
275 points pabs3 | 3 comments
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
kelvinjps10 ◴[] No.45148948[source]
But what about GNU? Their projects require signing a CLA, and I don't think they will do a rug pull.
replies(4): >>45149059 #>>45149610 #>>45150624 #>>45151048 #
sokoloff ◴[] No.45149610[source]
I think there are two differences there:

FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.

FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.

My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.

replies(1): >>45150229 #
phkahler ◴[] No.45150229[source]
>> My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.

FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.

As this stuff keeps happening I think the GPL will regain popularity.

replies(3): >>45150920 #>>45151105 #>>45167284 #
Arch-TK ◴[] No.45151105[source]
For a long while I was using MIT a lot, these days I have started switching to GPL especially for anything significant.

All because of the nonsense and all the rugpulls.

replies(1): >>45151810 #
ranger_danger ◴[] No.45151810[source]
In my experience, the usefulness of any particular license is only as good as your ability to enforce it in court.
replies(3): >>45153087 #>>45153107 #>>45154560 #
palata ◴[] No.45153107[source]
It's also a risk for the other side. Big companies wouldn't take the risk of going to court, they'd rather not use your project.
replies(1): >>45153181 #
ranger_danger ◴[] No.45153181[source]
That has not been my experience... instead, they realize that struggling individual developers cannot and do not want to fight for their rights, so they openly abuse them knowing nothing will happen.
replies(3): >>45154410 #>>45154778 #>>45154989 #
pabs3 ◴[] No.45154778[source]
Indeed, see for example Vizio (or Tesla) or many other examples.

https://sfconservancy.org/copyleft-compliance/vizio.html

replies(1): >>45154935 #
ranger_danger ◴[] No.45154935[source]
> SFC seeks to confirm in the courts that purchasers of devices running Linux and other software with reciprocal licenses like GPLv2 have a legal right to ask for, and receive, the source code for those devices, so they can adapt the software to their needs, and make practical use of those adaptations by being able to install those changes back onto the devices they purchased.

Specifically the last part of that sentence, unfortunately I'm not very hopeful that it will happen, since v2 does not have the same anti-tivoization clause that v3 does, and Linus has personally said that he wants people to be able to lock down their products.

My own personal experience with SFC, EFF and FSF is also that they will only agree to take on a case for you if they happen to want to do it, and if you sign over all copyright ownership to them, which I think a lot of people are not willing to do.

replies(1): >>45155011 #
pabs3 ◴[] No.45155011[source]
GPLv2 has the same requirements as GPLv3 around installation of modifications. The GPLv3 also doesn't prevent what TiVo did; breaking the proprietary software when run on modified GPLed software. TiVo didn't prevent installation of modified GPLed software, and didn't think it was legal to do that.

https://sfconservancy.org/blog/2021/mar/25/install-gplv2/

https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t...

https://events19.linuxfoundation.org/wp-content/uploads/2017...

Linus doesn't want people to enforce the GPL in general, not just the lockdown case, he has been arguing against that for a long time.

IIRC SFC has a contract option to enforce your copyrights without being the owner of them, I've seen that contract on paper at conferences. They also have limited resources, so can't take on every case.

replies(1): >>45155151 #
ranger_danger ◴[] No.45155151[source]
> GPLv2 has the same requirements as GPLv3 around installation of modifications

I disagree:

> Stallman found this practice (using crypto lock-down to force the proprietary software to fail) illegitimate. He noted publicly that GPLv2 didn't prevent this behavior, and wanted (and wrote, as explained below) a GPLv3 draft that prohibited that behavior.

I think the author is sometimes (but not always) conflating software installation instructions with the ability to actually usefully install different versions of the software.

At one point he specifically claims that GPLv2 required "a functional installation method", but gives no citations of this in any actual clause of the GPLv2, nor cites any court cases where this was argued either way, and even admits that many lawyers believe that a working installation method is not required (and gives no evidence otherwise besides saying he personally disagrees).

> there was a clear installation requirement in GPLv2 — the word “install” appears prominently

Except the only time the word "install" actually appears is in this part:

> scripts used to control compilation and installation of the executable

And I would argue that it's going to be entirely up to every individual judge's 50/50 interpretation as to whether "scripts used to control installation" actually implies a working method of installation as well.

Not only that, but TiVo's "forcing the proprietary software to fail" practice is IMO a completely different legal issue from not even having a method of installing different software on a locked-down device in the first place.

TiVo happened to have a method to do that already, but many devices since then (which use Linux kernels) do not have a way to actually modify any software, and for good reason IMO (e.g. safety/regulation such as in aerospace/defense/medical/automotive industries). And they are not getting sued or called out by anyone to my knowledge... but please prove me wrong.

replies(1): >>45155321 #
1. pabs3 ◴[] No.45155321[source]
If the judge has read the GPL preamble, they would understand the intent of the license, and I would guess that would make it a 90/10 chance of requiring a working install method.
replies(2): >>45157692 #>>45158106 #
2. sokoloff ◴[] No.45157692[source]
IANAL, but my understanding is that legally, the preamble is not part of the terms of the copyright license itself and if the preamble can be construed to provide something, but the actual license does not contain it, then it's not part of the license terms.

I'm willing to bet a pretty large amount that any judge with such a case before them will read the preamble in the course of the proceedings.

3. ranger_danger ◴[] No.45158106[source]
The GPL also says:

> Activities other than copying, distribution and modification are not covered by this License

I am interpreting this to mean that "installation" does not count as any of those things. It even says "The act of running the Program is not restricted", and to me that means I am free to restrict how/if the program can run in the first place, which I believe is what TiVo did.

Linus even admits "Tivo never did anything wrong", and honestly from a license perspective I'd rather be on the good side of whoever wrote the thing I'm using, as opposed to an outsider who thinks I might be using the license wrong, and is no party to any case I might be involved in.

Either way this Brad guy seems to go on a lot about how he thinks everyone else is wrong, while also never showing any evidence that his interpretations have ever played out successfully in court... so I think it's at least safe to say that for now, "we don't know" if installation is covered or not, until it's actually tested in court.

And even then, one judge may interpret it differently than the next one, so maybe there can't be a universal answer unless the license is modified to be more clear.