
275 points pabs3 | 1 comments
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
kelvinjps10 ◴[] No.45148948[source]
But what about GNU? Their projects require signing a CLA and I don't think they will do a rug pull.
replies(4): >>45149059 #>>45149610 #>>45150624 #>>45151048 #
sokoloff ◴[] No.45149610[source]
I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.

replies(1): >>45150229 #
phkahler ◴[] No.45150229[source]
>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

replies(3): >>45150920 #>>45151105 #>>45167284 #
Arch-TK ◴[] No.45151105[source]
For a long while I was using MIT a lot; these days I have started switching to GPL, especially for anything significant.

All because of the nonsense and all the rugpulls.

replies(1): >>45151810 #
ranger_danger ◴[] No.45151810[source]
In my experience, the usefulness of any particular license is only as good as your ability to enforce it in court.
replies(3): >>45153087 #>>45153107 #>>45154560 #
palata ◴[] No.45153107[source]
It's also a risk for the other side. Big companies wouldn't take the risk to go to court; they'd rather not use your project.
replies(1): >>45153181 #
ranger_danger ◴[] No.45153181[source]
That has not been my experience... instead, they realize that struggling individual developers cannot and do not want to fight for their rights, so they openly abuse them knowing nothing will happen.
replies(3): >>45154410 #>>45154778 #>>45154989 #
bigiain ◴[] No.45154410{4}[source]
GPL pretty much guarantees Google won't use your code.

Although in this post "Do no evil" world that may no longer be true.

And even if it is, Google don't need to use your code. They have enough resources to clean-room re-engineer pretty much any useful piece of code ever written - perhaps short of Linux, MacOS, and Windows.

If Google decide they need to use your GPL Open Source project, they'll just assign a team to fully document it while meticulously not using any copyrightable text from your project in their version of the documentation, then assign a different team to write software that matches their own internal documentation - most likely in a different language - probably Golang.

Or more likely, they'll make sure there are enough subpoena-able internal comms to make it look like they did that, then just get some external-jurisdiction non-English-speaking intern to use Gemini to copyright whitewash the Golang rewrite directly from your open source code.

(I just sat here for 5 minutes trying to work out how to end this post on a positive note - but I've got nothing...)

replies(3): >>45154519 #>>45154591 #>>45157635 #
1. bawolff ◴[] No.45154591{5}[source]
Is that a bad thing?

I don't write code specifically so Google can use it. If they find it useful and are willing to abide by the license, then by all means great, but if they don't want it, that is their business.

As far as white room reimplementations go - why would I care about that at all? It's no longer my code at that point. Copyright is not a patent, all that is their right to do. Just like I have the right to do the same thing to them. (How do you think our nice Linux computers manage to interact with proprietary protocols?)