It seems like the problem here stems from the project owner taking the source code as-is and essentially re-licensing it as proprietary, which is a big no-no.
For context, when NodeBB faced this possibility, we simply contacted every single contributor and asked nicely if they'd assign over their ownership of their contribution to us (note the use of the word "assign", not "license", a license is revocable, an assignment is not).
Future contributions by new parties required signing of the same Contributor Assignment Agreement.
All in all it took us under a week to secure the assignments, and any who did not sign we simply rewrote their lines of code, or we would have, but everybody signed.
The bar of effort to clear is so low to avoid this kind of controversy!
Reason we went this route: we wanted the flexibility to deliver a proprietary version of NodeBB for those clients that needed it. We get asked often whether there's a difference between the proprietary version and the open source version, but there isn't, it's just for legal reasons.
> All in all it took us under a week to secure the assignments, and any who did not sign we simply rewrote their lines of code, or we would have, but everybody signed.
I've always heard about this possibility but I wonder how one would rewrite code, should the need arise. Wouldn't it be hard to do without effectively making a derivative work?
Suppose that you remove the code, reimplement it but end up with something that's extremely similar to the original (which is very likely since after all you're doing the same thing). Couldn't the original author argue that it's still their code? How do you prove that you did the work and just happened with the same code because that's just the most straightforward way to do it?
It seems like the only way to avoid the problem altogether would be to have some sort of clean room design:
- Dev A reads the code to be removed, writes a spec for the functionality.
- Dev A removes the code.
- Dev B takes the truncated code and the spec and implements the feature.
But that seems very painful to do cleanly, in particular one could argue that B should be a third party who is not intimately familiar with the codebase, otherwise it could be argued that they knew the previous code.
> I've always heard about this possibility but I wonder how one would rewrite code, should the need arise. Wouldn't it be hard to do without effectively making a derivative work?
This is an issue GNU has faced, they recommend optimizing for different things:
> If you have a vague recollection of the internals of a Unix program, this does not absolutely mean you can’t write an imitation of it, but do try to organize the imitation internally along different lines, because this is likely to make the details of the Unix version irrelevant and dissimilar to your results.
> For example, Unix utilities were generally optimized to minimize memory use; if you go for speed instead, your program will be very different. You could keep the entire input file in memory and scan it there instead of using stdio. Use a smarter algorithm discovered more recently than the Unix program. Eliminate use of temporary files. Do it in one pass instead of two (we did this in the assembler). — https://www.gnu.org/prep/standards/standards.html#Reading-No...
> The Symbolics source code was available at MIT, where I was entitled to read it, and at first that's how I found out about their changes.
> But that meant I had to make a special effort to solve each problem differently, in order to avoid copying Symbolics code. After a while, I concluded it was better not to even look. That way I could write code in whatever way was best, without concern for what might be in Symbolics' code.
> How do you prove that you did the work and just happened with the same code because that's just the most straightforward way to do it?
This was a factor in Intel's case with NEC over the microcode of their 8086 clone, and the judge ruled in NEC's favour, finding that similarities dictated by functional constraints were (subjectively) not creative expressions i.e. copyright did not apply.⁽¹⁾
Note this relates to copyright, does not extinguish patents, and actually relying on this precedent may require bottomless legal resources.
We debated internally about what this would look like, and in the end we decided that should the need arise, the process would be:
1. A commit to plainly remove the functionality (or lines of code)
2. A developer would rewrite the code with a set of variables they cannot use, but I suppose they'd also code without the original implementation as reference.
Each individual developer's implementation should be different enough that it would be easy to tell that it was independent crafted, although something like this hasn't been tested in court (at least to my knowledge!)
The way this is sometimes done in industry, when the copyright owner is known to be litigious, is for developer A to read the code and write a spec. Developer B writes the new implementation based on the spec. If B has any questions, she cannot take to A directly, the questions are routed through a lawyer to make sure that nothing copyrighted is exchanged. (that last part might be overkill, but if the other party is Oracle you might want to use it).
If the developer who does the rewrite uses the original as a reference, it will be likely that enough of the structure will creep through that the project will be at legal risk.
Something that always gives me pause: what would happen if a developer removed a bunch of code? That can of course take a significant amount of time/energy/skill in itself, and is presumably copyrightable work. But, how could it possibly be re-done?
This is an interesting question. I'm certainly not a lawyer, but it's not obvious to me whether or not removals of code would be copyrightable. If Dev A writes 1000 lines of code, and Dev B carefully removes 20 specific lines that are unnecessary or introduce bugs, the resulting codebase consists entirely of Dev A's code, but Dev B might justifiably claim to deserve credit for their effort. I'd like someone more familiar with copyright law to chime in.
Here's my understanding. I'm not a lawyer and don't know a lot about copyright or derived works either, but the "creativity" thing comes up in discussions sometimes.
If you give me a sequence of integers from 1 to 1000 (which is not a creative work and therefore not copyrightable), and I selectively delete some of the integers such that the differences between adjacent numbers contains a fun message in ASCII, and publish that sequence, the result is copyright because those particular deletions add a creative element.
But if I just deleted every alternate number in the sequence, that wouldn't be copyrightable because it's not creative. (Although you can imagine some scenario when doing so might be creative, it would need some reason why it was.)
Basically, if Dev B does a change that passes some threshold of creativity, then they have a claim. If they just go through and delete all the blank lines and reformat in a standard way, they probably don't.
In your example, I think it would depend on which 20 lines and whether they were trivial changes to figure out.
Thanks! We did this with guidance from a lawyer, but didn't check to see how other projects handled it. I'm glad to see we followed the lead of other similar projects.
There is no Dev A and Dev B, just Dev 1 renaming the variables so none of the words are the same LOL. Could probably make a plugin for IDEs to do this automatically called "uncopywrite" or "breaklicense" which does it automatically. Maybe it already exists? I kid... but doesn't it all seem a bit ... stupid?
> It seems like the problem here stems from the project owner taking the source code as-is and essentially re-licensing it as proprietary, which is a big no-no.
> For context, when NodeBB faced this possibility, we simply contacted every single contributor and asked nicely if they'd assign over their ownership of their contribution to us (note the use of the word "assign", not "license", a license is revocable, an assignment is not).
This is certainly the correct way to do hit. However, in this specific case, it appears that as of the current code, not many external contributions remain.
The author of the original issue in the meantime forked the repo and continued to document the issue there [1] as it was being constantly closed, but as is evident from his own `git blame` analysis, most of the contributions are from staff, and the external contributions are basically negligible.
There's one author with 30 LOC, one with 10 LOC, and the remaining 12 contributors average less then 4 LOC each.
With some of these minor contributions there is probably a debate about threshold of originality to be had: something that's not protected by copyright is in the public domain.
IANAL, but my understanding is that simply reverting the contributions by these folks, and then independently reimplementing them should make the full copyright to be owned by the original author.
Could anyone comment here? What's the threshold for this?
I am also not a lawyer, but I have heard conflicting advice from different lawyers about what qualifies as "independent" so if the stakes are high, tread carefully.
If you wrote most of the code yourself and received only minor contributions (which is common for most OS projects) it is possible to remove those contributions and rewrite them, legally it would be hard to challenge.
We almost had to do this once for our own proprietary codebase as we discovered during due diligence that we didn't have a proper copyright transfer agreement from several of our interns. Fortunately we were able to resolve this with them (by paying them some extra money to sign a CLA), if it wouldn't have worked we would've removed and rewritten the code instead. It's silly but legally it's doable.
Of course this strategy doesn't work if a large part of your codebase originates from third-party contributors, but from my experience Github projects receive mostly small/cosmetic PRs from non-core developers (not saying that those contributions are not valuable btw).
I had the same when I ported the gruvbox theme (that was for vim) to emacs. I used the same license and also added full credit, since the elisp was mine but the selection of colours wasn't.
One contributor decided to fork straight away and then link to it in an issue rather than adding a pull request. Eh, whatever, I didn't like it so much at the time but we came to an agreement, and the person who forked did a great job maintaining the theme.
It became popular enough that some more prolific emacsers caught wind, and the project became more integrated. As you might know, emacs is hardcore GPL, so this basically demanded a relicense. This was a few years after I started the project back in 2013 (I think), but I got pinged on the issue and messaged privately, and that was enough.
Turns out it wasn't necessary at the end of it all, but the process was quick and easy. Everything was cordial and I still have my name attached to it, which I guess is nice.
> Nit: Licenses are not by definition revocable. They can be revocable or irrevocable.
Not: Gratuitous (not contract) licenses are, by strong legal precedent, revocable by notice at will by the licensor. The content and context of the license (including the statement that it is irrevocable) may impact the effect given to revocation due to other legal principles, particularly promissory estoppel, but those are separate from revocability.
It's perfectly possible to take in software project contributions under license, rather than assignment, without fear of losing rights at the drop of a hat. Apache does it. Eclipse does it. Nearly all the major companies stewarding open projects do it.
I'm not aware of any substantive distinction in the words "revocation", "termination", or the like, except with specific reference to 203. The question is whether you can show license if they plead infringement. In practice, they'll often plead breach, too.
Bare copyright licenses are largely theoretical here. If the terms of a unilateral grant include assurance of irrevocability, thats a strong fact for reliance and estoppel. If there's any question what the terms meant, it will be resolved by rules of contract construction, because it's not a public statute, and contract rules are the rules we have. There is a default rule, when the terms are silent, but it's just a default.
I don't have a horse in this race, but I've become curious. Can you identify the cases and jurisdictions that provide this strong precedent? I.e. who has successfully cancelled a permanent irrevocable license, even having provided it gratuitously? If true, your claim would seem to make some of the principles open source licenses are based on untenable. I would think I would already be aware of that.
Replying to myself after a very brief search (IANAL, so responsible readers should be skeptical). This seems to have been a common concern around the turn of the century (sufficient to prompt 'abundance of caution' warnings to require copyright assignment in GPL'd projects from none less than Eben Moglen), it seems to no longer to be thought likely to succeed in litigation. Bruce Perens seems to feel that Jacobsen v, Katzer is the dispositive precedent in US. Useful layperson's summary at https://www.zdnet.com/article/what-happens-if-you-try-to-tak...
The question of whether or not you can revoke an open source license would go away if the people writing the licenses would say in their licenses that they are irrevocable or perpetual or in perpetuity.
I have not been able to figure out why so few major ones do. Of the OSI approved licenses, I think the only ones that say so are AFL-3.0, AGPL-3.0, APL-1.0, APSL-2.0, Apache-2.0, CATOSL-1.1, ECL-2.0, EUDatagrid, EUPL-1.1, GPL-3.0, LiLiQ-P-1.1, LiLiQ-R-1.1, LiLiQ-Rplus-1.1, MulanPSL-2.0, NPOSL-3.0, OCLC-2.0, OSL-1.0, OSL-2.1, OSL-3.0, RPSL-1.0, SimPL-2.0, Simple-2.0, UCL-1.0, osl-1.0, osl-2.1, and the Unlicense.
Only AGPL, GPLv3, and Apache 2 from that list are really widely used.
Much less talked about than whether or not you can revoke a license, but probably as important for most open source licenses, is what happens if rather than trying to revoke the license you try to stop issuing new licenses?
Take GPLv2. Suppose I license some code I own to Alice under GPLv2. Later Alice gives a copy to Bob. Where does Bob's license come from?
GPLv2 says, "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions". GPLv3 has similar language.
If I say that I'm no longer going to issue licenses, and sue Bob for copyright infringement, what will his defense be?
He could argue that my license to Alice obligates me to issue a license to him. That falls under an area of law called the law of third party beneficiaries. Commonly you run into that in situations such as life insurance. I enter into a contract with a life insurance company to benefit specific third parties named in the contract, and that gives them some rights to sue to enforce the contract even though they are not a party to it.
I haven't seen much analysis of how the law of third party beneficiaries would work when applied to an open source license, but I'm not optimistic it would do much. Third party beneficiary rights tend to be weak at best if the third party is not a specific entity that the contract was made specifically to benefit. Someone downstream from Alice might be too vague to be a third party beneficiary, and it probably gets worse the farther downstream they are.
How about Alice? She could probably intervene to force me to honor my license to her and issue Bob a license. That's still going to put a damper on downstream redistribution. If you want to use the code without much legal worry, you'd need to make sure you got it from someone who would be willing to intervene if you got sued by me.
As with the revocation question, this too could be avoided be better drafting of the licenses. It's not a problem for Apache 2, for example, because the Apache 2 license grant is "a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form".
The key in there is "sublicense". When Alice gives Bob a copy, Bob can get his license directly from Alice via her use of the sublicensing right I gave her.
I think that the only widely used open source licenses that do this are Apache 2 and MIT.
The GPL family specifically says that you cannot sublicense. I think they did this because they did not want people using sublicensing to give out licenses that did not include all of the GPL rights. Better would have been to allow sublicensing but to explicitly say that when you sublicense you must include all the rights that were in the license you received from upstream.
>>> Take GPLv2. Suppose I license some code I own to Alice under GPLv2. Later Alice gives a copy to Bob. Where does Bob's license come from?
There is some case law around that in France. A software company makes GPL software or library, a contracting firm uses/modifies it, reselling the result to some clients.
In 2 cases I am aware of, the final client was the government and sued the contracting firm for breach of contract (the GPL is a contract) and won. (Winning is relative of course because the client can't use the software they paid for anymore and years are passing by in court).
The contract creates a chain of contractual responsibility, which I am not an expert in, but as far as I understand it opens any party to being sued by any other party.
Yes it means that GPL developers, by giving an open contract to anybody who is willing to take it, are pretty much opening themselves to be sued by the entire world.
In practice you sue for a purpose (maximizing damages :D) so the purpose guides whom to pursue on which grounds.
Now to answer your question... what happens if you decide to cancel the license? Well, you can't unilaterally cancel a contract on a whim.
> The question of whether or not you can revoke an open source license would go away if the people writing the licenses would say in their licenses that they are irrevocable or perpetual or in perpetuity.
Since the entire issue is that gratuitous licenses are, as a matter of law, revocable by notice regardless of their surface conditions, no, it wouldn't.
Such terms may make downstream licensees more secure that, in the event of revocation, courts will limit the effect of that revocation to avoid them incurring undue loss based on their reasonable reliance on the promises in the licenses while it was being offered under principles like promissory estoppel, though.
You keep making the claim that it's settled law that, regardless of license terms like permanence and unrevokability, any gratuitous license is trivially revokable by the copyright owner. Once again, I ask that you cite the jurisdiction, case law and precedent that you're basing that on.
Edit: it just occurred to me that even if that is true, its salience here might depend on what "gratuitous" means and whether it applies to the license in question. (I reiterate that IANAL, so usual cautions). Proponents of copyleft licenses would claim that licensor and -ee are both receiving value. The licensor receives the value of improvements and enhancements to their original work while the licensee gets access to the base system and permission to modify it to their needs as well as sharing the licensor's protections and value on their own contributions. There seems to be a plausible argument (reminder: IANAL!) that an exchange of value has occured.
Heather Meeker has written about "direct licensing", without rights to sublicense, in at least one of her books. I'm sure she's mentioned it somewhere online, too.
The Blue Oak Model License takes reliability a step beyond even Apache 2 and GPLs, with an express statement of irrevocability (in plain terms) and an express statement that terms are both conditions and contractual obligations. https://blueoakcouncil.org/license/1.0.0
If you're really down in the weeds, probably best to send me up an e-mail.
> I would also like to hear that. It sounds almost like if Linus wanted to cash in, he could just revoke the license? I doubt that.
That would be the implication only if Linus was the sole copyright owner.
As it is, no one is asked to assign their copyright when contributing code to the Linux kernel, and the amount of code still remaining in the kernel that Linus has personally written himself is a rather small portion.
So if Linus were to "take his ball and go home" as it were, the affected code could be replaced.
That said, the multiplicity of contributors that retain their copyright to their contributions is also why relicensing the kernel to GPL 3 is largely a non-starter, even if Linus weren't opposed to it (and he is).
Note that "license" is a US concept that does not exist in Europe. Licenses here are systematically interpreted as full fledged contracts and fall under contract law.
Have to point out how this seemingly minor point in parenthesis really highlights how the comment is wrong and misplaced for a good chunk of the world.
P.S. Not trying to criticize here, just pointing out that copyright is vast and complex.
Well, it exists in the UK and, I'm fairly certain, Ireland.
> Licenses here are systematically interpreted as full fledged contracts and fall under contract law.
Do contracts in your jurisdictions not require mutual consideration or are licenses without mutual consideration facially defective? And is this gratuitous licenses in general don't exist or just in copyright?
Long story short. US contracts (common law) require consideration (both parties give something to the other). License couldn't be contracts because they give rights without getting anything in return. That's why it's a separate concept.
European contracts (civil law) don't require consideration. Thus there's no need for a separate concept of license. (Allow me to skip the Europe vs UK debate for brevity ^^)
In practice, we don't think much about failures of consideration in the US, at least outside of law school. Even without any stated exchange in the terms of a license, courts have obligingly found one for the licensor-plaintiff in surrounding circumstances. See Jacobsen v Katzer way back when, Artifex v Hancom more recently.
We do have rules for unilateral contracts and induced reliance, but they don't seem to come up much.
Jacobsen v. Later found a lot of interesting things, but the existence of a contract based on what otherwise would appear to be a gratuitous open source license doesn't appear to be one of them (at least in the Federal Circuit decision where that doesn't appear to have been an issue in dispute; there is a passing reference to consideration when discussing another issue, and it's clear that the District Court ruled -- and the Federal Circuit reversed on this point -- that the case should be resolved under contract rather than copyright terms, but it's not clear from the Federal Circuit that the District Court ruled this way basses on the existence of a contract or based on the general legal principle that, but for the areas of legal distinction between bare licenses and contracts, licenses are applied based on contract law. And the Federal Circuit reversal wasn't based on anything which would distinguish those, but on finding that the conditions in the Artistic License were valid as conditions rather the covenants, leaving bare copyright claims available in the event the terms were violated.
Artifex v Hancom also doesn't seem to offer much, since that there was a contract doesn't appear to be a point in dispute.
From the Federal Circuit Jacobsen opinion, summarizing the action below, which to that point was motion practice on preliminary injunction:
> ... The District Court found that Jacobsen had a cause of action only for breach of contract, rather than an action for copyright infringement based on breach of the conditions of the Artistic License. Because a breach of contract creates no presumption of irreparable harm, the District Court denied the motion for a preliminary injunction.
>
> Jacobsen appeals the finding that he does not have a cause of action for copyright infringement. ...
The appellate court vacated and remanded.
In its analysis:
> Traditionally, copyright owners sold their copyrighted material in exchange for money. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. For example, program creators may generate market share for their programs by providing certain components free of charge. Similarly, a programmer or company may increase its national or international reputation by incubating open source projects. Improvement to a product can come rapidly and free of charge from an expert not even known to the copyright holder. The Eleventh Circuit has recognized the economic motives inherent in public lenses, even where profit is not immediate. See Planetary Motion, Inc. v. Techsplosion, Inc., 261 F.3d 1188, 1200 (11th Cir.2001) (...).
Summing up the issue at bar:
> The heart of the argument on appeal concerns whether the terms of the Artistic License are conditions of, or merely covenants to, the copyright license.
In construing the terms of the license, the Federal Circuit explicitly references state contract law:
> Under California contract law, "provided that" typically denotes a condition.
Artifex v. Hancom is important in part because there wasn't any real dispute on contract enforcement. But the license at issue was GPLv2, whose author, the FSF, had long insisted it was just a license. From the terms:
> You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
In the order on motion for partial summary judgment, the court notes:
> The license was not free in the sense that there was no consideration owed under the agreement.
It then cites Jacobsen on "lack of money changing hands".
Later:
> Plaintiff gave away its Ghostscript program in consideration for the user making its software open source, which Defendant does not dispute it did not do. The record supports a finding that Defendant received a benefit (the use of Ghostscript) at Plaintiff's expense by depriving Plaintiff of the value of having Defendant's software open source.
Oops. Artifex was a GPLv3 case, not a GPLv2 case. GPLv3 section 9 is a little different:
> You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
Speaking generally, the vast majority of writing I've seen about "bare licenses" that aren't also contracts comes from theory, and particularly early, FSF-affiliated theory. Not practice. Not courts.
There was activist fear about the dark power of contract law, as opposed to just copyright. And some political lobbying about the kinds of rules copyright owners should be able to impose and enforce under copyright law. They wanted to distinguish EULAs and NDAs—contract, bad—from licenses—good. Arguably, Moglen and friends were overtaken by legal decisions on both fronts.
Nimmer, our go-to treatise on copyright law, more openly acknowledges the deep links between copyright and contract law. Despite the fact that in the US, copyright law is federal (national) law and contract law is primarily state law.
For the vast majority of people and firms, all of this is political trivia.
If a project is licensed under the AGPL, does that mean contributions to it are also licensed under the AGPL?
Hypothetically if all the contributions were public domain code included in an AGPL project, then wouldn't the maintainer be within their rights to include those contributions in a closed-source version of the project?
You cannot change the license on code that is copyrighted by another party, unless that other party has already licensed you to do so (e.g a release under version x of some license may permit licensing under the terms of later versions.). The whole point of open source licensing is to prevent future releases from being under more restrictive licenses. Copyright holders always have the option to change their own licensing, but they do not have such freedom if their code is a derivative work, especially if their access to the other work was through an open source license.
That much I understand, but what's the default license if the contributors didn't specify a license with their contributions? Is it implied that their contribution is licensed according to the full project's license?
Much of the discussion is assuming that because the project was AGPL, then the various contributions were AGPL as well. Whether or not that's the case is my question.
IANAL, but my understanding is that if their contribution is a derivative work (as most would clearly be), they would be subject to the same license restrictions that restricted their access to the original project. I.e. they had no permission to create the derivative work, and thus no right to release it under any license. If the contribution isn't a derivative work, then the project shouldn't be accepting it without a copyright assignment or license.
If you contribute to a GPL project, your contribution is licensed under GPL, but it's your copyright, not the project owners. The Contributor License Agreement transfers the copyright from you to the project owner, so they may re-license (or dual license) in the future.
Assuming the project specified the license as AGPL, the contributions would be under AGPL as well.
Note that the project currently doesn't state any license (there's no license.md). No idea if there was a license specified before when the contributions were made.
> The whole point of open source licensing is to prevent future releases from being under more restrictive licenses.
That a point of copyleft licenses. It's not a point of permissive licenses. Providing a certain degree of freedom to the direct licensee is the common shared point of open source licenses, permissive and copyleft.
There is no canonical set of purposes behind any license, copyleft or permissive. The license drafter had their own goals in mind, but their terms get repurposed by others.
Even very popular permissive licenses have been written with contribution front-and-center in mind. See, for example, the contribution-related terms of Apache 2. The definition of contribution. The built-in CLA. The compromise on scope of the patent grant.
Fair point on the semantic vagueness of "open source", I'll exercise more caution. However, I think it was clear in context what category of licenses I and the main conversational thread are referencing.
Can you please cite some examples of copyright licenses which were revoked unilaterally at will and in what circumstances. Note not legal theories to the effect that this is so, actual cases of revocation.
> For context, when NodeBB faced this possibility, we simply contacted every single contributor and asked nicely if they'd assign over their ownership of their contribution to us (note the use of the word "assign", not "license", a license is revocable, an assignment is not).
1. Could you expand on how you asked the contributors and what reasons (and justifications) you gave them for it?
2. Didn’t they feel like their work was being “stolen” (sorry for using such an extreme word) for proprietary use?
> All in all it took us under a week to secure the assignments, and any who did not sign we simply rewrote their lines of code, or we would have, but everybody signed.
IANAL, but this doesn't make much sense. Changing all lines that come from a single author can still result in a derivative work. In fact that even seems like a probable outcome, assuming that author's contributions were copyrightable in the first place.
I guess the proper process here is that one starts with the code as it was before the contribution, with a ticket describing what needs to be done, and writes the missing code. Preferably this is done by a person who never saw the contributed code. Then you merge all future commits on top of this.
If there are merge conflicts, it can be a lot of work for small (== no) gain, but it would put you in clear.
Barring something like a `git revert` (which depending on age of the commit might not even be possible), I would imagine a manual revert done to the best of your ability (followed by a rewrite) would be considered a good faith attempt.
Whether or not this would get you into legal trouble is left as an exercise to the reader. IA(also)NAL.
Something I wonder, doesn't require copyright assignment reduce the number of contributions? What is the philosophical standpoint behind requiring copyright assignment, wrt. being part of the OSS community?
A copyright assignment gives power to the project owner to end up relicensing all those contributions as proprietary, effectively extracting free labor from contributions that were originally written under the implicit social contract of being part of the OSS community and all the Good Things that come with it.
Some larger companies are concerned that they will be 'caught' by the Open Source licences and either be forced to release their proprietary code or face a legal challenge. As a result, some companies have a blanket rule that any code has to either be written in house, or come with a clear purchased licence granting them the right to use it.
I can't recall who it was now, but I remember reading about an open source project that makes considerable money from selling these licences, even though they weren't necessary (the licence was MIT). The licence even had an explanation around it stating (paraphrasing) "Hey, this isn't required, but if it makes you feel better, you can pay for it".
Was it sqlite that you were thinking of? It's public domain, but offers licenses.
> The core SQLite database software is in the public domain. No license is necessary to use SQLite or to build SQLite into your products. However, licenses are available to satisfy the following needs:
> - You want indemnity against claims of copyright infringement.
> - You are using SQLite in a jurisdiction that does not recognize the public domain.
> - You are using SQLite in a jurisdiction that does not recognize the right of a authors to dedicate their work to the public domain.
> - You want to hold a tangible legal document as evidence that you have the legal right to use and distribute SQLite.
Your legal department tells you that you have to purchase a license.
It makes sense to nearly everyone who has contributed to GNU projects, as GNU makes that a requirement for significant contributions (i.e. those that aren't likely already owned by GNU as trivial and thus derivative changes). Remember that if what you are creating is a derivative work of the original, which it very likely is, you copyright on your portion of the work--if it even exists--is of little value to you outside the context of the project.
One other concern that is important here is that if the need or desire to litigate the license ever occurs, inability to clearly show ownership hampers an effective argument (or at least makes it less clear) and might make the license terms expensive or impossible to enforce. As copyright owner, it's your decision about whether and on what terms you want to participate in a project, but the project does get to decide on what terms it requires of contributors. I'd argue that a strong reluctance to share one's work under fairly common terms in the Open Source community only means that you're not a good candidate for working on such projects. Not that there's anything wrong with that.
Correct me if I’m wrong, but I don’t believe you need full ownership to show standing. It would be sufficient to show partial ownership from some of the copyright holders just to establish standing.
i'm not competent to explain standing requirements, but I did say that it would be more difficult, not impossible. While I certainly agree that license issuer probably has standing to sue or defend, I also think that any complexity around who owns what would necessarily complicate discovery, potentially add other litigants to the case, and provide an opponent with more colourable arguments that they don't have standing. The goal of litigation is frequently just to make even a doomed case too expensive to continue (far too often! lobby for Anti-SLAPP in your jurisdiction). I'd think complex ownership questions would be a boon for that sort of cynicism.
I should also mention that there is another remedy to that concern (which I don't necessarily agree is that big of one) is another cultural component of the OSS world: forking. If the party you assigned your copyright to (and remember this would almost always be to a project not an individual), you have the option to carry on (or lobby for other developers to carry on) the project from that point under the GPL, one of whose main points is to guarantee your right to do that. Given the way the community would tend to react to such an attempt, a forked project would almost certainly end up being the new de facto standard.
I use GPL precisely so that others cannot appropriate the work without contributing back. If I was okay with the outcome you describe, why not just use MIT in the first place?
Because with the GPL you can still obtain the source code for any changes made to your original work if they want to put any software made for it public. GPL'd software is required to have the source available under GPL to anyone it is distributed to. You can merge any of this code back into your work, as it has to be GPL licenced.
With the MIT licence they can distribute proprietary software based on your work and not have the source available, as this is not required with the MIT licence. So you have no way to get the changes or improvements other parties have made if they choose not to give them to you.
Take what I am saying with a pinch of salt, others can give a better explanation. I'd suggest looking it up yourself.
If you assign copyright to the other entity (the hypothetical under consideration) they have no obligation to follow the GPL and release sources for their later proprietary additions.
Hi! I want to respond to you personally, because we did have someone raise a bit of hell about our CAA for these reasons. They did not have any contributed code, however. They were just a vocal third party.
In the end, if they have opposition to the CAA, they don't sign it, and we make sure that we don't merge pull requests whose contributors have not signed the CAA.
You have a moral opposition to the concept of the CAA or a CLA, and that's perfectly fine, it just means you will not be able to contribute to NodeBB. Unfortunate, but our butts are protected and your rights are not potentially infringed upon.
Why do you need a CAA/CLA? The common reason given is to have standing in an infringement dispute. But for that you just need some ownership, which you have. The reason for full ownership is to be able to relicense. That’s what I object to, and I don’t see why a project specific group with partial ownership like NodeBB needs that. What protections are you seeking?
To be clear though, the context was that you found your own work had included the work of others and THEN went out and sought their copyright assignment. This isn’t someone seeking contribution. I fail to see why they would agree to that.
You seem to be asking "why not do something harder instead of something easier." If that's not what you mean, try rephrasing? If it is what you mean, the answer should be obvious.
No, this is not what I meant. Alternatively, I'd consider full rewrite as potentially an easier action than untangling individual rights.
Imagine a person A worked on a project together with persons B, C..., and over time they all have dependence on each other code. If B, C etc. at some moment changed licensing of their code, but person A didn't, 1) A's work will become at least partially meaningless, as it depends on B, C... work 2) B, C... would be in violation of previous agreement with A (as at least some of their code depends on A's code).
Even worse, assume A doesn't want to significantly modify the project structure, and starts talking with B, C... asking them not to change the license. While it's formally possible to find last modifier for each line, it doesn't usually make much sense from programming logic point of view. So, NodeBB seem to get quite lucky getting everybody - at least everybody with complex contribution - simultaneously changing their license terms in accord. I'd assume in general it could be easier to rewrite all code.
Because we value the work our contributors have made to NodeBB. To rewrite to code would be (besides being hard) essentially to replace the attribution of the code from the original owner to a company employee, etc.
When a contributor assigns their contribution to us, we own it in a legal sense but we still very much want to let others know that they did it.
As someone who has over the years participated in and released many an open source project, and still maintains one, I don't like the framing in some of these HN comments of the Octotree maintainer as The Bad Guy.
Obviously, it is unethical and most likely illegal to unilaterally, summarily claim copyright or relicense other people's contributions, and I appreciate the matter-of-fact tone taken by the issue opener and the other commenter.
However, I think it's obvious this isn't a scammer using open source as some kind of get-rich-quick scheme, putting in minimal effort into a fake open source project to attract highly valuable contributions in order to relicense them and make money off of other people's hard work. This someone who in all likelihood put blood, sweat, and tears into their project, gave it away for free on GitHub, accepted code contributions from people who in all likelihood were deriving a lot of value from Octotree (or else they wouldn't have had a pet issue they needed fixed in the first place), and has since grown frustrated by the time and effort costs, and the comparatively paltry returns.
Is their frustration causing them to lash out in a damaging and unproductive way? Certainly. Is it okay to renege on the implicit agreement with contributors that their contributions be under the terms of the AGPL license, and act as if those contributions were of negligible value? Certainly not. Is the maintainer right in their feeling that the value of those contributions is most likely less than the value given away for free to those contributors? I mean...probably.
I must really commend the noncombative, factual tone taken by the issue opener. And I hope the maintainer comes to their senses and deals with this problem the right way, by simply asking people nicely: https://news.ycombinator.com/item?id=24954772
I agree with nearly everything you've said, except I would suggest that the maintainer himself started the framing of him as The Bad Guy.
The thread has changed a lot since I first saw it, but right out of the gate the issuer opener was matter of fact and mostly respectful, and the maintainer called him a spammer and a troll and deleted his and other's stuff.
I can't imagine you could do much better if you wanted people to think you're The Bad Guy.
It's been my observation over the years that there are people who troll for this sort of thing and they are good at saying things nicely but then they don't actually meet the criteria of being anyone who had their "rights" violated or are willing to do anything other than "go away" when the license is finally reapplied after harassment over a minutia with no actual harm being proved to an individual. They may be technically correct about the license concerns, but the absoluteness and blaming they do isn't worth the outcomes.
I just closed the repo I'm working on to the public and will not be making it Open Source moving forward as I originally intended. I've been through this before myself, and it's just best to leave my code unlicensed and copyrighted by me. I'm grateful this ugly beast reared its head and reminded me how much vitriol non-contributors can deliver.
I just closed the repo I'm working on to the public and will not be making it Open Source moving forward as I originally intended.
I'm really sorry to hear that, and while it is obviously 100% up to you, I hope you to reconsider.
Every contribution to The Commons furthers the public good. Unlike the busybodies who care more about lecturing people about following the "rules" of "Open Source" to the letter, than about the spirit of fostering contributions to The Commons to further the public good, you clearly understand what actually matters.
Don't let the annoying minority keep you from doing something you know will make a positive difference in the world. If you set clear boundaries and stay matter-of-fact, the public overall will back you.
In the same spirit as the 4 "non-Free-Culture" Creative Commons licenses, I encourage you to check out non-open-source PolyForm software licenses, including a noncommercial license, a free trial license, etc: https://github.com/polyformproject/polyform-licenses#license...
Every contribution to The Commons furthers the public good, regardless of whether it's technically "Open Source" according to the Debian mailing list.
A DMCA takedown can only be sent by the owners or someone acting on their behalf. (Though, microsoft is more than fine on making exceptions for the RIAA in the case of youtube-dl I doubt they will make an exception of individual devs)
Legal twist: Since the project is under AGPL, this technically makes anybody who downloads/uses the project a copyright owner (you have the right to make copies), thus anybody could send a valid DMCA request to the repo.
Obviously we're a bit in uncharted territory and there's some nuances and things vary by jurisdiction, it should be receivable one way or another, and it would take 10 years in court to really determine it.
That is absolutely not how the AGPL nor (US) copyright law works. If I license someone else to make copies, they do not become a "copyright owner". You are allowed to make copies of the versions of the work released under AGPL, but not newer versions not released under those terms.
>>> ... but not newer versions not released under those terms.
That's exactly where shit gets really complicated ^^
1) The software couldn't be relicensed in the first place because there are parts for which they don't own the copyright. Can't relicense something you don't worn. The attempt to change the license of the software is void at best.
2) The AGPL is contagious, forcing all future contributions to be AGPL as well. Their claim that contributions started being under another license at some point is void, because these contributions were necessarily under AGPL.
Notice there's an interesting conundrum in how the two elements interact and create a deadlock. It's on purpose, the GPL/AGPL is meant to prevent relicensing.
It's copyright violations all over the place. There's gotta be a thousand and one ways to make them accountable. You could personally start redistributing/reselling the software assuming it's AGPL so you get some grounds and go after them for saying it's not.
I have never heard of octotree before this, I haven't used it before, I don't plan to use it, and I don't have any stake in the outcome.
Thus, that said, as a completely disinterested party, the Octotree maintainer really does appear to be doing his best to come off as The Bad Guy. All of his behavior in the relevant Github issues looks like someone who is having a tantrum and wanting to take his ball and go home.
So, while I pretty much totally agree with everything you've written, especially the part about "I must really commend the noncombative, factual tone taken by the issue opener" it's also hard for me to fault others who are letting their annoyance show when simple, factual requests are met with tirades of assholery.
I share your view in part, but I think you've ignored the basis for which the maintainer is reasonably understood as a malicious actor: it's not the overreaction, it's the deceit.
They said that they had conducted a complete rewrite. There is no reason to do this other than to mislead and create a self-serving false narrative.
And what is the malicious act? To get rich off of the highly profitable code in those pull requests?
The "deceit" is saying whatever to get people to go away, not to hurt anyone, or to profit off of anyone else's hard work. The right thing to do is just to ask people to assign copyright (see eg https://news.ycombinator.com/item?id=24954772 ), but lacking the maturity do what a responsible adult needs to do is just immaturity, not malice.
You're correct that the motive is important in assessing the act, but so is the willingness to correct the issue when notified of it, and the manner in which one responds. "Immaturity" rapidly loses any cachet of innocence when it persists in the face of experience.
More important than motive is the real impact caused by the act. And the realistic harm caused by the refusal to ask people nicely for copyright assignment or to rewrite those contributions, other than to this person's own reputation, is pretty insignificant.
This person just wants everyone to go away. It's disrespectful to the community, ill-mannered, and utterly graceless, but I find it hard to call it malicious.
Copyright ownership is not a matter of your opinion. It is settled law, mutually recognized by the 179 countries (out of the 195 in the world) who have signed the Berne Convention [1]. Copyright ownership is established as soon as a work is "fixed in a tangible medium of expresssion" [2]—in other words, as soon as the contributor wrote it on their laptop. The "author" entry in the package.json file is irrelevant.
> The author IMHO can relicense their code to whatever their like.
Assume it's true and consider what it can lead to. Person A writes code under GPL. Person B extends that code significantly, also under GPL. Person A relicenses his code to a closed source.
Now person B, of course, is the rightful owner of his own extensions, but they don't make sense without person A's code. So suddenly person B's work greatly decreases in value.
I'd assume it's not as simple as just relicensing one's own code; other contributions, depending on that, should be taken into account. Or you can't just relicense.
While broken, I suppose this is what would happen:
1. Person A writes project X under GPL
2. Person B extends project X under GPL
3. Person A removes all traces of contributions from project X and releases under non-GPL
4. Person B rightfully continues to use project X under GPL, possibly even hosting a fork and continuing collaboration.
(I'm not sure if step 3 is feasible - while person A is free to use their own copyrighted work however they please, it might not be possibly to legally erase all trace of foreign contributions.)
---
What normally should happen is that Person A needs to contact all contributors, and have them agree to the relicense their contributions. If all authors agree, then there is no issue. However, step 4 still applies - everyone receiving the code under GPL is free to keep using (and distributing) it under GPL.
Only contributions done to the relicensed work will be uniquely protected by the new license.
If you have released a work under GPL, that work stays under GPL. The term "relicensing" here means that going forward, new new works will be released under new licenses. So version 1 can be GPL, but version 2 can have other terms. We often don't think of new software releases to be independent works, but they kind of are.
Nothing can change the fact that version 1 was released under the terms of the GPL, but that does not mean you can use version 2 released under different terms.
Edit: this is assuming the maintainer is the primary author of the code. The current guidance from the FSF and other organizations that you need support from the authors of 95% of the work.
My understanding is that such relicensing rapidly becomes impossible once there are more than a very few significant contributors. Most proponents of Open Source licenses would consider this a feature, not a bug. In any event, this is one of the reasons that maintainers of major projects (including GNU, IIRC) frequently require copyright assignment as a requirement for copyrightable contributions.
> Most proponents of Open Source licenses would consider this a feature, ...
Indeed ...
> ... maintainers of major projects (including GNU, IIRC) frequently require copyright assignment as a requirement for copyrightable contributions.
... and many folks, including myself, refuse to agree to any such agreements.
Personally, I'd prefer BSD, MIT, or similar anyways but... if a project is GPL, one of the best ways to ensure that it remains GPL is for individual contributors to retain their copyright on any contributions.
Take those paragons of open source, VMware [0] and the "open-vm-tools" [1] project, for example. For a variety of reasons, various components are under different licenses:
> The code is being released under GPL v2 and GPL v2 compatible licenses. To be more specific, the Linux kernel modules are being released under the GPL v2, while almost all of the user level components are being released under the LGPL v2.1. The SVGA and mouse drivers have been available under the X11 license for quite some time. There are certain third party components released under BSD style licenses, to which VMware has in some cases contributed, and will continue to distribute with open-vm-tools.
Okay, so it sounds like it's all open source and should remain that way so I shouldn't have any concerns about contributing bugfixes, enhancements, patches, etc., right? Wait for it...
> Do I need to sign something before making a contribution?
> Yes. We have a standard contribution agreement that covers all contributions made to the project. It gives VMware and you joint copyright interests in the code you are contributing. The agreement also gives VMware flexibility with licensing and also helps avoid any copyright/licensing related issues that may arise in the future.
There it is. Nice choice of wording, by the way: it gives VMware "flexibility" with licensing and "helps avoid any copyright/licensing related issues".
VMware certainly is fond of "flexibility with licensing"' as history has shown.
--
Besides all of the other arguments, I think it's completely absurd that an individual should be required to enter into a one-sided legal agreement with a large corporation just to contribute some code -- even just two or three lines -- that they've already written and just want to give away.
Person A still have the IP of the software IMHO, so person A can do whatever with the software. Person B still have the latest-before-relicensed software, person B can fork or create new software based on latest-before-relicenced software.
Similarity like Qt software company doing the relicenced thing and Illumos project keeping latest-before-relicenced software.
This is not true: person B owns the copyright to his/her contributions. As soon as person B added code, the copyright of the project no longer belonged solely to person A. And that's not a matter of opinion but legal fact.
It would however be possible for person A to remove all contributions of person B (and possibly rewrite the same functionality).
If you have received any contributions, no matter how small, then you are no longer the sole author.
All copyright holders must agree in order to relicense unless all such holders signed a contributor license agreement which signs over all rights to the original author, and as multiple contributions have been made.
Every single contributor must be contacted, and they must all agree.
(Also, of course note that relicensing does not invalidate previous licenses - if I have a copy from when it was under AGPL, then nothing will ever change that.)
I didn't flag your comment below, but just to be clear, at least in the US the law considers any individual contributor to be the copyright holder of their own code. They can assign or license it to someone else, but they're the original copyright owners of that code.
the deletion notices in my screenshot were from streaming updates, hence why it shows the deletions but also the comments before the deletions. I've been watching the thread since it was posted to HN, and I can say that there is no deleted comments at the time of when that archive was made
Discord attachments are deleted (almost) immediately from the CDN when you delete the message that included them, so these links aren't very stable. I tried archiving them through Wayback Machine but you can't archive image links, so I uploaded them to Imgur as well.
Right, but when you delete an image from imgur you know the image is going away.
Years ago Discord wouldn't delete images uploaded as part of a post, they'd just get garbage-collected at some random future time. (And some would leak indefinitely) Thus, people got used to sharing these around and not caring about the original message.
Now it's near-instant as the message delete operation sends a Google Cloud delete API immediately. But people still share these around without knowing that. We don't know where those links originated so it's both a disclaimer and a mirror.
Posting that you don't respect the underlying license really is a great way to look guilty as hell:
> This is not true. If it was true, just use the code from master and make the "small changes" yourself and stop with the spams, simple, isn't it?
Completely ignoring that they are stealing other's contributions that were AGPL licensed to use in their proprietary application.
Even worse in the now deleted comment where they pull a "we didn't, but if we had it would have been fine", which is pretty obviously the defence of a guilty party.
Edit: Now they are claiming that they paid "most" of the other developers who contributed, further underlining the fact that they don't have the copyright for at least some of those code they are using.
This is precisely why even if you accept 5 lines of code from someone else (and they're not willing to get compensation from you), you can't change the license of that code. This is what CLAs are for. (IANAL)
Ahh, is that when you need a CLA - when you want to later change licence? I was wondering about this (unrelatedly) earlier - since it's generally only large companies with a spattering of big non-company-owned projects that want CLAs.
Does it matter if the change is to a more or less restrictive licence, or just any change?
For most big-company CLAs, when you sign the CLA you either give up copyright of your contribution or you explicitly provide an irrevocable license to the target to use your contribution in any way they want, depending on the precise wording of the CLA. (The latter is more common these days.) In either case, you don't get to complain if your contribution is relicensed later.
And no, it doesn't matter what the new license is.
If the people from Octotree is reading this, I would recommend you address the accusations rather than deleting people's comments and calling them "trolls."
Even if you are totally innocent, you've made yourself look like an asshole at best, but really, really guilty at worst with the way you are handling this.
> The old source code in master is no longer under AGPL because it's been the reason of this week's trolling comments
"I re-licensed code you wrote without permission because some other people were trolling me." is certainly an interesting admission, even if you take "trolling" at face value, when they appear to use it to mean "calling out our breaking of the license".
Can they even pull the AGPL license? The re-licensing of current/new code is one thing, but removing the license on the old code? How is that possible? What about copies elsewhere, are those no longer validly licensed? That's not how I thought licenses work.
These guys just appear to go from bad to worse, ignorantly making shit up as they go (on a road to certain self-destruction, if you'd ask me).
Also, why don't I hear more people about how GitHub was used to not at all host any code, but instead only as a (marketing) referral point for proprietary stuff somewhere else? I said goodbye to GitHub a while ago, so I wasn't aware this this had become acceptable practice.
Anyways, if this was a court case .. this would probably be the point where a judge would look these fellows straight in the eyes and say something along the lines of: "With arrogant behavior you so clearly displayed, you yourselves have squandered any of the sympathy, lenience, and benefit of a doubt I usually give to defendants, and will hereby sentence you to the harshest possible punishment. Not only to give a clear indication that your behavior is in no way acceptable. But also to serve as a reminder for any future parasites, whenever they think of making up their own rules as they see fit".
Either way, I think this shit is going to haunt these guys. Unless I got it all completely wrong, probably well deserved too.
Good grief, the (moving) discussion is terrible and is not getting better.
The maintainer looks embarrassed and is doubling down, has not had an opportunity to save face and this looks quite humiliating. Gah. We have to let people save face, maybe several times. A public discussion like this is just awful.
> Over the years, it has been a waste of time to explain ourselves why we need to charge for our labor. This is the last time I say anything about this. Trolls will be blocked.
How badly does someone need to misunderstand a topic to write something like this? No one mentioned charging being bad.
The fact they claimed it was a complete rewrite shows they don't misunderstand: they knew they were doing something wrong and tried to hide it, just now they are caught they are just trying to gaslight their way out and claim they are the victim here.
I absolutely buy some people were shitty about them deciding to create a commercial product. That in no way justifies stealing from others who contributed to the project, which is the reality here.
> I absolutely buy some people were shitty about them deciding to create a commercial product. That in no way justifies stealing from others who contributed to the project, which is the reality here.
100x this. I'm super supportive of them making a living via a commercial product, especially one based on AGPL code. My only frustration is that they're pretending that it isn't AGPL code and refusing to respect the contributors whose code they're using.
> My only frustration is that they're pretending that it isn't AGPL code and refusing to respect the contributors whose code they're using.
But what I don't get is: how do you even know this with such confidence? How do you know they don't have some legal agreement with those people? How do you even know they didn't contact those contributors? How do you know the other contributors' contributions weren't trivial enough (for all I know they could've even just been formatting/indentation) and not warranting any action? How do you know the contributors aren't fine with it?
And how does everyone somehow know other contributors want them to seek some sort of justice on their behalf?
> But what I don't get is: how do you even know this with such confidence?
Because instead of saying "yes it's based on the AGPL code, I have consent" they're saying "no it's not based on the AGPL code, it's a complete rewrite", which is an easily provable lie.
>> But what I don't get is: how do you even know this with such confidence?
> Because instead of saying "yes it's based on the AGPL code, I have consent" they're saying "no it's not based on the AGPL code, it's a complete rewrite", which is an easily provable lie.
First, note that no one has any obligation to you (or me) to reveal any of their contracts or business dealings. It's not our business, quite literally. It is (or was, earlier in the discussion) entirely possible they have a license, the parties are fine with it, and they just don't want the rest of the world to know or care.
Second, you literally have contributors themselves starting to come to defend him against you:
> I’m @{name} in your CC list and I was hired to work on Octotree. I’m no longer involved, but I was there when we rewrote Octotree. Just so you know.
Is it possible some people may have been wronged here? Sure. Is it possible they haven't? Yes. We don't know, but even before you even knew some were paid and all that, you'd already leveled an accusation against them of bad faith and gotten people all across the world piling on. Given you've gotten at least part of this wrong so far, one would think maybe a less confidence in your accusation might've in fact been warranted, especially given you're just a bystander?
> First, note that no one has any obligation to you (or me) to reveal any of their contracts or business dealings. It's not our business, quite literally. It is (or was, earlier in the discussion) entirely possible they have a license, the parties are fine with it, and they just don't want the rest of the world to know or care.
This is total nonsense. The code was licensed, publicly, under AGPL. Like the GP said, they could have easily said it's based on the AGPL code and they have consent, but you seem to be OK with the maintainer lying that it's a total rewrite.
Yeah, and unless they depend on similarly licensed code that imposed restrictions on them (in which case someone should mention this to the maintainer in the beginning so he knows he has a legal obligation he's not fulfilling), it can be taken down and/or licensed differently moving forward however the contributors want to, without them owing you, me, or anybody else a notification or explanation.
Even whom exactly that set of people is is not your business (nor mine). They may well not even want to divulge their relationships with each other to you, and they would have every right not to want to. You're neither a party to the matter, nor their lawyer, nor part of law enforcement, to try to seek justice on their behalf. If you're trying to be helpful, you can notify them privately and let them deal with it, or see if they want you to help. If they have a problem, they'll follow up. If they don't, that's the end of it. You can save your pitchfork for problems you're actually a party to.
> Like the GP said, they could have easily said it's based on the AGPL code and they have consent
Or they could have not, because it's quite literally their business, and not your business to intervene (or mine).
> but you seem to be OK with the maintainer lying that it's a total rewrite.
No, this is what's complete nonsense. There are a heck of a lot of things I'm not OK with in this world, but I hold my peace on most of them and let those who are responsible deal with it. The fact that you don't see me trying to publicly crucify everyone who's ever lied to me does not mean I'm OK with people lying. It just means I don't think that every time someone does something wrong it is or should be my business to take justice in my own hands and get the rest of the world to publicly wreck them.
Suppose what you're saying were true. Why would then this buunguyen respond to the GH issue in this way? Why go on the offensive, calling people trolls? Why lie about having rewritten the code? If what you say is true, he could simply say so.
This is not the behavior of an innocent person respecting the software's license. It's the behavior of a very guilty person. Or a clown. Or both.
I don't know, I don't think either is impossible, but let's say they are guilty. I repeat my question: how does anyone here know the contributors aren't fine with this regardless (maybe they don't feel their contributions were minor enough not to justify casting a spotlight on them, raising a public feud over a trivial issue, and cancelling this guy)? How does everyone here somehow know the contributors want vigilante justice? It's as if we're trying to play out https://xkcd.com/386/ except we're replacing "wrong" with "violating someone else's copyright"...
A deleted comment in the github issue was a contributor stating that they didn't know but didn't care.
It's fair for people to not like this because the contributors were not made aware of this. Thus the only people who were wronged did not even know of it.
GUESS -there are two ways to make money: charge for something; avoid paying others. The original Octotree author, thinking of business as a whole, blurred the ideas of "we charge for our product" and "we pay nothing to anyone"
Contrary to most people here, I don't think the author of Octotree has much to worry about. While there is a long list of contributors to the project, only 10 have contributed 10 lines of code or more. My understanding is that a change consisting of less than 10 lines of code can be seen as trivial and hence does not need a copyright assignment (at least that's how the FSF handles it, and they're pretty strict with this stuff).
Of these ten people, six were hired to work on Octotree, so he should have copyright for those. The other four together wrote less than 100 lines of code. If he has removed or rewritten these lines, he should be fine. (Even if he hasn't, I would consider this a very minor violation.)
Maybe he could indeed pull off the relicensing for the reasons you suggest. He's still in deep shit: nobody will touch this project with a 3 m pole anymore, and any forks based on the last AGPL version will have a field day of attention. Soon enough, the original project will be irrelevant. Independently of whether he's right or not, this guy just killed his project (or his control of the project).
Oh, he handles this situation very poorly, no question about that. That doesn't change the fact that he and his team wrote the vast majority of the original code. The long list of contributors does not reflect that.
And from the latest comment on this issue (https://github.com/christianbundy/octotree/issues/1#issuecom...): It seems that the project switched from MIT to AGPL around 2016, so all the contributor commits before that doesn't matter. Excluding those, there's only 10 commits from people outside the team, which frankly isn't a big deal.
Anyways, it's frustrating that the author is kinda acting a bit scummy for something that might not have been even a problem. If he was a bit patient and had just got permission from those people beforehand... (I don't really think any of those 10 people would object to it since the commits aren't that big, unless one of them is a free software movement purist perhaps) And people generally agree on Mozilla's "95% author coverage" line so I think this controversy might have been a bit overblown.
Looks like the author is upset, but doesn't explain or refute anything. In any case, it seems it's true -- the author should follow the original AGPL terms here, otherwise it's a violation.
Well, now what? I bet nothing will happen -- the only way these licensing violations pique the lawyers' interest is when they are perpetrated by a high profile company with some money in the bank.
Well, if they don't fulfill the license conditions and keep distributing theirs they're violating copyright. Would a DMCA takedown from one of the authors be valid?
Bonus question, since mozilla has made themselves the single trust root of all addons, could one request that they refuse code-signing (something something contributory infringement) of the extension as part of the DMCA process?
One thing will happen. If you do a web search for Buu Nguyen, this cesspit will come up. I think Buu Nguyen just made himself unhireable for life, at least by any organization which values IP.
That's probably a much worse outcome for Buu than a DMCA notice or otherwise.
Obviously. If your rights haven't been hurt you don't get to do anything about it. Rather the point that DCMA doesn't need "lawyers involved" if a contributor has a legit complaint.
I don't know the details of this project but if he is the sole author of the software then he owns the full rights over it and can decide to do whatever he wants.
Of course a major issue is that such projects often accept submissions from other people, which creates major headaches if a change a license is later sought.
Edit: an issue that it is very often not discussed or clear on what basis people can make contributions, and I think that the default position must be that they retain the copyright over their contributions (but is it implied what licensing they are agreeing with?)
Edit 2: I understand that he is not the the sole author, but that does not make anything I wrote incorrect or irrelevant. A lot of drama for some reason...
If the maintainer wants to remove the AGPL without copyright infringement, I think they'd need to delete most/all of pjax.js and have someone else write a clean-room implementation that isn't built on contributions from someone else.
The reason people do cleanroom is to eliminate risk of liability, it's simple, and it's foolproof. You can't mess it up. It also eliminates other potential issues (like tortious interference with someone who signed an NDA).
Legally, it's overkill. It's like using a thermonuclear bomb to swat a fly.
If you're going up against Microsoft, overkill absolutely makes sense; you might be legally right, but it will take millions of dollars in legal fees to show that. Programmers are cheaper than lawyers.
In the general case, though, you can just rewrite the old code and be done with it. Yourself. Looking at the old code too, so long as you don't borrow it. You want to be a little bit careful since it's not just the literal words (you can break copyright on a novel if you rewrite the same plot in your own words; same thing with code), but "a little careful" suffices.
It's a bit harder to transform a piece of code into something non-infringing, rewriting section-by-section, but most lawyers say that's not impossible either.
(Of course, clearly, none of that happened in this case)
Here's the contributors page[1]. He's clearly the core contributor, but there are a handful of other significant authors and dozens of minor contributions[2].
I'm confused, is there anyone with a stake/standing in this who is complaining, or did some outsider just come and accuse a random project owner of breaching a contributor's license?
If that's the case, this raises two questions:
(a) How do they know a priori that the project owner hasn't cleared the license (maybe via a contract that they have no interest in publicly disclosing, or by believing [for whatever reason] they're too minor/fair use), and
(b) Why are so many bystanders piling on and stirring up conflict in public trying to cancel this guy? Wouldn't it make sense to just let concerned contributors speak for themselves?
1. That wasn't what was being challenged. The challenge was whether there was, in fact, a "complete rewrite", since the output files matched the AGPL source 1:1.
2. Do you mean me (Christian Bundy)? I asked a question because I was unhappy seeing the maintainer lie to one of my friends about the "complete rewrite". Lies bad, truth good. The licensing is the reason for the lie, not the reason for the investigation.
First, it's far from clear to me he's lied (which is not equivalent to saying he didn't). So far as I see, it may well have been that (a) he honestly forgot there were some old lines still remaining that they didn't rewrite, (b) or he did know that, but he felt any vestiges of old code were insignificant and not enough to justify changing the sentence. If he rewrote like ~99% of the code, you might disagree about whether the remaining <1% was insignificant or not to justify calling it a "complete" rewrite, but surely you can also understand this might not be an instance of bad faith, but rather an instance of merely having a different threshold for "complete" than you?
Second, let's just assume he had bad faith and lied about it being a complete rewrite; I don't know, but for all I know he might have. It's possible he's been trolled a lot by other people recently (sounds like he has, though I haven't checked the history) and he thought lying would get people to stop. Or maybe he's an awful guy. I have no idea. In any case, unless they had a dependency with a viral license, have distributed something based on that dependency, and that dependency's license required them to provide source code with it... they simply don't have any obligation to provide you with any source code, in which case you still wouldn't get anywhere, right? Are there such grounds for you being entitled to the source code at all? If there are, it seems this should be mentioned explicitly in the beginning so he understands he has an actual obligation he's not already fulfilling?
> 2. Do you mean me (Christian Bundy)? I asked a question because I was unhappy seeing the maintainer lie to one of my friends about the "complete rewrite". Lies bad, truth good.
In (2) you're referring to (b) in my post, right? I actually didn't mean you (I meant everyone else on the internet who just piled onto your post afterward), because I didn't think that's something you had control over, but now I'm seeing you're the one who specifically went out of your say to submit the post on HN too... which is begging for people to pile on and cancel this guy because you (or I guess your friend) didn't get the source code you wanted. All because you (who apparently aren't even the person who was wronged?) are upset because you think he lied to one of your friends, and you think contributors who might be ones to have a stake in this might also be on your side and might want you (whom they don't even know) to seek vigilante justice on their behalf? Isn't this how Twitter justice works...? Do we really need this on HN? Is this kind of public cancellation really making the world a better place?
> Based on package.json only one author mentioned, Buu Nguyen <buunguyen@gmail.com>
If I distributed the linux kernel with a text document stating I was the sole author it wouldn't make it so. The author wont suffer legal consequences unless someone with a stake in the matter proves in a court of law where all the appropriate protections apply but the court of public opinion is both more fond of drama and less kind. To answer (b) first people are speculating on this topic for the same reason people follow news stories that have zero chance of ever effecting their lives because it has piqued their interest. Describing this as "canceling" reveals more about your perspective than it does about the issue.
To answer the more substantial (a) the facts on the ground seem to suggest that the author is sputtering, floundering, and lying. He lied about it being a rewrite. He lied about it being "ok" even if it wasn't a rewrite (which is it?) After saying he had rewritten it all he then said it was ok because he had either written or paid for "most" of the original code to be rewritten when it ought to be obvious that "most" wouldn't be strictly correct in any case.
The obvious conclusion is that he broke or didn't understand the law in the first place and never chose to hire someone who did or took their advice.
I am surprisingly incensed by my interpretation of your questions as being cavalier and disingenuous. As far as I can tell, you mean to dismiss by misdirection or fallacy. I suggest you've got the wrong end of the stick, and leave it at that.
Up until 30 minutes ago, I was an octotree customer. Do I have standing? Do I need someone's permission to care about this? I'm not a concerned contributor; I'm a former supporter now concerned with what my subscription has enabled. I cannot address the money that is already under the bridge, but I can certainly stop dropping it in the river.
I'm not upset about the question re: AGPL inclusion, I'm upset about the very, very poor series of answers and actions by the maintainer, whatever form they've individually taken.
Should the whole mess of a posteri license reassignment get addressed cogently and comprehensively, I'll reconsider. Even a mea culpa would be sufficient, should it be followed by Doing The Right Thing[s].
> I am surprisingly incensed by my interpretation of your questions as being cavalier and disingenuous. As far as I can tell, you mean to dismiss by misdirection or fallacy.
No, and I'd reply to your points, but I'm quite offended by your comment (and you're breaking the site rules).
As someone who works on open source AGPL'd products it is pretty obvious to me what is going on. He has someone sniffing around to buy the entirety of the intellectual property. He wants to cash out.
Too often people choose licenses for their projects without giving enough thought to potential implications. AGPL and GPLv3 in particular seem to be the kind of licenses you should think really, really hard about before choosing to use them.
No – think really, really hard before accepting contributions under those licenses. If you're worried about not being able to take it proprietary, have some kind of Contributor Agreement saying “you need to hand over the copyright to get pull requests merged”.
I'm not trying to say that some licenses are better than others. They just have different implications. And I often see that people fail to properly think about those. Yes, MIT implies that anyone can just take your code and run with it. But so can you.
APGL on the other hand requires more upfront thought about how you're going to organize the project in general and what you might do with it later on.
That is a very odd framing of the choice. Using the MIT license is not a zero-sum game. If AppGooFaceSoft choose to use your software without paying you anything, the only costs would exist within your own mind and depend entirely on your beliefs, not some external standard.
When I use (L)GPL license, a) I want to use their fixes and contributions to my code for free, even if they prefer not to share, and b) I don't want for them to limit my freedom to modify MY code in THEIR product.
AGPL and GPL3 do allow for a proprietary alternative that has clearly separated modules that use only the GPL3/AGPL code as binaries. They could have done something similar to the qt licensing scheme.
I think the developers who change the licenses of this repo have bad faith and yes, I agree, they deeply misunderstood the licenses or they planned all along to ride the 'free software' banner for adoption to then make money out of it. They could have done it in a more elegant way.
Is there a recommended way to license a project as permissively as possible? I like the MIT license because it's widely accepted and short enough that it can be read and understood but what if you're OK with someone using a small (but large enough to be a copyrighted work) piece of your code without bothering to maintain the license.
There's the WTFPL License (https://en.wikipedia.org/wiki/WTFPL) but that doesn't seem like a great option either. For my project (https://github.com/argosopentech/argos-translate) I dual licensed under the MIT and CC0 licenses even though CC0 isn't really designed for software but it seemed reasonable. It seems surprisingly difficult to release code with no conditions besides limiting liability.
If it is your own project, which doesn't depend on other's, then you can simply change it anytime you like if you decided GPLv3 no longer suited your needs. It is typically problematic when you are using someone else's program released under GPL; they released it under GPL hoping for what GPL entails.
You're trying to make this scarier than it is with the word "implications". The only thing you can't do is to create a non-free work that uses other people's copyleft code. What you should think really, really hard about doing is writing non-free software at all.
@sircmpwn Sort of implies [0] he'd need a contributor in order to fund a lawsuit (really puts his money where his mouth is on open source & privacy issues, at least, truly admirable) - but is that actually the case? Doesn't AGPL grant the user (casual observer even?) the right to view the source, not just the contributor to have it be available?
(Perhaps he just means that he's supportive but doesn't care enough to pursue it alone - absolutely fair enough if that's the case, not trying to suggest he should do something, just checking my understanding.)
The AGPL says, roughly, that in order to be allowed to use the code you have to give all users the right to see the source. If they refuse to do this, the legal problem is that they're not allowed to use the code anymore -- in other words, they're violating the contributors' copyright. And to sue for copyright infringement, the plaintiff needs to be someone who holds the copyright.
That's my non-lawyer understanding of why Drew needs a contributor to start a lawsuit.
I meant user of the (erroneously) proprietary version - aren't they supposed to receive/be enabled to access the source code for the original work and by extension the derivative (erroneously proprietary) work in their own right?
I'm also a non-lawyer, but I believe Drew is mistaken in his claims that that he can get sue for the code. All he can do is sue for damages due to the infringement. (Your comment seems to be correct, FWIW.)
5 hours later buunguyen's absolutely puerile response to the issue is worth considering. Instead of addressing the concern directly he attributes the issue to trolling, locks the issue as spam, and deletes all comments but the initial issue (likely because you cannot delete it) on the grounds that people are "trolling" him for his choice of license.
The behavior strongly suggests the code is stolen.
There is still the last AGPL version. The most effective retaliation is to make a fork that is much, much better than the closed version. Less drama, more work, I know.
Given the original maintainer's attitude toward copyright, I wouldn't be surprised if he just took the changes anyway, thus putting us back in the same situation we're in now, where only a DMCA takedown will stop him.
He may do that, but users will use the free version.
Since it is free software, many user-friendly changes are possible that tend to conflict with commercial interests. (Indeed, someone already made a post about the author's privacy policy changes, making the commercial software less valuable with zero lines of code.)
While the author may make a few bucks, that kind of thing will not pass any due diligence, so his success may be quite limited.
Obviously, this is a complicated topic but I was wondering about how well are the projects like Postgres protected when people make contributions to them? They don't require any CLA signing etc, and their only defense seems to be "you should have read our policy", which isn't obvious to a casual contributor, or easy to discover (it's mentioned in a policy regarding archival of emails [1]).
> Additionally, source code submissions to mailing lists such as pgsql-hackers are considered submissions to the PostgreSQL project, falling under the project's PostgreSQL licence. Please make sure you have permission to share information with these lists before sending your message.
Not requiring CLA signing greatly lowers the barrier to contributing. As a conscientious employee I had to get my company's lawyers' permission when one project asked me to sign their CLA-like document. I can only imagine how hard it can get for a prolific contributor, if they also happen to start care about legal issues.
The author of this repo has blocked me from using GitHub's native fork functionality because I so much as suggested that I planned to fork Octotree due to the author retroactively making existing features paid.
First, you have to have standing meaning the only people who have any claim or could take action would be the "other contributors".
At that point, the best likely path forward would be a claim of partial ownership resulting in a DCMA takedown request.
However, the vast majority of contributions to this repo are insignificant one liner commits. While a nuisance for the repo owner, those commits could likely be undone and re-implemented.
That leaves it up to a handful of more active participants to take any action (likely DCMA related).
I would be shocked if anyone (other than with support from the FSF) takes actual legal action other than a cease and desist letter.
Even then, finding an interested prosecutor/attorney is going to be a challenge. By some estimates only 1 in 100k software crimes are ever prosecuted and some guy who stole 100 commits by changing an open source license is not one of them.
I believe any user should be able to raise a claim, the software is deceitful and violating its license which raise a number of problems.
One problem though is that the software doesn't indicate a license at all. I can think of multiple angles of attack if they were reselling it or distributing it under another license (MIT/BSD/GPL/other), that'd instantly give you the right to sue them, but because it doesn't have any license and doesn't claim anything, I don't know.
It could probably be considered to be defacto AGPL since the AGPL is contagious so there's nothing to complain about. It's tricky ^^
edit: The other thing is what's the purpose of attacking? You attack for a purpose, usually damages and/or shutting down the project. There's nothing to gain here. For reference the last GPL cases I've seen were self-defeating for the defendants, the user/customer/client sue the contractor/company/vendor who gave them modified GPL software, the defendant wins but loses the right to use the software they paid for, which is dumb!
> I believe any user should be able to raise a claim, the software is deceitful and violating its license which raise a number of problems.
This isn’t true, though... they aren’t violating their license, they changed the license. You are allowed to change a license for code you wrote at any time.
The only issue is if they included other code that was licensed, either via a PR written by someone else that they merged or via a dependency that was licensed.
You can’t violate your own license... even if I write code and release it as GPL, I am free to use a modified version in my own proprietary code (again, as long as you don’t use code licensed by someone else)
They do, and there are potentially 60 or so contributors.
However, only those 60 people have a dog in this fight (or legally only they have "standing"). It is up to one of them to do "something" as none of us (anyone other than those 60) have any sort of actionable claim other than to shame them. You and I might not like the fact that they are altering / violating the license but that is moot.
It's my understanding that software with multiple copyright holders, especially when their work is all mushed together and being derivative of each other's work, is a major headache scenario. There's a reason the FSF requires that contributions to FSF-owned projects include a transfer of copyright.
I'm not a lawyer. As far as I understand copyright though, any copyright holder, aka any of the contributors, could take action (eg sue or submit a DMCA claim).
Absolutely true. But the cost to prosecute an IP related civil case on average with less than $1 million USD at stake is $250k USD. With out the financial / legal support of lets say the FSF are any of the 60 or so 3rd party contributors willing to put up $250k USD to protect their 1 line commits? Are they willing to risk a quarter million in legal fees on the chance that the repo owner proceeds to trial without undoing their one line commits the night before making their claims moot?
Without financial/legal support from someone like the FSF, the only way this would proceed is if the aggrieved parties were independently wealthy or could find a lawyer to take the case pro bono.
It'd presumably have to be a contributor who wrote some of the code they can show is in the new product.
Of course, in a normal situation, I imagine no one would care unless they'd contributed a significant amount. Acting this way sure seems like the best way to get someone to persue it on principle though.
Tangentially to this, I submitted an Ask HN about enforcing CLAs on a big Open-Source initiative that encompasses a large number of projects, to get some insights about how good or bad are the Harmony CLAs: https://news.ycombinator.com/item?id=24906816
Can someone explain me like I'm five what's going on and where is the problem? Is author using his own old AGPL license version of code or it contains 3rd-party AGPL licensed code?
The code allegedly includes third-party code as well as contributions that were initially accepted into AGPL code, which from what I understand are technically owned by the contributor and licensed to use under AGPL.
What the guy here did is to disregard all of this and relicense it autonomously.
You can relicense your code at any time, but if I have an AGPL licensed copy of your source code of that version I can still share it under that license, right?
The lesson learned should be that copyright still applies to copyleft code. If you plan on changing the license, ensure that you have the rights to all of the code that you are changing the license for. People will still complain, but they won't have a leg to stand on.
There are also lessons to be learned about conflict resolution, particularly about the consequences of escalating a conflict.
They are not the sole copyright holder, there were many contributions under the AGPL license. Unless there was an explicit copyright assignment signed by each of them then they are also copyright holders and would have to approve any change in license.
The other contributors were mentioned in the issue before it was sterilized:
It is not so simple I'm afraid; he allowed outside contribution from people who thought they were contributing to free software. He deserves the backlash. If he wanted to make money, he could have created a sub-project using octotree binaries and extended modules under new licensing terms.
Original authors have natural non revocable ownership of their intellectual work. Now IANAL, but the original author can always - assuming they didn’t sign away all exploitation rights (because that’s all you can give away) - take their ball and walk away.
Anyone is free to continue with the last GPL drop, but from that point on they’re on their own
For context, when NodeBB faced this possibility, we simply contacted every single contributor and asked nicely if they'd assign over their ownership of their contribution to us (note the use of the word "assign", not "license", a license is revocable, an assignment is not).
Future contributions by new parties required signing of the same Contributor Assignment Agreement.
Here's the CAA if you're interested in reading legalese: https://cla-assistant.io/NodeBB/NodeBB
All in all it took us under a week to secure the assignments, and any who did not sign we simply rewrote their lines of code, or we would have, but everybody signed.
The bar of effort to clear is so low to avoid this kind of controversy!
Reason we went this route: we wanted the flexibility to deliver a proprietary version of NodeBB for those clients that needed it. We get asked often whether there's a difference between the proprietary version and the open source version, but there isn't, it's just for legal reasons.