275 points pabs3 | 5 comments
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
charcircuit ◴[] No.45148502[source]
There is no such thing as a rug pull in regards to open source. A GPL copy of your code will exist forever.
replies(4): >>45148582 #>>45148637 #>>45149245 #>>45154216 #
01HNNWZ0MV43FF ◴[] No.45148637[source]
The pull is that a CLA allows someone to circumvent the GPL at some point in the future at their leisure.

It's open-washing

replies(3): >>45149228 #>>45149969 #>>45152391 #
1. hedora ◴[] No.45149228[source]
Though note that Red Hat is doing this with all GPL software, but without a CLA.

They retaliate against customers that share source code, and claim that this doesn’t fall under the “without further restrictions” clause in the redistribution of source code phrase in the GPL.

Anyway, rug pulls are apparently possible, even with the GPL, at least until this is taken to court and IBM loses.

replies(2): >>45149313 #>>45150668 #
2. paulryanrogers ◴[] No.45149313[source]
How does Rocky Linux continue to get timely updates from upstream?

Do they have to use shells or other subterfuge?

replies(1): >>45151272 #
3. bonzini ◴[] No.45150668[source]
Neither you nor the parent comment are using rug pull in the sense of the article.
4. hedora ◴[] No.45151272[source]
It looks like they’re not RHEL compatible any more:

https://www.zdnet.com/article/rocky-linux-9-arrives-with-eve...

That says they pull from CentOS Stream, which I think is upstream from RHEL.

replies(1): >>45167337 #
5. paulryanrogers ◴[] No.45167337{3}[source]
According to this other article [0] they still aim for 1:1 compatibility with RHEL, and not Stream. I also don't see any mention of Stream in the Rocky 9 release notes.

EDIT: I wonder if Rocky is still following their original plans to leverage rented VMs [1]?

[0] https://linuxiac.com/rocky-linux-confirmed-to-remain-fully-c...

[1] https://rockylinux.org/news/keeping-open-source-open