Project includes a dependancy that has a license that forbids its use(github.com)
github.com
Project includes a dependancy that has a license that forbids its use
https://github.com/dapr/dapr/issues/3563
244 comments
>>> I also think it shows that licenses really don't matter all that much as some people think, they are not computer code.
They matter as long you're willing to enforce them, and have the time and money to do so.
In that case, you may be able to submit some form of take down request to GitHub against that project and other projects who are using your library.
https://github.com/search?q=bouk%2Fmonkey&type=commits
edit: wow, one of the projects that depended on your library was arduino up to 2020. https://github.com/arduino/arduino-cli/commit/09b4e8804fbd61...
edit2: was also used by AWS up to last week when they removed it. https://github.com/awslabs/karpenter/commit/d84365e8c44178ea...
They matter as long you're willing to enforce them, and have the time and money to do so.
In that case, you may be able to submit some form of take down request to GitHub against that project and other projects who are using your library.
https://github.com/search?q=bouk%2Fmonkey&type=commits
edit: wow, one of the projects that depended on your library was arduino up to 2020. https://github.com/arduino/arduino-cli/commit/09b4e8804fbd61...
edit2: was also used by AWS up to last week when they removed it. https://github.com/awslabs/karpenter/commit/d84365e8c44178ea...
update: hit the jackpot
the library is currently in use by Heroku/SalesForce to build deploy java apps (or something like that) https://github.com/heroku/java-buildpack/blob/master/go.mod
I wonder what sort of settlement you could get if you were to send them a lawyer for real.
the library is currently in use by Heroku/SalesForce to build deploy java apps (or something like that) https://github.com/heroku/java-buildpack/blob/master/go.mod
I wonder what sort of settlement you could get if you were to send them a lawyer for real.
They will be happy to cease use of the code.
The damages probably amount to $0. "Don't use this code, no seriously don't" isn't exactly an advertisement of the value it provide.
The damages probably amount to $0. "Don't use this code, no seriously don't" isn't exactly an advertisement of the value it provide.
They may already have, looks like that archived repository has been replaced with: https://github.com/heroku/heroku-buildpack-java
which doesn't even use go.
And they'd like you to even move away from that replacement to an ever newer replacement: https://github.com/heroku/buildpacks-jvm
which doesn't even use go.
And they'd like you to even move away from that replacement to an ever newer replacement: https://github.com/heroku/buildpacks-jvm
There could be many reasons for having an injunction against using code.
I'm no lawyer, but don't you usually have to show damages?
Damages would be loss of revenue. He was deprived of the ability to negotiate terms of use for payment.
This is why the GPL is more developer friendly than other licenses. If a business doesn't like the GPL you can offer to relicense your code, ... for money. And money is the restitution you seek when the license is violated.
This is why the GPL is more developer friendly than other licenses. If a business doesn't like the GPL you can offer to relicense your code, ... for money. And money is the restitution you seek when the license is violated.
I'm curious how damages would be calculated in a case like this. Obviously you can't get away with saying "I would have charged them $10 billion for this code, so that's what they should owe me." But on the flipside, should they be able to say they wouldn't have been willing to pay anything for it, therefore they owe zero?
I am curious as well. Since it's not a typical work for hire relationship, it could be a (modest) percentage of profits, or a business contracting fee of ~$500k or so.
Statutory damages can apply, but in the US statutory damages for copyright infringement require registering the copyright prior to the infringement.
The blog post and the README both seem to encourage use of the project. And a license that prevents all use including personal is very rare and not exactly in the spirit of GitHub. So I’m curious why both the blog and your README don’t mention explicitly that you don’t want allow use or explain why. Would it be worth putting something at the top of the README?
> And a license that prevents all use including personal is very rare and not exactly in the spirit of GitHub
Non-free licensed code has been on GitHub for quite some time. It's not only about free software and you should not assume so, as in all software.
Edit: changed FOSS to "free"
Non-free licensed code has been on GitHub for quite some time. It's not only about free software and you should not assume so, as in all software.
Edit: changed FOSS to "free"
[deleted]
Just to clarify, FOSS has significant provisions above and beyond allowing personal use. The term non-free is very different from "not allowed to use at all".
Yeap, you're right. There are lots of terms to describe free and non-free software. I meant "free" in any capacity, for clarification.
So what of it? Show me a court verdict that throws the license out of the window because README led you to believe something.
It would be an interesting precedent, forcing companies to comply with everything their advertisements say and doing away with any sort of fine print and ToS. I’m all for it, in fact. Total Ankh-Morporkization!
It would be an interesting precedent, forcing companies to comply with everything their advertisements say and doing away with any sort of fine print and ToS. I’m all for it, in fact. Total Ankh-Morporkization!
OP said: "I also think it shows that licenses really don't matter all that much as some people think". I doubt they would be unable to sleep at night because of a license violation.
I'm glad that I can now say that I've contributed Windows support to a project which I probably violated the license of while working on :P
By technicality, the license has been violated by quite a large variety of corporations: Microsoft, AWS, Heroku, Bilibili, Baidu, Apache, Arduino, etc. [0~6], and much much more [7]
Crazy.
[0]: https://github.com/microsoft/bedrock/blob/a0ab244a80a94133cb...
[1]: https://github.com/awslabs/karpenter/pull/609
[2]: https://github.com/heroku/java-buildpack/blob/master/go.mod#...
[3]: https://github.com/bilibili/overlord/blob/b524449801b5411583...
[4]: https://github.com/baidu/openrasp/blob/f992962207bec063eda6f...
[5]: https://github.com/apache/camel-k/issues/2067
[6]: https://github.com/arduino/arduino-cli/issues/740
[7]: https://sourcegraph.com/search?q=context:global+%28bou.ke%7C...
By technicality, the license has been violated by quite a large variety of corporations: Microsoft, AWS, Heroku, Bilibili, Baidu, Apache, Arduino, etc. [0~6], and much much more [7]
Crazy.
[0]: https://github.com/microsoft/bedrock/blob/a0ab244a80a94133cb...
[1]: https://github.com/awslabs/karpenter/pull/609
[2]: https://github.com/heroku/java-buildpack/blob/master/go.mod#...
[3]: https://github.com/bilibili/overlord/blob/b524449801b5411583...
[4]: https://github.com/baidu/openrasp/blob/f992962207bec063eda6f...
[5]: https://github.com/apache/camel-k/issues/2067
[6]: https://github.com/arduino/arduino-cli/issues/740
[7]: https://sourcegraph.com/search?q=context:global+%28bou.ke%7C...
I've considered making a license that is basically MIT/BSD, but requires that anyone using an automated license checking/compliance system (any corporate users) to pay a fee to use the software.
Why do you think that only corporate users use an automated license checking/compliance system?
If you do personal projects that are open source it's equally important to know what licenses your dependencies have if you release those projects to the public.
If you do personal projects that are open source it's equally important to know what licenses your dependencies have if you release those projects to the public.
The primary difference is that as an individual, you can easily add that new licence to your allowlist. In an enterprise, it might be easier to fork over the money rather than convincing legal to allow your use of the software.
License checking is like code coverage. A part of our profession. It is not only for corporate users.
Individuals run license checkers too.
I would describe an end user count, revenue size, etc in order to apply special circumstances to corporations. Drone.io does a great job of this.
I would describe an end user count, revenue size, etc in order to apply special circumstances to corporations. Drone.io does a great job of this.
Instead of doing that, why not dual-license your program under CC-BY-NC and AGPLv3, and then sell exceptions?
A lot of legal departments have a mental image of AGPL (and GPL) as a bogeyman that will steal all the company's code if allowed anywhere near the building. I've sat through a presentation one time that tried to paint these licenses as something only basement dwellers use for personal projects. I spoke to the presenter afterwards and told them about projects like Linux and Mongo, and how even AGPL is not as scary as they thought.
The lawyer seemed genuinely surprised and said they would read up on it. I'm pretty sure my bringing this up in a friendly manner caused them to question their assumptions. Had I picked a fight during the presentation I'd just be labeled a basement dweller.
However, this lawyer also told me something interesting. To some extent it doesn't matter whether I was able to change his mind. As long as other lawyers in the field have this bogeyman concept in mind, the use of GPL will get flagged in due diligence, etc. and it's easier to simply not use a component with strong copyleft when developing a product (unless it's as irreplaceable as Linux).
This is a long-winded way of saying that selling exceptions will likely scare off potential purchasers long before they are in a position to consider the purchase. Most shops have a blanket "no GPL ever" policy and a dev won't even bother with the component even for a prototype.
The lawyer seemed genuinely surprised and said they would read up on it. I'm pretty sure my bringing this up in a friendly manner caused them to question their assumptions. Had I picked a fight during the presentation I'd just be labeled a basement dweller.
However, this lawyer also told me something interesting. To some extent it doesn't matter whether I was able to change his mind. As long as other lawyers in the field have this bogeyman concept in mind, the use of GPL will get flagged in due diligence, etc. and it's easier to simply not use a component with strong copyleft when developing a product (unless it's as irreplaceable as Linux).
This is a long-winded way of saying that selling exceptions will likely scare off potential purchasers long before they are in a position to consider the purchase. Most shops have a blanket "no GPL ever" policy and a dev won't even bother with the component even for a prototype.
My personal experience as a developer and owner is that it is very difficult and time consuming to understand the risks and to comprehend the *GPL licences.
For example, using an LGPL based JavaScript library just leaves me confused every time. I read the LGPL 3.0, read some stack overflow answers, and read the GNU website. Yet I am left without being 100% certain that I can minify the LGPL JavaScript into a single file with my own source code (because JavaScript is not object code, and because sending JavaScript to the browser is distribution).
With BSD/MIT licences everything is clear and less ambiguous, and if I get something wrong then it is usually something easy to fix.
If I were a general counsel, I wouldn’t trust all my developers to follow the GPL licenses properly nor would I trust developers to correctly avoid simple mistakes. A default ban limits liability, reduces risks of negative publicity, and anyone that needs an exception has to justify it.
Idealistically, I love the GPL, and I truely believe in the goal of share and share alike.
Practically I understand why following the *GPL licences is difficult and that it involves multiple risks for a business, and so many commercial businesses sensibly prefer to avoid the costs.
For example, using an LGPL based JavaScript library just leaves me confused every time. I read the LGPL 3.0, read some stack overflow answers, and read the GNU website. Yet I am left without being 100% certain that I can minify the LGPL JavaScript into a single file with my own source code (because JavaScript is not object code, and because sending JavaScript to the browser is distribution).
With BSD/MIT licences everything is clear and less ambiguous, and if I get something wrong then it is usually something easy to fix.
If I were a general counsel, I wouldn’t trust all my developers to follow the GPL licenses properly nor would I trust developers to correctly avoid simple mistakes. A default ban limits liability, reduces risks of negative publicity, and anyone that needs an exception has to justify it.
Idealistically, I love the GPL, and I truely believe in the goal of share and share alike.
Practically I understand why following the *GPL licences is difficult and that it involves multiple risks for a business, and so many commercial businesses sensibly prefer to avoid the costs.
There was a funny Microsoft license for Xlsx.js (a lib that read Excel files in browser): It was allowed to distribute freely… as long as it runs on Windows:
> (F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that (1) are run on a Microsoft Windows operating system product, and (2) are not Excluded Products.
So you could not deliver it on Safari, but also not on Chrome if it ran on Mac.
Aaaand that is why the JSXLSX implementation was developed, exactly the same as xlsx.js but without the restriction.
https://github.com/stephen-hardy/xlsx.js/issues/8
> (F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that (1) are run on a Microsoft Windows operating system product, and (2) are not Excluded Products.
So you could not deliver it on Safari, but also not on Chrome if it ran on Mac.
Aaaand that is why the JSXLSX implementation was developed, exactly the same as xlsx.js but without the restriction.
https://github.com/stephen-hardy/xlsx.js/issues/8
Why not license it so that any individual or business below $X revenue can use it, but others have to pay a fee?
The issue here is that you're a well-poisoner, putting out code that can't be used, as a joke, while also making a popular blog post and making the software easy to use as a library. Now that it's being used, it's also hard for folks to remove your library and implement something similar without it being considered a derivative.
Sure, it's funny, but it's a joke at the expense of everyone else. This is like going to a party and walking up to every person and making a joke at their expense. Were the jokes funny? Maybe. Does everything think you're an asshole? Almost certainly.
Sure, it's funny, but it's a joke at the expense of everyone else. This is like going to a party and walking up to every person and making a joke at their expense. Were the jokes funny? Maybe. Does everything think you're an asshole? Almost certainly.
If anything, it’s raising awareness of the fact that just because it’s on GitHub doesn’t mean it’s FOSS, and that developers need to pay attention to licensing before snatching someone’s work up for their own personal & commercial benefit.
In this case the license was silly, but if this library had been GPL, it’d still have been a massive violation by most of those big companies, and that’s something we need to pay more attention to.
In this case the license was silly, but if this library had been GPL, it’d still have been a massive violation by most of those big companies, and that’s something we need to pay more attention to.
One important difference is he didn't walk up to anybody, they walked up to him. He owes nothing to anybody, it's not like he ran a media campaign.
He wrote a blog post that was quite popular at the time. He's in this thread explicitly saying he did it for the lulz. The repo doesn't clearly say not to use it, only the license does.
People shouldn't use software without checking the license, but if you're making a joke, for a pattern that's actually something used in the industry, because you believe that pattern is bad, yeah, you should label it a joke.
People shouldn't use software without checking the license, but if you're making a joke, for a pattern that's actually something used in the industry, because you believe that pattern is bad, yeah, you should label it a joke.
He's not a well-poisoner, someone just decided to chug from a bottle clearly marked "do not drink".
If someone spends the time to integrate mystery code without taking the time to check the license allows it then frankly they dug that hole themselves.
If someone spends the time to integrate mystery code without taking the time to check the license allows it then frankly they dug that hole themselves.
On the Internet, unless you sprinkle your words with emoticons, it is hard to convey irony or amusement using text alone.
You absolutely have the power to end the controversy by switching to a more mainstream license then adding a clear disclaimer like “use at your own risk”.
GitHub currently lists 465 projects that depend on your library, which means more than a handful of devs find it useful.
You absolutely have the power to end the controversy by switching to a more mainstream license then adding a clear disclaimer like “use at your own risk”.
GitHub currently lists 465 projects that depend on your library, which means more than a handful of devs find it useful.
I'm all for FOSS, but I fail to see how saying something like "There would be no problem if you accepted to release it with a less restrictive license" differs from saying that to a GPL library developer because proprietary code was found using it.
Why should the first be considered "a controversy" but not the second ?
License aren't computer code, they are social code. That matters more, not less, than computer code, at least until we're all disembodied brains in a large VR matrix - because usually people run code for people purposes, not the reverse. Coders frequently ignore this aspect, but not everybody has this luxury.
I see no reason why disembodied brains wouldn’t find a need for social agreements as well, it’s not like the absence of élan vital would cause them to cease being social. The content and mode of expression of those agreements might be quite different, of course.
(We fleshbags could probably use more widespread application and understanding of formal language and notation as well—the most cumbersome description of linear interpolation I’ve ever seen was in the section on a real estate tax hike in the tax code; it had paragraphs! I mean, I feel for those who didn’t have a good time in high-school algebra, but I don’t see how they could reasonably deal with that monstrosity either.)
(We fleshbags could probably use more widespread application and understanding of formal language and notation as well—the most cumbersome description of linear interpolation I’ve ever seen was in the section on a real estate tax hike in the tax code; it had paragraphs! I mean, I feel for those who didn’t have a good time in high-school algebra, but I don’t see how they could reasonably deal with that monstrosity either.)
"Someone told me that each equation I included in the book would halve the sales." -- Stephen Hawking
Algebrophobia apparently is a thing.
Algebrophobia apparently is a thing.
Medically, I’m entirely willing to believe there’s an X-phobia for any X. I just doubt this particular one would cut off more people than avoiding unreasonably long phrasing would include (let alone the weird French lingo the English-speaking world seems to insist on), and making a text accessible as is to literally everyone is plainly impossible. For regulations you’ll have to arrange special accommodations for some groups in any case—it’s only a question of which ones; for contracts it’s just another thing to negotiate.
Culturally, yes, and I can’t help but be awed at how stupid and self-inflicted it is. (See “Mathematician’s lament”, et al.) Introducing algebra into legal practice now would probably be a spectacularly bad idea even if it were possible. That’s why I mentioned “more widespread application and understanding of formal language”. Passing this hurdle is a massive ordeal—if I meaningfully contributed to it and knew that, I could probably die a happy man—but, I mean, we were talking disembodied brains in VR here.
By the way, can anyone explain what it is people actually like about A Brief History of Time? I went on to study some of this stuff, but the book appears both unnecessarily convoluted and surprisingly stingy with actual information compared to my preferred pop sci fare. I like me some enigmatic promises of explanations, but Hawking’s were left mostly unfulfilled, or so it seemed to me.
Culturally, yes, and I can’t help but be awed at how stupid and self-inflicted it is. (See “Mathematician’s lament”, et al.) Introducing algebra into legal practice now would probably be a spectacularly bad idea even if it were possible. That’s why I mentioned “more widespread application and understanding of formal language”. Passing this hurdle is a massive ordeal—if I meaningfully contributed to it and knew that, I could probably die a happy man—but, I mean, we were talking disembodied brains in VR here.
By the way, can anyone explain what it is people actually like about A Brief History of Time? I went on to study some of this stuff, but the book appears both unnecessarily convoluted and surprisingly stingy with actual information compared to my preferred pop sci fare. I like me some enigmatic promises of explanations, but Hawking’s were left mostly unfulfilled, or so it seemed to me.
Yeah, I looked at your project, and immediately wondered why the fact that someone merged a patch using it at all wasn't the suspect issue...
Eh, I feel like rewriting function pointers is a pretty standard trick, amusing (and definitely amusing that people are actually using it) but not terribly novel to the audience that finds these hacks amusing. Combined with the fact that the headline and issue is about the license/it takes multiple clicks to even find out what the library does, and it's not surprising that that's the focus.
Someone posted the actual project here: https://news.ycombinator.com/item?id=28266515 - but since both the url and the title of the OP are specifically about the license, it's not surprising that that was the topic.
[deleted]
That's because this thread is specifically about the license.
Well done! It also made me think GitHub should do more to highlight the license in their UI.
[deleted]
CyberRabbi(4)
From the explaining blog post [0]
> If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here.
Also
> Wrapping it up in a nice library
> I took the above code and put it in an easy to use library. It supports 32 bit, reversing patches, and patching instance methods. I wrote a couple of examples and put those in the README.
Then in the README[1]:
> Make sure you read the notes at the bottom of the README if you intend to use this library.
Either the author is confused or has decided that he doesn't want to maintain an hack. Anyway license is pretty clear.
There was an HN thread[2] when it was released.
[0] https://bou.ke/blog/monkey-patching-in-go/
[1] https://github.com/bouk/monkey
[2] https://news.ycombinator.com/item?id=9290917
> If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here.
Also
> Wrapping it up in a nice library
> I took the above code and put it in an easy to use library. It supports 32 bit, reversing patches, and patching instance methods. I wrote a couple of examples and put those in the README.
Then in the README[1]:
> Make sure you read the notes at the bottom of the README if you intend to use this library.
Either the author is confused or has decided that he doesn't want to maintain an hack. Anyway license is pretty clear.
There was an HN thread[2] when it was released.
[0] https://bou.ke/blog/monkey-patching-in-go/
[1] https://github.com/bouk/monkey
[2] https://news.ycombinator.com/item?id=9290917
The author is not confused, it's like an actually enforcable version of "use it at your own risk" because it includes legal risk. It's clever and funny
Gonna have to disagree that it's funny.
Why not? Do you feel entitled to a warranty?
I just don't think "here's a neat thing... tee-hee you can't use it!" Is funny. I don't know if "neener neener" was ever funny to me, even as a child. I understand that it's important to you to bandy about "subtle" accusations by using words like "entitle" so you can feel like you have a point, but there's nothing more there. If I felt entitled I would just ignore the license and use the code anyway.
I have no idea what you’re talking about.
I have a hard time believing that the word "entitle" was accompanied by no judgement, but if not, then I apologize for making assumptions. I find feelings of entitlement to be largely the result of selfishness or delusion, and so when I hear it applied to me, that's what I think is being said.
It's satirical
It seems that you're not interested in suing anyone over this. However, you still don't give people permission to use, not even in small throwaway tests. Which is fair.
But your blog post[0] language suggests that you are okay with and even incentivizes people trying this out (even if trying it out might be technically illegal, because it infringes your rights).
I think you should have mentioned something about the license in your blog post. As it stands, "If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here." is misleading. If the user wants to do monkey patching, they better not look at your code and program their own solution.
[0] https://bou.ke/blog/monkey-patching-in-go/
But your blog post[0] language suggests that you are okay with and even incentivizes people trying this out (even if trying it out might be technically illegal, because it infringes your rights).
I think you should have mentioned something about the license in your blog post. As it stands, "If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here." is misleading. If the user wants to do monkey patching, they better not look at your code and program their own solution.
[0] https://bou.ke/blog/monkey-patching-in-go/
Pretty funny right?
Not really. The JSLint license is funny because objecting to the "The Software shall be used for Good, not Evil." requirement looks like an admission of malintent. Doubly funny that it compelled IBM to ask for explicit permission to use JSLint for evil.
Your project, on the other hand, just looks like it was designed to waste people's time. Congrats I guess?
Your project, on the other hand, just looks like it was designed to waste people's time. Congrats I guess?
No, don't screw around with people legally. It makes you look dishonest.
He does not look dishonest. He looks like the hero we all deserve. Dial it back a bit, would you?
I think his satire is excellent. Look at how these silly licenses are simultaneously taken very serious and frankly not taken seriously at all. I think he has proven something really quite interesting, and in a pretty amusing way.
How is he screwing around with anyone legally? Has anyone been sued over this? Most of this stuff is unenforceable in any meaningful way. Worst case is really some nasty emails.
I think so. There is also second-order funnyness from all of the very serious nerds who don't find it funny at all. I'm loving it ahah!
Not in the slightest, but I guess that’s your kick.
I mean you trolled a lot of devs and they are now salty over this silly thing and uhmm I think it's my poor sense of humor but I don't usually find practical jokes that funny.
I found it really funny!
Has anyone ever tested in court whether a license has to be made in good faith to be binding?
Well, if it isn't binding, then there's no right to reuse it (beyond certain fair use exceptions) under the copyright law that applies by default.
For me the question is whether the misleading blog post would be found by a court to be an implicit license separate from the one in the codebase. My guess is that it would depend on several factors including the specific circumstances of the accused infringer and the specifics of contract/copyright law in the relevant jurisdiction, but probably at least sometimes yes.
For me the question is whether the misleading blog post would be found by a court to be an implicit license separate from the one in the codebase. My guess is that it would depend on several factors including the specific circumstances of the accused infringer and the specifics of contract/copyright law in the relevant jurisdiction, but probably at least sometimes yes.
TIL something can be implicitly licensed. Well the term is implied license https://en.wikipedia.org/wiki/Implied_license
An open source licence generally only gives additional rights. If it's not binding, then default copyright would apply, meaning you're still not allowed to use it.
[deleted]
Yes, I had a chortle, particularly at the reactions in this thread. :D
Though I'm an anarchist who thinks people give the law as written far too much weight. (As opposed to what the population as a whole thinks is good or bad)
Though I'm an anarchist who thinks people give the law as written far too much weight. (As opposed to what the population as a whole thinks is good or bad)
[deleted]
What is it satirizing?
Or is this just a post-hoc "its just a joke bro. Y u mad?"
Regardless, its your code, do what you want.
Or is this just a post-hoc "its just a joke bro. Y u mad?"
Regardless, its your code, do what you want.
Ding ding ding. There is no satire to be found here.
Have you checked how many projects depend on Monkey? It seems the blog post has been translated and reposted many times. Satire does not translate well.
Satire doesn't work very well on the internet in textual context. That's why emoticons were invented.
It crossed my mind...
Thanks for chiming in and clear the misunderstanding.
Thanks for chiming in and clear the misunderstanding.
You can also check the revision dates and see that the license was updated a year after the readme, which would imply any encouraging language in the readme is simply out of date.
Presumably revision 697673d58359af7ebdcad66f99b81d011359d8ef and earlier is perfectly fine to use, lacking a LICENSE.txt and with the README encouraging use
If no license is present, the default is actually “all rights reserved.” This is the same level of restriction.
https://choosealicense.com/no-permission/
https://choosealicense.com/no-permission/
That said,
> If you publish your source code in a public repository on GitHub, according to the Terms of Service, other users of GitHub have the right to view and fork your repository.
https://docs.github.com/en/github/creating-cloning-and-archi...
> If you publish your source code in a public repository on GitHub, according to the Terms of Service, other users of GitHub have the right to view and fork your repository.
https://docs.github.com/en/github/creating-cloning-and-archi...
The actual term (D.5 from https://docs.github.com/en/github/site-policy/github-terms-o... )
> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users.
This allows you to browse and use the fork button to create a repository. It's unclear if the second paragraph is clarifying, or adding to the first term. If it's additive, then you might also have permission to host your own private repo off service.
Nowhere does it give you a license to _use_ the contents of the repository in your software. Nor does it allow you to publish the contents outside github - the first paragraph does not address publishing, and the second makes it clear that paragraph only applies "through Github's functionality".
> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users.
This allows you to browse and use the fork button to create a repository. It's unclear if the second paragraph is clarifying, or adding to the first term. If it's additive, then you might also have permission to host your own private repo off service.
Nowhere does it give you a license to _use_ the contents of the repository in your software. Nor does it allow you to publish the contents outside github - the first paragraph does not address publishing, and the second makes it clear that paragraph only applies "through Github's functionality".
> Nowhere does it give you a license to _use_ the contents of the repository in your software. Nor does it allow you to publish the contents outside github
To clarify, I did not mean to say that it does; I merely wanted to make people aware of the fact that some "default" restrictions are lifted when you publish on GitHub (just like when I type this comment on HN).
To clarify, I did not mean to say that it does; I merely wanted to make people aware of the fact that some "default" restrictions are lifted when you publish on GitHub (just like when I type this comment on HN).
The idea that the Github terms of service negate "All rights reserved" in any public repository is a bold claim indeed.
You're granting GitHub the right to display your content to other users, and to make additional copies of it ("forks"). Those seem like reasonable rights to assign to Github when agreeing to their terms of service. I think it's completely clear that putting "all rights reserved" doesn't allow you to opt out of certain parts of the ToS, any more than the "I do not allow Facebook to use my content..." pseudo-legalese borderline-sovereign-citizen nonsense that goes viral every time Facebook change their privacy policy.
Side note, but for all the people saying this is absolutely godawful and the license is OK because no one in their right mind would use it in production, this project from MS does basically the same thing: https://www.microsoft.com/en-us/research/project/detours/
Recently open sourced, but has been used for twenty years in real products from MS and others. It's not so crazy as you might think!
An example of a real use I had for it: redirecting messages from OutputDebugString to a log file. AFAIK that is the best way to do it, when you only want the output from your one process. "Why not just call a proper logging function directly instead?" Because the OutputDebugString calls were coming from inside my GPU driver. Real life is not some ivory tower of perfection. An imperfect world requires imperfect solutions.
Recently open sourced, but has been used for twenty years in real products from MS and others. It's not so crazy as you might think!
An example of a real use I had for it: redirecting messages from OutputDebugString to a log file. AFAIK that is the best way to do it, when you only want the output from your one process. "Why not just call a proper logging function directly instead?" Because the OutputDebugString calls were coming from inside my GPU driver. Real life is not some ivory tower of perfection. An imperfect world requires imperfect solutions.
I've done a lot of work with Detours and have written my own trampoline injection thingies in Python and Ruby, and this approach is not really a reasonable way to build production software. A proof-of-concept Detours implementation posted as an illustration for an amusing blog post may be the most perfect possible use case for a "you are not allowed to use this for anything" license, maybe rivaled only by the code you post for a cipher you designed yourself.
The key difference being that Detours is a library written by Microsoft engineers with access to the Win32 team and the ability (if not drive) to ensure that Detours functions correctly as changes are made. Those changes are also probably pretty rare, given Win32’s famously stable ABI.
This library patches a third party runtime, one that explicitly forbids this kind of instrumentation and has a famously unstable ABI.
You can do whatever you want to get your job done, and this is certainly one way to do it, but it’s absolutely a dangerous hack.
This library patches a third party runtime, one that explicitly forbids this kind of instrumentation and has a famously unstable ABI.
You can do whatever you want to get your job done, and this is certainly one way to do it, but it’s absolutely a dangerous hack.
To anyone else confused as I was, "this project from MS does basically the same thing" is referring to monkeypatching a running executable, not having a license that forbids use of the software.
Quite an unusual, but effective, way to mark something as a proof of concept that's dangerous to use:
From [1]: "This is as unsafe as it sounds and I don't recommend anyone do it outside of a testing environment."
[1]: https://github.com/bouk/monkey#i-thought-that-monkeypatching...
From [1]: "This is as unsafe as it sounds and I don't recommend anyone do it outside of a testing environment."
[1]: https://github.com/bouk/monkey#i-thought-that-monkeypatching...
> … I don't recommend anyone do it outside of a testing environment.
… which is exactly dow it is used in dapr
> This is only used in the test (and thus not.compiled and distributed in our binaries).
(source: https://github.com/dapr/dapr/issues/3563#issuecomment-901563...)
… which is exactly dow it is used in dapr
> This is only used in the test (and thus not.compiled and distributed in our binaries).
(source: https://github.com/dapr/dapr/issues/3563#issuecomment-901563...)
> > … I don't recommend anyone do it outside of a testing environment.
> … which is exactly dow it is used in dapr
Eh... There's a difference between "a testing environment" as used in that quote and "as part of an automated test" as you mean here.
To me the former implies an experimental and/or ad-hoc environment, while the latter implies a stable, production environment.
> … which is exactly dow it is used in dapr
Eh... There's a difference between "a testing environment" as used in that quote and "as part of an automated test" as you mean here.
To me the former implies an experimental and/or ad-hoc environment, while the latter implies a stable, production environment.
There's a teeny bit of a difference between using it to explore monkey patching a go executable and using in the test suite of a released project.
You don't have the right to use it, even in a testing environment. The license denys you the right to use it.
Yes, but at the same time demonstrates the code clearly so you could implement it yourself. I'd say this is code sharing aiming at zero reuse.
What worries me the most about these comments is: 1) how many software developers that do not understand how licenses and copyright work 2) how many software developers that feel entitled to use someone else's code and default to feeling offended when they feel they've been mislead 3) how many software developers that are not focusing on the most important thing, which is how embarrassed you should be that you imported this code in your codebase to begin with.
I wholeheartedly agree. It feels a bit like a debate about speed limits: "I'm really only a couple kph/mph over it. The speed limit here is stupid anyway."
I am however glad this issue came up. The author does not appear to want to screw anyone over legally on this - so why not take it as a lesson learned and go from there?
I am however glad this issue came up. The author does not appear to want to screw anyone over legally on this - so why not take it as a lesson learned and go from there?
No problem, just start typing code like it and let Github Copilot handle the rest
Even better, Fairuseify[1] will repackage a fair-use version of the library for you automatically.
[1]: https://fairuseify.ml/
[1]: https://fairuseify.ml/
Ingenious!
It only needs some build-in YouTube and Getty-Images browser to select fairuseify targets. (It should work for all kind of media, of course).
I think we've solved the copyright issue right now finally for good, didn't we?
It only needs some build-in YouTube and Getty-Images browser to select fairuseify targets. (It should work for all kind of media, of course).
I think we've solved the copyright issue right now finally for good, didn't we?
I never imagined that there would be a license designed so that only copyright violators have access to your project, but I support it and will probably use it. Any project I write that I think would be useful but is bad and I would never want to see shitting up Debian repos might get this.
I like a license that says that I reserve the right to sue whoever I feel like suing. If you use it, make sure I don't feel like suing you (e.g. make no money) or that I can't catch you (i.e. be an outlaw.)
I like a license that says that I reserve the right to sue whoever I feel like suing. If you use it, make sure I don't feel like suing you (e.g. make no money) or that I can't catch you (i.e. be an outlaw.)
One of the best things about people in software is (in my perception) they tend to want to share and share alike with open source and open licenses. Paid licenses also make sense to me, but it really bums me out in a way that I can't fully atriculate that the "neener neener" license is also apparently appealing to some people.
License reads:
> "Copyright Bouke van der Bijl
I do not give anyone permissions to use this tool for any purpose. Don't use it.
I’m not interested in changing this license. Please don’t ask. "
Used by counter on GitHub is at 464. The way it's worded would imply that they are all violating the license? How can this be enforced for inconsequential small pet projects? Is this really something to worry about, particularly with what (seems to me) to be a sort-of spurious license?
> "Copyright Bouke van der Bijl
I do not give anyone permissions to use this tool for any purpose. Don't use it.
I’m not interested in changing this license. Please don’t ask. "
Used by counter on GitHub is at 464. The way it's worded would imply that they are all violating the license? How can this be enforced for inconsequential small pet projects? Is this really something to worry about, particularly with what (seems to me) to be a sort-of spurious license?
Yes. You take something you do not own (even down the tree). You have to check if you are allowed to. It does not matter if it is a small pet project or the Linux Kernel.
Sure you can ignore him and wait for him to lawyer up and make your life miserable. Considering that IT specialists which have capacity to contribute to open source are typically not poor or have idealogical interests, I would not take the bets.
Respect the wishes of the people you take code from.
License checking is like code coverage. If you are a professional you take care of it.
Sure you can ignore him and wait for him to lawyer up and make your life miserable. Considering that IT specialists which have capacity to contribute to open source are typically not poor or have idealogical interests, I would not take the bets.
Respect the wishes of the people you take code from.
License checking is like code coverage. If you are a professional you take care of it.
> You have to check if you are allowed to. It does not matter if it is a small pet project or the Linux Kernel.
Actually it does matter and you don't have to. In practice pet projects are basically never going to be sued, it's simply not worth it. As a side note, a lot of techy people struggle to separate the law as written with the law as practiced.
The ethics question is more interesting, but for something like this which is clearly satirical? No harm, no foul.
Actually it does matter and you don't have to. In practice pet projects are basically never going to be sued, it's simply not worth it. As a side note, a lot of techy people struggle to separate the law as written with the law as practiced.
The ethics question is more interesting, but for something like this which is clearly satirical? No harm, no foul.
The "pet project" was the dependency in my example which license would be violated.
The contextual author does not care for sure. But generally it is an ethical problem like you said but also a practical one. Once you stack enough pet (or should I say lpad) projects together something bigger comes out. And the liability is hidden three layers down the dependency tree.
The contextual author does not care for sure. But generally it is an ethical problem like you said but also a practical one. Once you stack enough pet (or should I say lpad) projects together something bigger comes out. And the liability is hidden three layers down the dependency tree.
> Used by counter on GitHub is at 464. The way it's worded would imply that they are all violating the license?
Yes. My read of the situation is not that it's a license that intends to stop people from using it, but rather that it's a license that selects for a specific target audience that doesn't care about copyrights or is anti-copyright.
In my opinion, that's a perfectly valid audience to select for, although a license that specifically prohibited any licensee from ever filing a lawsuit over a copyright claim or sending a DMCA takedown might be a funnier way to accomplish it.
Yes. My read of the situation is not that it's a license that intends to stop people from using it, but rather that it's a license that selects for a specific target audience that doesn't care about copyrights or is anti-copyright.
In my opinion, that's a perfectly valid audience to select for, although a license that specifically prohibited any licensee from ever filing a lawsuit over a copyright claim or sending a DMCA takedown might be a funnier way to accomplish it.
I’m anti-copyright.
I still wouldn’t use this code, because I don’t want to break the law. Being anti-copyright doesn’t mean you also need to be against due process.
I still wouldn’t use this code, because I don’t want to break the law. Being anti-copyright doesn’t mean you also need to be against due process.
Being willing to break the law doesn't mean you're against due process. Due process is what happens afterwards, that safeguards you from being punished for doing something you have not done.
Copyright Bouke van der Bijl
I do not give anyone permissions to use this tool for any purpose. Don't use it.
I’m not interested in changing this license. Please don’t ask.
I do not give anyone permissions to use this tool for any purpose. Don't use it.
I’m not interested in changing this license. Please don’t ask.
If it keeps this out of production in even a handful of companies, that's probably a good thing in aggregate.
It's a neat blog post, shows interesting internals, and no - you should not do it.
It's a neat blog post, shows interesting internals, and no - you should not do it.
https://github.com/bouk/monkey/blob/master/LICENSE.md
Then why publish the blog post and put it into a package??
Then why publish the blog post and put it into a package??
[deleted]
Look, don’t touch.
clearly satire
Which part and in what way? Clearly the blog post is not satire, since the method works, and the license cannot be satire as it seems like it would be legally sufficient to prevent people from using it, which is exactly the stated purpose of the license. It's also implied that the author has received requests to change the license so others can use the package, which have been denied. The author even went so far as to remind people in this comment thread that they don't want it to be used! The license is serious on its face and in practice. Where is the joke?
Your reaction is the joke
You're a joke.
Sure. It is a "joke" until you're tempted to sue a big enough fish that falls for it and get some people fired. Pathetic.
Hilarious.
[deleted]
Somebody with codepilot to check it out?
You have the right to use this project via git submodules. The GitHub terms of service requires code owners to allow forking and linking to their public repositories, regardless of license.
It does not appear to grant (or attempt to grant) use of the software. So sharing and forking are fine, but not necessarily anything else.
> 5. License Grant to Other Users
> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users
> 5. License Grant to Other Users
> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users
> So sharing and forking are fine, but not necessarily anything else.
Did I imply otherwise? Git submodules are just links. Please explain how linking to a submodule is not allowed.
Did I imply otherwise? Git submodules are just links. Please explain how linking to a submodule is not allowed.
Well, I thought the purpose of linking in git submodules was to compile the source code and then use it. The "using it" is not granted by the GitHub license. Did I misunderstand your original point? If not, the verbiage "use this project via git submodules" which uses the word "use" was the source of my confusion.
Was someone disputing the right of OP to share a link to the blog post or the repository?
Was someone disputing the right of OP to share a link to the blog post or the repository?
You said it yourself: GitHub users can use GitHub projects on GitHub. Git submodules stay on GitHub, so it's allowed.
> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)
You can run the code on GitHub Codespaces & GitHub Actions, you can fork the code to make changes, and you can dynamically link/embed the code in other projects on GitHub through git submodules.
> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)
You can run the code on GitHub Codespaces & GitHub Actions, you can fork the code to make changes, and you can dynamically link/embed the code in other projects on GitHub through git submodules.
> You can run the code on GitHub Codespaces
I think this would fall under "use" which I dispute the GitHub TOS allows.
> and you can dynamically link ended the code in other projects on GitHub through git submodules.
Sure. As long as you do not compile and run it, you can link it until you turn blue in the face.
I think this would fall under "use" which I dispute the GitHub TOS allows.
> and you can dynamically link ended the code in other projects on GitHub through git submodules.
Sure. As long as you do not compile and run it, you can link it until you turn blue in the face.
[deleted]
> As long as you do not compile and run it, you can link it until you turn blue in the face.
With GitHub Codespaces and GitHub Actions you aren't compiling or running the code, GitHub is.
From my understanding, this satisfies the following:
> solely on GitHub as permitted through GitHub's functionality
With GitHub Codespaces and GitHub Actions you aren't compiling or running the code, GitHub is.
From my understanding, this satisfies the following:
> solely on GitHub as permitted through GitHub's functionality
I told the judge that I didn’t kill anyone, the hitman I hired did! For some reason, he didn’t see it as you do.
Performing those actions on GitHub isn't important because it allows you to technically bypass a restriction by having a third party do it (which I agree is a poor defense) but because the author explicitly relinquished some rights by putting the project on GitHub.
the author does not relinquish rights to run the code. running it on a third party service does not magically launder the license.
> does not relinquish the rights to run the code
I don't think anyone who's posted so far is a lawyer, but the claim is precisely that GitHub's ToS do relinquish the rights to run the code, so long as you only do so on GitHub and through their published interface.
GitHub ToS> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking).
> running it on a third party service does not magically launder the license
Totally agreed. By uploading to GitHub publicly you've granted an _additional_ license and asserted that you had the legal right to do so. It's kind of like when open source projects will also sell a proprietary license on request -- companies aren't magically beholden to the GPL'd version just because it exists somewhere; they get to choose which of their available licenses they'd prefer to use.
I don't think anyone who's posted so far is a lawyer, but the claim is precisely that GitHub's ToS do relinquish the rights to run the code, so long as you only do so on GitHub and through their published interface.
GitHub ToS> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking).
> running it on a third party service does not magically launder the license
Totally agreed. By uploading to GitHub publicly you've granted an _additional_ license and asserted that you had the legal right to do so. It's kind of like when open source projects will also sell a proprietary license on request -- companies aren't magically beholden to the GPL'd version just because it exists somewhere; they get to choose which of their available licenses they'd prefer to use.
I don't really know much about CodeSpaces but yeah, if it is always run in a service provided by the GitHub ecosystem, you can probably run it. I don't know how useful that is. Also, it says you can fork it. It does not say you can modify it.
This is just mean! The documentation definitely reads like the library is meant for use, but the author forbids all use in the license.
Why is it mean? The author can use whatever license they like. If you don't like it, you're more than welcome to release your own code under a more permissive license.
It's misleading to present the project as being for use by others and then forbid any use in the legal print?
Is it misleading to present a project as free and then have the (A)GPL license? Here I thought it was free, now suddenly there are all these conditions...
The "legal print" in this case is five lines long, written in (contrary to most licenses) very plain english, located in the root of the repository, in a file named 'LICENSE.md'. It's not exactly hidden where a reasonable person might overlook it. "We didn't know" isn't a very convincing defense.
The "legal print" in this case is five lines long, written in (contrary to most licenses) very plain english, located in the root of the repository, in a file named 'LICENSE.md'. It's not exactly hidden where a reasonable person might overlook it. "We didn't know" isn't a very convincing defense.
Normally such fact is advertised in the readme, and the github sidebar will recognise and display the title of such a license in the sidebar.
It's commonly understood that open source software may be copyleft.
I think not mentioning a license that says "No use permitted" amongst some instructions on how to use it is deceptive.
> "We didn't know" isn't a very convincing defense.
Good thing "mean", is a matter of subjective perception and not of law, then. Or do you suggest everything legal is automatically good?
It's commonly understood that open source software may be copyleft.
I think not mentioning a license that says "No use permitted" amongst some instructions on how to use it is deceptive.
> "We didn't know" isn't a very convincing defense.
Good thing "mean", is a matter of subjective perception and not of law, then. Or do you suggest everything legal is automatically good?
Yes. It is misleading to advertise software as Free and Open when it's actually Copy Left.
He can but it's still mean. It's like I can call you an autist bitch and still be mean :(
It is clearly meant for use. Those two things are not in contradiction and it's quite often that good software is spoiled with bad license. If you have to know, the secret is not to respect the made up license. Pls give downvote, copying is stealing.
Using monkey patching is an awful idea and always means your code architecture is bad. Will not be surprised if this message was the original author's intent.
Edit: it actually was: https://news.ycombinator.com/item?id=28265605
Edit: it actually was: https://news.ycombinator.com/item?id=28265605
I'm completely baffled how people work. Something like that can't actually happen. At least if you assume people working on software can read. But it seems not even this can be safely assumed nowadays.
How can someone include some dependency without checking the license? That's actually the very first thing to do, before you can even consider using something!
Not doing this is extremely unprofessional. Additionally it's stupid and very dangerous: You can bring yourself and/or your company into serous trouble. Really serous trouble.
Do people really pull in some random stuff without even looking a little bit what it is? This would make the old write-up¹ about someone placing the ultimate backdoor everywhere a certainty by now.
Sorry for ranting but this whole thing is a real-world satire, imho. The license was a joke, OK. But that it didn't fool only some random hobby hacker but alleged professionals at big corps is truly egregious. I can't stop shaking my head…
¹ https://medium.com/hackernoon/im-harvesting-credit-card-numb...
How can someone include some dependency without checking the license? That's actually the very first thing to do, before you can even consider using something!
Not doing this is extremely unprofessional. Additionally it's stupid and very dangerous: You can bring yourself and/or your company into serous trouble. Really serous trouble.
Do people really pull in some random stuff without even looking a little bit what it is? This would make the old write-up¹ about someone placing the ultimate backdoor everywhere a certainty by now.
Sorry for ranting but this whole thing is a real-world satire, imho. The license was a joke, OK. But that it didn't fool only some random hobby hacker but alleged professionals at big corps is truly egregious. I can't stop shaking my head…
¹ https://medium.com/hackernoon/im-harvesting-credit-card-numb...
I highly doubt most devs check the license of every dependency 3 layers deep from their UI framework. create-react-app, vue-cli sets up several hundred dependencies. If you tell me >50% of devs investigate each dependency manually, or run a license checker on that, I don't believe you.
Where I work for we have automated license scanners for this reason. They would flag such a use. But this open source project, and apparently 467 other cases, missed that. Maybe the contributors assumed the author had done their due diligence, maybe they just don't check in general, it's hard to know.
Where I work for we have automated license scanners for this reason. They would flag such a use. But this open source project, and apparently 467 other cases, missed that. Maybe the contributors assumed the author had done their due diligence, maybe they just don't check in general, it's hard to know.
Automation is of course very helpful.
But my point wasn't about transitive deps (directly). The point is about pulling something new into your project.
At the point you include something that something needs to tell you the license for itself and for all its dependencies. If it doesn't that's already fishy in its own rights (and you should turn back or start investigating for real). You need to look at the provided license lists of course.
Yes, I see more and more projects that don't list licenses for their deps. But that's usually already a license volition on its own! You can't use something like that, it's obviously problematic.
Having some tools that download random stuff form the internet may be OK when you're doing something for yourself. But at the moment you want to publish that something you're obligated to check the licenses. That's a know thing. If you don't that's very shoddy work, and actually you could get sued for all resulting damages.
So no matter what it's actually impossible to include code with a problematic license, given no botchers were involved anywhere deeper in the chain.
And here we're at the core of what I've said:
It's completely baffling to me how something like that could possibly happen. At least as long as I try to believe that no complete idiots work in the industry, people who aren't even capable of reading, and don't know even the most basic things about the job they try to do. People that therefore shouldn't be allowed to touch anything as they could create great danger for their surroundings and for themself!
But OK, maybe I just have to accept that the software industry is not different to this here:
https://www.youtube.com/watch?v=FfyPLTIn2D8
But my point wasn't about transitive deps (directly). The point is about pulling something new into your project.
At the point you include something that something needs to tell you the license for itself and for all its dependencies. If it doesn't that's already fishy in its own rights (and you should turn back or start investigating for real). You need to look at the provided license lists of course.
Yes, I see more and more projects that don't list licenses for their deps. But that's usually already a license volition on its own! You can't use something like that, it's obviously problematic.
Having some tools that download random stuff form the internet may be OK when you're doing something for yourself. But at the moment you want to publish that something you're obligated to check the licenses. That's a know thing. If you don't that's very shoddy work, and actually you could get sued for all resulting damages.
So no matter what it's actually impossible to include code with a problematic license, given no botchers were involved anywhere deeper in the chain.
And here we're at the core of what I've said:
It's completely baffling to me how something like that could possibly happen. At least as long as I try to believe that no complete idiots work in the industry, people who aren't even capable of reading, and don't know even the most basic things about the job they try to do. People that therefore shouldn't be allowed to touch anything as they could create great danger for their surroundings and for themself!
But OK, maybe I just have to accept that the software industry is not different to this here:
https://www.youtube.com/watch?v=FfyPLTIn2D8
The npm circus is crazy. How anyone can consider himself a dev and then depend on packages like
is-odd, 486.139 downloads weekly
is-even, 206.628
is-windows, 17.329.418
is-empty, 176.643
true, 504 too many
false, circa 700
is-number, 46.806.043 (!!!)
is-promise, 10.282.368
left-pad, 3.014.769
These are the one I hate more, but it's full of unnecessary one-line packages. Some of them are even used by the big players. I just don't understand...
is-odd, 486.139 downloads weekly
is-even, 206.628
is-windows, 17.329.418
is-empty, 176.643
true, 504 too many
false, circa 700
is-number, 46.806.043 (!!!)
is-promise, 10.282.368
left-pad, 3.014.769
These are the one I hate more, but it's full of unnecessary one-line packages. Some of them are even used by the big players. I just don't understand...
A valid license does nothing to prevent supply chain attacks.
A long time ago I implemented a similar (less flexible) thing for C, also as a sort of goofy learning experience:
https://github.com/mgraczyk/fast_check_once/blob/master/fast...
There's something really appealing about replacing code at runtime to "hack" the bypass normal behavior of the language. For testing/mocking this can even be useful.
https://github.com/mgraczyk/fast_check_once/blob/master/fast...
There's something really appealing about replacing code at runtime to "hack" the bypass normal behavior of the language. For testing/mocking this can even be useful.
This post inspired me to try writing some SQL that downloads all the LICENSE files of declared go mod dependencies: https://askgit.substack.com/p/query-for-go-dependency-licens... using a project I maintain.
Some flaws, but was able to download a bunch of licenses :)
Some flaws, but was able to download a bunch of licenses :)
Technically, that is not a license, since a license is something that grants permissions and that statement expressly does not.
So there is no grant of copyright to distribute copies of the dependency, but what about useyright? The dependant project just uses the the dependency to run a test. Supposing it didn't distribute it as part of the release, is that still allowable?
The conflicting license states
>I do not give anyone permissions to use this tool for any purpose. Don't use it.
So no use rights either.
>I do not give anyone permissions to use this tool for any purpose. Don't use it.
So no use rights either.
But the granting of rights to redistribute is governed by the applicable copyright law, as far as I know there is no equivalent body of law governing usage. You can't give someone information but attach conditions to its use, except in specific circumstances. You can certainly make someone sign a contract before agreeing to give them the information, but that's not what's occurring here.
>You can't give someone information but attach conditions to its use, except in specific circumstances.
Wouldn't that effectively bar the use of DRM? If I buy a blu-ray, I can't legally watch it unless I have a player capable of unlocking the content.
That may be one of the "specific circumstances," as there is a law that specifically forbids bypassing DRM.
Wouldn't that effectively bar the use of DRM? If I buy a blu-ray, I can't legally watch it unless I have a player capable of unlocking the content.
That may be one of the "specific circumstances," as there is a law that specifically forbids bypassing DRM.
> If I buy a blu-ray, I can't legally watch it unless I have a player capable of unlocking the content
Depends on jurisdiction.
Depends on jurisdiction.
IANAL but these specific circumstances of ‘use’ typically include copyrighted music and drama, which cannot be performed in a public or commercial setting without permission or compensation. The Beatles may own Yesterday but they can’t stop me from whistling it.
Where I think this case gets murky is that the item in question is not distributed or used by users of the software, but is part of the production process for it.
Where I think this case gets murky is that the item in question is not distributed or used by users of the software, but is part of the production process for it.
Copyright law governs the right to generate and use copies of a work, whether they are for distribution or your own use. It’s right there in the name: “copy” right.
If you can figure out how to use software code that someone else wrote, without making your own copy of it first, I suppose that would not be in violation. I’m not aware of any way to do that, though.
If you can figure out how to use software code that someone else wrote, without making your own copy of it first, I suppose that would not be in violation. I’m not aware of any way to do that, though.
I have heard lawyers argue that, because to run a computer program (or play a DVD or whatever) it must be copied into memory, software that doesn't grant you the right to use it cannot legally be used.
This argument doesn't make sense to me (under US law) given that
> (a) Making of Additional Copy or Adaptation by Owner of Copy.—Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
> (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
https://www.law.cornell.edu/uscode/text/17/117
> (a) Making of Additional Copy or Adaptation by Owner of Copy.—Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
> (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
https://www.law.cornell.edu/uscode/text/17/117
(a) doesn't hold because you aren't the owner of a copyrighted work that is licensed to you. You're also not even being given a license in this context.
Read GitHub's TOS, they explicitly state you give them the right to copy your work in order to allow for forking because their lawyers KNOW they have no rights otherwise and could be sued.
Read GitHub's TOS, they explicitly state you give them the right to copy your work in order to allow for forking because their lawyers KNOW they have no rights otherwise and could be sued.
(a) doesn't refer to owning the copyright, it refers to owning the physical copy (the hardware which the information is saved on, the paper and ink in a book).
GitHub's TOS requires permission to copy, because github is not just executing your code.
GitHub's TOS requires permission to copy, because github is not just executing your code.
> as far as I know there is no equivalent body of law governing usage. You can't give someone information but attach conditions to its use
There is, and you can. It's called patent law. If the author of this license also had a patent, they could deny others the ability to use it. But unlike copyright, you are not automatically granted a patent for your creations.
There is, and you can. It's called patent law. If the author of this license also had a patent, they could deny others the ability to use it. But unlike copyright, you are not automatically granted a patent for your creations.
Copyright does not give authority over use, only over redistribution.
If I put up a message on a billboard, with a copyright notice denying the permission to read it aloud, would that be legitimate license?
It would be a silly license. I imagine reading aloud a message on a billboard would be ruled fair use. Republishing of your message by an unauthorized party could be infringement, but your license doesn't change that; the default ("no license") is "all rights reserved" so redistribution is already forbidden.
Does that make it law? What if he typed “Every time you run this code you owe me 5 bucks” ?
This feels like "Left-pad 2: Electric Boogaloo"
edit: Although, "This is only used in the test (and thus not.compiled and distributed in our binaries)." https://github.com/dapr/dapr/issues/3563#issuecomment-901563...
edit: Although, "This is only used in the test (and thus not.compiled and distributed in our binaries)." https://github.com/dapr/dapr/issues/3563#issuecomment-901563...
Is the "I do not give anyone permissions to use this tool for any purpose. Don't use it." actually a forbidding, strictly speaking?
No. It's probably intended satirically, but in practice it's a null statement since there's no grant of anything nor an exchange of value. It's equivalent to the default of "All rights reserved". This includes any fair use rights you might have, however, and any rights due to Github's ToS, so you can likely review and discuss the code, and quote from it, but if incorporated into a product or service then it's actionable; the author has the option of asserting their rights.
There's no assertion that the method is patented so you'd probably be free to also use the technique, as long as you don't reuse or incorporate the original work. If your code consequently looks like the author's then that's usually fine too, c.f. NEC v. Intel (1989), although actually relying on this precedent is a question balancing your access to legal resources vs how much the author really gives a shit.
There's no assertion that the method is patented so you'd probably be free to also use the technique, as long as you don't reuse or incorporate the original work. If your code consequently looks like the author's then that's usually fine too, c.f. NEC v. Intel (1989), although actually relying on this precedent is a question balancing your access to legal resources vs how much the author really gives a shit.
The default is that you’re not allowed to use it. There needs to be an explicit grant of license to change that, and there’s not.
It's crazy to me that people would intentionally introduce monkey patching into a language where it's not supported.
I dont know how that could be surprising as sometimes monkey patching is the best (only?) way to do something.
GitHub terms of service [1]:
"If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)."
I think these override it?
[1] https://docs.github.com/en/github/site-policy/github-terms-o...
"If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)."
I think these override it?
[1] https://docs.github.com/en/github/site-policy/github-terms-o...
No it does not. This statement is exclusively for the fact that GitHub and a reader is not liable for showing/reading your copyrighted code.
The only weak spot is GitHub Actions/Code spaces/etc for dev tools I guess. Because that falls under "GitHub service" and is a functionality of it.
The only weak spot is GitHub Actions/Code spaces/etc for dev tools I guess. Because that falls under "GitHub service" and is a functionality of it.
No, this would also seem to protect users who click the "fork" button on Github. It would not, however, allow them to clone the software to their local computer or use it for any other purpose.
The Github terms do not indicate that the license is transferable. Github can display the code, but even if someone downloads from Github, they still can't use it.
I am not a lawyer... There may be an argument here that
1. GitHub has a valid license to distribute it (as a result of their TOS)
2. Running the downloaded code is not copyright infringement (or not obviously so, and hasn't been established as so in any court that I am aware of)
3. Using the APIs is not copyright infringement (see Oracle v Google, if that was fair use this almost certainly is)
Thus no copyright infringement has occurred.
Still, keeping this in the codebase is at best boobytrapping your code to create accidental future instances of copyright infringement, and it's an interesting case of people not checking licenses (since it's pretty clear they didn't realize this in advance).
1. GitHub has a valid license to distribute it (as a result of their TOS)
2. Running the downloaded code is not copyright infringement (or not obviously so, and hasn't been established as so in any court that I am aware of)
3. Using the APIs is not copyright infringement (see Oracle v Google, if that was fair use this almost certainly is)
Thus no copyright infringement has occurred.
Still, keeping this in the codebase is at best boobytrapping your code to create accidental future instances of copyright infringement, and it's an interesting case of people not checking licenses (since it's pretty clear they didn't realize this in advance).
Github has a valid license to distribute it but you are not Github so that doesn't give you a right to anything.
In particular it doesn't give you a right to download it.
> In particular it doesn't give you a right to download it
That sentence is wrong, GitHub’s terms of service explicitly give users a right to download, and also run, the code of any project that is publicly visible. Please read the terms, especially section D “5. License Grant to Other Users”. https://docs.github.com/en/github/site-policy/github-terms-o...
That sentence is wrong, GitHub’s terms of service explicitly give users a right to download, and also run, the code of any project that is publicly visible. Please read the terms, especially section D “5. License Grant to Other Users”. https://docs.github.com/en/github/site-policy/github-terms-o...
Those terms don't say anything about a right to "download and also run" code:
> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality
(emphasis mine)
> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality
(emphasis mine)
“Display”, “Use”, and “View” are all terms that are all talking about downloading. “Perform” means to run the code. You are still using the GitHub service when you clone a GitHub repo locally, that is part of GitHub’s functionality. What it’s not saying is that the only way to view a project is via an http connection through a browser to github.com.
"Perform" means to run the code THROUGH GitHub and its services (i.e. Actions). You are NOT allowed to run the code on any hardware YOU own. Downloading is an implementation detail of performing your right to "Display", "Use", and "View" the content ON GitHub and its services. You are forbidden from downloading the content for any other purpose.
> You are NOT allowed to run the code on any hardware YOU own.
Sure you are, that is just not true.
> You are forbidden from downloading the content for any other purpose
The rights GitHub grants allow a copy to be made. What you can’t do is redistribute the code, that part is clear. But what you do with it on your machine when not showing it to anyone else is not prohibited by GitHub’s terms, nor by copyright law. I’ve read both. If you have too, and believe otherwise, please cite the relevant sections.
Sure you are, that is just not true.
> You are forbidden from downloading the content for any other purpose
The rights GitHub grants allow a copy to be made. What you can’t do is redistribute the code, that part is clear. But what you do with it on your machine when not showing it to anyone else is not prohibited by GitHub’s terms, nor by copyright law. I’ve read both. If you have too, and believe otherwise, please cite the relevant sections.
> 1. GitHub has a valid license to distribute it (as a result of their TOS)
From the GitHub TOS someone posted:
"... license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)"
I'm not sure if cloning from GitHub to your local computer falls under "reproduce Your Content solely on GitHub as permitted through GitHub's functionality" (due to "solely on GitHub" part).
From the GitHub TOS someone posted:
"... license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)"
I'm not sure if cloning from GitHub to your local computer falls under "reproduce Your Content solely on GitHub as permitted through GitHub's functionality" (due to "solely on GitHub" part).
I'm not completely sure either, I don't think you would get a definitive answer short of litigating it (and let's be honest, no one is litigating over this).
(Again, not a lawyer, not super familiar with this part of copyright law, but...) I'd argue that the copy is made on githubs server and then sent to me, and I simply move the sole copy around (or to the extent that I make a new copy it is a lawful copy of the network traffic for archival purposes under 17 USC 117 (a) (2)). That "git clone" is clearly a integral part of githubs service so the license is clearly intended to cover it. That "git clone" is not meaningfully different from "wget" from "a web browser" - again the license is clearly intended to cover this. That any liability that does exist falls on GitHub as the party making the copy.
I'm not sure which if any of those arguments would convince a court though
(Again, not a lawyer, not super familiar with this part of copyright law, but...) I'd argue that the copy is made on githubs server and then sent to me, and I simply move the sole copy around (or to the extent that I make a new copy it is a lawful copy of the network traffic for archival purposes under 17 USC 117 (a) (2)). That "git clone" is clearly a integral part of githubs service so the license is clearly intended to cover it. That "git clone" is not meaningfully different from "wget" from "a web browser" - again the license is clearly intended to cover this. That any liability that does exist falls on GitHub as the party making the copy.
I'm not sure which if any of those arguments would convince a court though
Regards (3): have not they have a dependency on the implementation? Oracle/Google was about the interface and the design of the API interface not the implementation.
They do, it's not an entirely identical situation, I believe it is analogous though.
The question I'm addressing in 3 is whether or not the source code becomes a derivative work of the dependency (meaning writing it in the first place would be illegal). The only portion of the dependency that the source code copied was the names of a few functions/modules (part of the API). Copying that part of the API into the work seems very analagous to the Oracle/Google case, except even less was copied and it is even less of a market place competitor (but again, I'm not a lawyer).
The question I'm addressing in 3 is whether or not the source code becomes a derivative work of the dependency (meaning writing it in the first place would be illegal). The only portion of the dependency that the source code copied was the names of a few functions/modules (part of the API). Copying that part of the API into the work seems very analagous to the Oracle/Google case, except even less was copied and it is even less of a market place competitor (but again, I'm not a lawyer).
The license forbids use. The project is (or was) clearly using it. GitHub is irrelevant.
The license has no legal authority to forbid that which is not forbidden by law and/or permitted by other licenses the author has granted. (See other discussions here for arguments as to whether or not it has that legal authority)
github TOS do not grant you use of others code. it grants distribution. those are two very different things.
See this sibling thread: https://news.ycombinator.com/item?id=28265245
I am contending (with citations to the law) that you simply don't need a license to execute other peoples code once you legally have a copy of it.
I am contending (with citations to the law) that you simply don't need a license to execute other peoples code once you legally have a copy of it.
The core question is whether downloading code from GitHub legally gives you a copy of it.
The answer is likely no (within the U.S. at least), based on conversations I’ve had with lawyers who specialize in intellectual property law.
While arguing on HN is a fun intellectual exercise, I would encourage anyone to talk things over with a lawyer before putting financial resources at risk by intentionally violating the expressed license (or lack thereof) in published software code. Even if it is published on GitHub.
The answer is likely no (within the U.S. at least), based on conversations I’ve had with lawyers who specialize in intellectual property law.
While arguing on HN is a fun intellectual exercise, I would encourage anyone to talk things over with a lawyer before putting financial resources at risk by intentionally violating the expressed license (or lack thereof) in published software code. Even if it is published on GitHub.
I wonder what happens when I upload to GitHub code that I have permission to distribute, but that I don't own, that GitHub doesn't have permission to distribute and I don't have permission to give others permission to distribute.
Then you cannot grant such right to GitHub, thus, you cannot post to GitHub.
I do wonder about things like the linux kernel being uploaded to github though... it doesn't seem like all the contributors consented to giving GitHub this license.
Those rights are a subset of those granted by the GPL2, aren't they ?
I don't believe so, since the GPL (like most licenses) conditions those rights on things like keeping the license intact. Also the GPL doesn't actually say anything about performance or display (which may or may not matter).
I think GitHub gives you the right to download or fork the repo, but the license explicitly states that you can't use the code. That might mean running it on its own is technically illegal.
The license literally says "you can't use this". How are so many people confused about the license in this thread?
The license literally says "you can't use this". How are so many people confused about the license in this thread?
> That might mean running it on its own is technically illegal.
Based on what law/authority?
Copyright law forbids making copies, derivative works, etc. Not using things. You're allowed to read a book without a license.
Moreover copyright law makes an explicit exception for the copies required to run a computer program on a machine that aren't used in other ways (i.e. copying it to ram/registers): https://www.law.cornell.edu/uscode/text/17/117
The author may say "you can't use this", but it is not clear to me that he has any legal authority to do so.
Based on what law/authority?
Copyright law forbids making copies, derivative works, etc. Not using things. You're allowed to read a book without a license.
Moreover copyright law makes an explicit exception for the copies required to run a computer program on a machine that aren't used in other ways (i.e. copying it to ram/registers): https://www.law.cornell.edu/uscode/text/17/117
The author may say "you can't use this", but it is not clear to me that he has any legal authority to do so.
Quite so. As written, it's a null statement. To be enforceable, a license has to be written by one party such that another party may acquire rights in exchange for accepting the terms. This is how licenses become contracts.
Simply reading the words "Don't use it" does not bind you, because there is no grant of use; there is no offer or exchange of value, so no contract has been formed, and the statement is at best advisory. It is equal to writing "All rights reserved", which is to say, you retain whatever rights pre-existed under statutory and common law, such as right of fair use and so forth, and anything due to Github's ToS.
Engineers often fall into the trap of thinking the law is a programming language. It isn't, mercifully.
Simply reading the words "Don't use it" does not bind you, because there is no grant of use; there is no offer or exchange of value, so no contract has been formed, and the statement is at best advisory. It is equal to writing "All rights reserved", which is to say, you retain whatever rights pre-existed under statutory and common law, such as right of fair use and so forth, and anything due to Github's ToS.
Engineers often fall into the trap of thinking the law is a programming language. It isn't, mercifully.
As pointed out in other comments, music and drama are exceptions to this where their ‘use’ is protected by copyright. You can read a play aloud if you like, but you can’t perform it publicly without permission (or royalties).
That's the typical outcome, but not by exception to this analysis; if a work of music or drama included an equally poorly worded "license", then the rights and obligations of all parties would similarly fall back to the terms of service of the platform through which the work was acquired, with a backstop of the Berne Convention, TRIPS agreement, TPPT, and various EU directives (or rather more specifically, the local implementation of those, assuming your jurisdiction is a signatory to any).
[deleted]
That is not a blanket exemption. It is for "the owner of a copy of a computer program".
If you stole a copy of Microsoft Office on CD from a shop (back when that was a thing) it seems clear that using the software would have been a copyright infringement because you wouldn't have been the owner.
In this case you have the right to download the software (via the github agreement) but how does that relate to ownership and the legal exemption? I've no idea.
If you stole a copy of Microsoft Office on CD from a shop (back when that was a thing) it seems clear that using the software would have been a copyright infringement because you wouldn't have been the owner.
In this case you have the right to download the software (via the github agreement) but how does that relate to ownership and the legal exemption? I've no idea.
I believe "owner" here is just referring to classical property rights, you literally own the magnetized platter which encodes the program, like you literally own the ink and paper that makes up a book. Once you've downloaded the software you have a version of it on your hard disk (or ssd) that you literally "own" (but you don't own the copyright to it).
[deleted]
It's due in part to the absurdity of of publicly sharing something and then declaring "neener neener you can't use this." It's seemingly contradictory to open-source something that you forbid the use of.
This would have been a mostly benign comment had you not thrown in the bad take about Oracle v. Google. There are enough of those on the Internet already.
Care to share your objection to it?
Not particularly. For further inquiries, refer to the about section of my HN profile.
You can also refer to this thread and pay particular attention to toyg's response.
<https://news.ycombinator.com/item?id=27687960>
You can also refer to this thread and pay particular attention to toyg's response.
<https://news.ycombinator.com/item?id=27687960>
> Unlikely to respond to replies. (A tip for the intellectually dishonest: you can seize this opportunity to get the last word in.)
Lol (quoting your profile here since I think it's fair to give other people the expectation that you won't engage)
> toyg's response.
I both agree with his reponse and would categorize my use of the case here as within that (the only code copied out of the dependency is API related).
I can't force you to debate this, but I also have to say I don't think casting vague aspirations without an explanation is a useful form of comment.
Lol (quoting your profile here since I think it's fair to give other people the expectation that you won't engage)
> toyg's response.
I both agree with his reponse and would categorize my use of the case here as within that (the only code copied out of the dependency is API related).
I can't force you to debate this, but I also have to say I don't think casting vague aspirations without an explanation is a useful form of comment.
Why did I not spell this out in the blog post? For my own amusement. I also think it shows that licenses really don't matter all that much as some people think, they are not computer code.