275 points pabs3 | 3 comments
palata ◴[] No.45148071
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
kelvinjps10 ◴[] No.45148948
But what about GNU? Their projects require signing a CLA, and I don't think they will do a rug pull.
replies(4): >>45149059 #>>45149610 #>>45150624 #>>45151048 #
sokoloff ◴[] No.45149610
I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change in emacs from decades ago. It took me way longer to get corporate sign-off on the CLA than it did to author the change.

replies(1): >>45150229 #
phkahler ◴[] No.45150229
>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

replies(3): >>45150920 #>>45151105 #>>45167284 #
wizzwizz4 ◴[] No.45150920
Consider adding the Software Freedom Conservancy to that list: I'd even trust them more than the FSF.
replies(1): >>45154302 #
Supermancho ◴[] No.45154302
Can you explain why anyone would trust the SFC over the FSF? The FSF are effectively zealots with a specialized interest. I can understand saying that donations might be better spent with the SFC, but I am not sure that translates to more trust.
replies(1): >>45154754 #
1. pabs3 ◴[] No.45154754
SFC are the same as FSF effectively, or even better. Their GPL lawsuit against Vizio for example is brilliant, they are suing as a third-party beneficiary of the GPL, rather than as a copyright holder. If they win then it means any recipient of GPLed binaries can sue for compliance.

https://sfconservancy.org/copyleft-compliance/vizio.html

They are also the only folks doing GPL compliance work for the Linux kernel and hardware vendors.

replies(1): >>45157776 #
2. sokoloff ◴[] No.45157776
> If they win then it means any recipient of GPLed binaries can sue for compliance.

I hope they win the case (meaning, I think it's both morally and legally correct), but I hope that the conclusion of the case is not what this sentence says.

I don't want "company uses GPL software and takes pains to not distribute it [they run it only internally]; disgruntled employee finds a way to smuggle a copy of the binaries out, gives that copy to someone else; now that someone else can demand enforcement of the GPL terms" to be legally supported.

To me, that's entirely different from "I use GPL software to make a TV and I sell that TV to anyone who will buy it." In that case, any buyer of the TV should be entitled to use the terms in clauses 3 & 6 of the license and receive the source code that's covered by GPLv2.

https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html (clause numbers above refer to this license)

replies(1): >>45160378 #
3. wizzwizz4 ◴[] No.45160378
That's not what "recipient" means: it's a term of art. If I want the source code to your private fork of my GPL'd software, and I see your old laptop on Craigslist, I can't buy the laptop, recover the undeleted binaries from the hard drive, then sue you for the source; this ruling wouldn't affect that.