Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half of GitHub Code Unsafe To Use (If You Want Open Source)

Posted by timothy on from the but-they-said-to-download dept.

WebMink writes "GitHub is a great open source hosting site, right? Wrong. There's no requirement that projects on GitHub provide any copyright license, let alone an open source one, so roughly half the projects on GitHub are "all rights reserved" — meaning you could well be violating copyright if you make any use of the code in them. And GitHub management seem just fine with this state of affairs, saying picking a license is too hard for ordinary developers. But if you're not going to give anyone permission to use your code, why post it on GitHub in the first place?"

49 of 218 comments (clear)

  1. Because by OverlordQ · · Score: 5, Interesting

    Because it's a free place to store a git repo as a backup.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Because by Bieeanda · · Score: 4, Insightful

      And it's probably one of the first places that comes to mind, shows up on a cursory search, or is suggested by someone in passing. Given that the site maintainers are fine with the state of things, the issue would seem to lie with the assumption that all code there is OSS licensed, rather than its use as a catch-all repository.

    2. Re:Because by Anonymous Coward · · Score: 5, Insightful

      this. i've only used github for my personal projects. not everyone cares about contributing to open source projects, or making their code available to others. and there's nothing wrong with that. not everyone should be expected to share their work.

      shocking and unbelievable, i know, but it's true.

    3. Re:Because by 0100010001010011 · · Score: 2

      One semester I used it for my homework. Lots of .tex and .m files. I could do a problem, commit. Push go to a completely separate computer, pull and continue working.

    4. Re:Because by rbprbp · · Score: 5, Funny

      This has been my approach to homework (which is mostly .tex and .py). For all I care, I don't mind if someone forks my homework or does anything with it. Though I wouldn't mind them merging their changes back :)

      --
      They're there in their room. You're on your own.
    5. Re:Because by Mike_EE_U_of_I · · Score: 2, Insightful

      not everyone should be expected to share their work.

      Nor should Github be expected to host such repositories for free.

      That's true. However, if Github can afford to provide the service for free and chooses to do so, I see no harm in it.

    6. Re:Because by Short+Circuit · · Score: 3, Insightful

      If I understand what you're saying, you're expressing the same ignorance about downloadable material that people downloading warez and mp3s in the 90s had. "It's free, so it's probably legal, right?"

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    7. Re:Because by cheesybagel · · Score: 4, Interesting

      I only use GitHub for code I have written under non-commercial licenses. Mostly Linux ports of former commercial games. SourceForge won't host them. Icculus is a bit of a pain to convince to host your code. GitHub is one of the few choices available gratis.

    8. Re:Because by Runaway1956 · · Score: 2

      "It's free so it SHOULD BE legal."

      If it's not free for use for non-commercial use, then it shouldn't have been put up there without at least password protection, preferably encrypted as well. Basically, it's "in the cloud", so it's mine to use. Before anyone attempts to use code on github for derivative works or anything, then they really need to check the licensing. But for personal use? Phhhttt - screw the "rights holders"!!!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    9. Re:Because by Short+Circuit · · Score: 2

      And now we're back to a familiar analogy: "The door was open, so anything inside should have been mine to take!"

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    10. Re:Because by HairyNevus · · Score: 4, Insightful
      That's a false comparison; those mp3s weren't uploaded by the artist themselves. If a musician uploads a track today with a free download, and provides the link without any password protection or encryption so anyone can link to and download it willy nilly, then yes, it's free and you can run it on your computer and listen to it.

      I think they should put a warning up for people, that by downloading and compiling the code you could be in violation of the law,

      By analogy, this would be like the artist putting up a track for download and saying it's illegal to listen to.

      --
      You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
    11. Re:Because by Kergan · · Score: 4, Insightful

      A developer who downloads code for use in his project, without checking the licence first, shouldn't be coding in the first place. Seriously...

    12. Re:Because by amorsen · · Score: 4, Interesting

      In sensible jurisdictions, the act of running a program is not a copyright event, since it does not involve distribution. When you download, compile, and execute something from Github, the only copyright event is Github distributing the source file. The rest is not of concern to copyright law.

      Alas, when copyright was conceived, copying and distribution were practically one and the same, so "right to distribute" was unfortunately misnamed "copyright". Many jurisdictions later looked at computers and misunderstood any bit duplication to be a copyright event. Denmark is one of the most extreme cases, where every (ISP or otherwise) router is subject to copyright law whenever it moves copyrighted bits around. That level of absurdity is fortunately fairly rare.

      --
      Finally! A year of moderation! Ready for 2019?
    13. Re:Because by shipofgold · · Score: 2

      It is more complicated than that. This is all about what today's society expects and how people conform to those expectations.

      I believe a better analogy would be "I draw a picture, make a large number of copies, and leave them in a public building. Do I expect that people walking by won't pick one up?".

      The answer depends on how hard it is to make the copy, where in the public building the copies were left, what notices were posted at the door of the public building, what the passer-by intends to do with the copy, and whether the original producer is deprived of anything.

      If each copy was an oil painting on canvas I suppose you might reasonably expect a passer-by to leave them lie. Especially if that passer-by intends to pick up the entire stack and sell them on a street corner. After all each copy cost the original artist something in materials and time, and I would be depriving the original artist of those costs.

      If each copy was a photocopy, I can't see anyone assuming that they can't pick up a copy. Material/time costs to the original artist are minimal, so as a passer-by I won't feel that I have deprived anybody of anything by picking up a copy to take home and hang on my wall. In today's society a stack of photocopies in a public place implies they are to be taken.

      Of course, if I take that photocopy and publish it in my newspaper in order to sell more newspapers, The original artist might have cause to object, as that act isn't generally supported in today's society.

      In GitHub, if I put some sourcecode there, and make no attempt to protect it with password or license, I don't feel today's society would not allow me to object to people downloading it for personal use. But if I include it in a project for sale, I should take care to read the licenses and get the necessary permissions.

  2. That by M0j0_j0j0 · · Score: 3, Interesting

    Is only a problem in places where computer algorithms can be patented. and beside, anyone just grabbing code and pasting direct onto a product without audit or modification is asking for a nice backdoor.

  3. Not a new problem by MightyYar · · Score: 3, Insightful

    This certainly isn't a new problem. If you work for a corporation, you aren't going to use code without a clear license. At least, I hope you aren't. If you need clarification about a license, you can often just contact the author. Just because the website is called "Github" doesn't mean you should treat the code any differently than code you find laying around anywhere else.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  4. Unsafe? by Anonymous Coward · · Score: 4, Informative

    Code having a license term, you use it under that license. Whats the problem. So you can't cut an paste it. Good. But as a example of an implementation its still very useful/educational.

    The license chosen isup to the author, get over it. This militant 'I want it all for free and without me having to do anything' is your problem, not the authors.

    1. Re:Unsafe? by SwashbucklingCowboy · · Score: 5, Informative

      "But as a example of an implementation its still very useful/educational."

      And opens you up to the possibility of being accused of creating a derivative work, which violates "All Rights Reserved".

  5. Bitbucket by akeeneye · · Score: 3, Informative

    As is Bitbucket (bitbucket.org), with the added bonus that the private repos that you create there are free too.

    --
    The man who dies rich dies disgraced. -- Andrew Carnegie
    1. Re:Bitbucket by jez9999 · · Score: 2

      And you can attach files to your issues in the issue tracker (amazingly you can't on Github).

      --
      == Jez ==
      Do you miss Firefox? Try Pale Moon.
    2. Re:Bitbucket by akeeneye · · Score: 2

      You're giving credence to a rant from 2008 by someone who doesn't even know how to turn off Apache directory indexing on his own user directory? FWIW, Bitbucket did a complete redesign of their site and released it on October: http://blog.bitbucket.org/2012/10/09/introducing-the-redesigned-bitbucket/ .

      --
      The man who dies rich dies disgraced. -- Andrew Carnegie
  6. Why? by gcnaddict · · Score: 5, Insightful

    But if you're not going to give anyone permission to use your code, why post it on GitHub in the first place?"

    Lets say I stumble across a fantastic utility, and the source is open for me to view. I'll dive through the code and make sure I'm comfortable with its functionality (i.e. it's not doing anything I don't want it to do) before grabbing the tool.

    I'm not using the code for my own projects. I'm just vetting the code. Plenty of developers throw code for small utilities up for exactly this reason, and the vast majority of the world is totally cool with it.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  7. Re:Conflating copyright and patent again... by smittyoneeach · · Score: 3, Funny

    conflating piracy and theft

    Who does that? Piracy requires an ocean, ships, and lots of brutal, hand-to-hand combat effort.
    Modern theft has been reduced to legislation.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  8. Why post it on GitHub? by Opportunist · · Score: 4, Insightful

    C'mon, it ain't that hard.

    1. Post it on Github
    2. Make everyone think it's free to use.
    3. Sue everyone you can get your hands on who do.
    4. Profit

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why post it on GitHub? by Vasheron · · Score: 2

      C'mon, it ain't that hard.

      1. Post it on Github
      2. Make everyone think it's free to use.
      3. Sue everyone you can get your hands on who do.
      4. Profit

      You forgot the ???

    2. Re:Why post it on GitHub? by Neil_Brown · · Score: 3, Informative

      When in the recent past have you seen a court rule on copyright with common sense?

      I'm not sure that Usedsoft applied common sense, but rather some convoluted reasoning, but the outcome seems sensible enough. Picking on rulings relevant here, I think the US court's decision in Wallace v. IBM was common sense, as was the finding of the German court in Welte v. Skype.

      Perhaps look also at Griggs v. Evans — a pragmatic decision on the facts, to my mind.

      Sure, there are some odd judgments, but there are some sensible, practical judges out there too.

  9. Reading code can be useful on its own by Hentes · · Score: 2, Insightful

    The author seems to confuse open source with copyleft. Open source is not a legal thing. And a ban on redistribution of derivative works doesn't mean that it's useless. Knowing the source code of a piece of software is important if you want to use it for any security-sensitive work or if you want to implement some modifications of your own (which you don't intend to distribute). It's not unheard of even that a developer company only gives the source code to their paying costumers.

    1. Re:Reading code can be useful on its own by icebraining · · Score: 4, Insightful

      Open Source, as defined by the Open Source Initiative, is most definitively a legal thing.

      a ban on redistribution of derivative works doesn't mean that it's useless. Knowing the source code of a piece of software is important if you want to use it for any security-sensitive work or if you want to implement some modifications of your own (which you don't intend to distribute). It's not unheard of even that a developer company only gives the source code to their paying costumers.

      This is why the author says it's dangerous.

      Unlicensed code ("All rights reserved") is not a ban on redistribution. It's a ban on any copying, including forking the code to your machine. You most definitively can't modify the code, even if you don't intend to distribute it.

      --
      Dilbert RSS feed
    2. Re:Reading code can be useful on its own by micheas · · Score: 2

      ... or if you want to implement some modifications of your own (which you don't intend to distribute)

      IANAL, but I have been led to believe that code that is all rights reserved cannot be modified without consent of the author, unless it falls under the fair use exemption of copyright.

      The fact that your modifications could reduce the profitability of the copyright owners derivative works lead me to suspect that the courts would generally find that your changes are a copyright violation, even if they are not distributed.

      Copyright law is all about money and lost sales.

      My advice, get permission from the copyright holder, it is much cheaper and less confusing than attorneys.

      --
      Work bio at MMWD
  10. Sensationalist article stating the obvious by caseih · · Score: 4, Insightful

    Whether you are working on proprietary code or open source code, you can't just paste code from the net into your project without a license, regardless of whether it's GPL, BSD, or some royalty-free use grant. Unless the code has an explicit license, or states explicitly that it is in the public domain, you simply cannot use it without express permission from the copyright holder, because no law grants you that right. Plain and simple. So if code in a git repo is "all rights reserved," the you can look, and even download it, but you cannot put it into your own code. So I don't see what the problem is here. License always matters, whether you're a FLOSS person or developing commercial software.

    So of course half of all git repos are unsafe to use. Why does this warrant some big sensationalist article? Kind of along the lines of articles claiming the GPL is a threat to proprietary software companies because it will "infect" them somehow magically. Folks, a little bit of understanding of copyright law will go a long ways I think. Open source, even copyleft, depends on copyright to keep it as such. We should all have a basic understanding of it.

    1. Re:Sensationalist article stating the obvious by Neil_Brown · · Score: 2

      You can take any code which you find and put it into your project, or even combine bits of code with incompatible licenses.

      Distribution might be where GNU GPL 2.0 kicks in, but copyright certainly kicks in to prevent you from just taking code and putting it into your own project, at least in Europe — the restriction on "copying," for example. (You might have a defence of fair use in the US, but that's an affirmative defense, not an absence of copyright.)

      Whether anyone would find out, or consider it worth suing for, is perhaps another matter, but copyright is not just limited to distribution.

    2. Re:Sensationalist article stating the obvious by marcansoft · · Score: 2

      It is true that the law grants the copyright owner the right to restrict the creation of copies, but It can be reasonably argued that by posting the code on GitHub you've implicitly given consent to the mere creation of a copy (as would automatically happen if you view the code or download it). For most practical purposes, the limitation on distribution is what matters.

    3. Re:Sensationalist article stating the obvious by micheas · · Score: 2

      Distribution is where copyright law kicks in.

      Like when you distribute the program from your drive to your RAM?

      Now if the program is all rights reserved, and your modified version that you distribute mocks the original author, you could claim the parody exception for copyright. (Would you be successful? I don't know about that question, ask an attorney.)

      --
      Work bio at MMWD
  11. Missing the problem here by dugjohnson · · Score: 4, Insightful

    Github is a great place to store your repository. It is ALSO a great place to share code with people you want to work with who may or may not be really conversant with git.
    Github doesn't claim to provide a repository for open source software...just a place to store repositories which you (as an author) may or may not choose to attach a license to. But that doesn't remove the responsibility of the copier to determine what the license on that software may be. If I copy anything, I need to know if I have the right (copy right) to do that. The onus is and always has been on the copier. That said, the copyright owner is the one who will follow up with violations.
    Just because I choose to use github to store my repositories (and, in my case, I use and pay for private repositories for those things that I don't want to share) does not mean that I want everyone in the world to download and use my stuff. I'm an idiot if I am surprised when people DO use my stuff that I make publicly available, but without an explicit license allowing use of my code, it is protected in the US by copyright laws as soon as I write it...and IANAL.
    Github is just a great service for those of us who don't want to set up our own repository. They are not a guarantor of free software, nor a nanny to protect me.

    --
    My brain is overly lubricated
    1. Re:Missing the problem here by phantomfive · · Score: 4, Informative

      Just because I choose to use github to store my repositories (and, in my case, I use and pay for private repositories for those things that I don't want to share) does not mean that I want everyone in the world to download and use my stuff.

      Just so you know, in the terms-and-services you clicked on when you signed up for github, you actually gave permission to everyone in the world to download, view, and fork your stuff. So if that's not what you want, you might reconsider your use of github (Note: this only applies to the free public repositories).

      --
      "First they came for the slanderers and i said nothing."
  12. I don't see the story. by metrometro · · Score: 2

    GitHub allows creators to determine what license to publish under. The license is disclosed to downloaders. Some of it is under an open license. Some of it isn't.

    "Is this code using a license compatible to my project?" is a pretty normal thing to ask before dropping something into your work.

    Personally, I like having access to look at source on closed projects - projects I wouldn't otherwise have access to. You can learn stuff even if you don't copy/paste working code.

  13. Re:Daily reminder by icebraining · · Score: 2

    That depends on the definition of "open source" you use. If it's the one by the Open Source Initiative, it certainly does mean you can use and distribute the code.

    --
    Dilbert RSS feed
  14. Next on slashdot... by metrometro · · Score: 2

    Half of Coffee Shop Unsafe to Drink (If You Want Decaf)

  15. Terms of github by phantomfive · · Score: 5, Interesting
    From the terms of service from github:

    We claim no intellectual property rights over the material you provide to the Service. Your profile and materials uploaded remain yours. However, by setting your pages to be viewed publicly, you agree to allow others to view your Content. By setting your repositories to be viewed publicly, you agree to allow others to view and fork your repositories.

    If you use source code found on github, it's going to be hard for the author to win a copyright lawsuit. This is a non-issue. They've basically allowed you to fork the code (with the implication that you're going to modify it). I don't see them in any way being able to recover punitive or even statutory damages.

    The real danger with github, as with all open source, is ensuring that the project's owner hasn't stolen proprietary code from somewhere else. Imagine if Linus had grabbed some files from Unix, then IBM would have been in a lot more difficulty during the SCO case. Fortunately the only things Linus copied were semicolons and braces.

    But if you use someone's code through an open source project, you can be liable, even if you got the code under the GPL or BSD license, because the project's owner didn't have the right to give you that code.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Terms of github by phantomfive · · Score: 3, Informative

      You've got it backwards. If you sue me for copyright infringement, you need to prove that I infringed, I don't need to prove that I didn't. So good luck proving that by forking and redistributing the code that you put on github, I've made unjust profits or caused you losses.

      --
      "First they came for the slanderers and i said nothing."
  16. People misunderstanding the point of Github? by flimflammer · · Score: 3, Informative

    I think so!

    The public repository option for uploading makes no mention that you need to supply the code with a copyleft/copyright free license, just that the code is publicly listed and browsable. Why are people assuming that everyone is supposed to?

    Are people confusing open source (publicly browsable source) from Open Source (the movement)?

  17. Not only a problem with Github by SwashbucklingCowboy · · Score: 3, Interesting

    Lots of so called open source projects either don't provide a license or provide conflicting license information. For example, we recently looked at a project where the web site says it's MIT, but the code says it's public domain.

  18. StackOverflow is even worse! by zidium · · Score: 3, Informative

    Every question, answer, and comment on the StackExchange websites (StackOverflow, ServerFault, et. al.) is automatically licensed on something very akin to the GPL (the Creative Commons Share Alike License); if you use code from those sites, your entire application's source will legally have to be released.

    Just because no one is talking about that doesn't mean it isn't legit. Check it out: http://meta.stackoverflow.com/questions/25956/what-is-up-with-the-source-code-license-on-stack-overflow

    --
    Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
    1. Re:StackOverflow is even worse! by rasmusbr · · Score: 3, Interesting

      In order to have copyright you must first create a work. Most of the code examples that people post on those sites are so short and trivial that I doubt that very many of them (as published in isolation) would qualify as works in most jurisdictions. Even if you have a code example that is complex enough to qualify as a work you could still probably copy-paste a few lines from that work without breaching the copyright, especially if those lines are trivial or obvious or constitute best practice in the language.

  19. Re:So what ? by preaction · · Score: 2

    Lawyers. The EFF. The FSF. Anyone who makes a living on copyright.

  20. Re:So what ? by westlake · · Score: 2

    Take code from GitHub, copy/paste, re-implement ideas you find there, possibly implemented badly.... C'mon, who gives a damn about copyright on GitHub ????

    The owners. The courts. Your employers. Your clients, among others.

  21. Half is a bad estimate by bigstumpy · · Score: 2

    I have a bunch of projects on github and I'm too lazy to license many of them. If anyone ever emailed me wanting to use them I'd throw up a BSD3 license. I bet a lot of projects on github are lazy or simply don't know how to license a project, but would be happy to give permission to use the code.

  22. Re:I Have A Number of GitHub Projects... by dbc · · Score: 2

    I think you are looking for the BSD or MIT license.

  23. "All Rights Reserved." Is a meaningless phrase by imp · · Score: 3, Insightful

    The phrase "All Rights Reserved" is a totally meaningless phrase. It used to be required to retain certain rights in central american countries. It was created by the Buenos Ares convention, and once everybody in central and south america adopted the Berne convention, the phrase no longer had any recognized legal meaning.

    It has falsely been asserted that the phrase "All Rights Reserved" makes the Berkeley Copyright statement non-free. This is false because the copyright notices from the Berkeley Unix code base date to a time when the phrase had meaning.

    It's only use today is due to inertia.

    In short, this article is quite sensational in its ignorance.