Rug pulls, forks, and open-source feudalism

Building the software you rely on from source by default is one way to reduce the impact these events have on you and shift the power dynamic. If you're installing binaries/images from a vendor (free or otherwise), transitioning to a fork may be an undertaking and a sweaty risk-assessment.

Switching your existing build-infra to sync sources from a new remote should be a snap.

Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.

You worldview is incredibly foreign to me, but I'll try to engage fairly with it.

> the US right wing looked like it was about to build a complete alternative internet for a while there

This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?

> they just partially marginalised when the censorship backed off.

Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?

> That isn't how feudal revolts work in my understanding; typically peasants just got squished by better armed, armoured and organised soldier classes.

I think it's interesting that you posit this as a fight between the "peasants" and the "soliders". I'm assuming, to make sense of your analogy, that the "peasants" in this case is the current president of the united states and Elon Musk. the "soliders" would then be "Jeff Bezos" and "Sundar Pichai"

>This would seem to imply that the established internet, what we had before this relenting, was somehow left wing.

I would omit the left-wing characterization as a debatable generalization. Perhaps it would be better described as the specific platforms being opposition partisans, rather than the Internet itself.

> Perhaps it would be better described as the specific platforms being opposition partisans

I'm sympathetic to such an argument, but it does beg the question: Which platforms? The original comments choices of singling out Rumble and Truth Social, would imply that YouTube and Twitter would at least be _among_ those "specific platforms" but neither of those platforms are, at least according to the left, particularly left wing. Both platform have repeatedly been criticized for creating and propagating structures that lead people down what was called "the alt-right pipeline" and has, historically, hosted some of the most active alt-right figureheads.

That's not to say either platform is or was right-wing either. I'm not the one making an argument. Though I'm not convinced they were particularly left-wing or partisan before the creation of Rumble and Truth Social.

Not sure why this is getting down votes but I agree. Also building from source doesn't have to be hard (see sqlite).

Exactly; there are many mechanism in-place that allow us (anybody) to create alternatives if the currently dominant players start to misbehave too much; they just have not

Depends on the actual software licence, many commercial vendors do provide source code, however the licence doesn't allow you to do whatever you feel like with code, even if technically it is possible to do so.

This happens a lot in commercial products where scripting languages are used, for example.

Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.

Just to be clear, I never said anything about the left wing. I don't think they were involved in that one. Suppressing speech is generally opposed by the leftists.

IMO if you're a technical decision maker, you should ignore fair source/business source stuff with extreme prejudice. These are fundamentally incompatible with the goal of having autonomy for your systems.

Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.

I believe there should be a broader family of terms besides rug pull for when the intentions of vendors and developers change over time to become extractive and negative. No, enshittification is not the right word.

> they're only sticky as long as they do a good job

> Groups like AWS or Google are actually pretty vulnerable (...) build a complete alternative internet for a while there until the management in tech relented and allowed them to speak up in public

The part of AWS or Google infrastructure necessary to "speak up in public", relative to their total infrastructure, is probably close to the tiniest number you can imagine. I can't see how an alternative web forum or short text message service, even if used and supported by many, could make AWS or Google vulnerable. And as a reminder, the public is not a customer for Google nor AWS.

Or maybe by "the US right wing" you meant a handful of billionaires who would fund an alternative to Google and AWS? That still sounds naive to me. The estimated assets of Google or AWS in datacenters only is somewhere in the hundredth of billions, plus a good fraction of that every year for maintenance. Their current valuation is between $2 and $3 trillion.

Having no exeprience about peasants revolts (yet ;)) I only meant to comment on that part of your message.

> This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?

No, the left wing wasn't really involved. It looked from the outside like a pocket of authoritarians settled in the US intelligence services. Given the priorities of the Trump establishment on starting Term 2 when they moved very quickly to gut the US propaganda services I think Trump's people came to a similar view. And the relenting came when it was obvious that the companies involved were going to start suffering commercial consequences. Or, in cases like Twitter, got bought out by prominent right-wing figures.

> Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?

Yeah. It isn't really operating on the same scale as Twitter and it only exists because Twitter felt the obvious way to construe "To all of those who have asked, I will not be going to the Inauguration on January 20th." was as glorification of violence [0]. It's commercial wisdom is unclear.

> I think it's interesting that you posit this as a fight between the "peasants" and the "soliders".

I'm almost positing the opposite, NOT(it is a fight between peasants and soldiers). That is why I think the feudal meme is a mistake - this isn't a situation where the powers that be in the tech world can actually bring consequences down on a class of people. The people have freedom.

[0] It was bizarre. I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.

> There is typically a spike in these clones after a relicensing event, suggesting that people are considering creating a hard fork of the project

That, or maybe people make a "snapshot" just in case. I don't believe many people seriously consider leading the effort of maintaining a fork...

> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

And there are mechanism that restrict you. The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.

Otherwise, im am really wishing for alternative payment processors ... could someone proove me wrong here please.

This is causing management at the current company to run in circles a bit as well. The company has been fairly adamant about having support contracts for systems, and it has encountered a number of these stunts. Opscode with chef a long time ago, CentOS exit, VMWare, Broadcom has a number of more ugly things available in Tanzu.

And we were either paying these companies (looking at VMWare), or looked for quotes and intending to pay these companies. But suddenly, your configuration management is supposed to cost almost 6 digits per year. Very basic services should suddenly cost a mid-6-digit range per year for a basic suport contract. Sorry but what the fuck? And - again, looking at VMWare - even then we can't really rely on it?

I've been recommending to instead sponsor foundations, or straight up paying maintainers and developers of OSS we use regularly. The giggles when suggesting that have been getting quieter. But I'd rather hire a Proxmox/qemu dev than start paying the next VMWare.

I have 0 trouble understanding why Twitter didn't want to be whipping up fury against democracy using their power to do so. Six days before that ban Trump had definitively crossed the line over to full-blown treason with the Reffensperger call. Two days before the ban he sat quietly, waiting and hoping a mob of his supporters whipped up by his verbal diarrhea would sieze power for him, ending democracy. Make no mistake, Twitter did exactly what they had every legal and moral obligation to do.

> The people have freedom.

I repeat my other reply:

The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.

Feudalism is formed by birth right privileges, excluding peasants or merit. With a look to present wealth distribution mechanisms (inheritance), its is no far fetch to apply that polarization effect to software infrastructure too, because software isnt really that immaterial.

> Feudalism is formed by birth right privileges, excluding peasants or merit

Lots of systems have that property, including many democracies (the UK political system, for example, is quite democratic yet embraces birthright privilege excluding peasants). It doesn't characterise or get to the important parts of feudalism.

unless you make that privilege about a universal resource like money, which can be translated to political power. You are right, many societies have that feudalism-like problem (social mobility), when you look at it that way, even without a royal family.

https://www.wired.com/story/yanis-varoufakis-technofeudalism...

> No, the left wing wasn't really involved.

That's fair. You didn't mention the left wing at any point, and I made an assumption.

This is veering quite quickly into unsubstantiated claims of collusion and conspiracy. You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace. It's honestly pretty close to QAnon, which is a huge red flag for me. I can't follow you there, and therefore can't make any substantial arguments for you.

What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces. He tried to get out of the deal, but the establishment forced him to see it through.

> I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.

The announcement twitter made mentions that you have to take those tweets in context of the whole Jan 6. insurrection event. When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump? or do you believe that it was but that the further tweets weren't a further escalation of that conflict?

> The people have freedom.

I understand your argument for that then. I would caution that by saying that your conclusion hinges heavily on whether you believe Donald Trump is actually a popular reformist, or if you believe he is an elitist authoritarian. Your argument is quite close to "This can't be feudalism, the lords wants what's best for us", which is a quite unconvincing argument.

It's hard to feel any sympathy for people who spend money and still bend over.

> Contributors and maintainers often have less power than even the smaller companies, and users have less power yet.

If contributors/maintainers are not happy with what the small company does, they can fork the project (assuming a liberal license) and continue in their own way. Valkey is a good example (with an interesting twist of license dynamics where Redis can use Valkey code now, but not the other way around).

> We have built a world where it is often easiest to just use whatever a cloud provider offers

And, IMHO, this is the major problem in the dev community these days - we've become lazy and focused on nonsense ("pretty"/unusable UIs, web gymnastics, llm, "productivity" etc.). We didn't have problems in the past to fork or reimplement OSes (various BSD instances), compilers (gcc versions), databases (MariaDB), and so on. There are tons of geniuses around hacking on cool stuff, but, sadly, the loudness of various hipsters and evangelists limits their visibility.

> Those providers may not contribute back to the projects they turn into services, though, upsetting the smaller companies that are,

The significant contribution that these providers (AWS, et al.) make to these projects is often overlooked - free advertisement. If I can remember correctly, ElasticSearch got popular when AWS started to offer it as a service. Additionally, cloud providers usually contribute (by employing core developers, shipping patches or testing) to the kernel, gcc or jdk, from which these small companies benefit significantly. In contrast, they themselves could do none of this.

But it is easier to blame "big scary clouds" than to rethink your business model. Be honest, start closed; no one will touch that and no one will be standing in your way.

For most people it is only business, there is zero FOSS ideology.

A hard lesson many have come to learn when there are bills to pay, and coffee priced donations hardly make it.

> You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace.

I'm really not, I just read political news from time to time. The Twitter files [0] were front page material for a few weeks, there isn't really any argument about whether the big social media companies are coordinating with US intelligence. They have regular meetings and there is some cross-pollination of employees.

It's hardly traceless, and it is good stuff to keep abreast of.

> What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces.

Again, you seem to be reading more than I'm writing with this one. You asked when the relenting happened, I picked a rough date on the timeline. I don't think it is remotely controversial to say that he's made Twitter more accommodating for voices from the US right wing.

> When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump?

I mean, if we're talking about the ~100 people who turned up armed [1] then I think it would have been easier for Trump to maintain the element of surprise and just hire some goons rather than making whiny statements on Twitter that require a Doctorate of Crazy to detect violent intent. Maybe even arm them all with guns. He is said to be quite wealthy.

It is an interesting open question of how many of those hundred people decided to come armed because he wasn't going to attend the inauguration. Although I have always applauded Trump's ingenious follow-up of not attending said inauguration to make it look like he was serious rather than the modern Machiavellian puppetmaster he actually is.

[0] https://en.wikipedia.org/wiki/Twitter_Files

[1] https://en.wikipedia.org/wiki/January_6_United_States_Capito...

> If you use a permissive licence, then a rug pull is part of the deal.

True. Yet CLAs do not always give away all rights.

A lot of words without any mention of copyleft, protective licenses, GPL. Difficult to take the article seriously.

There is no such thing as a rug pull in regards to open source. A GPL copy of your code will exist forever.

I emailed Stallman about the ethics of using AGPLv3 with a CLA to allow selling exceptions. Here's his reply:

https://news.ycombinator.com/item?id=42601846

  I see what you mean.  The original developer can engage
  in a practice that blocks coopertation.

  By contrast, using some other license, such as the ordinary GPL,
  would permitt ANY user of the program to engage in that practice.
  In a perverse sense that could seem more fair, but I think it
  is also more harmful.

  On balance, using the AGPL is better.

Yes, it's a pretty weird notion. The only "rug pull" is wrt. ongoing maintenance of the project, but any maintainer may end up abandoning their own project for any reason or no reason at all. This is why essentially all FLOSS licenses have long provided for the right to fork the existing codebase under a new maintainership.

Why does her hair color matter to you? Why is open source longevity and viability not on-topic for LWN discussion?

Dr Foster holds a PhD, did her dissertation about the Linux kernel, and has had a respectably long career in technology with a focus on open source and governance. The topic is literally straight in her professional wheelhouse.

This whole discussion is about FLOSS projects where the right to "do whatever you feel like with code" is well established - even literally so, in the case of purely private/internal changes that are not distributed to or publicly performed for any third party.

Why are you trying to distract from the content of the article? I don’t know why her hair color is so triggering for you but she has a couple decades working in open source, multiple relevant degrees, is on the CNCF Contributor Strategy TAG, and is talking about some real issues affecting a lot of projects.

If you can’t get over her physical appearance long enough to engage with the topic, it’s healthier to leave the thread and do something else.

> my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA.

Just to clarify, this depends upon the exact CLA you sign. Canonical's CLA (CCLA) [1] for example, contains this clause in Section 2.3 Outbound license:

> We may license the Contribution under any licence, including copyleft, permissive, commercial, or proprietary licences. As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the licence or licences which We are using for the Material on the Submission Date.

This means that they promise to release your contribution under the original license as well. Or in other words, they won't relicense the old contributions retroactively. There may be other CLAs that don't make this promise. It's generally a good idea to read and understand what you are signing up for. (Applicable for any agreements, not just CLAs, since your argument is to avoid them.)

Almost all CLAs let the contributor retain the copyright. (If I understand correctly, copyright transfers are involved only in CAAs.) So that option is also available for you to do whatever you want to do with your contributions. In any case, the actual problem is the breach of an unwritten trust you place in the project owners. Since you generously contributed your work to them and everyone else, you'd expect the same favor in return for the contributions by others in the future. But CLAs leave that open and under the sole control of the project owners, primed for a rug-pull. The only way you'll ever get the benefit of those contributions after a rug-pull is if you collaborate directly with the other contributors - a fork in essence.

> If you don't want a rug pull, you should use a copyleft licence and not sign a CLA

There is an odd and particularly hideous combination of those two - AGPL + CLA. I'm generally a proponent of AGPL. However, I believe that this combination is worse than a permissive license + CLA. Copyleft licenses require you to supply the source code (including your custom modifications) upon request to anyone you distributed the application to. In AGPL, the use of an online service also falls under the definition of 'distribution of application'. So you have to distribute the modifications of the server-side code to anyone who uses your service. I see this as a good thing - because someone else with a lot of resources can't just improve and host your service, denying you the benefit of those improvements. However with a CLA, the project owner (perhaps a company) can host a relicensed version with undisclosed improvements, while you will be forced to reveal your improvements if you try to do the same (since you're using AGPLed code). You wouldn't have the same problem if the source was under a permissive license + CLA.

But here is where it gets particularly egregious. The above problem can also affect software under just a permissive license and no CLA. This is what happened to Incus and LXD. LXD was initially under the Apache license and the linux containers community, in collaboration with Canonical. One fine morning, Canonical just decided to take control of the project, prompting the linux containers community to fork it as Incus. For a while after that, both projects used to borrow code from each other since they had the same license. But then Canonical decided to relicense LXD under AGPLv3 + CLA. This means that it was no longer possible for Incus to borrow code from LXD due to license incompatibility, while Canonical continued to do so under a slightly odd arrangement. You can read about it in detail here: [2]

[1] https://canonical.com/legal/contributors/agreement?type=indi...

[2] https://stgraber.org/2023/12/12/lxd-now-re-licensed-and-unde...

The pull is that a CLA allows someone to circumvent the GPL at some point in the future at their leisure

It's open-washing

BTC ecosystem is growing strong :) Especially the Lightning Network

> commonly are subject to rug pulls

This open source purism is toxic. Projects have to be sustainable.

Hyperscalers have hoovered up the entire Internet and own the entire mobile device category. We're over here bickering about small developers writing source available / OSS-with-CLA.

If the community cares so damned much, they can take the last open version and maintain it themselves.

Please take all of this negative energy and fight for a breakup of big tech instead.

"bait and switch"

The FOSS license is the bait, and the CLA is evidence that they had ill intent from the start

Unless you can sustain a fork, it is a rug pull if you’ve incorporated the software in other projects. Imagine if a non-trivial critical project like OpenSSL had this happen.

Shitty behavior like this is more common with software both OSS and commercial than in the past. Treat any meaningful software engagement like a celebrity marriage.

> I don’t know why her hair color is so triggering for you

It isn't hard to guess.

Isn't it paradoxal, that those mentioned companies had set up an OSPO (to do OSS the right/community way... with the right/community minded people)

I believe this kind of schizophrenia is the price to pay of (too) big organizations.

>Why does her hair color matter to you?

It signals the group of people she belongs to which allows me to make a good prediction of her world view. Similar to how after seeing "Since the beginning of history, Foster began, those in power have tended to use it against those who were weaker.", I already knew the type of person who was giving the talk and seeing a picture of her did not surprise me in the least.

>holds a PhD, did her dissertation about the Linux kernel

But it's not about Linix's scheduler, nor it's network stack. It's not technical at all. "Understanding Collaboration in Fluid Organizations, a Proximity Approach" is about looking at collaboration for the development of Linux.

>Why is open source longevity and viability not on-topic for LWN discussion?

Because LWN should focus on the Linux kernel and not about "evil companies" running other projects changing their licenses.

I engaged with the article in another comment and did not want to be redundant so I choose a different aspect of the article to discuss which is about why LWN is focusing on "social issues" in open source and how I do not think it is something valuable for LWN to spend time on and lowers their brand.

Checks notes,

RIP VibeVoice Large 7B

https://arxiv.org/pdf/2508.19205

https://github.com/microsoft/VibeVoice

Nice to have forks & downloadable models now 'innit

This is one of the reasons I like Guix so much: its packaging system treats source builds as the normal case, with binary packages available via caching. So if you go to install a package and there's no cached binary, Guix will happily build it for you on the spot, with bitwise reproducibility if it can. You still get the benefits of prebuilt packages, but you always have that escape hatch.

This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).

And this has always depended on hardware and never really software.

But what about GNU their projects require signing a CLA and I don't think they will do a rug pull

There's also Eclipse Project's CLA and DCO. They are going for 20+ years.

> Not sure why this is getting down votes

Guessing unrelated to the comment itself, prolly got a minor downvote army on my back after a different recent comment on Gaza matters.

Downvotes are just a noisy signal in general and I wouldn't read that much into a few here and there, it comes with the territory.

Oh and yeah, this meta makes for tedious threads so site guidelines and all that.

Why do we need to maximize profits? With current technology we shouldn't need to work 8 hours per day, maybe 2-3 hours max to maintain quality of living. Instead we should work to make everyone's life easier, including your own life of course.

These days you just blindsight a project's community by instating a process heavy (you want the technical people to self-opt-out) 'board of governance', then put in place a draconian Orwellian regime in the name of 'safety', revoking project access from all that do not support the coup, or worse, still dare to speak out againt you.

The biggest issue is that companies which depend on something like OpenSSL do not do enough to sustain it, leaving its maintainers working often uncompensated, for the benefit of people making far more money.

Would it be a rug pull if those maintainers simply burned out and decided "I'm moving onto something else," Leaving the project in limbo, with nobody maintaining it?

Or maybe they really do enjoy working on the project, but it doesn't pay the bills, so they have to look for an alternative way to monetize it, and that way can continue working on it.

My opinion is that unless you genuinely just enjoy working on something and sharing it, you are not obliged to do unpaid labour for the benefit of anyone else. Companies depending on FOSS software should be contributing financially to each and every one of them. This is the real shitty behavior - the expectation these companies have of getting bugfixes and improvements for free.

In the Mongo/Elastic and Amazon cases for example, this is far smaller companies being taking advantage of by a giant. IMO they were right to "rug pull" by relicensing under SSPL. Amazon can easily afford to maintain forks for these projects - but it probably would've been cheaper for them to just contribute financially, and they wouldn't have needed to switch from AGPL. Anyone who works on OpenSearch without compensation is a fool - essentially doing unpaid labour for one of the wealthiest companies on the planet.

Oh stop. When someone gives you free stuff and then changes the terms a little that isn’t a “rug pull” and it’s not “feudalism.” If you contributed a little and voluntarily signed a CLA this is also not a “rug pull.”

The whole reason for these “rug pulls” is abuse of the open source ethos by big companies using it as free labor for SaaS and giving nothing back.

SaaS is more like feudalism than any other software model, yet the open source community seems committed to making sure the SaaS industry can continue its free ride.

Part of why I’d hesitate to ever again make free (as in beer) software is this whole toxic shitty mentality. If I give you a ton of work for free, say thank you. If a bunch of investors fund that, say thank you. This entitlement mentality from a bunch of people with careers that mostly put them in or near the global 1% is gross. It’s not like you people need stuff for free. You ain’t poor.

Just compare X and Blue Sky. There may be some principled leftists who oppose suppressing speech, but in recent times, it has been the left that has been censoring/blocking peoples speech. Another comparison is what is actually censored. Of course there is a certain amount that would be censored by both sides - criticism of power.

Though note that redhat is doing this with all GPL software, but without a CLA.

They retaliate against customers that share source code, and claim that this doesn’t fall under the “without further restrictions” clause in the redistribution of source code phrase in the GPL.

Anyway, rug pulls are apparently possible, even with the GPL, at least until this is taken to court and IBM loses.

"LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities."

FOSS beyond Linux itself is still explicitly on-topic by the site's own self-description.

But we all know what this was about anyway. Good luck to you out there.

It's literally impossible for open source development to be an asocial or apolitical endeavor.

Debian has been like this in practice for at least 25 years (when I first switched to it).

The builds weren’t reproducible back then, but never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)

There's a need to make money faster than the government & central bank dilute it.

Need to fix the money before everything else can be fixed.

How does Rocky Linux continue to get timely updates from upstream?

Do they have to use shells or other subterfuge?

I’ll just add that the quote in the comment you replied to was one of the least offensive things Trump said during that incident (if he even tweeted that).

The news ran a video of him inciting a riot, etc, etc.

It's not ill intent. The CLA clearly states what the intent is. It says "You give the company permission to relicense your work". The intent is there from the beginning - they want to be able to monetize the work. If you dislike such intent, then you wouldn't sign the CLA.

The concern is if they stop dual-licensing, and future releases don't come under a free license, but they only work on their proprietary relicensed version. You have the option to fork, under the same free license that it was originally under - you just won't get further updates from the company involved. I don't see the problem here: You aren't entitled to those updates just because you made some contributions.

It's not possible to rug pull an open-source project by just switching new work to a different license. The real issue with open-source is that we don't live in a utopia where you can publish all of your work for free and still live a quality of life comparable to working at an average developer job, and yet so many non-maintainers somehow feel they are owed future labor. Maintainers come and go. Without sponsorship, the half life on maintainers is going to be relatively short, and more developers are going to be pushed to publishing less permissively.

> The Twitter files [0] were front page material for a few weeks

You're again making vague gesturing towards "coordination" and "regular meetings" in service of justifying claims of "a pocket of authoritarians settled in the US intelligence services". You must know that "regular meetings" don't signal "packet of authoritarians" to anybody but the most diehard conspiracy theorists. Who were these authoritarians? what were they doing? and how were they doing it? The "Twitter Files" holds none of these answers, having been widely reported (according to the Wikipedia page you linked) as being a misrepresentation of normal communication between governmental entities and private companies.

> Again, you seem to be reading more than I'm writing with this one.

I disagree that I'm making any assumption outside of what you've written there, but I'll leave it there.

> I mean, if we're talking about the ~100 people who turned up armed

You're not answering the question. From your tone I can tell your answer is most likely that you don't consider the armed insurrection of the US capitol building connected to Donald Trump. What caused it then? Does Trump have any culpability for letting armed people take part of his march?

Apparently not, given how often people get surprised what happens to their code.

Apparently the do whatever isn't do whatever when it happens to their little bonsai project.

I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.

The reason he used that quote is that it was _the_ tweet that caused Twitter to ban him, according to their press release. I agree that it should be viewed in context, and twitter even says as much in that press release, but he didn't cherry pick that quote.

That depends on what's written on the CLA.

"The issue you care about is toxic. You should care about the issue I care about instead!"

>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

I agree. Its an incentives issue if I am being honest. If I ever generate software, I would also prefer to open source it but there are mechanisms where either cloud providers or anybody can take my changes and earn over them without me getting anything in return...

I mean, it is technically what it means to have a foss license but I just can't shake the feeling that we as a society are feeling so entitled that people are advocating against sspl licenses or etc. when I do think that if you are a dev and you wish to work on foss full time then something like sspl might be good in that regards.

Open source Contributors just don't get paid for the work they are doing. They are sadly doing free labour. I feel like I personally might start coding stuff in sspl or maybe just source available licenses if they get more favourable. The whole terminology behind source available licenses is kinda weird in the sense that basically a single clause which is meant to stop big cloud providers from selling your service that you built can make something like agpl foss and sspl not foss/source available.

Isn't nix for the most part same in that sense though compared to guix?

The text includes this specification: "The Foundation promises that all distribution of the Work, or of any work "based on the Work," that takes place under the control of the Foundation or its assignees, shall be on terms that explicitly and perpetually permit anyone possessing a copy of the work to which the terms apply, and possessing accurate notice of these terms, to redistribute copies of the work to anyone on the same terms". So you're right, in principle the FSF could apply the AGPL to every software they have copyright assigned for, but they also have to be careful not to breach the terms of their own contract.

As to the SSPL and similar license, the FSF hasn't publicly commented on it but they also don't include it in their list of approved free software licenses, so we know that the FSF doesn't really think the line could/should be drawn far from the GPLv3 and AGPL.

It's not about ideology per se—the dark humor in my mind is that you're not just paying for software you run yourself, you're paying to not be able to modify it. There's a reason why that sort of arrangement is dying and SaaS is stronger than ever—paying to access a server at least makes more sense as a transaction, even if it is just about as economically inefficient.

Neither you nor the parent comment are using rug pull in the sense of the article.

Consider adding the Software Freedom Conservancy to that list: I'd even trust them more than the FSF.

While I generally don't sign CLA's, I will occasionally consider one if the CLA is to a nonprofit foundation which has strong governance in place to prevent restrictive re-licensing. However, sense these cases have to be very carefully evaluated on a case by case basis, it is very rare that I would even consider it.

For a long while I was using MIT a lot, these days I have started switching to GPL especially for anything significant.

All because of the nonsense and all the rugpulls.

For nearly all open source projects, we are free riders. We use them and don’t contribute anything back. Open source is not about fair exchange; it’s about gift-giving and copying other people’s homework.

If you choose to give gifts to the world, that’s great, but you should go into it with your eyes open and not expect anything back. The world includes a lot of terrible people and you’re giving them gifts too. It’s okay to change your mind.

Calling it a “rug pull” when a software vendor relicenses seems like biased language. We still have all the gifts they gave us. It’s unfortunate that they changed direction, but nothing lasts forever.

It looks like they’re not RHEL compatible any more:

https://www.zdnet.com/article/rocky-linux-9-arrives-with-eve...

That says they pull from CentOS Stream, which I think is upstream from RHEL.

“We use them and don’t contribute anything back.”

This is not, strictly speaking, true. The example projects saw contribution in terms of code, testing, documentation, and - most importantly - marketing and evangelism.

These projects are not things put up on GitHub as a convenience that people just happened to adopt: the companies in question spent great sums of money encouraging adoption, usually with developer evangelists on staff who’d preach the technical advantages and talk about benefits of the licensing to convince people to use them.

It’s naive at best to position that as simple “gift culture” and claim it’s biased to call it what it really is: a rug pull.

In the case of Redis the company promised explicitly it would always keep the license for Redis core: until it didn’t. That’s a rug pull, plain and simple.

Accepting code and other contributions, encouraging other FOSS projects to rely on a project and then relicensing? Rug pull.

Show me a project that was not aggressively marketed for adoption using open source as a selling point and I’ll agree that’s not a rug pull. If Acme Corp just happened to have a GitHub repo for something under a FOSS license and people organically found and adopted it, okay. I’m not aware of any such examples, though.

I'm reminded of the infamous Mojang/Microsoft fiasco with the Bukkit community. They gave no support to a project, after "secretly" acquiring it when they hired some of the developers, letting a volunteer work hard for years maintaining it.

He was rightfully outraged when he discovered he had basically done years of free labor for Microsoft, and ended up leveraging a DMCA notice to shutter the project, due to the lack of a CLA and the inherent nature of Bukkit being ultimately glued onto the Mojang server jar to be useful.

https://blog.jwf.io/2020/04/open-source-minecraft-bukkit-gpl...

Individuals in the U.S. holding this thesis (which I am sympathetic to) have had the ability to opt out of using government currency for savings since 2009 (bitcoin) or 1975 (gold). Yet, the problem persists.

Probably! I just have more experience with Guix than Nix so I don't know what it feels like in practice on the latter.

I find it weird that companies do not have explicit plans for each dependency they pull in. In case of maintenance is dropped and there is critical vulnerability.

Being able to fully support each and every dependency you use should be absolute minimum for any commercial project.

In my experience, the usefulness of any particular license is only as good as your ability to enforce it in court.

> I engaged with the article in another comment

No, you tried to quibble over terminology. Both of these comments were shallow dismissals which tried to distract from the point by focusing on surface issues.

> LWN is focusing on "social issues" in open source and how I do not think it is something valuable for LWN to spend time on and lowers their brand.

Open source is a social concept and politics has been an integral part of it since the beginning. It’s not not “lowering” LWN’s brand to talk about contributor dynamics and it certainly isn’t their job to vet their authors based on the intersection of their tonsorial choices and your personal politics rather than the substance of their articles.

You've touched on some interesting points here. I have also felt the entitlement, but while contemplating why it exists I came to the conclusion that it is due to a misplaced belief that open-source primarily benefits the individual and as such is a righteous crusade. While individuals may become beneficiaries in particular use-cases, I would argue that it is actually corporations that benefit the most, and not by a small margin. Just think of all that labor they get away with not having to pay for and all that specialized knowledge they don't have hire for. Then they also benefit from publishing libraries to end users so that their platforms may be more deeply integrated in customer's tech stacks. Meanwhile the guy maintaining the various open-source libraries that underpin those commercial services doesn't get anything at all. One might even be able to claim that open-source is predominantly an upwards transfer of wealth from engineers to executives.

>Elasticsearch contributors were Elastic employees; that, unsurprisingly, did not change afterward. OpenSearch started with no strong contributor base, so had to build its community from scratch. As a result, the project has been dominated by Amazon contributors ever since

So in a way the "rug pull" achieved what it wanted, amazon is now contributing to development.

I think discussing these "rug pulls" without discussing the destructive habit of many large companies to only profit without giving back misses the mark. Any community where there is a large imbalance between the ones doing the work and the ones profiting will over the long run become unstable.

yes mostly agree but, this has "ten blind men and an elephant" feel to it, also. Long, long ago (in Internet years) it was not clear that certain code, standard, stacks and practices would survive let along prevail, facing slick marketing, inside contract practices (MSFT etc) and the drumbeat of quarterly results reports. "open source" software was a go-board move.. to gain traction in a way that was not easily reversible, given the motivations and then, the time frame -- recall the Silicon Valley motto in the extreme-expansion years "it is faster to adapt an existing stack and then compete, than to start by developing your own before you can compete" .. later changed to "open source your business complement".

So "win" is a multi-layered definition. Business, big business and Corporations win in economic terms often because, they have economic objectives and then execute them. Authors scratch an itch, or finish a college degree, or move on to join another band. none of those things have the aggregate, countable result that a quarterly income statement has.. in 2025, what code is stable, generally available and (often) maintained? is that "winning" ? other corollaries possible..

That's misinterpreting what the previous poster is saying. They are saying that hyperscalers owning significant portions of the Internet (and using lots of projects without giving back) is a bigger threat to the sustainability of OSS.

Now I would argue that the sustainability of OSS is more important at least in the context of an lwn article. That doesn't mean one can not argue that rug pulls are the bigger threat, but that's not what you accused the previous poster off.

In case of dual license, this is the stated goal so there is no "pull". (Unless they stop with the GPL version, but I'd say this is unlikely)

I understand why users get annoyed at "rugpulls", but if a company that is doing the vast majority of the work to develop and maintain a project is not financially sustainable they don't have that many options. An article like this really needs to include info about the financials.

I'm honestly curious since I've been considering how I license my large OSS projects lately [1], and I really do want to understand what would be "acceptable" here. Start more funding campaigns for the project? Work on it less? Sell merch? Openly communicate that they'll need to re-license without additional funding?

[1] - https://jackson.dev/post/oss-licensing-sucks/

There are copyleft licenses like AGPL/GPL that basically require them to contribute back, without going to a proprietary license.

Or just the fact that the project is making the news means more people visit the GitHub page.

If you're not paying or contributing, who are you to complain if the maintainer(s) stop working for free? The level of entitlement is amazing.

I'm confused. His answer doesn't seem to be about the CLA.

The hate comes from the company offering it under an OSS license and then taking it away. If they had started with a non-OSS license users wouldn't feel betrayed. Of course then they may not have had as many users, which is why they tried to be OSS to start with.

What I understand from RMS's answer is that he recognizes that the solution of using the AGPL + a CLA for allowing to sell exceptions creates an imbalance/unfair situation where only one entity can engage in the activity of selling exceptions, but ultimately he cares more about user freedom, and finds the solution of using the GPL to avoid the imbalance worse because anynody could modify the SaaS code without redistributing it, which means that the users freedoms are not respected. Basically, the GPL doesn't protect much the SaaS code and is somewhat similar to a permissive license in this setting. The AGPL protects the code better.

RMS doesn't like the GPL for SaaS software for exactly the same reason they created the AGPL in the first place, and developer inconvenience is less of a concern than potential user freedom breach.

The entity to which the exception is sold could itself close the software for its own users. But so could it if the code was released under a permissive licenses and this is, critically, why RMS finds this acceptable: he doesn't want to consider releasing software under permissive licenses unethical. This is a limit he doesn't want to cross. After all, one can't be blamed for all the sins in the world and it's the company closing the code that would be doing non-free software, not the original authors.

AGPL+CLA doesn't enable more cases of users losing freedom than a permissive license, so this is okay for RMS.

Now, it is a view strictly focused in terms of user freedom outcome and that's probably how anything RMS says should be interpreted by default. Nothing prevents you from considering that there are other aspects to consider and that the imbalance AGPL+CLA creates is unacceptable.

On a side note, it makes me think of the Qt business model.

Using a license that contributors trust your project to abide by is far more useful than any potential litigation that may or may not happen.

It's also a risk for the other side. Big companies wouldn't take the risk to go in court, they'd rather not use your project.

Neither exempts you from taxes, which not only must be paid but specifically must be paid in fiat.

> This means that they promise to release your contribution under the original license as well.

To me it sounds like they reserve the right to use my contribution in their proprietary code as they see fit... My point was that by using a copyleft licence and not signing a CLA, I prevent them from using my contribution in a proprietary fork.

That has not been my experience... instead, they realize that struggling individual developers cannot and do not want to fight for their rights, so they openly abuse them knowing nothing will happen.

Unless you are the size of Google, it just isn't feasible. Most companies don't have the resources to fully support every piece of their tech stack. It would be more practical if the cost of continued maintenance was spread among all companies that depended on the dependency, but I'm not sure how best to accomplish that.

It didn't achieve what Elastic wanted. It didn't lead to more people paying for Elastic licenses, it lead to users switching from Elasticsearch to a fork. And they eventually backpedaled and relicensed again under the AGPL.

Now, it might be better for the Open/elasticsearch ecosystem, because AWS is contributing more, and possibly the competition drives both Opensearch and Elasticsearch to be better. But on the other hand, there is now a split between two incompatible products, and Elastic has certainly lost some trust.

"We didn't contribute anything" is mostly true for most of us. For people who do work on open source projects, it's still true for all the projects you don't work on, which far outnumber the ones where you do.

AFAIK, Mongo, Elastic, Redis, and Hashicorp were all doing fairly well financially when they did their "rug pulls". They maybe weren't doing as well as they wanted to, but they weren't on the verge of collapse either. In the case of Hashicorp, it was probably a strategy to sweeten the acquisition by IBM.

> I prevent them from using my contribution in a proprietary fork.

You effectively prevent your contribution from being merged back into the original project. This generally means your contribution isn't likely to be used. It will sit in its own repo for others to find.

Yes, it's on topic, but there is still or at least should be a focus on Linux. I am expressing feedback that I don't want to see this kind of article.

That doesn't mean conferences need to be loaded with talks about the community and politics.

You could say that about anything though. A bakery has dependenices on fruit suppliers, flour suppliers, paper and wrapping suppliers, the baker(s), the cashier(s), etc. All of which could disappear and they'll have to find new ones

which hyperscalers are we talking about specifically? Microsoft, Google, Apple, Facebook, all gives tons of open source support. I think Amazon does too but less familar. So who are these hyperscalers you're claiming don't give back?

There are also plenty of massive, popular open source projects which don’t require much if any ongoing maintenance. OpenSSL-ish things are the exception, not the rule.

Of the rest, it’s fine to keep using old versions of things…however, things with ecosystems that move on or contributors/users that fetishize “actively maintained” as a use-this-not-that indicator can complicate that decision.

>quibble over terminology

Terminology frames how people think about things. A rug pull sounds negative, when in reality it just means you aren't getting future work under such a permissive license. If someone is shocked from that it means that they felt entitled to the work people were doing for free. I disagree with the whole way the situation is being framed like its wrong for the people who did the work creating a project having the ability to figure out how to monetize it.

>Open source is a social concept and politics has been an integral part of it since the beginning.

But such politics are not a driving force for the Linux kernel. Linux is not open source in order to push the FSF's agenda. When there are people who focus exclusively on the social and political aspects these people are a parasite. It would be different if it was an open source developer sharing their views, but this talk purely serves to advertise an agenda the author has.

>isn’t their job to vet their authors based on the intersection of their tonsorial choices and your personal politics rather than the substance of their articles.

You are not engaging honestly. I stated up front that my issue was with the substance of the article. That picking such a talk over some other talk or topic was a mistake.

I feel like the SSPL is almost a good open source license. I think there is a place for something a little stronger than the AGPL that is copyleft on necessary components even if they aren't directly linked. But it has a couple of major failings:

1. It's too vague about what is covered by it. This makes using such software risky in practice. Is the OS it runs on included? What about a log aggregator used to collect logs? Or a system backup system? The VM hypervisor and orchestration software for running the VMs that host it? I think it would be better if it was more clearly scoped to components that are specifically related to the service itself and not general purpose components of the hosting environment and/or things that could easily be substituted with other standard open source or off the shelf components.

2. It isn't compatible with AGPL or GPL. This is especially bad combined with 1. Does that mean you can't run the service on Linux? I don't think it could be compatible with AGPL code directly linked to it, but it could allow external components to be under most open source licenses.

IANAL, and don't know exactly how to word a license that fixed those issues, but I think there could be something better than the SSPL, and maybe such a license has a better chance of getting OSI approval.

Yep. They have to pool resources and effort to make it make sense. That requires some mechanism of coordination that pulls in enough participation to keep it representative. I'm all over this. PrizeForge's Elastic Funding was designed expressly to create meaningful cooperation between businesses, prosumers, and regular users of all shapes and sizes.

Debian isn't source transparent in the same way tho. (I'm mostly nitpicking). That said, the contributions that Debian has made in terms of reproducible builds can't be understated. They built a wonderful foundation for the likes of nix and guix to build on.

> I think discussing these "rug pulls" without discussing the destructive habit of many large companies to only profit without giving back misses the mark

There's nothing destructive about using software in accordance to it's license, no one's puppy is being kicked.

The problem is too many developers and startups decide to be "paid" in exposure and use permissive licenses as a growth hack while chasing deployment counts and GitHub stars. They are perfectly fine with widespread, unpaid adoption until a hyperscaler with superior infra is involved, then suddenly the license becomes a liability. You can't have your cake and eat it.

"Open source" is more than just GPL. MIT, for example, can be made proprietary. And yes, the last version of that MIT-licensed source will exist forever, but, in practice, forking and maintaining that fork can be a tireless, difficult, painful endeavor that most people will not have the time and energy for.

Can you explain why anyone would trust the SFC over the FSF? The FSF are effectively zealots with a specialized interest. I can understand saying that donations might be better spent with the SFC, but I am not sure that translates to more trust.

GPL pretty much guarantees Google won't use you code.

Although in this post "Do no evil" world that may no longer be true.

And even if it is, Google don't need to use your code. They have enough resources to clean-room re-engineer pretty much any useful piece of code ever written - perhaps short of Linux, MacOS, and Windows.

If Google decide they need to use your GPL Open Source project, they'll just assign a team to fully document it while meticulously not using any copyrightable text from your project in their version of the documentation, then assign a different team to write software that matches their own internal documentation - most likely in a different language - probably Golang.

Or more likely, they'll make sure there are enough subpoena-able internal internal comms to make it look like they did that, then just get some external-jurisdiction non-english-speaking intern to use Gemini to copyright whitewash the Golang rewrite directly from your open source code.

(I just sat here for 5 minutes trying to work out how to end this post on a positive note - but I've got nothing...)

The positive note, I think, is that Google won't use your software and you won't have to deal with Google problems as a result :-)

> But a fork is not a simple matter; it is a lot of work, and will fail without people and resources behind it

Well yes. There is no free lunch. Open source only works if enough people are willing to give back. If your fork dies, that probably means the project had a lot of free riders.

The main issue i have with rug pulls is its essentially false advertising. They grew their customer base by promising open source and reneged when it was no longer convinent. This feels morally gross to me.

However i don't know that i actually am worried about the no longer making contributions aspect. Nobody is obliged to continue working on something forever. Its a totally normal thing for individuals to retire from a project, its fine for companies to stop too.

I disagree, we remember the cases where companies egregiously breach the license, we don't remember the cases where they just comply.

GPL is at least setting your expectations. With MIT can you even call it a rug pull? The entire point is to let companies do that sort of thing.

I was fascinated by the reference to mimir forking into an SSPL version. that seems like the right way to do things.

Is that a bad thing?

I don't write code specificly so google can use it. If they find it useful and are willing to abide by the license, then by all means great, but if they don't want it, that is their business.

As far as white room reimplementations go - why would i care about that at all? Its no longer my code at that point. Copyright is not a patent, all that is their right to do. Just like i have the right to do the same thing to them. (How do you think our nice linux computers manage to interact with proprietary protocols?)

Neither is taxed at rest; only when spent, on its appreciated (nominal) value. At worst, this is double (real) taxation, which, while still objectionable to some, is not continuously dilutive as GGP suggests.

But how can we be sure that the same "nothing" wouldn't have happened with any other (or no) license in most cases?

Did the lock I put on my door actually prevent anyone from breaking in if nobody ever tried?

In my mind, regardless of your license, you still have to be able to defend your rights, or you don't really have any.

SFC are the same as FSF effectively, or even better. Their GPL lawsuit against Vizio for example is brilliant, they are suing as a third-party beneficiary of the GPL, rather than as a copyright holder. If they win then it means any recipient of GPLed binaries can sue for compliance.

https://sfconservancy.org/copyleft-compliance/vizio.html

They are also the only folks doing GPL compliance work for the Linux kernel and hardware vendors.

Indeed, see for example Vizio (or Tesla) or many other examples.

https://sfconservancy.org/copyleft-compliance/vizio.html

> SFC seeks to confirm in the courts that purchasers of devices running Linux and other software with reciprocal licenses like GPLv2 have a legal right to ask for, and receive, the source code for those devices, so they can adapt the software to their needs, and make practical use of those adaptations by being able to install those changes back onto the devices they purchased.

Specifically the last part of that sentence, unfortunately I'm not very hopeful that it will happen, since v2 does not have the same anti-tivoization clause that v3 does, and Linus has personally said that he wants people to be able to lock down their products.

My own personal experience with SFC, EFF and FSF is also that they will only agree to take on a case for you if they happen to want to do it, and if you sign over all copyright ownership to them, which I think a lot of people are not willing to do.

There are lots of open source folks getting paid, definitely not the majority though.

https://github.com/fossjobs/fossjobs/wiki/resources

AGPLv3 doesn't block folks from selling services based on your software, they just have to ensure their users can get a copy of the code. Also AGPL is FOSS.

I don’t think there so much conspiracy.

The big companies could just be a huge collection of disconnected small teams of 2nd rate developers who have little understanding of software licensing and are just trying to ship a product.

Not an excuse though.

Of course, it doesn’t help that annual training focuses on trade compliance and ethics with no mention of licensing.

Hell, I’ve never seen a policy on the use of commercial clip art…

GPLv2 has the same requirements as GPLv3 around installation of modifications. The GPLv3 also doesn't prevent what TiVo did; breaking the proprietary software when run on modified GPLed software. TiVo didn't prevent installation of modified GPLed software, and didn't think it was legal to do that.

https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...

Linus doesn't want people to enforce the GPL in general, not just the lockdown case, he has been arguing against that for a long time.

IIRC SFC has a contract option to enforce your copyrights without being the owner of them, I've seen that contract on paper at conferences. They also have limited resources, so can't take on every case.

AGPL/GPL require people to contribute forward to users, not back to maintainers. They also don't require any monetary compensation, which is what companies like Elastic are mainly after, not code contributions.

You have the right idea; audit all the software you run, including dependencies, and make sure that they are all viable, by contributing back with dev hours and funding, and advocate that other related companies do the same.

Elastic might be fine in the long run. But everyone I know(sample size <20 orgs) migrated to OpenSearch and never looked back. They were never interested in running Elastic in a separate cloud or running it themselves, and that's what a lot of these DbaaS providers have to overcome.

It's already annoying to create your first terraform module for a new AWS managed service, but they then want the users to have the extra complexity of VPC peering/privatelink/vpn and then manage that lifecycle as well.

It doesn't have to be that way though, companies and folks with money can give back and help projects they depend on to become sustainable. Start an Open Source Program Office, audit all the software you run, including dependencies, and make sure that they are all viable, by contributing back with dev hours and funding, and advocate that other related companies do the same.

> GPLv2 has the same requirements as GPLv3 around installation of modifications

I disagree:

> Stallman found this practice (using crypto lock-down to force the proprietary software to fail) illegitimate. He noted publicly that GPLv2 didn't prevent this behavior, and wanted (and wrote, as explained below) a GPLv3 draft that prohibited that behavior.

I think the author is sometimes (but not always) conflating software installation instructions with the ability to actually usefully install different versions of the software.

At one point he specifically claims that GPLv2 required "a functional installation method", but gives no citations of this in any actual clause of the GPLv2, nor cites any court cases where this was argued either way, and even admits that many lawyers believe that a working installation method is not required (and gives no evidence otherwise because saying he personally disagrees).

> there was a clear installation requirement in GPLv2 — the word “install” appears prominently

Except the only time the word "install" actually appears is in this part:

> scripts used to control compilation and installation of the executable

And I would argue that it's going to be entirely up to every individual judge's 50/50 interpretation as to whether "scripts used to control installation" actually implies a working method of installation as well.

Not only that, but TiVo's "forcing the proprietary software to fail" practice is IMO a completely different legal issue from not even having a method of installing different software on a locked-down device in the first place.

TiVo happened to have a method to do that already, but many devices since then (which use Linux kernels) do not have a way to actually modify any software, and for good reason IMO (e.g. safety/regulation such as in aerospace/defense/medical/automotive industries). And they are not getting sued or called out by anyone to my knowledge... but please prove me wrong.

If the judge has read the GPL preamble, they would understand the intent of the license, and I would guess that would make it a 90/10 chance of requiring a working install method.

That’s basically what RedHat is (was?) for

There's several ways to do it:

- incorporate

- foundation (a subtype of incorporating)

- government

- cooperatives

The trouble with corporations is that they do have interests that are very independent of their customers and they are not good agents (principle-agent problem). RedHat, partly because they could not figure out better ways to monetize, has increasingly fought gadgets with gadgets, creating service contracts for support interfaces for open-core products and so on. This does not maximize the value delivery of open solutions.

Government is not known for speed or efficiency. Good luck getting the average Joe to understand why your little git repo needs to come out of his payroll. Even if you get something passed, now all Joe hears on the radio is about how you're stealing his paycheck. Less learned: narrow interests are easy political targets. Okay so let's do a foundation!

So how about foundations? Every single git repo needs a foundation? That's a lot of overhead. Foundations have a scope. They can also suffer from principle agent problems. Foundations are a good solution, but they themselves have not really adapted to the information age. Rigid, self-serving governance can easily become entrenched by insiders who beat the drum while cashing checks.

PrizeForge solve a lot of these problems just by being very broad in scope and very neutral as far as interests. More payment is better. If the market wins, we win. We don't really have to care who or why but we should try to protect customer value by making money smarter and creating the means of coordination so that nobody moves alone.

PrizeForge is not good yet. But it will be. Our solution for the principle-agent problems will completely change how we do social. To start, we've started operating our fund-matching systems. Those will help us bootstrap faster. We can serve some of the communities we know well while building up the rest of our features. (Log in after a few hours, I'm currently doing maintenance).

If we are going to use this metaphor, its not about putting a lock on the door but having a door at all.

You need locks to protect yourself from malicious people, you need a door just to indicate that people shouldn't randomly come in. MIT is like not even having a door. There is no point in buying a top of the end lock if you leave your door open and hang a sign saying free cookies.

I would also disagree that hard power is the only possible way to defend one self. Soft power has its place too and can often offer you much more bang for your buck.

I don't think we're going to get any further here, but I appreciate you taking the time to explain your worldview. It was very nice of you to answer all of my questions :)

Second source is not too hard concept. You should have second supplier ready to go for your business critical supplies. Or be ready to produce those yourself in case of software.

You're right on both counts. My reply is supplemental to your comment and not its correction. I was just adding information about some pesky corner cases for anyone who's interested in it.

I've never worked at Google, but I'd be shocked if they won't use GPL code.

AGPL, sure, as lots of companies won't touch AGPL code (so, if you don't want companies to use your code, license it under AGPL).

But GPL is so commonly used and pretty well understood how to use it productively and safely and still run a profitable company. Avoiding it entirely seems extremely wasteful, at a scale that even Google probably won't be able to choose to.

Any Googlers/x-Googlers care to summarize the open-source usage policy?

IANAL, but my understand is that legally, the preamble is not part of the terms of the copyright license itself and if the preamble can be construed to provide something, but the actual license does not contain it, then it's not part of the license terms.

I'm willing to bet a pretty large amount that any judge with such a case before them will read the preamble in the course of the proceedings.

> If they win then it means any recipient of GPLed binaries can sue for compliance.

I hope they win the case (meaning, I think it's both morally and legally correct), but I hope that the conclusion of the case is not what this sentence says.

I don't want "company uses GPL software and takes pains to not distribute it [they run it only internally]; disgruntled employee finds a way to smuggle a copy of the binaries out, gives that copy to someone else; now that someone else can now demand enforcement of the GPL terms" to be legally supported.

To me, that's entirely different from "I use GPL software to make a TV and I sell that TV to anyone who will buy it." In that case, any buyer of the TV should be entitled to use the terms in clause 3 & 6 of the license and receive the source code that's covered by GPLv2.

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html (clause numbers above refer to this license)

The GPL also says:

> Activities other than copying, distribution and modification are not covered by this License

I am interpreting this to mean that "installation" does not count as any of those things. It even says "The act of running the Program is not restricted", and to me that means I am free to restrict how/if the program can run in the first place, which I believe is what TiVo did.

Linus even admits "Tivo never did anything wrong", and honestly from a license perspective I'd rather be on the good side of whoever wrote the thing I'm using, as opposed to an outsider who thinks I might be using the license wrong, and is no party to any case I might be involved in.

Either way this Brad guy seems to go on a lot about how he thinks everyone else is wrong, while also never showing any evidence that his interpretations have ever played out successfully in court... so I think it's at least safe to say that for now, "we don't know" if installation is covered or not, until it's actually tested in court.

And even then, one judge may interpret it differently than the next one, so maybe there can't be a universal answer unless the license is modified to be more clear.

Then it's not money and so it's not really relevant. It has little to no bearing on the money supply or the value of money.

The issue is not double taxation per se, it is the inability to pay taxes at all. In order to pay the tax you incur by actually putting the gold/BTC/etc to use, you must liquidate some more of the thing to turn it into something the government will accept. That is what makes fiat real money, and everything else not.

> There's nothing destructive about using software in accordance to it's license

Doesn't this exact same argument work in the opposite direction too? In other words, the "rug puller" is just exercising their rights (explicit in a CLA, or implicit in a permissive license) to use a different license moving forwards. There's nothing destructive because the previous FOSS releases continue to exist and can be forked and maintained by the community if they wish.

> You can't have your cake and eat it.

So what's the alternative? Let's say you independently create an innovative backend/infrastructure software project in 2025, but one that doesn't lend itself well to a SaaS-only model. You require income from it to continue developing it. Realistically, what license do you pick on day one that doesn't doom you to failure?

Well, in practice if they require that I sign a CLA, I just don't bother contributing :-).

Of course they don't care because someone else will work for them for free, but that won't be me.

That's not what "recipient" means: it's a term of art. If I want the source code to your private fork of my GPL'd software, and I see your old laptop on Craig's List, I can't buy the laptop, recover the undeleted binaries from the hard drive, then sue you for the source; this ruling wouldn't affect that.

> Doesn't this exact same argument work in the opposite direction too

It absolutely does; the article discuses this, and at no point did anyone describe license-changes as "destructive". The community/competition also has the right to fork the project when there's a change they don't like (with no assurance of success).

> Realistically, what license do you pick on day one that doesn't doom you to failure?

That's my point exactly! If I have a slice of cake, I can either eat it now or save it for later - not both. You have to pick a poison: AGPL or a custom license will prevent hyperscalers hosting your service, but will slow adoption. MIT or BSD will juice your growth and leave you vulnerable to SaaS alternatives. Switching licenses after achieving popularity leaves you vulnerable to forking - this strategy has been popular lately, but valkey proved that it carries a major risk as well.

AFAICT, there's no license that assures one can maximize adoption, and capture most of the projects value, because these two objectives are in tension. Continuing with the cake theme: the options for project authors are growing the cake and likely capturing a slice of it along others, or having the entirety of a much smaller cake.

edit: the article does outline a strategy that maximizes upside for project author: make outsider contributors sign CLAs, and ensure your org is responsible for most of the contributions.

You are welcome to police the category of 'money' as much as you want, but I don't see what this has to do with the argument being made upthread. Are you saying that the government accepting tax payments in gold or bitcoin would eliminate profit-maximizing behavior and free us from the tyranny of the 8-hour workday?

> the article does outline a strategy that maximizes upside for project author: make outsider contributors sign CLAs

I wouldn't really consider that a separate strategy. When using AGPL and accepting outside contributions in this for-profit scenario, having a CLA (or stronger e.g. CAA) is essentially mandatory. Ditto when using some non-OSI source-available / Fair Source licenses with similar protections against competing SaaS use.

Otherwise, without a CLA, even the project creator effectively can't sell access to an improved/modified hosted SaaS version: each third-party contributor is licensing their code contribution under AGPL, and they are afforded the exact same anti-SaaS protections. So with third-party contributions and no CLA, even the project creator would need to provide the full source code of their SaaS to users, which typically makes the business non-viable.

But meanwhile many folks in the industry are extremely hostile to CLAs, for whatever reason. There are several examples on this page, including one commenter claiming AGPL + CLA is "open-washing". And folks are even more hostile to Fair Source and other non-OSI source available licenses, again several examples on this page, or any time this topic comes up here.

> You have to pick a poison: AGPL or a custom license will prevent hyperscalers hosting your service, but will slow adoption.

IMO the issue is more severe than just slowing adoption; in many cases, using a non-permissive license from day 1 outright kills adoption. And that's really unfortunate, because a few decades ago there was a robust market for software written by bootstrapped independent software vendors, without widespread dogmatic demands for specific license terms. The current status quo is going to lead to a lot less independent software creation, because there's no obvious path to financial self-sufficiency (let alone profit) for such projects.

So with that context in mind, I think the commenter at the top of this subthread is 100% correct. There's currently no way to thread the needle between community licensing demands, and the risk of larger companies capturing all the profits. Logically the only solutions would be to convince users to lessen their dogmatic licensing expectations, and/or to shame cloud vendors into more sustainable behavior regarding FOSS projects, but both of those seem fairly impossible.

Yes, though I hadn't thought about it in those terms at first.

The modern, technocratic government controls policy through many means, but monetary policy is a major one. The switch to fully fiat currency was an important transition point, and I do not believe it is a coincidence that wage gains divorced from productivity gains not long after the end of Bretton Woods. Businesses have always chased profit, but how they do it, what other interests if any they have, and on whose behalf they do it, have changed over time in accordance with (para-)governmental policy, including everything from "intended policy goals" to "unintended consequences" and "regulatory capture".

Though, the simpler point I was driving at about gold and BTC is just that when they are relegated to mere savings, they lose most of their potency. Assets are like potential energy to money's kinetic energy. However, the government accepting anything other than its own currency for payment of taxes would destabilize that currency. Only countries in dire straits would even consider such a policy. Hence, real money is what matters.

Thank you! That's what I was looking for.

> On a side note, it makes me think of the Qt business model.

That's the major example Stallman cited in his article about selling exceptions to the GPL.

https://www.gnu.org/philosophy/selling-exceptions.html

> The KDE desktop was developed in the 90s based on the Qt library. Qt was proprietary software, and TrollTech charged for permission to embed it in proprietary applications. TrollTech allowed gratis use of Qt in free applications, but this did not make it free/libre software. Completely free operating systems therefore could not include Qt, so they could not use KDE either.

> In 1998, the management of TrollTech recognized that they could make Qt free software and continue charging for permission to embed it in proprietary software. I do not recall whether the suggestion came from me, but I certainly was happy to see the change, which made it possible to use Qt and thus KDE in the free software world.

> Initially, they used their own license, the Q Public License (QPL)—quite restrictive as free software licenses go, and incompatible with the GNU GPL. Later they switched to the GNU GPL; I think I had explained to them that it would work for the purpose.

The FSF is also the one organization that effectively already has a CLA via the "version n or later" clause commonly used with GPL licenses. The question then is of course why they'd need a real CLA on top of that.

According to this other article [0] they still aim for 1:1 compatibility with RHEL, and not Stream. I also don't see any mention of Stream in the Rocky 9 release notes.

EDIT: I wonder if Rocky is still following their original plans to leverage rented VMs [1]?

[0] https://linuxiac.com/rocky-linux-confirmed-to-remain-fully-c...

[1] https://rockylinux.org/news/keeping-open-source-open

> But here is where it gets particularly egregious. The above problem can also affect software under just a permissive license and no CLA. This is what happened to Incus and LXD. LXD was initially under the Apache license and the linux containers community, in collaboration with Canonical. One fine morning, Canonical just decided to take control of the project, prompting the linux containers community to fork it as Incus. For a while after that, both projects used to borrow code from each other since they had the same license. But then Canonical decided to relicense LXD under AGPLv3 + CLA. This means that it was no longer possible for Incus to borrow code from LXD due to license incompatibility, while Canonical continued to do so under a slightly odd arrangement. You can read about it in detail here: [2]

Well yeah, that's what you sign up for with a permissive license. Canonical could have just as well kept their changes closed source - here Incus (or others interested in Canonical's changes) at least had the option to also adopt the AGPLv3.

You are ignoring the network and branding effects. The original maintainer removing themselves from the project leaves space for someone to take it over. The original maintainer taking the project proprietary means any replacement based on the last open source code needs to re-build the community from near zero.

I think it's fair to recognize that giving gifts, especially repeatedly over a long time, can create an obligation as people become dependent on those gifts and alternatives they might have relied on otherwise disappear or never materialize in the first place.

And that's before going into the effort of other people that goes into making an open source project successful but who don't have any legal ownership over the source code and thus no legal say in the future of it.

> Good luck getting the average Joe to understand why your little git repo needs to come out of his payroll.

That specific problem could be solved by funding it from taxes that only tech companies have to pay. Maybe something like how FDIC works, where if you want to sell SaaS, you need to pay for some kind of security insurance from the government, and the funds from that are used to support open source projects.

Of course, there are other problems with having the government do it, but I think the taxes issue is solveable. And personally, I'd rather see my taxes spent on helping open source software than military and weapons.

On the other hand, individual developers not working directly on the projects benefit immensely from OSS being easy to integrate and “exploit” by companies. How many skills can you pick up that are instantly transferable between jobs because “everyone” uses the open source project. Surely we’re all better off with most major companies using and deploying to Linux even if most of them will never contribute money or time to it

On a side note, if you had a quality OS like Linux with access to the source code but had to pay a small amount to get it, would you not pay?