275 points pabs3 | 29 comments
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
kelvinjps10 ◴[] No.45148948[source]
But what about GNU? Their projects require signing a CLA and I don't think they will do a rug pull.
replies(4): >>45149059 #>>45149610 #>>45150624 #>>45151048 #
1. sokoloff ◴[] No.45149610[source]
I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.

replies(1): >>45150229 #
2. phkahler ◴[] No.45150229[source]
>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

replies(3): >>45150920 #>>45151105 #>>45167284 #
3. wizzwizz4 ◴[] No.45150920[source]
Consider adding the Software Freedom Conservancy to that list: I'd even trust them more than the FSF.
replies(1): >>45154302 #
4. Arch-TK ◴[] No.45151105[source]
For a long while I was using MIT a lot, these days I have started switching to GPL especially for anything significant.

All because of the nonsense and all the rugpulls.

replies(1): >>45151810 #
5. ranger_danger ◴[] No.45151810{3}[source]
In my experience, the usefulness of any particular license is only as good as your ability to enforce it in court.
replies(3): >>45153087 #>>45153107 #>>45154560 #
6. type0 ◴[] No.45153087{4}[source]
Using a license that contributors trust your project to abide by is far more useful than any potential litigation that may or may not happen.
7. palata ◴[] No.45153107{4}[source]
It's also a risk for the other side. Big companies wouldn't take the risk to go in court, they'd rather not use your project.
replies(1): >>45153181 #
8. ranger_danger ◴[] No.45153181{5}[source]
That has not been my experience... instead, they realize that struggling individual developers cannot and do not want to fight for their rights, so they openly abuse them knowing nothing will happen.
replies(3): >>45154410 #>>45154778 #>>45154989 #
9. Supermancho ◴[] No.45154302{3}[source]
Can you explain why anyone would trust the SFC over the FSF? The FSF are effectively zealots with a specialized interest. I can understand saying that donations might be better spent with the SFC, but I am not sure that translates to more trust.
replies(1): >>45154754 #
10. bigiain ◴[] No.45154410{6}[source]
GPL pretty much guarantees Google won't use you code.

Although in this post "Do no evil" world that may no longer be true.

And even if it is, Google don't need to use your code. They have enough resources to clean-room re-engineer pretty much any useful piece of code ever written - perhaps short of Linux, MacOS, and Windows.

If Google decide they need to use your GPL Open Source project, they'll just assign a team to fully document it while meticulously not using any copyrightable text from your project in their version of the documentation, then assign a different team to write software that matches their own internal documentation - most likely in a different language - probably Golang.

Or more likely, they'll make sure there are enough subpoena-able internal comms to make it look like they did that, then just get some external-jurisdiction non-English-speaking intern to use Gemini to copyright whitewash the Golang rewrite directly from your open source code.

(I just sat here for 5 minutes trying to work out how to end this post on a positive note - but I've got nothing...)

replies(3): >>45154519 #>>45154591 #>>45157635 #
11. Philpax ◴[] No.45154519{7}[source]
The positive note, I think, is that Google won't use your software and you won't have to deal with Google problems as a result :-)
replies(1): >>45162905 #
12. bawolff ◴[] No.45154560{4}[source]
I disagree, we remember the cases where companies egregiously breach the license, we don't remember the cases where they just comply.

GPL is at least setting your expectations. With MIT can you even call it a rug pull? The entire point is to let companies do that sort of thing.

replies(1): >>45154662 #
13. bawolff ◴[] No.45154591{7}[source]
Is that a bad thing?

I don't write code specifically so Google can use it. If they find it useful and are willing to abide by the license, then by all means great, but if they don't want it, that is their business.

As far as white room reimplementations go - why would I care about that at all? It's no longer my code at that point. Copyright is not a patent, all that is their right to do. Just like I have the right to do the same thing to them. (How do you think our nice Linux computers manage to interact with proprietary protocols?)

14. ranger_danger ◴[] No.45154662{5}[source]
But how can we be sure that the same "nothing" wouldn't have happened with any other (or no) license in most cases?

Did the lock I put on my door actually prevent anyone from breaking in if nobody ever tried?

In my mind, regardless of your license, you still have to be able to defend your rights, or you don't really have any.

replies(1): >>45155660 #
15. pabs3 ◴[] No.45154754{4}[source]
SFC are the same as FSF effectively, or even better. Their GPL lawsuit against Vizio for example is brilliant, they are suing as a third-party beneficiary of the GPL, rather than as a copyright holder. If they win then it means any recipient of GPLed binaries can sue for compliance.

https://sfconservancy.org/copyleft-compliance/vizio.html

They are also the only folks doing GPL compliance work for the Linux kernel and hardware vendors.

replies(1): >>45157776 #
16. pabs3 ◴[] No.45154778{6}[source]
Indeed, see for example Vizio (or Tesla) or many other examples.

https://sfconservancy.org/copyleft-compliance/vizio.html

replies(1): >>45154935 #
17. ranger_danger ◴[] No.45154935{7}[source]
> SFC seeks to confirm in the courts that purchasers of devices running Linux and other software with reciprocal licenses like GPLv2 have a legal right to ask for, and receive, the source code for those devices, so they can adapt the software to their needs, and make practical use of those adaptations by being able to install those changes back onto the devices they purchased.

Specifically the last part of that sentence, unfortunately I'm not very hopeful that it will happen, since v2 does not have the same anti-tivoization clause that v3 does, and Linus has personally said that he wants people to be able to lock down their products.

My own personal experience with SFC, EFF and FSF is also that they will only agree to take on a case for you if they happen to want to do it, and if you sign over all copyright ownership to them, which I think a lot of people are not willing to do.

replies(1): >>45155011 #
18. BobbyTables2 ◴[] No.45154989{6}[source]
I don’t think there so much conspiracy.

The big companies could just be a huge collection of disconnected small teams of 2nd rate developers who have little understanding of software licensing and are just trying to ship a product.

Not an excuse though.

Of course, it doesn’t help that annual training focuses on trade compliance and ethics with no mention of licensing.

Hell, I’ve never seen a policy on the use of commercial clip art…

19. pabs3 ◴[] No.45155011{8}[source]
GPLv2 has the same requirements as GPLv3 around installation of modifications. The GPLv3 also doesn't prevent what TiVo did; breaking the proprietary software when run on modified GPLed software. TiVo didn't prevent installation of modified GPLed software, and didn't think it was legal to do that.

https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...

Linus doesn't want people to enforce the GPL in general, not just the lockdown case, he has been arguing against that for a long time.

IIRC SFC has a contract option to enforce your copyrights without being the owner of them, I've seen that contract on paper at conferences. They also have limited resources, so can't take on every case.

replies(1): >>45155151 #
20. ranger_danger ◴[] No.45155151{9}[source]
> GPLv2 has the same requirements as GPLv3 around installation of modifications

I disagree:

> Stallman found this practice (using crypto lock-down to force the proprietary software to fail) illegitimate. He noted publicly that GPLv2 didn't prevent this behavior, and wanted (and wrote, as explained below) a GPLv3 draft that prohibited that behavior.

I think the author is sometimes (but not always) conflating software installation instructions with the ability to actually usefully install different versions of the software.

At one point he specifically claims that GPLv2 required "a functional installation method", but gives no citations of this in any actual clause of the GPLv2, nor cites any court cases where this was argued either way, and even admits that many lawyers believe that a working installation method is not required (and gives no evidence otherwise beyond saying he personally disagrees).

> there was a clear installation requirement in GPLv2 — the word “install” appears prominently

Except the only time the word "install" actually appears is in this part:

> scripts used to control compilation and installation of the executable

And I would argue that it's going to be entirely up to every individual judge's 50/50 interpretation as to whether "scripts used to control installation" actually implies a working method of installation as well.

Not only that, but TiVo's "forcing the proprietary software to fail" practice is IMO a completely different legal issue from not even having a method of installing different software on a locked-down device in the first place.

TiVo happened to have a method to do that already, but many devices since then (which use Linux kernels) do not have a way to actually modify any software, and for good reason IMO (e.g. safety/regulation such as in aerospace/defense/medical/automotive industries). And they are not getting sued or called out by anyone to my knowledge... but please prove me wrong.

replies(1): >>45155321 #
21. pabs3 ◴[] No.45155321{10}[source]
If the judge has read the GPL preamble, they would understand the intent of the license, and I would guess that would make it a 90/10 chance of requiring a working install method.
replies(2): >>45157692 #>>45158106 #
22. bawolff ◴[] No.45155660{6}[source]
If we are going to use this metaphor, it's not about putting a lock on the door but having a door at all.

You need locks to protect yourself from malicious people, you need a door just to indicate that people shouldn't randomly come in. MIT is like not even having a door. There is no point in buying a top-of-the-line lock if you leave your door open and hang a sign saying free cookies.

I would also disagree that hard power is the only possible way to defend oneself. Soft power has its place too and can often offer you much more bang for your buck.

23. sokoloff ◴[] No.45157635{7}[source]
I've never worked at Google, but I'd be shocked if they won't use GPL code.

AGPL, sure, as lots of companies won't touch AGPL code (so, if you don't want companies to use your code, license it under AGPL).

But GPL is so commonly used and pretty well understood how to use it productively and safely and still run a profitable company. Avoiding it entirely seems extremely wasteful, at a scale that even Google probably won't be able to choose to.

Any Googlers/x-Googlers care to summarize the open-source usage policy?

24. sokoloff ◴[] No.45157692{11}[source]
IANAL, but my understanding is that legally, the preamble is not part of the terms of the copyright license itself, and if the preamble can be construed to provide something, but the actual license does not contain it, then it's not part of the license terms.

I'm willing to bet a pretty large amount that any judge with such a case before them will read the preamble in the course of the proceedings.

25. sokoloff ◴[] No.45157776{5}[source]
> If they win then it means any recipient of GPLed binaries can sue for compliance.

I hope they win the case (meaning, I think it's both morally and legally correct), but I hope that the conclusion of the case is not what this sentence says.

I don't want "company uses GPL software and takes pains to not distribute it [they run it only internally]; disgruntled employee finds a way to smuggle a copy of the binaries out, gives that copy to someone else; now that someone else can now demand enforcement of the GPL terms" to be legally supported.

To me, that's entirely different from "I use GPL software to make a TV and I sell that TV to anyone who will buy it." In that case, any buyer of the TV should be entitled to use the terms in clause 3 & 6 of the license and receive the source code that's covered by GPLv2.

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html (clause numbers above refer to this license)

replies(1): >>45160378 #
26. ranger_danger ◴[] No.45158106{11}[source]
The GPL also says:

> Activities other than copying, distribution and modification are not covered by this License

I am interpreting this to mean that "installation" does not count as any of those things. It even says "The act of running the Program is not restricted", and to me that means I am free to restrict how/if the program can run in the first place, which I believe is what TiVo did.

Linus even admits "Tivo never did anything wrong", and honestly from a license perspective I'd rather be on the good side of whoever wrote the thing I'm using, as opposed to an outsider who thinks I might be using the license wrong, and is no party to any case I might be involved in.

Either way this Brad guy seems to go on a lot about how he thinks everyone else is wrong, while also never showing any evidence that his interpretations have ever played out successfully in court... so I think it's at least safe to say that for now, "we don't know" if installation is covered or not, until it's actually tested in court.

And even then, one judge may interpret it differently than the next one, so maybe there can't be a universal answer unless the license is modified to be more clear.

27. wizzwizz4 ◴[] No.45160378{6}[source]
That's not what "recipient" means: it's a term of art. If I want the source code to your private fork of my GPL'd software, and I see your old laptop on Craig's List, I can't buy the laptop, recover the undeleted binaries from the hard drive, then sue you for the source; this ruling wouldn't affect that.
28. bigiain ◴[] No.45162905{8}[source]
Thank you! That's what I was looking for.
29. account42 ◴[] No.45167284[source]
The FSF is also the one organization that effectively already has a CLA via the "version n or later" clause commonly used with GPL licenses. The question then is of course why they'd need a real CLA on top of that.