
Microsoft WinObjC: Restore original licenses - mikeash
https://github.com/Microsoft/WinObjC/issues/35
======
DannyBee
Speaking as someone whose job it is to make sure these issues don't happen at
a similar large company:

No org can be 100% perfect all of the time, no matter what processes they put
in place. This looks like just a regular process failure.

I don't know what MS's are specifically, but we do everything from training
new employees to verifying headers on outgoing releases (much to the annoyance
of plenty of engineers who just want to release shit). I suspect they do the
same.

Replacing headers with a standard header is pretty common. However, we require
code segregation to prevent the issue that happened here (i.e., all third-party
code goes in third-party directories with an associated LICENSE file
describing the license/notices). That makes it easy to tell that someone
screwed up when replacing headers.

_Doing that_ is uncommon for most companies in practice (at least, when I
surveyed my counterparts, most want to be doing it, but it doesn't really
happen in practice with a > 50% rate due to not being closely involved enough
with engineering and development practices to make it easy).

Most of them are happy to mix up third party code with their own code, or
really bad at enforcing, and then when you go to release it, you don't notice
things like what happened here.

Then again, we also tell new employees that we care about getting the notices
and credits right not because we are worried about legal repercussions, but
because of the golden rule (you'd be pissed if you ask for one small thing to
use your code, and they can't be bothered to do it, and we don't want other
people to feel that way about us).

I suspect that is pretty different too :)

But this seems like an object lesson in proving that. The people whose headers
were changed feel aggrieved regardless of the fact that it was probably a
simple process screwup / whatever. They don't care about that. They care that
somebody decided they really wanted to use it, and that it saved them
time/energy/helped/whatever, but despite that, when they made the choice to
use it, they didn't seem to bother to put the one small thing the author asked
of them on "the list of things to do before release".

(Regardless of whether this is actually the case).

~~~
JoshTriplett
> Replacing headers with a standard header is pretty common.

It shouldn't be. That's a fundamentally bad idea.

It'd be reasonable to put a standard header at the top, immediately followed
by "Based on (other project):" and the header for that project. But _changing_
those headers is never OK.

~~~
teamhappy
> It shouldn't be. That's a fundamentally bad idea.

I don't think it's that bad of an idea. The MIT license says:

    The above copyright notice and this permission notice shall be
    included in all copies or substantial portions of the Software.

What that means is anybody's guess. I'd say if you include one copy somewhere
you're pretty much off the hook.

~~~
teacup50
A source file is reasonably "a substantial portion"; in fact, a per-file
license is applicable to that file, and does not cover other files.

~~~
teamhappy
Yup. I'm saying (guessing, really) the header doesn't necessarily have to stay
in the file. You might as well put it somewhere else (e.g., docs, license
file).

---

Per-file licenses are different. The only one I looked at is MPL2 and IIRC it
mentions the little note doesn't have to be in the file.

------
ecobiker
>> Someone at Microsoft needs to go back to the first commit and track down
every bit of code that was taken, and investigate the origin of the code, and
properly restore the copyright notices.

It is specifically to avoid these issues that most companies don't go through
the trouble of open-sourcing their code. Not at all saying it's wrong to
enforce licenses; I'm just pointing out the obvious, that companies that don't
want to get into legal trouble avoid the issue altogether and discourage open
source. A well-known company I used to work for requires legal to sign off on
anything that has to be open-sourced. A startup I currently work for had to be
audited for license compliance before a round of funding. One primary reason I
see is that most engineers don't understand licensing very well. They don't
understand when it's safe to use GPL and when it's not.

~~~
WalterBright
At D one huge reason we use github is to establish an audit trail of where
code that gets incorporated comes from, which:

1. discourages people from committing code that isn't theirs
2. if there is bad code committed, we can determine the extent of it and so
   take corrective action
3. it's a great defense against false claims of bad code

------
mikeash
There's been a brewing controversy on Twitter and GitHub today about
missing/changed licenses on some of the code that Microsoft incorporated into
their WinObjC release from yesterday. This GitHub issue seems to be the best
summary of what's going on so far. The quick summary of the summary is that
there are a bunch of files released under BSD/MIT-style licenses where
Microsoft removed attribution, some files which are GPLd or even more
restrictive, and at least one file which is not under an open source license
at all.

Full disclosure: some of my code is in there, so I'm not an unbiased source.

~~~
teacup50
The scrubbed copyrights are bad enough, but can be fixed. The incompatible
licenses mean that this code is actually unusable.

I have no idea how MS is going to rectify this.

~~~
waynecochran
I feel a bit ignorant here, but are there open source licenses that simply
cannot co-exist?

For example, could I write program Foo.c (using CDDL license), which uses
GPL'ed Bar.c and MIT'ed Dad.c (both unmodified)?

~~~
dragonwriter
> but are there open source licenses that simply cannot co-exist?

The GPL can basically not coexist with any other license, though lots of
licenses (though perhaps fewer than the FSF claims, especially for GPLv2 and
previous) allow code to be relicensed under the GPL (which is different from
the code coexisting.)

The reverse is emphatically _not_ true, GPL code generally cannot be
relicensed (downstream; the copyright owner can do whatever they want) to
another license, except newer GPL versions if the optional "or any later
version" clause is included with the GPL.

~~~
mindcrime
My understanding is that the GPL can usually coexist with licenses that are
non-copyleft, or with some copyleft licenses, as long as the license doesn't
require the resulting work have any license restrictions beyond what the GPL
requires.

Anybody who's terribly interested in all of this will probably enjoy reading
the GPL FAQ, especially this bit:

[http://www.gnu.org/licenses/gpl-faq.en.html#WhatIsCompatible](http://www.gnu.org/licenses/gpl-faq.en.html#WhatIsCompatible)

IANAL, YMMV, HTH, WTFBBQ, ETC.

------
cmarschner
Microsoft is very serious about OS licenses, and I'm sure the team is
currently sweating to get this right. Before Nadella, it was very difficult to
get a permit to use OSS at all; with the new culture, openness (giving and
taking) is encouraged, but some teams might have taken it too lightly. It's a
learning process.

------
corysama
What is proper procedure for open-source mashups? Setting aside GPL, if I have
a project that lifts a single function each from separate projects that are
individually zlib, mit, bsd, apache, mozilla, eclipse and boost. What do I do?
Put a license url annotation on each function? What license can my project as
a whole be?

~~~
JoshTriplett
Document the licenses for each, and include all the copyright notices and
license headers, exactly as they appeared at the top of the files you took
those functions from. The resulting file is under the conjunction of all of
those licenses, requiring anyone who uses it to comply with all of them
simultaneously. That's theoretically possible when the licenses don't
conflict.

------
fithisux
I hope they make it compilable with clang + mingw headers.

------
geofft
I like the dude who thinks that the GPL hasn't been proven valid in a US court
and that migueldeicaza has trouble getting a job in the industry.

~~~
cannam
It's quite irrelevant, but I was about to post the same -- the idea of Miguel
"becoming unemployable" as a result of this is just delightful.

~~~
geofft
Yeah. Ironically, what _would_ actually make me hesitate to hire someone is
seeing them post on a public issue tracker that they believe the GPL is
unenforceable and that blatantly violating it is a good idea. Leaving aside
their critical thinking abilities, soft skills, etc. it's a serious risk of
legal liability to have such a person write code for my company.

~~~
mikeash
Indeed. They seem eager for Microsoft to intentionally violate the GPL in
order to create a court case which they believe would result in invalidating
the GPL. Who's to say they wouldn't see an opportunity for causing this to
happen by incorporating GPL into whatever project they're working on at their
job?

------
finishingmove
Oh no. First time I see something like this. Why can't Microsoft be like the
good-guy companies, like Google (and Apple)?

------
merb
I love open source, but I find it's really disturbing that some code can't live
together when licensed under different open source licenses. Under my Java
code I mostly avoid unnecessary libraries altogether. That's the reason why I
mostly build my stuff with akka and undertow and postgresql jdbc only (and the
jdbc stuff gets replaced as soon as my library async postgres driver does what
I need) so that I only have Apache 2 code (and some parts BSD which will be
replaced).

Everything else is just too odd. And if I or any other people below me pull a
library in that isn't APL2, I will refuse the PR. It just sucks how awful it
is to write programs with awesome licenses that are incompatible. But you just
want to use existing things, which you can't do because people are dumb and
don't write licenses which are happy together. I mean, why can't I write
GPLv3 code and pull other open source licensed things, too? It's still open.
And that's the problem: the Open in Open Source mostly isn't open. I see the
source, but I can't do anything with it.

