudest in angry Reddit posts.
My code is free of charge, comes with no warranty whatsoever, and at the time was known to be of “unstable” status. Sure, my actions were somewhat unorthodox but they worked like magic. You might argue this was a mistake by me, I can agree to some degree, people make mistakes. I wouldn’t do this again, knowing what I know today. The important takeaway is I did what I thought was the best for the project at the time, not the worst.
This event alone says a lot about its author and should be taken as a warning sign in case you get seduced to use any of his libraries.
Whoever is to blame (no warranty), this happened three years ago. The majority of uWS has existed after this event. There hasn’t been any hiccup for the last three years and the project is better off now than ever. At some point you will have to let things go.
Some time has passed since this incident, and recently a new version of the package, with a completely new API, has been released by its same author.
Yes, three years have passed and the project now has 55 million downloads and runs in many successful companies and is widely praised as an excellent project. It keeps on getting new releases at a consistent pace, half a decade after initial release.
I will not go into the attitude problems the author has with the people writing issues or simply not agreeing with him. Insults and the like are the norm in his way of treating people, and ultimately he will ban you or delete complete issues if they are exposing any flaws in his library or how he behaves.
I, as owner of the project, will delete anything I find irrelevant, harassing or in any way annoying. It is a complete and utter lie that I would delete reports exposing flaws in the code. I welcome any such report with open arms. The best thing I know is when people find and post well written reports with AddressSanitizer failures. You can find several of those publicly available in the GitHub repository.
The project has received thousands of USD from Google for its open handling of security issues. We have a 95% fuzzing coverage and we use all sanitizers, even the optional ones. All security issues are handled publicly by Google and I have no ability to delete these. Your claims are entirely pulled from thin air to fit your narrative.
A typical example is with the very first issue https://github.com/uNetworking/uWebSockets.js/issues/155#issuecomment-504773584
Which was deleted when it was pointed out that some measures must be taken in order to have safe installs. With the track record of its author, I think that any measure you take is more than justified, where any production solution that depends on his library is at high risk of breaking at any time, and in worst case scenarios introduce trojan horses, viruses or the like.
I remember that issue. You posted about binaries being evil, and fanatically insisted on using NPM instead of the planned solution to use GitHub tags. I banned you because you wouldn’t shut up about your fanatical views of how NPM is the only true distribution channel and that all other ways are “impure”.
I’m sorry you didn’t get the message, but I banned you because you acted like an asshole and annoyed me greatly — not because I wanted to “hide any flaws in the library”. You are a true fanatic and there is no way in reasoning with fanatics. I would ban you again if I could.
Now that we have corrected the initial nonsense of Manuel Astudillo’s post, let’s look at his main argument, the meat of his post:
So without further ado let’s go through the main problems. It boils down to this:
For newer developers this may look like a harmless way of installing a package. However it must be pointed out that this is not installing the package from the NPM registry, but from the private github repository of the package author.
Right, it is not installing from the NPM registry because that was the whole idea of this transition — to not end up with balls-stuck-in-vice as per the NPM Terms of Service. You are correct, I do not publish to NPM.
The main implications of this are that, 1) the repository can be deleted at any time (not very unlikely considering past events), and 2) the tag pointing to a version can be changed to point to a different commit (not very unlikely either since this was the reason for the original dispute with uWS).
Ignoring the fact that you haven’t understood the underlying reasoning for moving away from NPM: arguing that a Git repository can be deleted or changed is like arguing Bitcoin can be deleted or changed. It is like arguing The Pirate Bay can be deleted. I know this takes a few brain cells to comprehend, of which you may be lacking, but the entire idea of Git is to act much like a blockchain — it achieves immutability not by central enforcement but by distributed, cryptographically verifiable clones.
You cannot “delete” or “change” something that is verifiable with a chain of SHA-1 hashes, is distributed and stored on every continent on the planet, has thousands of “forks”, is stored 250 meters into an Arctic mountain on Greenland and is used by many companies who have a significant stake in it.
I have no intention to remove this GitHub repository, but because of the distributed nature of Git, you don’t have to trust me (or even GitHub). You can simply move your mouse cursor up to the upper right corner and click “fork”. It takes five seconds or less. Now you have your own, distributed clone only you can manage. You are king and dictator of your own clone. Hundreds of people have already done so and you can clone their clones if you need to.
By referencing your own fork instead of mine, you are as safe as can possibly be. Of course you can also simply download the project and ship as part of your app. Nobody is twisting your arm here. The possibilities are endless.
This project is free of charge and you may do whatever you wish with it, as long as you obey the licensing terms. Nobody has an evil complex plan to destroy the world here. If you don’t like it, go away.
Also note the “No compiler needed” text. The author provides precompiled binaries, which, while being convenient for some users and platforms, has the added risk of not knowing if the binaries really correspond to the source code or a specific version of the source code.
Again with the brain cells; believing that binaries are some kind of magical containers of evil, concealment nobody can verify or understand, is exposing your severe incompetence in this, Manuel Astudillo.
You have the source code, you have the binaries. Let’s try and put two and two together here — what happens if you compile your own binary and diff it against the precompiled one? Do you think they will match? Of course you will never try this because you never do research.
The code being sponsored by companies of dubious legal and moral business such as “bitfinex” (https://en.wikipedia.org/wiki/Tether_(cryptocurrency)) does not make the thing more trustworthy either.
I do not think it is sound of you to present third-party allegations as if they were confirmed fact. Besides, this supposed argument reeks of envy and has no relevance to your main point.
If you still decide to use uWebsockets.js in production, you can minimize some of the risks by:
Fork the main uWebsockets.js repo and its 2 dependencies (uWebsockets and uSockets).
Build the package yourself instead of using the prebuilt binaries.
I agree with you on this, Manuel Astudillo. I would say it is enough to click “fork” as described above, but people are free to make their own decisions here.
Alright, this was fun.
Yeah, I really recommend everybody to read the post above, it states perfectly the nature of the character. Honestly, no pun intended, I think you need to seek mental help.
Fabulous response, Manuel Astudillo!