Github Finally Agrees Public Repos Should Have Explicit Licenses
WebMink writes "After strong criticism last year, Github has finally accepted the view that public repositories with no open source license are a bad thing. Self-described as the 'world's largest open source community,' a significant number of GitHub projects come with no rights whatsoever for you to use their code in an open source project. But from now on, creators of new repositories will have to pick from a small selection of OSI-approved licenses or explicitly opt for 'no license'. In Github's words, 'please note that opting out of open source licenses doesn't mean you're opting out of copyright law.'"
A quick scan of their new choose a license site reveals at least a few flaws: they present simplicity, caring about patents, and sharing improvements with others as mutually exclusive points when they clearly are not (e.g. the Apache license and the GPLv3 both help with patent concerns, but only Apache is mentioned; and the MIT/X license is listed as the simple license when BSD-style is more prevalent). They also imply it is entirely optional to actually note your copyright in your files, when it is really bad practice not to unless you really want to make it impossible for people to understand the copyright history when e.g. merging your code into another project. Their list of licenses does provide a nice overview of the features of each, but regrettably encourages the use of the GPLv2 (without the "or later version" clause), listing the GPLv3 and all versions of the LGPL in league with seldom used licenses like the Perl Artistic license.
I'm surprised GitHub didn't require one to specify a code license of some kind when publishing code. The default if no license is specified is not "public domain", but private with all rights implicitly reserved for the owner of the code.
I do not fail; I succeed at finding out what does not work.
Let's say I wrote something, included code from proprietary but free to use in private, and want my own source code to be GPL'd?
We've seen what happens with screwball licenses: anyone remember why qmail, djbdns, and daemontools never made it into major software distributions, despite being noticeably better than their alternatives? Because Dan J. Bernstein saddled them with a license where you couldn't publish your modified code or binaries from it, you had to publish *his* source and your diffs against it and let people build their own binaries locally. He finally got a clue and released it all as public domain, but it was too late. Inferior products (such as Postfix, BIND, and systemd) had evolved to the point where it wasn't worth investing any effort in Dan's technically and conceptually superior tools. I was in a stack of meetings where I had to explain that we couldn't get vendor support from those tools on our operating systems because Dan's license prohibited the vendors from shipping the tools.
Hooray for reducing license wackiness!!!!!
No need for copyright notice on every file, a single LICENSE file is enough. If people want to merge files or copy parts of the code, then they can note the licensing. This attitude isn't helping when you imply that people aren't doing enough, even when they write open source code and license it appropriately.
tomorrow who's gonna fuss
The lack of mention of GPLv3's patent-fighting provisions is the major bungle.
It's hard to find a good name for non-copyleft licences since there are various versions of "the BSD" licence, and some are non-free. "MIT" is also ambiguous since that university surely has written various licences. "The licence of X Windows" is non-ambiguous, but not very recognisable.
LGPLv3 is the only other licence I'd consider adding to that mix, with a link to FSF's own Why you shouldn't use the Lesser GPL for your next library. It would be good to encourage the AGPLv3 too, but that could be an opt-in checkbox in a later screen.
Expert in software patents or patent law? Contribute to the ESP wiki!
I don't think it's "regrettably" that the classic GPL (v2) is featured over v3. Many, many GPL projects have decided v3 is a bad license, so newbies shouldn't be pushed in that direction.
The wording of the patent clause is broader than most of those who participated in the drafting intended, in a way that could be problematic for most companies. The GNU project themselves, the creators of GPL v3, have had to disavow the plain language of the license, claiming it doesn't say what it does.
I think most people intended that if you release code under GPL, you give up patent rights related to the code you contribute. The wording is broader than that, though. The way GPL3 is actually worded, if a company contributes to any GPL project a third party can use that project to nullify other patents from some other division of the company, arguably. The issue hasn't been tested in court, but it's enough of a risk that many companies won't touch GPLv3 code. It could cost Apple, Samsung, or Google tens of millions of dollars if that loophole allowed competitors to nullify their patents, rather than having to cross-license them.
I'm using SourceForge.net and am happy with it, although there are some minor things I don't like about it: heavy use of JavaScript, the web layout is weak (size set in pixels, no attention made to accessibility, etc...) but overall I didn't find anything better short of hosting myself. I considered Google code, Launchpad, Savannah and Github and found SF.net to be the most complete and advanced source hosting service. I found some advantages in using Google code, Launchpad and Savannah. I'm using Launchpad for translations, since it's the only one that does it. Launchpad is nice because it can sync with an external SCM like SF.net. I found Google code to be less featured but I like the clean layout and overall site performance. Savannah is poorly featured too but does not have advert and is very clean. I found Github to be like SF.net, with the same weak points but less featured. I'm curious to know why people would use Github. Is there any advantage over SF.net?
"By downloading this software, you agree that you will gawk while I unzip, touch, head, and fsck some tail ..."
I am officially gone from
Nope, github by default lets you "view" and "fork" the code. No "use" rights were granted.
- David A. Wheeler (see my Secure Programming HOWTO)
Releasing software as free software is always good, but noting a file's copyright status in that file is simple and it's much easier for the author to do.
The author can write "Copyright, 2013, me, released under GPLv3 or any later version". It's much harder for someone else to confidently write that, and it's hard to be confident of a file's copyright if the author of the copyright notice is some unrelated third-party.
Then there's the problem of mistakes. If the author makes a mistake in his copyright notice, she says oops, silly me, I've fixed it now. If someone else makes that mistake you get a flame war about hostile takeovers and passing off MY software as being licence X when it's really licence Y.
I mean, we're talking about twenty seconds of effort here per file that you'll spend hours writing. It's not worth creating legal problems for other people.
Expert in software patents or patent law? Contribute to the ESP wiki!
We can thank the RIAA and MPAA for the contempt many people have for copyright law. And I agree that copyright law needs a serious overhaul.
But releasing code without a copyright license isn't "sticking it to the man", it's polluting the world with software that is not legal for users to use. Even if YOU won't sue, no one can be sure of that. If you die (see: Seth Vidal), whoever controls your estate can sue your users.
Releasing software without a license is just another way of setting up an extortion scam. It may be unintentional, but that's still the effect. We already have patent trolls, porn trolls, and so on. Really, we have enough extortion scams, thank you.
- David A. Wheeler (see my Secure Programming HOWTO)
Anon wrote: ...when I'm writing a library, what I want most of all is...
The LGPL is a tactical compromise. The aim is to get as many people using that library, but still encourage those software developers to contribute to free software projects.
It's an admission that a firmer stance is likely to backfire.
Conversely, when a firmer stance won't backfire, when it will instead lead to more people contributing to free software, then compromising is needless and self-defeating.
For example, Glibc is LGPL'd because FSF knows that if it was GPL'd, then some Unix vendor would push projects to ignore Glibc and use their proprietary libc instead. That would be a loss, so FSF compromised and used the LGPL so that Glibc will still be used, even by companies that don't want to contribute to free software.
It's a good essay, worth a read: https://www.gnu.org/licenses/why-not-lgpl.en.html
Expert in software patents or patent law? Contribute to the ESP wiki!
Default to BSD license or Public domain. Simply run a query that if one is not set, set it to Public domain.
That will fix everything.
Do not look at laser with remaining good eye.
Can somebody point to (or write) an open source license chooser?
Heck, back in 1998, I got a dog and Excite had a dog breed chooser at the time that was useful. There are also useful ones for cell phones. I'm guessing that if it existed already GitHub would have used it, but if that's not so, they should know about it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
> As opposed to using the free libc that's part of clang/LLVM?
Apple and other proprietary software companies would love everyone to move to LLVM. That's why Apple's funding it: LLVM's success benefits Apple (and other companies that don't want to compete against free software).
Funding LLVM is a tactical compromise that Apple was forced into. FSF's use of the LGPL succeeded in making it too hard to get everyone to move away from free software, so Apple has to settle for undermining the copyleft system that encourages people to contribute to free software.
Apple's doing an embrace, extend, extinguish.
1. We love this free software compiler. We fund it. It's free. We're friends.
2. We've developed an amazing extension module. It's proprietary but it's sooo slick.
3. Sure, everyone has the choice of using the free code. It makes slower binaries and doesn't support modern debugging and won't work on our latest hardware, but it's still there.
If we want free software to exist in ten or twenty years time, we have to support copyleft today.
Expert in software patents or patent law? Contribute to the ESP wiki!
Copyright doesn't allow your git or text editor examples, but I would agree that those two situations would be wrong. Tools shouldn't be able to tell users what they can do. It'd be like pencils coming with terms and conditions.
But it's also not true that GPL'ing a library would cause its terms to apply to code you had nothing to do with. The third-party coder has a choice: write his own library, or use yours and share-alike. That's just fair. Nobody's forced.
If proprietary developers can ask for payment in the same conditions, why is it wrong for freedom coders to ask for a code contribution that's going to be shared with everyone? It's not even selfish.
LGPL isn't about being fair, it's about doing less for freedom in certain circumstances when we're in a weak bargaining position.
Expert in software patents or patent law? Contribute to the ESP wiki!
Evalimine is a publication, on github, of the software the Estonian government uses for electronic voting. Confusion has arisen on that project (see the issues) about the license the guys used who put that code on github: they chose Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License which basically forbids forking. Strange.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
In the simple case:
If you don't care what others do with it, make it public domain.
If you want recognition and copyright but still have others able to use it, make it BSD.
If you want others to get access to changes people make in the code you wrote, make it LGPL
If you believe in the Free Software movement, make it GPL
> They also imply it is entirely optional to actually note your copyright in your files, when it is really bad practice not to unless you really want to make it impossible for people to understand the copyright history when e.g. merging your code into another project.
I'm not going to shit up my code with copyright notices. I barely recognize copyright law as it is.
I can't tell you the sheer number of hobby programmers who have no idea that that code they put on the internet to share can't actually be used by anyone until they go out and copy paste an appropriate license into their github.
Just look at Minecraft. Hundreds of mod projects on github, less than a quarter are licensed, even less have open source licenses.
Distribution is only part of the story. IANAL, but let's focus on US law, starting with the software-relevant portions of 17 USC 106:
A common interpretation is that copies from storage to RAM are copies, and thus, you have to get a copyright holder's permission to run the software. I HATE this interpretation, I think it's a vile distortion of the original intent. However, it was upheld in "MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993)". For more about this controversial but widespread interpretation, see A new perspective on temporary copies: The Fourth Circuit's Opinion in Costar v. Loopnet (Band and Marcinko). After the MAI decision, Congress then added 17 USC 117: "it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided: (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, ..." Basically, Congress said that even if copying to RAM would be considered a copyright violation (which it pointedly did not rescind), there's a special exception that it's okay to do if you're the owner of a copy of a computer program.
But wait! That means you have to be the "owner of a copy of a computer program" to use the program (or get the owner's permission). Did github say you were the owner of a copy? No, it said that you could "view" and "fork". "View" sure isn't "owner of a copy", and it's dubious that "fork" means that either. Note that the github TOS doesn't define "fork", so it has no clear legal definition. Yes, technically there's no "use" right in copyright law, but under at least some common US law interpretations you can't use the software in US if the code is just posted on github. Many software EULAs claim you aren't the owner, and then grant you permission to run the program through contracts, but if there's no license you can't claim that a license gave you such permission.
If you don't clearly give a right in a copyrighted work you create, then some judge gets to decide what rights (if any) are granted to users. You will probably not like what the judge says, especially since most judges don't understand software at all (there are glorious exceptions, but they're exceptional). Maybe "fork" gives users enough rights... but I wouldn't count on it. And since legal cases cost a lot of money, wise users will avoid software without licenses; they're not worth the legal risk. I hope that the "RAM copy as copy" interpretation is completely overturned someday, but that has not yet happened, and I wouldn't count on it happening soon.
Lots of people have worked out software licenses for sharing software. Just pick a common open source software license (MIT, BSD 3-clause, Apache 2.0, LGPL 2.1 or 3, GPL 2+ or 3+).
- David A. Wheeler (see my Secure Programming HOWTO)
We're speaking in the context of Github. Github, specifically, makes the improbable "exploit" of this loophole much more probable. Maybe not particularly likely, but likely enough to be a risk that should be considered.
As part of my job, I contribute to an open source project, using Github. I sync my Github to upstream so it's up to date, and commit our changes to it.
That way, our contributions are publicly accessible. In fact, they are publicly accessible in the context of a complete copy which includes our contributions.
That last sentence is key. What Github users publish on Github is a copy of the devel branch with their contributions added (but also including all contributions from anyone else, including contributions not yet approved for the release version.)
Suppose I work for SpaceX, maintaining the SpaceX blog via Wordpress.
Using Github, I make our contributions to Wordpress public (as part of a complete Wordpress devel tree.)
Someone else at SpaceX invented a widget which is patented.
Orbital Science, a SpaceX competitor, could commit a Wordpress plugin which somehow relates to the patent.
My Github would automatically fetch their commit.
Now my company, SpaceX, is distributing code related to the patent, without ever having heard of Orbital Science's plugin.
Our patent is therefore nullified by the terms of GPLv3, if Wordpress were GPLv3.
That's WHY Wordpress is not GPLv3, but GPLv2, because v3 says:
Each contributor (SpaceX) grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version (including the Orbital Science plugin they've never heard of, but which was automatically mirrored).
Note that the license includes the right to modify it, such as by deleting 99% of it, leaving only the Orbital Science code, without any other part of Wordpress.
Therefore, Orbital Science can force SpaceX to license their code just by doing a Github commit to any project that SpaceX has a Github for.
Is it likely that Orbital Science would do that? Would some judges follow the actual text of the license and allow OR to pull that trick?
Maybe, maybe not. If you've committed $20 million in R&D to _anything_ you have a patent on, would you want to risk a competitor doing a sneaky trick like that?
One defensive solution, if you HAVE to contribute to a GPLv3 project, is to explicitly leave copyright with the individual author, who publishes it on his personal Github rather than having the company post it on Github. Assuming the author doesn't have any patents and never will, that works okay.
It actually does. I guess it might depend on which jurisdiction you're in but usually you as a copyright holder can set any term you like, more or less. Some software is even licensed differently specifically for open source work, like for example IntelliJ IDEA which you usually have to pay for but can get it for free if you're using it for open source. That's the same way that Microsoft can sell you a cheaper copy of Office which you agree should not be used commercially.
> but regrettably encourages the use of the GPLv2 (without the "or later version" clause)
The GPLv2 is a much simpler and easier-to-understand license without the market/use-based restrictions of the GPLv3, and the "or later version" clause allows other people to relicense your code with you having no control of the terms (it basically involves trusting whoever ends up running the FSF for the remainder of the copyright term of your code,
So, I don't think that encouraging the GPLv2 without the "or later version" clause is in any way regrettable.
This is a misleading statement of the holding in MAI Systems v. Peak Computer; at the time, US software law already had an exception for the owner of a copy of a copyright-protected work making a copy as necessary to use the work (as is the case with making a copy to RAM from storage), which was put in place specifically because this kind of thing was clearly viewed as copying before MAI Systems even if it had never been an issue in a case; the real substantive issue with regard to copyright law was that Peak was *not* the owner of the copies in the machine's storage, since it was a third-party repair/maintenance firm. (And, a new exception was created specifically to address this case in response to the MAI Systems v. Peak ruling.)
A hack is not a fix, true. The fix (from this viewpoint) is to change all copyright laws, worldwide, so that the default is no copyright. That will not happen in less than 20 years, and I bet it'll take even longer. If it even happens.
Would your users rather you "hack in" a solution now, by adding a license file? Or would your users rather wait 20+ years, with no guarantee it'll ever get fixed, and risk getting sued?
I don't even think it's a hack. All you're doing is making it clear to everyone what they can do. That's making things clearer, not a hack.
- David A. Wheeler (see my Secure Programming HOWTO)
The cowboy contractor my company hired to write the first version of our flagship software used an unlicensed library he found on Github. (Actually there is a license file; it says "All Rights Reserved.") I've been trying to convince my bosses that this opens us to liability and we need to replace/rewrite that part of our app. But they're like... "whatever, it's open source."
This is really good news. Github has started to get seriously polluted with unlicensed software. Since copyright by default gives everyone else NO rights, this should help clean up things. I'm sure there are ways to improve their license info, but making it more obvious that people need to pick licenses is a good first step.
- David A. Wheeler (see my Secure Programming HOWTO)
That section says that if you give someone a device with software that's supposed to come with the freedom to run, study, modify, and redistribute, then you can't prevent them from modifying the software on that device and running it.
Where's the controversy?
The only problem is that some mega corps don't want to give those freedoms to users. If some companies won't keep their side of the deal, why should free software developers help them?
GPLv3 didn't create the problem of locked down devices. It's part of the solution but we've a long way to go.
Expert in software patents or patent law? Contribute to the ESP wiki!
> That section says that if you give someone a device with software that's supposed to come with the freedom to run, study, modify, and redistribute, then you can't prevent them from modifying the software on that device and running it
Well, no. It says that a product sold in a certain market that comes with GPL-licensed software must come with the tools to enable running modified software on the device.
> Where's the controversy?
"Controversy" wasn't an issue. "Anti-business" was. And that restriction is anti-business.
> GPLv3 didn't create the problem of locked down devices.
No, it just adopted a mind-bogglingly stupid approach to addressing them. It doesn't require certain features in certain markets for software integrated with GPL software, it requires legal freedoms and availability of the preferred form for making modifications, without regard to markets. It could have taken an open-hardware approach for hardware integrated with GPL software, which would have been sane and connected to software freedom, but instead it adopted a system of market-based restrictions on features, which isn't just anti-business (as, to an extent, any mechanism of preventing the continuation of an emerging business model is likely to be), but also anti-software-freedom, as it constrains the utility of GPL-licensed software for particular uses.