1. 64

To give a bit of context: A company called Muse Group aquired the Audacity-project (and trademark), among others, back in April and introduced numerous questionable tracking-elements in the code.

This sparked a discussion in the community about how it was possible that an open-source-project could be aquired this way and shed a light on how CLAs can be problematic if granted to private entities. This fork by cookiengineer is one of a few removing telemetry and removing the CLA-requirement, but seems to be the one gaining the most attention.

There are multiple processes going on simultaneously, all visible in the GitHub-issues: Renaming (to prevent trademark issues), refactoring (because the codebase is pretty chaotic in many places and the original developers refuse PRs addressing this) and possible feature-extension.

It remains to be seen which direction the majority of the Audacity-community (and -developers) takes.

  1.  

  2. 30

    MuseScore recently became much better app when tantacrul (Martin Keary) started being involved in it.

    I was truly glad when I heard about Audacity joining Muse Group, hoping for modernizing and revamping it under his direction.

    It would be really sad if it all got diluted and effectively stopped due to these issues. CLA is not tantacrul’s idea, but as a head of the product, he may (and will) be blamed for this unwelcomed stuff nevertheless, unfortunately.

    I may state extremely unpopular opinion, but many users would prefer more polished product, regardless of its licensing details. If introducing CLA is a step that will allow Muse Group to ultimately gather more resources to accelerate Audacity development and improvements, I wouldn’t condemn them automatically, as many are seemingly doing. Yet I understand fear that CLA introduces, as it creates possibility of moving to non open source license later (which was exploited in the past already in other projects)..

    Hopefully Audacity mess will get resolved peacefully, without dividing efforts/resources for too long, like it was in case of ffmpeg and libav (2011-2019), OpenWRT and LEDE (2016-2018), etc. Reasons for forks may be different, but dividing community is rarely nice and is not always well understood outside of contributors and developers maintaining those projects. Still, there can be some positive outcomes from them, so maybe this will be the case here too…

    1. 11

      CLA is not tantacrul’s idea, but as a head of the product, he may (and will) be blamed for this unwelcomed stuff nevertheless, unfortunately.

      So does tantacrul have the power to decide whether to require a CLA? That’s the important question in assigning blame, not whether it was “his idea.”

      1. 2

        Though, whether he ought to be blamed for it and whether he will be blamed for it are two separate questions.

      2. 5

        I believe Audacity being FOSS can solve the issue. Every new feature of the MuseScore project can be ported to the fork. Because of the CLA the other way around is not possible. If enough pressure is applied by users and developers MuseScore must cooperate with the community.

      3. 23

        Sadly idiots online have made this effort harder for the team: https://github.com/temporary-audacity/audacity/issues/48#issuecomment-874555049

        1. 25

          It looks like the maintainer has resigned due to IRL harassment from channers: https://github.com/tenacityteam/tenacity/issues/99

          1. 9

            Based on their followup comment, seems like harassment is an understatement, they were assaulted. :((

            1. 4

              Assault with a knife and a running Investigation by the Federal Criminal Police Office. So it doesn’t actually matter anymore what 4chan might have bothered, I hope they really catch those guys for good.

              1. 6

                It’s likely that they’ll catch and convict the one person who did the assault, and that nobody else will have any liability. I say this as somebody who’s followed the activities of hate groups for years.

                1. 1

                  Well that would be at least something. If we can push such activity back to online harassment it’ll already be a win.. Or rather: I wouldn’t be surprised if they can’t find out where/who it was and the charge is so light for some technical reasons that nothing actually happens. I think it’s fair to convict at least the person that was ready enough to start going at people with a knife, these are ticking bombs anyway in my experience. But yeah, it’s probably not the last “raid” of 4chan.

              2. 2

                Is the context for this preserved somewhere? The comment is replying to @alicemargatroid but I don’t see any posts from them in that issue. Seems like GitHub may have Optimized our Experience.

            2. 4

              As near as I can tell in the five minutes I’m willing to spend looking in to this, the joke on 4chan was that the project should be named “Sneedacity”. Apparently “sneed” is some sort of meme, in-joke, or something. And instead of leaving it as just some joke comment people started “campaigning” to name it Sneedacity.

              🤷

              1. 5

                Huh. I assumed it was a play on Au (gold) vs Sn (tin) with “ee” filled in to make it pronounceable.

                1. 18

                  Your mind is operating on a slightly higher level than 4chan…

                  1. 4

                    I’m glad I’m at least operating on a different level, whether you want to call it higher or lower. Wow. When I first heard about the policy change announcements, I thought about grabbing the source from the last change set before the transition, tossing it into a git repo, and putting builds online for the platforms I use + Windows. ’Cause I use it regularly and generally build it from source for myself.

                    Now I’ll just keep building it for myself, and won’t jump into this fray. It’s not like I was really going to do any more maintenance than fixing the odd wx upgrade breakage anyway. Bleh

                2. 4

                  Apparently it’s 4chan-speak for “special needs”, though with the amount of fake symbol-recontextualizing 4chan does I’m not sure if I believe it.

                  1. 4

                    Formerly Chuck’s.

                    1. 1

                      Eh?

                      1. 4
                        1. 2

                          “Sneed’s feed and seed” “Formerly Chuck’s”

                      2. 4

                        I believe a poll organised by the dev for the name was won by “sneedacity” and the dev refused to use the name therefore starting this situation.

                        1. 14

                          Sorry, but this reads as blaming the victim. Sure, the dev decided not to use the name, but angry 4chan mob appearing in front of his place is way above any meaningful escalation.

                          1. 9

                            I am stating the facts as I know them, please read less into a single sentence.

                            1. 6

                              I don’t think it was intended like that at all: it was just establishing what happened exactly, not assigning blame. That’s how I read it anyway.

                            2. 4

                              The term “legitimately won” is basically meaningless when it comes to internet polls.

                              1. 2

                                Well yeah, but what I mean is that people came and voted and didn’t “hack” the result, whatever that is supposed to mean.

                        2. 10

                          IIRC the tracking was being done as a part of understanding how people use Audacity.

                          What’s always interesting to me is the lack of information actually being propagated in this kind of setup. If you only see which buttons someone clicks and at what times, how are you going to figure out what problem they are actually trying to solve? And how are you going to improve the UX if you don’t clearly understand the problem?

                          I felt there was some similar sentiment towards the Firefox redesign which moved features because they weren’t being clicked on as much.

                          1. 5

                            I would be much more interested to see the reasons why people aren’t using certain features. With widely used features, there’s usually enough natural feedback: you can learn about their deficiencies by looking at beginner questions, reading users’ rants and so on.

                            An unused features is a real puzzle. Is it broken in a way that doesn’t affect me but affects a majority of users? Is its UX so poor that people would rather use a workaround? Is there simply no need for that feature among the user community?

                            1. 2

                              That’s still hard to get from usage analytics, because an unused feature could also be the result of a lack of discoverability.

                              1. 2

                                I think I didn’t communicate my point clearly. That’s exactly what I mean: the hardest questions are also the questions that can’t be answered using analytics!

                                One way to answer them is in-depth user surveys.

                                1. 1

                                  I hear you!

                            2. 8

                              Amusing that the ostensibly benign reasons for data collection (which you should never believe) lead to concrete harms like disruptive UI redesigns, which are more acutely felt than loss of privacy.

                              1. 2

                                You can mostly figure out how to reproduce crashes that way

                              2. 10

                                I think it’s way too soon to say whether it’s gaining traction. It’s getting a lot of attention due the controversy, but actual traction needs committed maintainers and users who permanently switch rather than merely star a project in a knee-jerk reaction.

                                EDIT: also 4chan got interested in this, so the whole thing is becoming a dumpster fire.

                                1. 7

                                  Wait, why are we talking about tracking ? The last statement was that they only want crash reporting in their official builds (not in your linux distro) and with an option to turn it off. Also AFAIK you should put your context as a comment, no summaries etc in the post.

                                  1. 3

                                    As to context/summaries in lobster.rs posts, there’s in fact the very crucial distinction: summaries should not be put in a post, neither should opinions - they should indeed be moved to a “regular” comment thread. However context can be added, and in fact AFAIU that’s the reason why this field is even available for URL submissions. Sometimes the URL itself is hard to understand without a bit of extra info. Notably, when I do this (which is extremely rarely), I try very hard to be anally NPoV, looking at it purely as a utility/service for the readers, carefully avoiding taking sides, to give the readers freedom of forming their own opinion. In this framework, I personally do appreciate that the submitter did IMO a good job keeping their opinion to themselves and staying neutral. Maybe not a great job (I’d personally reconsider the words “questionable” and “problematic”, though they’re relatively mild, but I’d try to back off from the adjectives; in fact, changing e.g. “questionable” to “questioned by the community” would be IMO better, more fact-stating and descriptive vs. prescriptive), but a good one. Also, even a neutrally-inclined journalist/historian always still has the choice of facts to present, so they can hardly ever be 100% platonically neutral, but that’s a topic for a different discussion I think :P

                                    1. 1

                                      yeah it makes sense in hindsight, I think I just really disagree with the framing and “tracking” as a word

                                    2. 1

                                      You understand “tracking” in a sense that excludes crash reporting?

                                      EDIT: Regardless, the tracking goes well beyond crash reporting: https://github.com/audacity/audacity/pull/835

                                      1. 6

                                        Note that that PR was closed without being merged, and they later made very substantial changes to their planned tracking in response to the negative feedback. In particular, doing it all self-hosted.

                                        They also said the telemetry would be opt-in. I can’t think of any possible privacy issues that would be caused by a telemetry feature that you have to explicitly enable.

                                        1. 5

                                          this, opt-in crash reporting is not tracking, it’s crash reporting.. Otherwise you’re throwing analytics and usage data on the same level as this kind of crash reporting.

                                          1. 2

                                            opt-in vs opt-out is an important distinction, but there are no well defined limits on what data are sent in a crash report vs “analytics and usage data.” maybe crash reporting in this particular instance contains less information than in some other data collection schemes, but merely calling it “crash reporting” doesn’t ensure that.

                                          2. 1

                                            Yes the most harmful things have been beaten back, at least while the PR crisis is hot.

                                      2. 7

                                        All controversy aside, the part that people keep overlooking is the Audacity codebase is indeed… not in the best state, to put it mildly. There are also things like Nyquist (which, imo, is the most exiting part of Audacity) being designed to work around memory constraints of an era long gone, which results in it being extremely slow by today’s standards.

                                        I think at this point there are plenty of good reasons for forking the project and, as someone who uses Audacity on almost a daily basis, I would be very happy to see cookiengineer’s team succeed. I keep wondering though if the time and energy wouldn’t be better spent on writing a modern FOSS audio editor from scratch.

                                        1. 4

                                          Can the tracking not be disabled in the application’s preferences menu?

                                          1. 34

                                            It is in fact disabled by default. This whole thing has been full of misinformation from what I’ve seen. A popular post was claiming the new versions recorded you through your microphone. Others said it would phone home if it saw you editing copyrighted audio.

                                            1. 31

                                              This entire affair brought out the worst in the community. I’m embarrassed by it.

                                              I only read the CLA discussion some time ago, and it was horrible. The entire reason they wanted a CLA in the first place is to have some more flexibility in licensing: GPL2 is incompatibility with GPL3 and provides practical problems, and it prevents redistribution on e.g. Apple platforms.

                                              That this is an organisation that has built their entire business on GPL3 software should give them some benefit of the doubt. But nope! Random conspiratorial nonsense all over the place.

                                              Like most projects of this kind the people actually working on it are very few: 169 in the last 11 years (the furthest back the git repo goes), and this includes all the trivial “typo fixes” and such. The meat of the work is done by just 15 people or so, with most of it concentrated in just three. And all of the people who actually did the work actually signed the CLA.

                                              You have people commenting “I will not be contributing any code under those terms” or “I think most contributors will not be okay with this, can say so for myself right now” and you check, and they have not contributed a single line of code. What the hell are you talking about? You’re not contributing code already. In that entire discussion I could find only two people: a translator who threatened to remove their translations (which you can’t do…), and someone who made some substantial contributions in 2010-2011 who had a nuanced in-between position.

                                              The rest: just random people from the internet on a horse so high they need a space suit.

                                              It’s kind off ironic that the fork got “raided” by 4chan because something not too dissimilar happened to Audacity.

                                              1. 2

                                                I only read the CLA discussion some time ago, and it was horrible. The entire reason they wanted a CLA in the first place is to have some more flexibility in licensing: GPL2 is incompatibility with GPL3 and provides practical problems, and it prevents redistribution on e.g. Apple platforms.

                                                The project seems to be licensed under GPLv2 or later; wouldn’t that clear up any issues with GPLv3 compatibility? Also curious about the issue with Apple platforms: GIMP is GPL and works on Macs, so there is probably some nuance here.

                                                1. 2

                                                  The project seems to be licensed under GPLv2 or later

                                                  It’s not.

                                                  1. 6

                                                    Someone might want to tell them that, as their readme has said otherwise for (at least) the last 12 years:

                                                    https://github.com/audacity/audacity/blame/master/README.txt#L48

                                                    1. 2

                                                      The LICENSE text has just GPL 2 and there are no file headers, so 🤷 Lawyers can argue which one “applies more”, but probably best to avoid that.

                                                      Either way, the entire effort seems to be in good faith. I see no reason to doubt it.

                                                      1. 8

                                                        It’s not permissible to alter the GPL itself and still call it the GPL, so putting the “or later version” text in the statement of license in README and/or source files has been the long established practice. If there is some legal challenge to that, it would likely invalidate the intentions of many projects that use that. You’re right that’s a question for the lawyers if it comes to that, but my gut feeling is that they pretty clearly did exactly what people do when they intend to allow later versions, so would expect that to be the default interpretation.

                                                        I haven’t followed this enough to have any clear sense of whether I’d consider what’s happening “in good faith,” but I certainly don’t assume that when companies swoop in to pay a bunch of money to acquire a community run project rather than working to establish/improve the existing governance.

                                                        1. 3

                                                          putting the “or later version” text in the statement of license in README and/or source files has been the long established practice

                                                          It’s more than that - it’s described in section 9 of the GPL[v2] itself, which is what gives those READMEs force.

                                                          Agree that it’s unclear for Audacity in particular since different pieces of texts seem to be saying different things. I’m not at all familiar with this project, but the LICENSE.txt appears to explicitly indicate “version 2” with no “or later” clause for the last four years. Applying section 9 of GPLv2, prior to that point the user could have chosen GPLv3, but this change appears to negate that intention. https://github.com/audacity/audacity/blame/master/LICENSE.txt

                                                    2. 1

                                                      If the CLA discussion was based on that premise, it certainly would be horrible.

                                                  2. 2

                                                    “I only read the CLA discussion some time ago, and it was horrible. The entire reason they wanted a CLA in the first place is to have some more flexibility in licensing”

                                                    I don’t blame people who see this as hostile. What a company did yesterday is not a guarantee for tomorrow. Maybe MuseScore is staffed and owned entirely by people who are pure of heart and have nothing but the best intentions towards FOSS. It’s a company that can be acquired by another company at some point with less Good Intent. CLAs like this should be treated as radioactive.

                                                    The CLA says that you grant MUSECY SM LTD “the ability to use the Contributions in any way” which is not just flexibility, that’s “we can take this and distribute it as proprietary software.” If they only wanted flexibility to re-license under more acceptable FOSS licenses they could have written the CLA that way. Never sign a CLA or any legal agreement based on the assumption that the other party will Do The Right Thing. Assume that the other party is going to do any and everything the contract allows. In this case that would include deciding at some point in the future that they’re going to make Audacity closed source or open core or whatever.

                                                    “And all of the people who actually did the work actually signed the CLA.”

                                                    I wonder, did the people in question get paid for signing over this work? It might have something to do with their willingness to do so. (I’m not saying it’s bad for them to be paid. I’m happy to see people get paid for work on FOSS. But if we’re pointing to their signing the CLA as a justification for its goodness, it’d be good to know whether there was compensation for it or not.)

                                                    Yes, people on the Internet who haven’t contributed also have opinions about it. Users do have an interest in the direction that Audacity takes.

                                                  3. 1

                                                    @proctrap said that the crash reporting is opt-out, not op-in. Can we get some sources in here?

                                                    Also worth pointing out that Audacity does in fact record you through your microphone. A link to the post would make it possible to evaluate whether it was malicious misinformation, or a joke.

                                                    1. 9

                                                      Here is the original telemetry PR - the original implementation was opt-in.
                                                      Here is the followup to address the public reaction to #835

                                                      • They changed their plans to use 3rd-party data collection and moved to self-hosting
                                                      • They plan to introduce a dialog box on non-fatal errors where you can choose to send an error report
                                                      1. 2

                                                        Ignore me re: opt-in vs opt-out. I don’t have time to verify either way, but I had seen that correction posted several times elsewhere. And yes, I realize this is me doing what I complained about.

                                                        Re: the microphone, this is mostly bad phrasing on my part. The author has since deleted the tweet, but from memory it was roughly “PSA: If you don’t want Audacity to send your microphone input to their new owners then don’t upgrade to 3.0.”, followed by a link to a news article. It had >2,500 retweets some time yesterday. The author later admitted in a reply that they made that up.

                                                        1. 7

                                                          The opt-in is just in the telemetry PR, in the PR description, in big bold letters. It’s not hard to verify. In fact, it’s quite hard to claim anything else.

                                                  4. 4

                                                    I’m leaving for, and financially supporting, a fork because Muse told me to leave. My current use case for Audacity is helping my 9 year old son record and mix his own music, and according to the new privacy policy, that’s not allowed.

                                                    1. 4

                                                      My current use case for Audacity is helping my 9 year old son record and mix his own music, and according to the new privacy policy, that’s not allowed.

                                                      I’m building the old GPL source for myself anyway, so I’m asking purely out of curiosity. But do you have a link? What specifically forbids helping your 9 year old son record and mix his own music?

                                                      My outrage is much less concrete, presently, but one thing I’m using my builds from the GPL tree for is helping my 9 year old son make things… so I’d love to see a good citation here.

                                                      1. 8

                                                        It’s the new privacy policy, which AFAICT is necessitated by the introduction of analytics:

                                                        “The App we provide [Audacity] is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.”

                                                        In other words, they’re gathering analytics from the app that may not be legal in all jurisdictions to gather from minors.

                                                        In addition to being a large middle finger extended towards parents and the young, it’s also likely a violation of the GPL.

                                                        1. 10

                                                          In other words, they’re gathering analytics from the app that may not be legal in all jurisdictions to gather from minors.

                                                          The reason it’s in there is presumably because of the COPPA.

                                                          It doesn’t mean they’re doing anything nefarious; COPPA’s definition of “personal information” is really broad and covers even usernames (e.g. arp242). Lobsters is covered by it as well, and will have to ask parental consent for <13 year olds, and the FTC could fine Peter if he doesn’t (unlikely since it’s such a small site, but the FTC does actively enforce COPPA).

                                                          This is why a lot of websites just disallow access to those under 13; the usual way this is deal with this is to put something like this in the privacy policy and “don’t ask, don’t tell”. On Stack Exchange stuff like “I’m 12 and I’m learning to program in Python” would come up every now and then, and those accounts get deleted not because Stack Overflow hates children, but because COPPA compliance is just really hard and non-compliance can result in serious fines.

                                                          1. 3

                                                            That quote’s what I was looking for and couldn’t find a link to. Maybe they took it down.

                                                            In addition to being a large middle finger extended towards parents and the young, it’s also likely a violation of the GPL.

                                                            It’s clearly the former. Not sure it’s the latter unless they also try to forbid you from removing the analytics and distributing your analytics-free copy.

                                                            By my read, anyway, saying “I’m giving you this binary that I built from GPL sources, as well as the sources I used to build it, and it’s going to run analytics on you” is not itself a GPL violation.

                                                            It’s shitty, and saying “you can’t remove the analytics” would in fact be such a violation if you were distributing other people’s software, for sure.

                                                            1. 4

                                                              By my read, anyway, saying “I’m giving you this binary that I built from GPL sources, as well as the sources I used to build it, and it’s going to run analytics on you” is not itself a GPL violation.

                                                              Agree completely. But I believe that saying “oh and you’re not allowed to use it if you’re under 13 years of age” is a violation, because there is no provision in the GPL to support such a restriction, and there is no provision under the GPL to relicense the program to a license that would support it.

                                                              It’s also worth noting that the age restriction means that Audacity would no longer be OSI-approved, because the OSI definition includes:

                                                              “The license must not discriminate against any person or group of persons.”

                                                              1. 3

                                                                I think there is a difference between the software license and the privacy policy for the program. You can still obtain and run the program without agreeing to the privacy policy. @utz

                                                            2. 3

                                                              Afaict, this does not forbid the use of Audacity by under 13 year olds. It asks under 13 year olds to “please not use it”, which is about as far from a legal requirement as can be. To me that language used is a clear sign that Muse/WSM Group know they would be violating the GPL otherwise.

                                                              I’d much rather be concerned about their willingness to share data with

                                                              a potential buyer [emphasis theirs] (and its agents and advisers) in connection with any proposed [emphasis mine] purchase, merger or acquisition of any part of our business [emphasis mine]

                                                              or the fact that they intend to collect any unspecified

                                                              Data necessary for law enforcement, litigation and authorities’ requests (if any)

                                                              suggesting they would, for example, comply with a request to covertly record and share audio grabbed from a target’s laptop’s microphone.