Can someone please tell me what the fuck is going on with licensing
No-one cares about it.
Microsoft is training AI systems to generate proprietary code on open source and unlicensed codebases. Few distributions, toolset builders, etc. even care about licensing (as per this article). Large companies flagrantly violate open source licenses without any consequences.
All of this is exactly why I decided to just stop licensing my software.
Ultimately speaking, I’m never going to have the material circumstances to be able to fight an individual on this matter – nor would I want to. Nor am I going to have the material circumstances to be able to fight a community or a company on this matter. They could easily win the legal battle by attrition and bleed me dry, so it is just not worth it.
I also am not able to explicitly find out how my work is used in proprietary or individually used codebases, and I don’t really wish to bother with making it my life’s work to find out how my life’s work is being used.
So it’s not something I feel is worthy of dedicating time to. A large company can use my work without me knowing and without me having any recourse, an individual can use my work without me knowing and without me having any recourse, so why would I care about giving them permission when they can already do it?
In addition, I as a trans woman believe that the current rise of fascism being a “politically acceptable thing” and the current targeting of trans and queer people by people who feel that it is acceptable, means that we have to push people to feel that “morally good” minor crimes are something that they can do. Something that anyone can do. Something that someone must do for the greater good. If someone “steals” my code for an individual project, then they are a better person for realising that breaking a law does not equal breaking a moral boundary, and hopefully they will feel more able to shelter my kind when the time comes.
With GitHub Copilot, Microsoft has already started doing these “morally good minor crimes”, but I don’t see this grow into a “you can use any code however you like”, but rather into “you can use publicly available code however you like regardless of license, or lack thereof”.
While I agree that “stealing” code for your small project is not a problem, normalizing it means that Microsoft can start doing the same with GPL’ed code. But the reverse won’t happen; using leaked Windows source will always remain a crime, and it will always be viewed by society as a crime, so nobody will be surprised if you get into trouble for doing it; suddenly law applies again because they’re big.
Because of this, I’m not confident that encouraging stealing code is a net-good for anyone but large companies; it will normalize stealing from individuals and small companies, but it won’t normalize stealing code from the most powerful.
Great point. Lawyers will fight your fight for enough $$$, and a crime is only recognised as such if you have the necessary funds to win the court case.
But that’s already the case, as you pointed out. Microsoft is only able to do that because they changed the terms of GitHub. It has nothing to do with copyright itself, and a copyright license – ANY copyright license, is meaningless in the face of that.
Furthermore, as mentioned elsewhere in this comment group, companies en masse are already stealing. So my argument about the lack of effectiveness of a license has borne fruit – is it worth the hard disk it is written on if it is non-enforceable? Why do we bother with this charade when all it is doing is stopping small fish and making honest individuals suddenly fear for the existence of their side project?
What my approach gets me is:
a small social shift among individuals that as it is normalized, will hopefully translate to broader forms of this (internet piracy, etc.)
an assurance that for the companies who have legal departments, no money can be made from my software
for companies that are stealing, there’s no net loss or change except now they cannot justify it to themselves as easily
the possibility of prosecuting Nazis and xenophobe snitches like ICE, and thus the possibility of removing their ability to do work
a small social shift among individuals that as it is normalized, will hopefully translate to broader forms of this (internet piracy, etc.)
Re: internet “piracy,” this is already pretty normalized; most places there’s not really any stigma around just downloading a torrent of some big budget film. At least, not among people who are going to pay any attention to what random FOSS developers are doing.
an assurance that for the companies who have legal departments, no money can be made from my software
I’m confused…. I thought your position was “Screw it, I can’t fight them anyway if they use my stuff and profit, so I’m not going to bother with a license”…. which means money can be made from your software, no? Or did I miss the point?
EDIT: Having read a bit more, I think what you are saying is something like: If I don’t include a license, then Big Corps’ legal depts won’t let them use your code, or at least if they do they have to live with a potential threat of a lawsuit, which, tbh, you won’t bring, but hey, you could, you never know. Whereas individuals can still use it, and while technically they would labor under the same threat, their potential risk is way lower and (wink, wink, nice individuals) you’re definitely not going to ever sue them, but they just gotta trust that by knowing you and understanding why you don’t have a license….
I’ve heard this referred to as “civil disobedience” and it is a wonderful thing. However, I don’t really see how encouraging ignorance and carelessness/disrespect for other people’s wishes is going to be helpful in any way.
In addition, I as a trans woman believe that the current rise of fascism being a “politically acceptable thing” and the current targeting of trans and queer people by people who feel that it is acceptable, means that we have to push people to feel that “morally good” minor crimes are something that they can do. Something that anyone can do.
The trouble there is defining what is “morally good”. If you ask random people on the street, you will sadly find the vast majority of their “morally good” is in violent conflict to your “morally good”.
We both knew this already so I am not sure what point you are making here?
No snark intended and I empathize and support your plight; sorry if I am unable to clearly convey my point.
we have to push people to feel that “morally good” minor crimes are something that they can do. Something that anyone can do
My point was you want some people to do minor crimes concerning your specific definition of “morally good”.
If you write it as you did, as a general sounding rule, any reader of your post on this public forum or of your license file will apply it to themselves and their morals, which statistically is not what you want, since the morals of the majority are conflicting to yours.
If you write it as you did, as a general sounding rule, any reader of your post on this public forum or of your license file will apply it to themselves and their morals, which statistically is not what you want, since the morals of the majority are conflicting to yours.
Well you introduced yourself as a trans woman, which in my mind puts you in a minority in society, one that has been specifically a target of prejudice and discrimination, most of the time in the name of “morality”. For those people that discriminate and hate, “morally good” is specifically an opposite morality than yours.
Of course my understanding is much more limited than yours and based mostly on news and Wikipedia articles [1]. Sorry if I offended in any way, was not my intention. I’m off topic and perhaps I should have not started this whole morality tangent which is at best just nitpicking on a sentence of your otherwise interesting post, and not related to software licensing.
[later edit, added to clarify]: Just so I’m clear, I understand what you mean by morally good, and I’m sure I have the same values as you do. I was simply pointing out how relative “morality” is, and that most humans would not agree with what you (and me, and other readers of this forum) define as “morally good”.
You’re right that “for people that discriminate, ‘morally good’ is an opposite morality to yours”, but up until recently, the majority of people have an attitude that restricts them from committing violent acts in public, because the violent act itself is seen as morally wrong. Most transphobes local to my region simply shout slurs, but if you actually walk up to them, they won’t do shit – and they’re in the broad minority of people.
The truth is, most people simply do not give a shit one way or another about transgender people. The Welsh “anti-trans protest” outside the Senedd had to bus people in from England and Scotland simply to have enough people there to protest, and they were far, far outnumbered by even the number of trans people attending any local event. The majority of TERFs, while holding gross amounts of political power as a group, are aging men (fun fact: despite their spokespeople being women, the majority of TERFs by makeup are men!). Local encounters include slurs, but more often than not it’s just some poor sod who can’t even get the confidence to slur at you, so they just mutter something like “adult human female” as you go by.
Thus the most dangerous thing present for me, at the moment, from my perspective, is the idea of being “legislated out of existence”. The most dangerous presence against trans people in Britain at the moment is the fact that the newly elected Prime Minister is a TERF, and likely to act on those beliefs either through continuing and progressing the gatekeeping around medical support, or just continuing to push trans people into a “minority” role in the same way that immigrants have, and then pushing the Overton window such that violence becomes acceptable towards us.
So my genuine hope is that more people get comfortable with breaking rules that they know are wrong, or just “bypassing” them. In the same way that most people know that a mother stealing bread for her family is “morally correct”, most people know at least on some level, that rules around the existence of trans people are awfully similar to those around gay people in the 1980s, or Jewish people in the 1920s and 30s.
since the morals of the majority are conflicting to yours.
I’m not sure if it’s the case in any specific instance. But in general, if social rules are at least correlated with a majority view, it follows that appealing to any group to break rules is statistically likely to be appealing to a minority.
There are many places on earth that operate without effective collective rule making, which we call “lawless.” Oddly, people don’t flock to these places in pursuit of individual liberty; empirically, that is not the result. While rules often exist to benefit the powerful, the absence of rules unequivocally benefits the powerful.
we have to push people to feel that “morally good” minor crimes are
something that they can do. Something that anyone can do. Something
that someone must do for the greater good. If someone “steals” my code
for an individual project, then they are a better person for realising
that breaking a law does not equal breaking a moral boundary, and
hopefully they will feel more able to shelter my kind when the time
comes.
Beautifully expressed. That nearly brought tears to my eyes for being
so on-point.
(some? all?) Startups care about it. During any funding round or acquisition process, the founders will sign pieces of paper regarding intellectual property and license compliance, which can come with significant (personal) penalties for omission of details or inaccuracy.
Due diligence of transitive dependencies is a complete pain. Software exists to make this easier (for the different software ecosystems) but it is a complete pain.
You have to keep on top of it as you go. You tell the devs to check the license of stuff they pull in and you also need to (periodically) check the transitive dependencies. You can try and build a culture of “tell person X when you pull in a dependency so they can do the legwork”, but it is important to make that async so the devs can crack on. If you find a license landmine, you are only X days of effort lost.
It’s a similar situation to dev’s own work out of hours. Most contracts contain sweeping assignment of copyright to the startup, including software developed out of hours, on their own equipment etc. Those clauses aren’t there to be mean and aggressive, they are there to ensure no nasty surprises surface during due diligence. The places where I have had an influence have issued explicit waivers on request for any side projects which don’t materially overlap with the company’s work. The intent is not to claim the out of hours work of the devs, but to “fail safe” by assigning IP to the company if there is no communication on the subject.
Licensing allows you to specify the conditions where your labor can be used. The default in the United States is you can’t use work that you have not been granted permission to use.
Some people care about using your labor in morally reasonable ways. Publish it under MIT if you don’t care about how this happens.
Honestly it’s just the physics of the situation. It’s why we need to start being more careful about who gets to access what information.
Ideally, it’s like at a party; you tell a secret to someone you’re bonding with, ten minutes later everyone knows.. guess who you don’t trust with a secret anymore? The internet is not like this and it’s a UI/UX problem.
Very few people (most of them here I suppose) are fixing it and I just don’t get why. Even the most selfishly motivated person can see that building valuable stuff will be rewarded with political influence and since in many ways the internet is already the world government then there are many competing visions for how this thing should be structured.
Still, the game theory of it would seem to suggest that the mutual distrust plus the ridiculous resources required to develop software at scale will make the most economical option to agree on a shared platform that everyone thinks is secure (so we can play the governance game without worrying about stupid stuff like computer programs). Especially now that the cryptobubble is all but over.. I would think that the psychopath software engineers should be flocking to the free-est of free software in a bid to be powerful voices on the platform that is fated to win … but it seems no one is ready to shift reference frames just yet and they all work in their silos on slave-ware. I just don’t get it.
Anyone who pays attention to copyright and software licensing will quickly discover that most of the open-source world is totally clueless on the subject, and small businesses are even worse. The only places that consistently get this right are big companies that can pay a small army of IP lawyers to review any dependency on third-party code.
Example 1: Someone on a Slack I visit was asking for advice about their co-worker’s use of https://gitlab.com/kokizzu/gokil, which is written in what could be called “non-idiomatic” Go. I brought up that besides the code style issues, that library had no license and it would therefore be inadvisable for this company to be building their product on it. Their response was:
it’s not like we have IP lawyers who are going to enforce a clean-room rewrite or anything
I’d rather remove it on its merits, than on a technicality.
Example 2: Last week the project Objective Smalltalk was posted on HN (comments). One poster noted that the code was not open source:
Not sure why you think the presence of copyright makes something [ed: not] open-source. All open-source licenses depend on copyright, otherwise the code would be in the public domain.
Anyway, to this post’s question of “Can someone please tell me what the fuck is going on with licensing because I am losing my goddamn mind” – it’s not you, it’s them. They’ve internalized the YouTube meme of “no copyright intended”. The only thing you can do about it is write tooling to discover this stuff automatically, and try to contribute to projects like Debian that will at least take a copyright bug report seriously.
Your second callout is wrong. The chap you quote has a good point: copyright and licensing are not the same thing. They are interrelated but not the same. In order to define the license for something you have to be the copyright holder in the first place.
Taking a picture vs. looking at something with your eye is (in my opinion) a difference with regards to copyright - at least in Germany. I do not know about France. § 15 UrhG says that the author has the sole permission to create copies; § 16 UrhG defines a copy as a transfer of the work to a medium that is designed to replay the work.
When you take a picture of a work you transfer it to a medium that is designed to replay it, e.g. on a computer.
§ 15 lists different rights that only the author has (he can transfer them to someone else, e.g. selling these permissions): copying, distributing, exhibiting, publishing, broadcasting, and some more. Publishing is only one of many rights.
Copying, though, in Germany usually has an exception clause for private use. So, for private use it is usually allowed, which in effect would make your statement true in Germany (again, I do not know about France). But I think I read that it’s the same with the Eiffel tower illumination: For private use you are allowed to photograph it.
There are also other related exceptions. I think again in Germany, we have the exception that everything that is permanently visible from the street can be freely photographed and even distributed and published (Freedom of panorama). France seems to also have this exception in some form since 2016, but seemingly the illumination is not covered by it. I think in Germany freedom of panorama was heavily discussed for some temporary arts installations like the Wrapped Reichstag by Christo.
All in all, copyright is a very interesting topic :-)
This is what the official website says: “The Eiffel Tower’s lighting and sparkling lights are protected by copyright, so professional use of images of the Eiffel Tower at night require prior authorization and may be subject to a fee. Professionals should therefore contact the Eiffel Tower’s management company to learn about conditions for using the images depending on the case.” [source]
Pretty weird, IMHO. No idea if it’s been tried in court though.
The license issue is a little exaggerated.
I never imagined anyone would find use for that code.
And two years ago, the original issue was plainly lost in a never-ending stream of notifications.
By contacting me directly using my profile’s email address, the problem could be easily resolved.
personally i would have felt just the opposite - that it would be rude of me to harry the author over email when they had not addressed a request via github bug report.
Mmmm, seems I didn’t do my due diligence on tea for Nixpkgs (maintainer here). Any idea of what is the proper way going forward? Fixing the license upstream to proprietary or removing the package?
I assumed that hydra wouldn’t publish the proprietary binaries in the NixOS cache. If it does, then… they have problems. (publishing just the “how to build” instructions for any license is fine)
Sigh, I keep running into that one from time to time. The annoying part is that it really is your responsibility as a maintainer. Even if I raise an issue (https://github.com/RJVB/afsctool/issues/56) responding that yeah it’s my code and it’s fine to use is not enough and won’t get past the legal team. So as a maintainer I have to have the “what would my past Corp employer’s legal say about it” approach to be safe…
Arch doesn’t have that great policies. I don’t think we have anything explicitly written down except for how we should include the relevant license in the package. Usually we just list and include the top-level dependency as you would with dynamically built packages. For statically built packages this doesn’t really hold up. But at the same time I think traversing the licenses of dependencies is going to put you as a downstream distributor in an awkward spot because few, if any, developers check for license incompatibilities before pulling new dependencies.
When was the last time you thought about this issue before you pulled a new dependency? I personally never do this and I package this stuff :)
Ensuring we have SPDX License Identifiers, or support Expression, would come a long way keeping these things more manageable for Arch. But generally this entire issue boils down to the fact that people usually don’t care this much about licenses.
But at the same time I think traversing the licenses of dependencies is going to put you as a downstream distributor in an awkward spot because few, if any, developers check for license incompatibilities before pulling new dependencies.
Which puts the distribution as a whole under risk, e.g., as someone could bring the mirrors down for distributing “illegal” packages. Modern programming language ecosystems make it easy to vet the licenses, including the transitive ones in case of static-linked only languages, by providing tools like go-license (I believe a similar tool exists for Rust too). There is really no excuse to “just state the top-level license” here. And there is, for statically linked binaries, no other option to listing all licenses. It is pretty simple actually.
Modern programming language ecosystems make it easy to vet the licenses, including the transitive ones in case of static-linked only languages, by providing tools like go-license (I believe a similar tool exists for Rust too). There is really no excuse to “just state the top-level license” here. And there is, for statically linked binaries, no other option to listing all licenses. It is pretty simple actually.
It’s not really that simple as I tried to illustrate. Arch isn’t capable of listing licenses correctly nor specific enough so adding more nonsense license identifiers isn’t really going to help the situation.
EDIT:
I also see burntsushi is pointing out how the automated tools can’t be trusted. So I don’t think this solution is automagically solved by including ecosystem specific tooling to the problem.
Most automated tools are not 100% correct. But they, especially in this case, provide a good starting point to take a step in the right direction. Which seems important if you are currently standing on a field which is labelled “declare incomplete licensing information that may get you into legal trouble.”
Arch isn’t capable of listing licenses correctly
That sounds like a serious problem for arch.
….nor specific enough so adding more nonsense license identifiers isn’t really going to help the situation.
Nobody is suggesting to add nonsense license identifiers. But you should state the correct licensing information.
Arch isn’t capable of listing licenses correctly nor specific enough
Can you elaborate on this? The license variable is an array, so you can list out all licenses which apply, or use ‘custom’ and put the applicable licenses in /usr/share/licenses/$pkgname/. The only scenario I can think of where this wouldn’t apply would be dual-licensed software (OR instead of AND).
Can you elaborate on this? The license variable is an array, so you can list out all licenses which apply, or use ‘custom’ and put the applicable licenses in /usr/share/licenses/$pkgname/.
Which is not being followed nor checked to any large degree. The BSD 2 Clause license can be listed as any form of BSD, custom:BSD, BSD2, custom:BSD-2-clause (and so on). Which is… confusing and not great.
And that is because what you should use for license identifier when the license is not part of the common license package isn’t specified nor clarified by anyone.
The only scenario I can think of where this wouldn’t apply would be dual-licensed software (OR instead of AND).
That is why I want support for SPDX License expressions :)
OK, so when you say “support” you mean… tooling? You can use SPDX identifiers right now. I’m guessing namcap would complain, but is that it? Given the variety of ways packages specify their license, presumably nothing can depend on the exact format right now. Do you have something in mind which would depend on the format?
We have a licenses package we need to adapt, and we need to decide if the format is spdx:GPL-3.0-or-later, or implicit in the string. We also need to decide if and how we are supposed to support SPDX license expressions. All of this mostly boils down to an RFC and figure out if we need to improve the pacman support for more complicated license fields.
I think both me and Allan have written up a half-way draft on this really :p Me with mockups for expressions and Allan with only identifiers.
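The license-field problems discussed in the comments above (several spellings for one BSD license, and an array that can say AND but not OR), shown as an added example that is not part of the thread and is not Arch or pacman code. The function names, the sample package names and the small identifier table are assumptions made for illustration; array entries are joined with AND, as the comments describe.

```python
import re

# Subset of real SPDX identifiers, enough for the constructed samples below.
SPDX_IDS = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
            "GPL-2.0-or-later", "GPL-3.0-or-later"}

# Spellings the thread lists for the BSD 2-Clause license. Two of them name a
# clause count and can be rewritten; "BSD" and "custom:BSD" cannot.
ALIASES = {"bsd2": "BSD-2-Clause", "custom:bsd-2-clause": "BSD-2-Clause"}
AMBIGUOUS = {"bsd", "custom:bsd"}

TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.:+-]+)")


def classify(entry):
    """Return (status, spdx_id_or_None) for one license string."""
    key = entry.lower()
    for spdx in SPDX_IDS:
        if key == spdx.lower():
            return ("ok" if entry == spdx else "alias", spdx)
    if key in ALIASES:
        return "alias", ALIASES[key]
    if key in AMBIGUOUS:
        return "ambiguous", None
    return "unknown", None


def tokenize(expr):
    """Split an expression into identifiers, operators and parentheses."""
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos} in {expr!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def parse_expression(expr):
    """Parse identifiers, AND, OR and parentheses into nested tuples.
    AND binds tighter than OR, as in SPDX license expressions."""
    tokens = tokenize(expr)

    def atom(i):
        if i >= len(tokens):
            raise ValueError("unexpected end of expression")
        if tokens[i] == "(":
            node, i = either(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing ')'")
            return node, i + 1
        status, spdx = classify(tokens[i])
        if status != "ok":  # expressions must use canonical identifiers
            raise ValueError(f"{tokens[i]!r} is not canonical ({status})")
        return spdx, i + 1

    def chain(i, op, operand):
        node, i = operand(i)
        items = [node]
        while i < len(tokens) and tokens[i] == op:
            node, i = operand(i + 1)
            items.append(node)
        return (items[0] if len(items) == 1 else (op, *items)), i

    def both(i):
        return chain(i, "AND", atom)

    def either(i):
        return chain(i, "OR", both)

    node, i = either(0)
    if i != len(tokens):
        raise ValueError(f"unexpected token {tokens[i]!r}")
    return node


def audit(pkgname, licenses):
    """Check a PKGBUILD-style license array.
    Returns (findings, expression); expression is None if anything is unresolved."""
    if not licenses:
        return [f"{pkgname}: no license declared"], None
    findings, ids = [], []
    for entry in licenses:
        status, spdx = classify(entry)
        if status == "alias":
            findings.append(f"{pkgname}: rewrite {entry!r} as {spdx!r}")
        elif status != "ok":
            findings.append(f"{pkgname}: {entry!r} is {status}, "
                            "check the upstream license text")
        if spdx:
            ids.append(spdx)
    resolved = len(ids) == len(licenses)
    return findings, " AND ".join(ids) if resolved else None


# Constructed sample data, not taken from any real repository.
SAMPLE_PACKAGES = {
    "pkg-a": ["MIT"],
    "pkg-b": ["BSD2", "MIT"],
    "pkg-c": ["custom:BSD"],
    "pkg-d": [],
}

if __name__ == "__main__":
    for name, field in SAMPLE_PACKAGES.items():
        findings, expression = audit(name, field)
        print(name, "->", expression, findings)
    # A dual-licensed package needs OR, which the plain array cannot express.
    print(parse_expression("MIT OR (BSD-2-Clause AND Apache-2.0)"))
```
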
I’m not sure I’d consider this “illegal”, but I also am not a lawyer.
Distributing a binary that incorporates object code derived from source code that isn’t licensed to permit that distribution is clearly illegal. It violates copyright law in the same way as hosting (for example) a pirated copy of Photoshop. It might also be a crime, depending on the jurisdiction and the facts of the situation.
I’m also not a lawyer, but none of this stuff is magic. If someone can read an API reference manual they can read a statute. Lawyers are mostly useful for when (1) you’re going to be doing something that might be illegal and you want to be very careful about what is or isn’t allowed, or (2) someone is accusing you of having done something illegal and you’d prefer that the judge/jury disagree with them.
Sadly that bit about statutes is only partly true. Precedent plays an important role in common law, which in practice results in a very tangled web of implicit dependencies. As in: important considerations are not specified in the statute anywhere; you need to be familiar with that entire body of law and its history. :(
That’s generally only if you want to get close to the edge of what the law allows, or get a definitive(-ish) answer to an ambiguous case.
Let’s say it’s currently 2015, and you’ve recorded a cover of a song whose author passed away in 1946. Is it legal for you to distribute that recording? The statute says it’s not currently legal, because that song won’t enter the public domain until January 1st 2017 (author’s year of death + 70 years).
But if I ask about the specific song “Happy Birthday” and the date is December 3rd 2015, then the answer is “yes it’s legal”, due to the ruling in Marya v. Warner/Chappell.
The law provides the defaults, and precedents provide special-cased overrides, but those special cases only end up being argued in court because they’re weird. You don’t need to study the case law and keep up-to-date with rulings to stay within the bounds of the statute, you only need that if you want to go beyond what the statute says, and still be OK.
I’m also not a lawyer, but none of this stuff is magic.
Yes, which is why saying this is “illegal” is silly. No one will ever be convicted of accidentally mislicensing a free product. There’s no actual legal liability here. It’s just people getting mad about stuff that doesn’t matter.
The author’s use of the term illegal seems to be solely reserved for the distribution of the unlicensed library. That code is surely not copyrighted as well. That doesn’t meet what I consider to be a clear violation of the law. This seems to be a grey area to me.
I agree we don’t need lawyers to read the statutes. Where lawyers help a lot is that they know more of the statutes and the established rulings around them. There is a lot of precedent in the decision of what is illegal, as another comment points out.
The author’s use of the term illegal seems to be solely reserved for the distribution of the unlicensed library. That code is surely not copyrighted as well.
Creative works written by individuals are copyrighted by default, and distribution requires permission from the copyright holder. It’s a “default deny” model.
I think you’re interpreting “illegal” as “likely to be punished by the legal system”, which is not what it means.
If I were to write a big post about some widget and post it on my blog for free, then someone re-hosting it on their own site would be committing copyright infringement. The same would be true even if I posted it on Github instead of my blog. The act of distributing my copyrighted work without permission would be illegal, regardless of whether I was charging money for it, or had registered it with the US copyright office.
Consider an author in Europe, who has just published their first book. If someone in the USA bought it, scanned it, and posted it online, that would be illegal even if the author had never stepped foot in the USA and had never even heard of copyright.gov. Again, the model is “default deny”. If someone doesn’t have permission (such as via an open-source license, or Creative Commons, etc) then distribution is illegal.
No, I’m interpreting illegal exactly as you do. I’m also claiming that the author’s use of it in this case is a bit hyperbolic and over the top.
Illegal doesn’t mean much if it’s not enforceable nor enforced. Worrying about something being illegal that can’t be enforced is not worth the effort in my opinion.
My non-lawtalker understanding is that copyright violation is a civil issue not a criminal one, so while possibly actionable, I would hesitate to say infringement is illegal per se. (IANAL but I’ve read techdirt daily for a couple of decades now.)
If someone deliberately posts their code unlicensed to Github, I find it pretty hard to believe that any court in the US is going to enforce a copyright claim later because the normal assumption is that by posting it in public, you’re waiving your rights. It’s like leaving stuff on the curb in front of your house: yeah technically you should sign some document saying that you’re giving up possession, and there are cases of people ganking something from a curb that wasn’t intended to be ganked, but it’s hard to imagine making a successful lawsuit about an honest mistake.
The bit about “static linking” is also very dumb. If someone changed Go to build as a series of DLLs instead of a single binary, suddenly the licensing situation would be totally different, lol. Who cares? Static vs dynamic linking is just a proxy for code-you-happen-to-use vs code-core-to-the-product, and in Go, it’s a poor proxy because everything is static.
because the normal assumption is that by posting it in public, you’re waiving your rights
That’s really not how copyright works. And lost legal cases of “The image was posted online, I thought I could use it” aplenty.
suddenly the licensing situation would be totally different, lol.
Not really? What would change is that the executable without the dependency would be differently licensed, but for the complete package nothing changes (and thus the first part doesn’t matter all that much, what good is an executable without a required dependency).
And lost legal cases of “The image was posted online, I thought I could use it” aplenty.
That’s totally different from code. If you post a picture, the assumption is that you retain your copyright because that’s how all of photography as a business works. People have to look at pictures for them to have value.
If you post your code to a site that exists to share code and accidentally a license, then the good faith interpretation is that you meant it to be public domain but forgot or didn’t bother to explicitly license it. You have to put a photo online to use the photo. You only put code online so you can give it away. There’s no other reason to upload it publicly.
It’s like someone driving away with an unlocked car on your curb. You can’t drive away with a car even if it’s unlocked because it’s a car, and this is even though it would be totally legitimate to haul off a TV or whatever.
I believe that your interpretation is wrong. Unless you know what license the author intends, you have no way to use it safely. There are plenty of reasonable reasons to put a piece of code public without “giving it away” or “putting it in the public domain” (which isn’t actually possible in many places of the world). They may, for example, have in mind a “shared source” sort of thing where the source is available for study but not anything else.
Because why else would they have uploaded it in the first place?
Maybe they’re too cheap to get private git hosting. Maybe they wanted to publish it for educational reasons. Maybe so they can link to it from their resume.
You could argue the same that people only put photos on Flickr to give them away, that doesn’t make it any more true. If Github wanted to be a purely “give code away for others to use” site, they’d require you to license it.
It really depends on your usage. You could likely easily get away with that for some hobby project. But once you start a company that distributes software relying on other libraries and one of them is “i guess public, i hope”, the risk of getting it wrong just doesn’t make sense. Especially once you start earning serious amounts and may be sued for damages.
Sure. This is why Google kicked all packages without licenses off of the Go online documentation viewer. But people are getting really carried away in this case. It’s obvious that the point of uploading go-diff to Github was to give it away. It turned out that when contacted, the author added an MIT license. Did we really all need to freak out about something that had essentially $0 in liability implications?
> Did we really all need to freak out about something that had essentially $0 in liability implications?
It’s not just about this particular package, but about the fact that so many distros “illegally” packaged it without thinking. This points to a systemic issue.
I think the static linking comes down to the conflict with the policies of the distributions. They’re in a bind for sure, if they want to follow the letter of the law.
In the Debian ecosystem the Go model also conflicts with their packaging policies themselves. Debian goes to great lengths creating packages for every individual Go library, before a binary can be built using Go. They effectively ignore and break the modules system in order to shoehorn Go applications into a system built for dynamically linked applications.
I was just pondering this the other day, as I was deciding what to put for org.opencontainers.image.license for a Go app that I was building a container for. Now I need to run golicense and see what it says about all the dependencies.
This program is illegally packaged by N distributions
While this is about copyright, it’s hardly impressive if you think about patents.
Consider that for example in order to use h.264 (the video format), you’re supposed to have a permission to use its patents. The thing about patents, as opposed to copyright, is that this obligation applies to absolutely any implementation of it, actually any copy of an implementation of it! But fear not, MPEG LA is pretty fair, reasonable and non-discriminatory about licensing – you can buy a license for just 0.1 USD. It’s just that nobody does that when they type apt install vlc. You might say that the licensing model is incompatible with the open source ecosystem.
At least, most distros don’t distribute these things in their normal repositories, but that just shifts the responsibility to other repositories. I don’t actually know if the distributor or recipient is the responsible part here (the sure thing is that the patent is infringed at the moment when a “method and apparatus” does the patented thing). And before someone points out that software patents are disallowed in EU: They are never software patents, because they always make sure to put a computer in there, and they aren’t disallowed – I have seen pages and pages of listings of what you would call software patents in EU member countries.
The good thing about h.264, though, is that most of its patents will expire next year (in WTO countries). But it’s far from the last royalty bearing format. It has even become extremely hard to come up with new video formats that don’t do anything already patented.
Maybe a silly question (or hot take) but… do these situations actually matter in the real world? In other words, outside of theoretical legalities and philosophical debates, are there any recent real-world examples of small, non-profit, non-corporate lawsuits due to an individual not respecting another individual’s license?
Sort of. It’s like the story of Van Halen’s brown M&Ms – if the distribution is including code they clearly aren’t allowed to, then where else have they messed up?
Older hackers have memories of lawsuits in which a corporate entity claims its code was included in an open-source project without permission, especially:
It would be bad if (for example) some person published their company’s source code on Github[0][1], then it got used in an open-source package which was then distributed by Arch or Debian. If the company was something like Oracle or Disney, with an aggressive IP enforcement policy, it might be a disaster.
Busybox especially had multiple legal conflicts with companies distributing it while ignoring the license.
Also, serious large corps do have legal teams making sure the right licenses are used. I had to validate a bom/license spreadsheet like that at HP in the past.
Whether these situations matter is debatable. It’s easier to file a bug report and/or write up a nasty piece that could affect someone’s reputation to get them to comply than going the (expensive!) route of hiring a lawyer to get a court to say “yes, they should put up a copyright notice”. Even in those situations, a lawyer is more likely to first send an imposing letter to the infringer to get them to comply before actually going to court. And who is willing to go to court over something as trivial as this, especially if they know they’re in the wrong?
Only companies who are making a profit and don’t want to reveal their “trade secrets” (ie shitty code patches) would go that far. That’s why gpl-violations.org is (or used to be) a thing - so even FOSS people without the private means to do so can still sue companies into compliance.
No-one cares about it.
Microsoft is training AI systems to generate proprietary code on open source and unlicensed codebases. Few distributions, toolset builders, etc. even care about licensing (as per this article). Large companies flagrantly violate open source licenses without any consequences.
All of this is exactly why I decided to just stop licensing my software.
Ultimately speaking, I’m never going to have the material circumstances to be able to fight an individual on this matter – nor would I want to. Nor am I going to have the material circumstances to be able to fight a community or a company on this matter. They could easily win the legal battle by attrition and bleed me dry, so it is just not worth it.
I also am not able to explicitly find out how my work is used in proprietary or individually used codebases, and I don’t really wish to bother with making it my life’s work to find out how my life’s work is being used.
So it’s not something I feel is worthy of dedicating time to. A large company can use my work without me knowing and without me having any recourse, an individual can use my work without me knowing and without me having any recourse, so why would I care about giving them permission when they can already do it?
In addition, I as a trans woman believe that the current rise of fascism being a “politically acceptable thing” and the current targeting of trans and queer people by people who feel that it is acceptable, means that we have to push people to feel that “morally good” minor crimes are something that they can do. Something that anyone can do. Something that someone must do for the greater good. If someone “steals” my code for an individual project, then they are a better person for realising that breaking a law does not equal breaking a moral boundary, and hopefully they will feel more able to shelter my kind when the time comes.
With GitHub CoPilot, Microsoft has already started doing these “morally good minor crimes”, but I don’t see this grow into a “you can use any code however you like”, but rather into “you can use publicly available code however you like regardless of license, or lack thereof”.
While I agree that “stealing” code for your small project is not a problem, normalizing it means that Microsoft can start doing the same with GPL’ed code. But the reverse won’t happen; using leaked Windows source will always remain a crime, and it will always be viewed by society as a crime, so nobody will be surprised if you get into trouble for doing it; suddenly law applies again because they’re big.
Because of this, I’m not confident that encouraging stealing code is a net-good for anyone but large companies; it will normalize stealing from individuals and small companies, but it won’t normalize stealing code from the most powerful.
Great point. Lawyers will fight your fight for enough $$$, and a crime is only recognised as such if you have the necessary funds to win the court case.
But that’s already the case, as you pointed out. Microsoft is only able to do that because they changed the terms of GitHub. It has nothing to do with copyright itself, and a copyright license – ANY copyright license, is meaningless in the face of that.
Furthermore, as mentioned elsewhere in this comment group, companies en masse are already stealing. So my argument about the lack of effectiveness of a license has borne fruit – is it worth the hard disk it is written on if it is non-enforceable? Why do we bother with this charade when all it is doing is stopping small fish and making honest individuals suddenly fear for the existence of their side project?
What my approach gets me is:
a small social shift among individuals that as it is normalized, will hopefully translate to broader forms of this (internet piracy, etc.)
an assurance that for the companies who have legal departments, no money can be made from my software
for companies that are stealing, there’s no net loss or change except now they cannot justify it to themselves as easily
the possibility of prosecuting Nazis and xenophobe snitches like ICE, and thus the possibility of removing their ability to do work
Re: internet “piracy,” this is already pretty normalized; most places there’s not really any stigma around just downloading a torrent of some big budget film. At least, not among people who are going to pay any attention to what random FOSS developers are doing.
I’m confused…. I thought your position was “Screw it, I can’t fight them anyway if they use my stuff and profit, so I’m not going to bother with a license”…. which means money can be made from your software, no? Or did I miss the point?
EDIT: Having read a bit more, I think what you are saying is something like: If I don’t include a license, then Big Corps’ legal depts won’t let them use your code, or at least if they do they have to live with a potential threat of a lawsuit, which, tbh, you won’t bring, but hey, you could, you never know. Whereas individuals can still use it, and while technically they would labor under the same threat, their potential risk is way lower and (wink, wink, nice individuals) you’re definitely not going to ever sue them, but they just gotta trust that by knowing you and understanding why you don’t have license….
Did I get it right?
Yup!
https://asternova.top/LICENSE.txt
I as an individual could not use this.
Then it’s working as intended! Congrats on the naziism/xenophobia/racism!
I’ve heard this referred to as “civil disobedience” and it is a wonderful thing. However, I don’t really see how encouraging ignorance and carelessness/disrespect for other people’s wishes is going to be helpful in any way.
The trouble there is defining what is “morally good”. If you ask random people on the street, you will sadly find the vast majority of their “morally good” is in violent conflict to your “morally good”.
We both knew this already so I am not sure what point you are making here?
Yes, this is the danger of any and all participatory action in society. Doesn’t mean we shouldn’t try though.
Hell I even wrote a license file for it:
https://asternova.top/LICENSE.txt
No snark intended and I empathize and support your plight; sorry if I am unable to clearly convey my point.
My point was you want some people to do minor crimes concerning your specific definition of “morally good”.
If you write it as you did, as a general sounding rule, any reader of your post on this public forum or of your license file will apply it to themselves and their morals, which statistically is not what you want, since the morals of the majority are conflicting to yours.
Are they?
Well you introduced yourself as a trans woman, which in my mind puts you in a minority in society, one that has been specifically a target of prejudice and discrimination, most of the time in the name of “morality”. For those people that discriminate and hate, “morally good” is specifically an opposite morality than yours.
Of course my understanding is much more limited than yours and based mostly on news and wikipedia articles [1]. Sorry if I offended in any way, was not my intention. I’m off topic and perhaps I should have not started this whole morality tangent which is at best just nitpicking on a sentence of your otherwise interesting post, and not related to software licensing.
Mea culpa.
[1] https://en.wikipedia.org/wiki/Transphobia
[later edit, added to clarify]: Just so I’m clear, I understand what you mean by morally good, and I’m sure I have the same values as you do. I was simply pointing out how relative “morality” is, and that most humans would not agree with what you (and me, and other readers of this forum) define as “morally good”.
You’re right that “for people that discriminate, ‘morally good’ is an opposite morality to yours”, but up until recently, the majority of people have an attitude that restricts them from committing violent acts in public, because the violent act itself is seen as morally wrong. Most transphobes local to my region simply shout slurs, but if you actually walk up to them, they won’t do shit – and they’re in the broad minority of people.
The truth is, most people simply do not give a shit one way or another about transgender people. The Welsh “anti-trans protest” outside the Senedd had to bus people in from England and Scotland simply to have enough people there to protest, and they were far, far outnumbered by even the number of trans people attending any local event. The majority of TERFs, while holding gross amounts of political power as a group, are aging men (fun fact: despite their spokespeople being women, the majority of TERFs by makeup are men!). Local encounters include slurs, but more often than not it’s just some poor sod who can’t even get the confidence to slur at you, so they just mutter something like “adult human female” as you go by.
Thus the most dangerous thing present for me, at the moment, from my perspective, is the idea of being “legislated out of existence”. The most dangerous presence against trans people in Britain at the moment is the fact that the newly elected Prime Minister is a TERF, and likely to act on those beliefs either through continuing and progressing the gatekeeping around medical support, or just continuing to push trans people into a “minority” role in the same way that immigrants have, and then pushing the overton window such that violence becomes acceptable towards us.
So my genuine hope is that more people get comfortable with breaking rules that they know are wrong, or just “bypassing” them. In the same way that most people know that a mother stealing bread for her family is “morally correct”, most people know at least on some level, that rules around the existence of trans people are awfully similar to those around gay people in the 1980s, or Jewish people in the 1920s and 30s.
I’m not sure if it’s the case in any specific instance. But in general, if social rules are at least correlated with a majority view, it follows that appealing to any group to break rules is statistically likely to be appealing to a minority.
There are many places on earth that operate without effective collective rule making, which we call “lawless.” Oddly, people don’t flock to these places in pursuit of individual liberty; empirically, that is not the result. While rules often exist to benefit the powerful, the absence of rules unequivocally benefits the powerful.
Beautifully expressed. That nearly brought tears to my eyes for being so on-point.
(some? all?) Startups care about it. During any funding round or acquisition process, the founders will sign pieces of paper regarding intellectual property and license compliance, which can come with significant (personal) penalties for omission of details or inaccuracy.
Due diligence of transitive dependencies is a complete pain. Software exists to make this easier (for the different software ecosystems) but it is a complete pain.
You have to keep on top of it as you go. You tell the devs to check the license of stuff they pull in and you also need to (periodically) check the transitive dependencies. You can try and build a culture of “tell person X when you pull in a dependency so they can do the legwork”, but it is important to make that async so the devs can crack on. If you find a license landmine, you are only X days of effort lost.
It’s a similar situation to devs’ own work out of hours. Most contracts contain sweeping assignment of copyright to the startup, including software developed out of hours, on their own equipment etc. Those clauses aren’t there to be mean and aggressive, they are there to ensure no nasty surprises surface during due diligence. The places where I have had an influence have issued explicit waivers on request for any side projects which don’t materially overlap with the company’s work. The intent is not to claim the out of hours work of the devs, but to “fail safe” by assigning IP to the company if there is no communication on the subject.
Yes! Licensing is some capitalist bullshit that just makes it harder to produce software. It serves no purpose.
If you don’t want your code shared don’t share it.
In my humble opinion.
Licensing allows you to specify the conditions where your labor can be used. The default in the United States is you can’t use work that you have not been granted permission to use.
Some people care about using your labor in morally reasonable ways. Publish it under MIT if you don’t care about how this happens.
Honestly it’s just the physics of the situation. It’s why we need to start being more careful about who gets to access what information.
Ideally, it’s like at a party; you tell a secret to someone you’re bonding with, ten minutes later everyone knows.. guess who you don’t trust with a secret anymore? The internet is not like this and it’s a UI/UX problem.
Very few people (most of them here I suppose) are fixing it and I just don’t get why. Even the most selfishly motivated person can see that building valuable stuff will be rewarded with political influence and since in many ways the internet is already the world government then there are many competing visions for how this thing should be structured.
Still, the game theory of it would seem to suggest that the mutual distrust plus the ridiculous resources required to develop software at scale will make the most economical option to agree on a shared platform that everyone thinks is secure (so we can play the governance game without worrying about stupid stuff like computer programs). Especially now that the cryptobubble is all but over.. I would think that the psychopath software engineers should be flocking to the free-est of free software in a bid to be powerful voices on the platform that is fated to win … but it seems no one is ready to shift reference frames just yet and they all work in their silos on slave-ware. I just don’t get it.
Anyone who pays attention to copyright and software licensing will quickly discover that most of the open-source world is totally clueless on the subject, and small businesses are even worse. The only places that consistently get this right are big companies that can pay a small army of IP lawyers to review any dependency on third-party code.
Example 1: Someone on a Slack I visit was asking for advice about their co-worker’s use of https://gitlab.com/kokizzu/gokil, which is written in what could be called “non-idiomatic” Go. I brought up that besides the code style issues, that library had no license and it would therefore be inadvisable for this company to be building their product on it. Their response was:
Example 2: Last week the project Objective Smalltalk was posted on HN (comments). One poster noted that the code was not open source:
The author of the project replied:
Anyway, to this post’s question of “Can someone please tell me what the fuck is going on with licensing because I am losing my goddamn mind” – it’s not you, it’s them. They’ve internalized the YouTube meme of “no copyright intended”. The only thing you can do about it is write tooling to discover this stuff automatically, and try to contribute to projects like Debian that will at least take a copyright bug report seriously.
Your second callout is wrong. The chap you quote has a good point: copyright and licensing are not the same thing. They are interrelated but not the same. In order to define the license for something you have to be the copyright holder in the first place.
This is the same mistake as mpweiher made. The problem is not the copyright notice, it’s the “all rights reserved” written afterward.
Okay fair enough. It wasn’t clear what part you were criticizing but yes that last phrase is more about licensing than copyright. I stand corrected.
(and as far as I can tell not even a “all code here licensed under XYZ” statement elsewhere, unless I missed it?)
law enforcement is as clueless: Paris cops tell tourists it’s forbidden to take photos of the Eiffel tower due to copyright (e.g. during events).
Taking the picture is what your eyes do, too – you just may not make it publicly available.
Taking a picture vs. looking at something with your eye is (in my opinion) a difference with regards to copyright - at least in Germany. I do not know about France. § 15 UrhG says that the author has the sole permission to create copies; § 16 UrhG defines a copy as a transfer of the work to a medium that is designed to replay the work.
When you take a picture of a work you transfer it to a medium that is designed to replay it, e.g. on a computer.
§ 15 lists different rights that only the author has (he can transfer them to someone else, e.g. selling these permissions): copying, distributing, exhibiting, publishing, broadcasting, and some more. Publishing is only one of many rights.
Copying, though, in Germany usually has an exception clause for private use. So, for private use it is usually allowed, which in effect would make your statement true in Germany (again, I do not know about France). But I think I read that it’s the same with the Eiffel tower illumination: For private use you are allowed to photograph it.
There are also other related exceptions. I think again in Germany, we have the exception that everything that is permanently visible from the street can be freely photographed and even distributed and published (Freedom of panorama). France seems to also have this exception in some form since 2016, but seemingly the illumination is not covered by it. I think in Germany freedom of panorama was heavily discussed for some temporary arts installations like the Wrapped Reichstag by Christo.
All in all, copyright is a very interesting topic :-)
interesting indeed, §15, Abs 1, Satz 1 UrhG [1] says “Der Urheber hat das ausschließliche Recht, sein Werk in körperlicher Form …” – physical form!
And according to §21 a non-physical reproduction is ok for private use.
[1] https://www.gesetze-im-internet.de/urhg/
Your mention of the Eiffel tower made me curious.
This is what the official website says: “The Eiffel Tower’s lighting and sparkling lights are protected by copyright, so professional use of images of the Eiffel Tower at night require prior authorization and may be subject to a fee. Professionals should therefore contact the Eiffel Tower’s management company to learn about conditions for using the images depending on the case.” [source]
Pretty weird, IMHO. No idea if it’s been tried in court though.
IMO the “professional use” is the important part.
Indeed – good point. Would still be interesting to know if this reasoning would hold up in court.
The saying goes “In court and on the high seas, you are in God’s hands.”
Looks like a license was added to godiff in response to this.
interestingly, the author says
personally i would have felt just the opposite - that it would be rude of me to harry the author over email when they had not addressed a request via github bug report.
Mmmm, seems I didn’t do my due diligence on tea for Nixpkgs (maintainer here). Any idea of what is the proper way going forward? Fixing the license upstream to proprietary or removing the package?
Nix accepts nonfree licenses so you should be fine changing it to proprietary… and possibly all downstream ones too :-(
You don’t even know if you have permission to redistribute. No license means all rights reserved.
I assumed that hydra wouldn’t publish the proprietary binaries in the NixOS cache. If it does, then… they have problems. (publishing just the “how to build” instructions for any license is fine)
Hydra does not build packages marked with an unfree or non-redistributable license.
Thank you. I was fairly sure that’s the case, but went to check and couldn’t find anything spelling it out.
If it makes you feel better, it’s not just you. It’s everyone. Distribution package managers cope horribly with the GitHub pandora’s box.
Everyone minus Gentoo it seems 😉
Sigh, I keep running into that one from time to time. The annoying part is that it really is your responsibility as a maintainer. Even if I raise an issue (https://github.com/RJVB/afsctool/issues/56) responding that yeah it’s my code and it’s fine to use is not enough and won’t get past the legal team. So as a maintainer I have to have the “what would my past Corp employer’s legal say about it” approach to be safe…
Funny that a package I maintain is listed… :)
But yes, Licensing Is Hard™.
Arch doesn’t have that great policies. I don’t think we have anything explicitly written down except for how we should include the relevant license in the package. Usually we just list and include the top-level dependency as you would with dynamically built packages. For statically built packages this doesn’t really hold up. But at the same time I think traversing the licenses of dependencies is going to put you as a downstream distributor in an awkward spot because few, if any, developers check for license incompatibilities before pulling new dependencies.
When was the last time you thought about this issue before you pulled a new dependency? I personally never do this and I package this stuff :)
Ensuring we have SPDX License Identifiers, or support Expression, would go a long way toward keeping these things more manageable for Arch. But generally this entire issue boils down to the fact that people usually don’t care this much about licenses.
Which puts the distribution as a whole at risk, e.g., as someone could bring the mirrors down for distributing “illegal” packages. Modern programming language ecosystems make it easy to vet the licenses, including the transitive ones in case of static-linked only languages, by providing tools like go-license (I believe a similar tool exists for Rust too). There is really no excuse to “just state the top-level license” here. And there is, for statically linked binaries, no other option to listing all licenses. It is pretty simple actually.
It’s not really that simple as I tried to illustrate. Arch isn’t capable of listing licenses correctly nor specific enough so adding more nonsense license identifiers isn’t really going to help the situation.
EDIT: I also see burntsushi is pointing out how the automated tools can’t be trusted. So I don’t think this solution is automagically solved by including ecosystem specific tooling to the problem.
https://news.ycombinator.com/item?id=32546791
Eventually this problem boils down to the entire “Software Bill of Materials” issue people have been working on the past couple of years.
Most automated tools are not 100% correct. But they, especially in this case, provide a good starting point to take a step in the right direction. Which seems important if you are currently standing on a field which is labelled “declare incomplete licensing information that may get you into legal trouble.”
That sounds like a serious problem for arch.
Nobody is suggesting to add nonsense license identifiers. But you should state the correct licensing information.
Can you elaborate on this? The license variable is an array, so you can list out all licenses which apply, or use ‘custom’ and put the applicable licenses in /usr/share/licenses/$pkgname/. The only scenario I can think of where this wouldn’t apply would be dual-licensed software (OR instead of AND).
Which is not being followed nor checked to any large degree. The BSD 2 Clause license can be listed as any form of BSD, custom:BSD, BSD2, custom:BSD-2-clause (and so on) Which is.. confusing and not great.
And that is because what you should use for license identifier when the license is not part of the common license package isn’t specified nor clarified by anyone.
That is why I want support for SPDX License expressions :)
OK, so when you say “support” you mean… tooling? You can use SPDX identifiers right now. I’m guessing namcap would complain, but is that it? Given the variety of ways packages specify their license, presumably nothing can depend on the exact format right now. Do you have something in mind which would depend on the format?
Tooling and the “hows” of it really.
We have a licenses package we need to adapt, and we need to decide if the format is spdx:GPL-3.0-or-later, or implicit in the string. We also need to decide if and how we are supposed to support SPDX license expressions. All of this mostly boils down to an RFC and figure out if we need to improve the pacman support for more complicated license fields.
I think both me and Allan have written up a half-way draft on this really :p Me with mockups for expressions and Allan with only identifiers.
Every time there’s a chance I’d use something licensed as agpl by accident for things that are not explicitly Foss.
I applaud your rigor :)
Wait, how is this rigor? This is like… the most basic, 101-level common sense.
This entire discourse revolves around how this isn’t the most basic, 101-level common sense though.
That’s one interpretation.
Another interpretation is that many packagers don’t have even a basic understanding of how to package things without breaking the law.
That’s a sad and dim view of packagers.
I’m not sure I’d consider this “illegal”, but I also am not a lawyer.
Seems like licensing is just broken in the age of dozens of libraries statically compiled into a single binary. There seem to be no good solutions.
Distributing a binary that incorporates object code derived from source code that isn’t licensed to permit that distribution is clearly illegal. It violates copyright law in the same way as hosting (for example) a pirated copy of Photoshop. It might also be a crime, depending on the jurisdiction and the facts of the situation.
I’m also not a lawyer, but none of this stuff is magic. If someone can read an API reference manual they can read a statute. Lawyers are mostly useful for when (1) you’re going to be doing something that might be illegal and you want to be very careful about what is or isn’t allowed, or (2) someone is accusing you of having done something illegal and you’d prefer that the judge/jury disagree with them.
Sadly that bit about statutes is only partly true. Precedent plays an important role in common law, which in practice results in a very tangled web of implicit dependencies. As in: important considerations are not specified in the statute anywhere; you need to be familiar with that entire body of law and its history. :(
That’s generally only if you want to get close to the edge of what the law allows, or get a definitive(-ish) answer to an ambiguous case.
Let’s say it’s currently 2015, and you’ve recorded a cover of a song whose author passed away in 1946. Is it legal for you to distribute that recording? The statute says it’s not currently legal, because that song won’t enter the public domain until January 1st 2017 (author’s year of death + 70 years).
But if I ask about the specific song “Happy Birthday” and the date is December 3rd 2015, then the answer is “yes it’s legal”, due to the ruling in Marya v. Warner/Chappell.
The law provides the defaults, and precedents provide special-cased overrides, but those special cases only end up being argued in court because they’re weird. You don’t need to study the case law and keep up-to-date with rulings to stay within the bounds of the statute, you only need that if you want to go beyond what the statute says, and still be OK.
Yes, which is why saying this is “illegal” is silly. No one will ever be convicted of accidentally mislicensing a free product. There’s no actual legal liability here. It’s just people getting mad about stuff that doesn’t matter.
Thanks, this was the point I was getting at. Strong words are being used but this is far from settled law, and likely never will be.
The author’s use of the term illegal seems to be solely reserved for the distribution of the unlicensed library. That code is surely not copyrighted as well. That doesn’t meet what I consider to be a clear violation of the law. This seems to be a grey area to me.
I agree we don’t need lawyers to read the statutes. Where lawyers help a lot is that they know more of the statutes and the established rulings around them. There is a lot of precedent in the decision of what is illegal, as another comment points out.
Creative works written by individuals are copyrighted by default, and distribution requires permission from the copyright holder. It’s a “default deny” model.
I still think this is a grey area. If someone copies it, the author may have a hard time proving they are the original creator. If they even are.
In the US, just having the copyright from creation doesn’t grant you the right to sue over it. It must be registered.
https://www.copyright.gov/help/faq/faq-general.html
I think you’re interpreting “illegal” as “likely to be punished by the legal system”, which is not what it means.
If I were to write a big post about some widget and post it on my blog for free, then someone re-hosting it on their own site would be committing copyright infringement. The same would be true even if I posted it on Github instead of my blog. The act of distributing my copyrighted work without permission would be illegal, regardless of whether I was charging money for it, or had registered it with the US copyright office.
Consider an author in Europe, who has just published their first book. If someone in the USA bought it, scanned it, and posted it online, that would be illegal even if the author had never stepped foot in the USA and had never even heard of copyright.gov. Again, the model is “default deny”. If someone doesn’t have permission (such as via an open-source license, or Creative Commons, etc) then distribution is illegal.
No, I’m interpreting illegal exactly as you do. I’m also claiming that the author’s use of it in this case is a bit hyperbolic and over the top.
Illegal doesn’t mean much if it’s not enforceable nor enforced. Worrying about something being illegal that can’t be enforced is not worth the effort in my opinion.
What do you mean by that?
In the US, if you have not explicitly registered your copyright with the Copyright Office then you have no standing to sue.
That’s incorrect. All it does is protect against an innocent infringement defence (e.g. “I didn’t know it was copyrighted”). https://www.law.cornell.edu/uscode/text/17/401
https://www.copyright.gov/help/faq/faq-general.html
The registration can occur after the infringement. (You will be restricted to actual damages if you do this, though.)
While true as stated (https://www.bfvlaw.com/copyright-registration-required-to-sue-the-supreme-court-clarifies/), the registration need not be immediate or even pre-infringement.
Yeah this doesn’t surprise me. It still requires the author to explicitly act.
Yes, but this has nothing to do with whether the work is copyrighted or not. It only affects how the court case would turn out.
that’s not the same as the code not having copyright
My non-lawtalker understanding is that copyright violation is a civil issue not a criminal one, so while possibly actionable, I would hesitate to say infringement is illegal per se. (IANAL but I’ve read techdirt daily for a couple of decades now.)
“Illegal” means it violates the law, civil or criminal. If something violates criminal law, it’s called a “crime”.
If someone deliberately posts their code unlicensed to Github, I find it pretty hard to believe that any court in the US is going to enforce a copyright claim later because the normal assumption is that by posting it in public, you’re waiving your rights. It’s like leaving stuff on the curb in front of your house: yeah technically you should sign some document saying that you’re giving up possession, and there are cases of people ganking something from a curb that wasn’t intended to be ganked, but it’s hard to imagine making a successful lawsuit about an honest mistake.
The bit about “static linking” is also very dumb. If someone changed Go to build as a series of DLLs instead of a single binary, suddenly the licensing situation would be totally different, lol. Who cares? Static vs dynamic linking is just a proxy for code-you-happen-to-use vs code-core-to-the-product, and in Go, it’s a poor proxy because everything is static.
That’s really not how copyright works. And lost legal cases of “The image was posted online, I thought I could use it” aplenty.
Not really? What would change is that the executable without the dependency would be differently licensed, but for the complete package nothing changes (and thus the first part doesn’t matter all that much, what good is an executable without a required dependency).
That’s totally different from code. If you post a picture, the assumption is that you retain your copyright because that’s how all of photography as a business works. People have to look at pictures for them to have value.
If you post your code to a site that exists to share code and accidentally a license, then the good faith interpretation is that you meant it to be public domain but forgot or didn’t bother to explicitly license it. You have to put a photo online to use the photo. You only put code online so you can give it away. There’s no other reason to upload it publicly.
It’s like someone driving away with an unlocked car on your curb. You can’t drive away with a car even if it’s unlocked because it’s a car, and this is even though it would be totally legitimate to haul off a TV or whatever.
I believe that your interpretation is wrong. Unless you know what license the author intends, you have no way to use it safely. There are plenty of reasonable reasons to put a piece of code public without “giving it away” or “putting it in the public domain” (which isn’t actually possible in many places of the world). They may, for example, have in mind a “shared source” sort of thing where the source is available for study but not anything else.
In this case, the go-diff author added an MIT license after being bugged about it. Because why else would they have uploaded it in the first place?
Maybe they’re too cheap to get private git hosting. Maybe they wanted to publish it for educational reasons. Maybe so they can link to it from their resume.
You could argue the same that people only put photos on Flickr to give them away, that doesn’t make it any more true. If Github wanted to be a purely “give code away for others to use” site, they’d require you to license it.
It really depends on your usage. You could likely easily get away with that for some hobby project. But once you start a company that distributes software relying on other libraries and one of them is “i guess public, i hope”, the risk of getting it wrong just doesn’t make sense. Especially once you start earning serious amounts and may be sued for damages.
Sure. This is why Google kicked all packages without licenses off of the Go online documentation viewer. But people are getting really carried away in this case. It’s obvious that the point of uploading go-diff to Github was to give it away. It turned out that when contacted, the author added an MIT license. Did we really all need to freak out about something that had essentially $0 in liability implications?
It’s not just about this particular package, but about the fact that so many distros “illegally” packaged it without thinking. This points to a systemic issue.
I think the static linking comes down to the conflict with the policies of the distributions. They’re in a bind for sure, if they want to follow the letter of the law.
In the Debian ecosystem the Go model also conflicts with their packaging policies themselves. Debian goes to great lengths creating packages for every individual Go library, before a binary can be built using Go. They effectively ignore and break the modules system in order to shoehorn Go applications into a system built for dynamically linked applications.
I was just pondering this the other day, as I was deciding what to put for org.opencontainers.image.license for a Go app that I was building a container for. Now I need to run golicense and see what it says about all the dependencies.
you can, but then you are liable and everyone else can use the familiar terms until you resign.
While this is about copyright, it’s hardly impressive if you think about patents.
Consider that for example in order to use h.264 (the video format), you’re supposed to have a permission to use its patents. The thing about patents, as opposed to copyright, is that this obligation applies to absolutely any implementation of it, actually any copy of an implementation of it! But fear not, MPEG LA is pretty fair, reasonable and non-discriminatory about licensing – you can buy a license for just 0.1 USD. It’s just that nobody does that when they type apt install vlc. You might say that the licensing model is incompatible with the open source ecosystem.
At least, most distros don’t distribute these things in their normal repositories, but that just shifts the responsibility to other repositories. I don’t actually know if the distributor or recipient is the responsible part here (the sure thing is that the patent is infringed at the moment when a “method and apparatus” does the patented thing). And before someone points out that software patents are disallowed in EU: They are never software patents, because they always make sure to put a computer in there, and they aren’t disallowed – I have seen pages and pages of listings of what you would call software patents in EU member countries.
The good thing about h.264, though, is that most of its patents will expire next year (in WTO countries). But it’s far from the last royalty bearing format. It has even become extremely hard to come up with new video formats that don’t do anything already patented.
Maybe a silly question (or hot take) but… do these situations actually matter in the real world? In other words, outside of theoretical legalities and philosophical debates, are there any recent real-world examples of small, non-profit, non-corporate lawsuits due to an individual not respecting another individual’s license?
Sort of. It’s like the story of Van Halen’s brown M&Ms – if the distribution is including code they clearly aren’t allowed to, then where else have they messed up?
Older hackers have memories of lawsuits in which a corporate entity claims its code was included in an open-source project without permission, especially:
It would be bad if (for example) some person published their company’s source code on Github[0][1], then it got used in an open-source package which was then distributed by Arch or Debian. If the company was something like Oracle or Disney, with an aggressive IP enforcement policy, it might be a disaster.
[0] https://www.itmedia.co.jp/news/articles/2101/29/news107.html
[1] https://github.com/github/dmca/blob/master/2021/03/2021-03-08-ntt-data-getronics.md
https://wiki.fsfe.org/Migrated/GPL%20Enforcement%20Cases
Busybox especially had multiple legal conflicts with companies distributing it while ignoring the license.
Also, serious large corps do have legal teams making sure the right licenses are used. I had to validate a bom/license spreadsheet like that at HP in the past.
Whether these situations matter is debatable. It’s easier to file a bug report and/or write up a nasty piece that could affect someone’s reputation to get them to comply than going the (expensive!) route of hiring a lawyer to get a court to say “yes, they should put up a copyright notice”. Even in those situations, a lawyer is more likely to first send an imposing letter to the infringer to get them to comply before actually going to court. And who is willing to go to court over something as trivial as this, especially if they know they’re in the wrong?
Only companies who are making a profit and don’t want to reveal their “trade secrets” (ie shitty code patches) would go that far. That’s why gpl-violations.org is (or used to be) a thing - so even FOSS people without the private means to do so can still sue companies into compliance.
With regards Debian, nobody has bothered to file a bug to report the copyright problem.
Take control of your source code.