Octotree censorship / AGPL violation #1
Comments
|
If you're interested in it, I branched off from the commit before they removed the license over in my copy, and am working on getting dependencies up to date and making sure it still builds right now. Like I mentioned on the original issue, I'm not particularly bothered about the license violation (including AGPL code in a proprietary product) because my contribution was only one line, but changing the FOSS version to source-available unlicensed (or whatever the intention was behind deleting the license) was not okay. |
|
I would suggest that looking for a significant chunk of code that can be clearly traced back to a change where the current team do not control the copyright (i.e: from a contributor other than them who did not assign them the rights) would be the smoking gun here. While their response has been terrible, they could in theory legally do this as long as they only used code they have the copyright for and can re-license. I'm in no way involved, to be clear, just came across this (and very much not a lawyer, just my layman's understanding). The response from them is just... ugh. |
Good idea, here's an obvious one from @jdreesen: ovity/octotree#861 If you look through the output of And of course, if we look in the "complete rewrite" we'll see that it's an obvious derivative: _handlePjaxEvent(e, t, i) {
if (!this._isDispatching) {
this._isDispatching = !0;
try {
if (($(document).trigger(t), null == e.originalEvent)) {
const e = $(this.pjaxContainerSel)[0];
e && e.dispatchEvent(new Event(i, { bubbles: !0 })),
"pjax:end" === i &&
$(".UnderlineNav .UnderlineNav-item").removeClass(
"selected"
);
}
} finally {
this._isDispatching = !1;
}
}
}Bonus points: You can clearly see that the minifier inlined @jdreesen's const e = $(this.pjaxContainerSel)[0];
e && e.dispatchEvent(new Event(i, { bubbles: !0 })); |
|
Maybe useful: $ for f in $(git ls-files); do git blame --line-porcelain $f | sed -n 's/^author //p'; done | sort | uniq -c | sort -rn
53442 Buu Nguyen
1730 NDQ
102 Phi Nguyen
77 Fahme Bnchi
57 An Le Phu Nguyen
52 Will Simons
30 Jacob Dreesen
18 Danh Nguyen
11 Samvel Abrahamyan
10 Rico
10 duylam
6 Xiao Tan
6 Fiete Börner
5 Steven Noto
4 Ahmed El Sayegh
3 GyuYong Jung
3 Duy Lam
2 Yuichi Tanikawa
2 Andrew Levine
1 Zac Anger
1 Kevin Conaway
1 Ephemera
1 Brightcells |
|
Hey, I’m @Fahme in your CC list and I was hired to work on Octotree. I’m no longer involved, but I was there when we rewrote Octotree. Just so you know. |
|
Thanks for making the list. I want to point out the following people are (or were) in the core team and all of them are paid to work on Octotree. Thanks for trying to make our lives difficult even though we write 99% of the code in the old version and probably 99.999% of the new version. Also, as to why I changed the license, it's because of this kind of harassment. It is not the first time but at some point, enough is enough. See this post for more context. |
|
I think not reverting the contributions of people not in that list might be a violation of copyright law. I'm not a lawyer though, you should ask one to be sure. |
Assuming you have the legal stuff sorted for those contributors (they have signed a CLA/assigned their code to no longer be AGPL), you still need to get assignments from the other contributors to designate their code as non-AGPL (NAL). |
Thank you for this information. Could you confirm whether you received relicensing consent from the other 59 contributors?
I don't want to make your life difficult. You said that the proprietary version was a "complete rewrite", and when I provided evidence to the contrary you deleted it and banned me from interacting with your repository.
...but the license isn't yours to change. The project is a derivative work from dozens of contributors, and if you'd like to change the license then you need their consent. This is literally the entire point of copyleft, which you know, and is why you played the "complete rewrite" card. Please just be honest. |
...
All the more reason your response is baffling, because contacting the few other people to ask them to sign off on the re-license would have been easy. Instead, you seem to try to obscure the truth by calling it a complete rewrite and getting aggressive with anyone bringing up the issue. It sucks if people harassed you, but people making real, good-faith points about you re-licensing without the permission of some of the authors is not harassment. Even if it was, it wouldn't somehow give you the right to act unilaterally to try and claim other people's work. Please, put yourself in the shoes of other people here: you are telling people that code they write could end up being used in proprietary software when they contribute it to projects licensed under open licenses. That clearly isn't OK, and it being a small percentage of the code in question simply doesn't address the core problem. |
|
@christianbundy
After I pointed out that it was not true, instead of admitting you didn't look at it carefully enough, you doubled down on the accusations and posted spams CC'ing a bunch of people. Not only that, you even emailed me repeating the same things, as if all these GitHub issues weren't enough! Do you often harass people like this? If people like you only spent half of such effort in contributing to Octotree instead of attacking me, I wouldn't have had to hire a team to work on it or introduce the paid plan so that we could keep the software alive. The bottom line is this:
@zacanger |
The bottom line is that you don't get to define if other people's contributions are important. They contributed work on the basis of a particular license, you can't use it without following that license. You need to contact them and ask them to give you the rights, or rewrite those segments, but it appears that you haven't done that in at least one case. If you believe you have, then all you have to do is actually answer the question to put people's minds at rest, rather than painting people acting in good faith as harassers. No one is complaining about you making a proprietary product here. You just can't take other people's work to do it, even if it is a relatively small proportion of the overall thing. Telling people you only re-licensed a little work without asking is understandably going to lead to people saying that isn't good enough. You are absolutely entitled to profit from your work. It's just a bit incredible to use that as a defence for denying someone else the right to license their work, however small. |
I am fairly certain that once you @buunguyen change it back to AGPL, everyone who is "trolling" you @buunguyen will stop. |
No, I was banned because I posted evidence that you didn't want other people to see. The archive doesn't lie, and you shouldn't either.
Not once have you actually addressed the code that I've pointed out. It's incredibly clear that your proprietary product is a derivative of the AGPL work with 66 contributors, and instead of admitting it you've:
You're now attempting to gish gallop your way through the discussion without actually addressing any of the points made, and I'm not interested in that at all. If you want to have a two-way conversation here, you're more than welcome to do so, but we're not going to do the one-way conversation style that you seem to prefer. |
If you seriously believe the OP acted in good faith after hearing my side of the story, we're very different.
You mean this case? First, to be absolutely clear, I value all contributions and I honestly wish I received enough contributions so that I didn't have to introduce the paid plan to pay people to work on it. Now, if you looked at that code closely, you would see we rewrote and made it much more robust. If we didn't rewrite certain lines made by contributors it was because we couldn't think of any other way to do it. I mean, how many ways you can call a certain API like dispatching an event? |
Oh, like a derivative?
I want to be very clear: I want you to get paid for your work, and there's nothing wrong with your paid plan. I do not want you to renege on your license agreement or lie about the fact that your proprietary product is a derivative of AGPL code. |
They trolled me when it was still AGPL. That's the ONLY reason I had to change it to unlicensed. |
See, your dishonesty shows. Way to quote something out of context.
|
I'm actually impressed at your ability to deflect and avoid addressing anything anyone else says.
Can I get a link please? I want to believe you, but our relationship has been off to a rocky start. |
I do, and I have no skin in the game here. I think you are letting a genuine bad experience colour your interaction with others, and it is escalating. I would recommend taking a step back, and re-engaging with the assumption people are just being genuine here and trying to ensure the AGPL isn't being violated. You came out swinging, and only revealed a lot of key details after multiple attempts where you have deleted people's comments, closed issues as spam and so on, rather than just responding. I can understand how you might assume bad things given previous issues, but that certainly isn't my read from what I saw of this.
I'm no lawyer, and I'm sure there is an argument about trivial similarities in reimplementation, but as you have stated that you used their code and left small parts of it unchanged, not just that you recreated trivial parts incidentally, my understanding is that is making a derivative work based on the other person's, not making a separate implementation. Fundamentally, people are just trying to look out for other open source contributors and ensure their work isn't being used in a way they wouldn't like. Why not just contact these few people and ask them to allow you to use their work? I really can't believe most people would have any issue with it, and if they do (or you can't contact them), a clean-room re-implementation should be easy if we are really talking about trivial code. To say you value contributions, while freely admitting you didn't do so enough to contact people to ask to use their work, while also complaining about people being unwilling to let you value your work... I can understand why people think you are acting in bad faith. |
I'm actually more impressed that you were being dishonest right from the start, never admitted you were wrong in your accusation even though I have been very clear about everything in my responses. |
|
FYI: This bug report made it to the hacker news front page so it may a get a lot of viewing very soon https://news.ycombinator.com/item?id=24953821 One very important point that's been missing from the hundreds of commenters so far is that there are some constraints for code to be copyrightable, like the work has to be original. It's not 100% clear cut what is copyrightable but a typo correction or a half-line edit would most likely not qualify. One comment had some statistics showing that most of the contributors contributed very little (many a single line change). Should review the changes for what may actually be copyrightable. That should reduce down the copyright issue significantly. IMO: could remove the typo commits and similar. Alter the git history, remove the commit, redo, force push. It might make the open source community cringe but it should be fine legally. |
Good call!
No! Re-writing history probably is never a good move. Instead, consider simply writing up a short report from the above investigation, and explicitly state the status of each contributor's contributions:
|
|
Another option that would probably be acceptable to most people involved would be relicensing under BSD or similar, which would solve all these problems as long as contributors consent to that change. Doing that up front would've saved a bit of stress for a few people today, I bet :) |
Reverting back to AGPL is much easier and less problematic than |
We talked about this, didn't we?
It's a shame you didn't act in good faith right from the start by making a blatantly false accusation, which you never admitted you probably had come up after a cursory look. And you keep calling me a liar even though I have explained everything very clearly. So no, I do not understand what you really want. |
|
@buunguyen, you weren't acting in good faith when you created a closed source fork. You are not legally allowed to do this, and you knew you were not allowed to do this. If you're trying to create a legitimate business then you had better change your tune before you get legitimately sued. "It is hard to make someone understand something when their paycheck depends on their not understanding it." Well, I hope that paycheck covers the legal fees and damages which you're about to acrue. Have some respect for the contributors who have helped you, for the licenses you have chosen, and the bountiful free software community on whose shoulders you stand. |
As a context for the people who just came here, I removed the license a few days ago because I was tired of people asking me why I didn't open-source the full Octotree version. Over the last 1.5 years since I started charging for certain functionalities in Octotree, there have been dozens and dozens hate emails, comments, insults and threats targeting me. On the contrary, during the 4+ years I created and maintained Octotree completely free and open-source, I couldn't recall 3 people who personally thanked me for my work. Such is the life of being an open-source maintainer. |
@Lattyware Absolutely, but the Octotree team is doing the exact opposite of dealing with the infringement in a reasonable form. All they have to do:
They're stuck on step 1, and apparently think that if they say "complete rewrite" enough times that everyone will believe them. It's maddening, and honestly feels like trying to argue with a starfish. |
This is flatly untrue, earlier in this thread they committed to contacting contributors and asking for licensing or removing the offending segments of code, which I think is a very reasonable resolution to the issue given the situation (and, I would note, the only outcome I could imagine being likely from legal action, if—as seems unlikely at this point—anyone actually wanted to pursue that). I said earlier that I thought your argument was in good faith at the start of this, and I would hope that is true and you just missed this in the admittedly busy thread, but your summary is just misleading and confrontational given the response. |
|
It would be more accurate to say that they've admitted it (that'll be useful in court, thanks!), but then tried to worm their way out of their legal obligation to release the source code as a conseqeunce. |
|
You're right, I didn't realize they admitted that their closed-source fork was a derivative and that their "complete rewrite" thing wasn't true. That's very useful, but I'm still concerned about this:
But if you click the link, you'll see this:
This demonstrates a fundamental misunderstanding of what we're talking about: derivatives.
The closed-source fork of Octotree is not a clean-room implementation, it's a derivative of the open source project, and unless they convince every contributor to give up their rights then they'll need to share the source code of their fork. Instead of trying to comply with the license, the Octotree team is trying to disenfranchise its contributors, but their preferred method doesn't even work. The whole point of the AGPL is that most code is inspired by (and derived from) previous code, and therefore it's intentionally difficult to dissolve the rights of the people who have contributed to your project. Their options:
Unfortunately "refactor all of the obvious AGPL violations so it's harder to notice" is not an option here. |
|
@christianbundy I don't think "Perform a clean room implementation of the project with zero shared provenance." is an option. They already have derivative works released to the Chrome Web Store, which, in theory, should fall under AGPL unless they convince all contributors to give up their rights. Any new versions without AGPL licensed code from outsiders could be proprietary though. |
|
Not a lawyer, but isn't the source code of the Pro version already provided to the end-user publicly. That's sort of how Javascript works, you guys know it, right? When you download the browser extension, you download the source code too, it's right here. This whole drama started because @christianbundy was able to look at the source code of the Pro version, inspected it, and saw some similarities in the
Imagine how this would go in a court
|
Given that some code currently in the distributed closed-source version was indeed contributed by someone not working for them and thus hasn't re-licensed it (or assigned it) to a different license, the agpl applies. From the AGPL:
Given that there isn't notice about AGPL code being in the release, and no copy of the AGPL, it is in violation of the licenses of other contributors' code. |
Unless they're shipping unminified, I don't think you can call the shipped JS "the source". |
|
@reanimus That's very much debatable and up to the court to decide, no? To me, it is the source code, unminified or not. Are we really starting a witchhunt because a guy ships his JS code minified? Doesn't it seem ridiculous to you? The fact that @christianbundy was able to point out the similarities between the two versions of the method |
It's not debatable, it's pretty well established. You're obligated to distribute the source you edit. Directly from the AGPL:
|
|
@reanimus Again, "the preferred form of the work for making modifications" is subjective, what's "preferred form" anyway, preferred by whom? And then the story becomes
I'm all for open-sourcing and free software, but this is getting blown way out of proportion. |
With AGPLv1 you (might) have an argument, but not v3 (which is based on GPLv3). From https://copyleft.org/guide/monolithic/
|
|
I am astonished to see so many developers out there who just sticks a license file into their source directory without either reading the full license body (GPL is pretty readable and not one of those legalese) or even some dummy summary of the license somewhere (e.g. Github shows some bullet points). For anyone who'd like to make up for this missing homework, at least read up parts of AGPL that mentions |
Small nit-pick: I couldn't find any of those words in the AGPL 3.0. These are the closest definitions that I could find:
EDIT: Oh, maybe you meant https://copyleft.org/guide/monolithic/? |
|
Hi, everyone. Thanks for voicing your opinions. I've just posted this in the Octotree forum to clear up some misunderstandings and have a dialog with Octotree contributors. Octotree contributors and I will discuss to address any concern and see how we can keep Octotree continue being a useful tool. |
|
Cannot seem to be able to participate in that discussion in any way, because while you closed this issue [0], you also blocked me from your "organization". I am sure many others here also were "not invited to the party". |
|
@hyiltiz I think he made it clear:
"blocked" seems to be a misleading word in this context. That thread would be a discussion between contributors and @buunguyen |
|
To be clear, I (and others who have tried asking questions) are blocked from Octotree repository and Ovity organization. That issue might be contributor-specific, but that doesn't mean that @buunguyen hasn't blocked us and deleted our comments.
It shouldn't have to be said, I'd like to condemn any harassment you've experienced. You should be obligated to fulfill the terms of your license agreement and face the consequences of censorship/etc, but that doesn't require name-calling or harassment. I hope you can take some time to prioritize yourself and your family, and then I'd ask you to reconsider your stance on this issue. I think the right thing to do is follow the agreement and publish your closed-source fork under the AGPL.
Again, I want to highlight that the "rewritten" code is still licensed under the AGPL if it was ever mixed with or derived from AGPL'd code. If your "rewrite" has any shared history with non-trivial AGPL code, it's a derivative. The point of the AGPL is to prevent closed-sourced forks like yours, and I'm disappointed that you're still trying to avoid the terms of the agreement that you have with contributors. Copyleft is a viral, so any changes that touch AGPL code are bound under the AGPL themselves. Any changes to that code is bound under the AGPL, and so on. Unless you've been very careful to avoid touching any AGPL code anywhere, I'd imagine that most of your codebase has been 'contaminated' by the APGL -- which is exactly what the license is designed to do. Again, I'd highlight that the best option is to share the source of your paid product under the AGPL, at least with people who download it (your don't have to put it on GitHub). This solves the problem, highlights that Octotree is committed to the principles of open source software, and [most importantly] is the right thing to do. |
If you have time, please read the copyleft https://copyleft.org/guide/monolithic/#x1-300004 especially sections 6 and 7. I do think you misunderstand what is the derivative means. I can extract the source from the above link that does matter
To answer the problem if you replace a simple method @buunguyen also tried to solve any issue with the contributors of the project, which the license requires he needs to get the grant permission from contributors. Let them solve by themselves. From the license terms from the above official document, the claim of derivative for your sample is not convincible. For your reference, you can read these threads and also read my above link I'd like to say instead of claiming, and act as a magistrate. Let @buunguyen and his contributors do their jobs, and let them keep maintain and improve that good software to the community. Is that your main purpose? |
What does this mean? Org charts? You're writing as if your opinion was backed by a court or something. I'm confused at both your tone and the content of your message.
No, they tried to claim that they weren't infringing and censored any discussion that provided contradicting evidence. They're now trying to avoid complying with the license agreement by asking for consent from contributors, but that's because they want to circumvent the agreement rather than follow it.
Did you read your links? It literally says "first, Google never 'forked Java' for Android", which is exactly what we're talking about here. @buunguyen forked a project that was published under the AGPL and is now refusing to comply with the terms of the AGPL because they think their derivative has enough changes that it's a "complete rewrite". That's not how derivatives work. Every time you make a change, your change is covered under the AGPL. If they want to have a closed-source project then they need to do what Google did: create a clean-room implementation with similar behavior and zero shared provenance. |
Huh? Where do they say that in their post? Show me.
Their post explains the reason your comments were deleted. I see a pattern here @christianbundy, you make some guess then talk about it like it is fact. You are like that from the beginning when you insisted they use code on master with little changes and now you insisted they avoid complying, they infringe, they try to get around compliance, must do clean room blah blah. Someone here said earlier you didn't act in good faith. I now see that is exactly true. You posted here, you posted on hacker news, you tagged a lot of people, keep add flame to the thread, ignore constructive comments from other people. Why are you working so hard to cancel this guy? Because he hurt your feeling by deleting your comments? Because you didn't get the source code you wanted? |
|
Please answer my questions before throwing a barrage of questions at me. I'm trying to be polite so I'll answer, but I'm really not interested in hashing this out repeatedly with drive-by commenters.
Please read the thread. Remember to click 'show 55 hidden comments' because GitHub truncates long discussions. I've repeatedly clarified that claiming "rewrite" doesn't solve the problem, so they want to ask contributors to give up their rights and re-assign the license: #1 (comment)
Yes, exactly: "Had I responded to that instead of throwing a tantrum, this whole ordeal probably wouldn't have happened."
Read the AGPL.
Yes, I've taken the liberty to read the subject we're discussing. I would respectfully request that you do the same. I've already proven that there's AGPL code in their fork, which they've admitted to, and an offer to see more infringement after signing an NDA really doesn't contradict that evidence. My best guess is that they're usually nice people who actually just misunderstand how the AGPL works. They probably think that their fork is fine because they've made lots of improvements to the point that it's hard to recognize the infringement. The problem is that the point of the AGPL is to capture these types of improvements and prevent a closed-source fork. I've tried to talk this over with them repeatedly, but when you bring up the facts they delete your comments and accuse you of spam or trolling.
Yes, this is called "staying on-topic". It's not as fun as the alternative, but it's generally preferred when facts and evidence are on your side. If you'd like to contribute something useful to this thread, feel free, but I won't be replying to any more drive-by comments from folks who can't be bothered to read the discussion they're commenting on. |
|
Updated: another thing @christianbundy, stop making the demand. Let the actual contributors speak their own mind [1][2][3] 1: ovity/octotree#1046 |
|
I asked you to please actually read the thread and your response is now "shut up". Cool. Look, if you don't want to hear what I have to say I'd recommend spending more time in the Octotree repo, where I'm banned. It's unbelievably silly to join a conversation that I started and then complain that I'm part of the discussion. Also, you're doing the exact thing that you're arguing against: advocating for other people. It's just that we're advocating for different people for different reasons:
It's clear that you only want a one-way conversation where you can avoid reading or addressing the points that other people make. I'd like to respectfully challenge you to do better in conversations with other people, but my personal budget for this kind of behavior is spent. I won't be replying to any similar comments. Cheers. |
This is an example of a one-way conversation when you assume my reasons without reading carefully my point. I don't want to waste my energy to argue because every new conversation, you lead people to go in a new direction. I sympathize with @buunguyen because just like him I have my own paid job, and working on open source is a hobby. I iterate my points from the first post. You claim @buunguyen to violate the AGPL rule here, and according to me, it is not convinced if you read this post about the copyleft. I read your comments about the derivative but please interpret the derivative from the legal terms not the word of mouth or you assume that it is. If you can find another example that @buunguyen and his team get from the AGPL code a complex function or a complex algorithm (like I stated clearly in my post) then I am at your side. The similar of such a simple API (and I don't spend time to verify whether @buunguyen get from AGPL code), and I give you a discussion of other voices when we talk about the derivative. So I don't think your example convince me @buunguyen violates the AGPL terms. I respect you have different ideas, but I hope you get my points precisely. It is Octotree does not violate the rights of its contributors You or anyone have the right to talk to the rights of contributors, and I also have that right. @buunguyen stated that contributors can review his commercial code, and clarify whether he gets their codes. Octotree product belongs to the right of its contributors, who wrote the codes and they know the Octotree architect, codebase so if they assess whether @buunguyen do the derivative works make more sense to me. I did write a project that lasts 6-7 years with a very long history, I am going to look into the real code, review the code carefully to detect any infringement, not only a simple API. From my perspective, the contributors have more knowledge about the Octotree to give their assessment rather than give an output of simple API and claim the entire product. Does it make sense? You can fight the right to contributors and the open-source community if you think so, but I do believe in who understands the Octotree architect, API, and worked with @buunguyen and evaluate whether @buunguyen steal their works. If you have the skills to review the code that you are not familiar with, then you can review the code because they are javascript and prove whether they use the same architect just changes a little bit from API, naming conventions, etc then again I am on your side. What you claim them about I am using the Octotree free edition, and I don't have a plan to pay their team. I don't think they can earn money more than their time and effort. When they don't violate the AGPL (until you give more convincible evidence), let encourage and help them if you think they make mistake (per your opinion). That toxic action just kills the emotion of people when they want to contribute to the open-source community. I will be back if you give clearer evidence of how @buunguyen got the AGPL code, with the arguments against the terms here https://copyleft.org/guide/monolithic/#x1-300004. I will be on your side if you do so. Otherwise, I mute from now because I don't want to talk to the wall if we don't have the same page on legal terms, an open and constructive mindset. Thanks and bye-bye. |
|
I give you some more examples. Regarding the derivative or claiming, @buunguyen got the AGPL code, and you didn't understand my original point well:
Do you think people claim this code is appropriate?
According to me, in example 3 I violate the GPL license, and experience expert engineers can assess that I violate the GPL license. Hope that helps |
|
Trying to avoid wading into the rest of this as I am not a Octotree contributor, but care deeply about licensing and the GPL. I write libraries and applications with GPL, AGPL, MIT, or Apache licensing depending on use case. I hope to clarify the licensing questions.
I have read these licenses. I know the differences without a Google search. You violate the AGPL/GPL license if you copy a single line of code into a closed source or MIT/BSD/Apache licensed application. It is best to not look at GPL/AGPL/LGPL code if you are writing a closed source application.
Only the code is covered under the GPL/AGPL. It is only a license violation if I copy the code. Your license does not cover every application which outputs the text
It is already too late if you are in this situation. Do not look at the GPL code. See https://en.wikipedia.org/wiki/Clean_room_design
Yes, it is a GPL violation. Don't do it. |
|
For anyone interested, here is a AGPL compliant fork: https://github.com/treepanel/treepanel |
and others
Since @buunguyen has decided to suppress this conversation via censorship, I thought I'd move the discussion here.
Thread summary
This thread is long, I've summarized it for folks who are just now tuning in.
EDIT: This thread has devolved into uninformed opinions by drive-by commenters. I've already explained all of the basics multiple times throughout the thread, and honestly don't have the energy to engage with people who can't be bothered to read what others have already written. I have unsubscribed to this thread.
TL;DR
Contributions to the Octotree project were licensed under the AGPL, which requires that all improvements are also published under the AGPL. Octotree is now closed-source, and @buunguyen is claiming that it's a "complete rewrite", but I've looked at the proprietary bundle (
octotree.zip`) and it doesn't look like a rewrite to me.Example
AGPL
From
src/view.tree.js:Proprietary "complete rewrite"
From
octotree.zip/src/content.js(both formatted with Prettier for easier comparison):The text was updated successfully, but these errors were encountered: