
275 points | pabs3
palata ◴[] No.45148071[source]
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.

Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".

If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!

If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.

If you use a permissive licence, then a rug pull is part of the deal.

replies(5): >>45148427 #>>45148502 #>>45148634 #>>45148648 #>>45148948 #
charcircuit ◴[] No.45148502[source]
There is no such thing as a rug pull in regards to open source. A GPL copy of your code will exist forever.
replies(4): >>45148582 #>>45148637 #>>45149245 #>>45154216 #
zozbot234 ◴[] No.45148582[source]
Yes, it's a pretty weird notion. The only "rug pull" is wrt. ongoing maintenance of the project, but any maintainer may end up abandoning their own project for any reason or no reason at all. This is why essentially all FLOSS licenses have long provided for the right to fork the existing codebase under a new maintainership.
replies(2): >>45148671 #>>45167404 #
Spooky23 ◴[] No.45148671[source]
Unless you can sustain a fork, it is a rug pull if you’ve incorporated the software in other projects. Imagine if a non-trivial critical project like OpenSSL had this happen.

Shitty behavior like this is more common with software both OSS and commercial than in the past. Treat any meaningful software engagement like a celebrity marriage.

replies(4): >>45149174 #>>45151762 #>>45152745 #>>45153772 #
Ekaros ◴[] No.45151762[source]
I find it weird that companies do not have explicit plans for each dependency they pull in, in case maintenance is dropped and there is a critical vulnerability.

Being able to fully support each and every dependency you use should be absolute minimum for any commercial project.

replies(2): >>45153348 #>>45153714 #
socalgal2 ◴[] No.45153714{5}[source]
You could say that about anything though. A bakery has dependencies on fruit suppliers, flour suppliers, paper and wrapping suppliers, the baker(s), the cashier(s), etc. All of which could disappear and they'll have to find new ones.
replies(1): >>45156307 #
Ekaros ◴[] No.45156307{6}[source]
Second source is not too hard a concept. You should have a second supplier ready to go for your business-critical supplies. Or be ready to produce those yourself, in the case of software.