

How TaxCloud Stole My Code and How I'm Doing Something About It - drewtemp
http://hovercar.in/blog/don-t-steal-code

======
chaz
TaxCloud posted sample code for Zencart in December 2010, and it appears to me
that the variable names were already established. Some of it is below.

    
    
      // func.taxcloud.php
      function verifyAddress($address, &$err) {
        global $client;
        // Verify the address through the TaxCloud verify address service
        $params = array( "uspsUserID" => USPS_ID,
               "address1" => $address->getAddress1(),
               "address2" => $address->getAddress2(),
               "city" => $address->getCity(),
               "state" => $address->getState(),
               "zip5" => $address->getZip5(),
               "zip4" => $address->getZip4());
      [...]
    

Post: [http://dev.taxcloud.net/2010/12/30/taxcloud-example-code-rea...](http://dev.taxcloud.net/2010/12/30/taxcloud-example-code-ready-for-zen-cart-developers/)

Code: <http://morecarts.taxcloud.net/cartcode/>

------
mdasen
I'm curious what license you're using (since there's no mention in the
readme). It seems clear that you wrote this to be open source and help people.
Since there's no license information, third parties (i.e., people who aren't
you) should assume that they have no right to use it (that it's proprietary
since there's nothing offering other rights). You've said it's open source,
but under what terms can I (or TaxCloud) use it?

A lot of open source licenses don't require attribution. If you had licensed
this under the GPL2 or MIT licenses, would you still consider what they did
wrong?

It's crappy (in the plagiarism way) to take someone else's code and try to
make people think you wrote it. You haven't explicitly licensed your code
under any license and so, to be conservative, third parties should operate
under the assumption that the code is proprietary. However, many times open
source does allow you to fork something and make it your own. For example,
Joomla is a fork of Mambo. The codebase has evolved, copyright notices have
been changed, and there isn't credit back to Mambo on the website. If it were
a less known project, many people might assume that it all originated with
Joomla (and, in fact, with Mambo seemingly dead and it having been quite a
while since the fork, I'm guessing a lot of newer people wouldn't find out).

Often times, open source licenses don't require attribution. It might have
been that the person at TaxCloud got your email telling them about your open
source project and assumed an MIT license for it. One shouldn't assume things
like that, but people make more egregious errors.

Anyway, it would be nice to know what license the open source code is governed
by (and this is true for many more projects that just don't have a license
file) and I hope you're able to resolve the situation in a way which makes
things better for you.

~~~
boop
"You haven't explicitly licensed your code under any license and so, to be
conservative, third parties should operate under the assumption that the code
is proprietary"

I would have guessed that without an explicit license, open source is free for
anyone to take/modify/reuse. After all, it is open source.

In other words, the default would be the most permissive license. You suggest
it is the opposite - that without a license, the code should be considered
proprietary. Can anyone more familiar with open source licenses clarify?

~~~
drewcrawford
Under the Berne convention, all works produced in any signatory country are
automatically subject to copyright:
[http://en.wikipedia.org/wiki/Berne_Convention_for_the_Protec...](http://en.wikipedia.org/wiki/Berne_Convention_for_the_Protection_of_Literary_and_Artistic_Works#Content)

Wikipedia says "A typical software license grants an end-user permission to
use one or more copies of software in ways where such a use would otherwise
potentially constitute copyright infringement of the software owner's
exclusive rights under copyright law."
<http://en.wikipedia.org/wiki/Software_license>

You may be basing your prior belief on e.g. Wikipedia's claim (scroll down)
that "A primary consequence of the free software form of licensing is that
acceptance of the license is essentially optional — the end-user may use,
study, and privately modify the software without accepting the license."
IANAL, but this statement seems dangerously incorrect to me. It may be
technically correct that you do not "have" to accept the license terms--but
then if you are downloading the software, or creating derivative works without
a license, you would be violating the law. E.g.

Uploading or downloading works protected by copyright without the authority of
the copyright owner is an infringement of the copyright owner's exclusive
rights of reproduction and/or distribution. -
<http://www.copyright.gov/help/faq/faq-digital.html#p2p>

~~~
178
It is true in the sense that there are conceivable ways to use FOSS without
accepting the licence. There are common ways like dual-licensing (if the
license is GPL and the company has all the copyrights they can still sell me a
different license) or even fair use (someone could create a parody of FOSS and
publish it).

------
autarch
Looking at the examples it's really hard to know if this stuff was copied. How
else would you write this sort of stuff? This seems like really simple,
straightforward code.

A lot of it seems to be about creating a hash based on a well-defined data
type. Is there some other way of doing this that makes sense in Ruby?

Similarly, he points out similar variable names. If you have a variable
containing an API key what do you call this besides "api_key"?

Maybe these are just poorly chosen examples, but if these are the best
evidence the author has I don't think there's grounds for flipping out quite
yet.

~~~
petercooper
A few things stand out as distinctive in terms of Ruby style. For example, for
_self.send "#{sym}=", val_ , I'd much prefer to see _send :"#{sym}=", val_.
And "sym" is a poor choice of variable name semantically when it's really
referring to an attribute name.

If I were writing this, I'd probably have a single hash that defines the SOAP
names and internal names then dynamically create those accessors and
dynamically create the hash in to_hash rather than have repetition. DRY and
all that. So there are other ways to go about it.

There's not a _great deal_ to go on, of course, but the chance of two
independent Rubyists stumbling across an identical solution syntax-wise is far
from high (though is not minuscule, either.)

~~~
drewtemp
Valid point. When I first looked at the code I knew the initialize code was
fairly common, but then I noticed the unnecessary require. I started to
explore a bit more and noticed that the style changes from the copied code[1].
They also place their require statements immediately after module
declaration[1]. Not to mention the use of single quotes vs double quotes.

1 -
[https://github.com/donnen/TaxCloud/blob/b036594969f045660a79...](https://github.com/donnen/TaxCloud/blob/b036594969f045660a79dea575621092c5d7b0d9/lib/service/lookup_service.rb)

------
jakejake
The author writes about his love of contributing to open source, but since his
code has no license this may not even be open source code at all. The author
should put some kind of license with his code so that it is used the way he
wishes. If he wants credit, there are attribution licenses out there. GPL may
help to get contributions back to your code. Different licenses will have
different results.

Also, hypothetically, if the official API was GPL and he used that as a
starting point - in fact he could be the one in violation of the GPL for not
including copyright info in his code.

~~~
praptak
> if the official API was GPL

Assuming APIs are copyrightable to start with. There is no broad ruling that
they aren't (except maybe in EU:
<http://www.groklaw.net/article.php?story=20120502083035371> ) but Oracle
tried to claim copyright on APIs and failed.

~~~
narcissus
Isn't the Oracle case more about the definition of an API (what I would
consider to be the header files, for example), versus this, which is more of
an implementation of an API, though?

------
jrockway
Although you still get copyright protection without it, a comment at the top
of every source file with your name and the license makes it very easy for
people to figure out who owns what. You didn't have any license, you didn't
have any authorship or copyright headers in your source code, and then you
asked the company that "stole" your code to take a look and share the code
with others.

The problem is that you're communicating in a very vague manner: you should be
explicit about all of your expectations and intentions so others interacting
with you don't have to guess what you're thinking.

Imagine how this interaction would have gone if your source file started with:

    
    
    # Copyright (c) 2012 My Consulting Firm

    # This program is free software: you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation, either version 3 of the License, or
    # (at your option) any later version.

    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.

    # You should have received a copy of the GNU General Public License
    # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    

And you emailed them saying:

"Hello. I've created a gem that's licensed under the GPLv3 for interacting
with your service. Please feel free to link to it or redistribute it on your
website under the same terms."

My guess is: this problem would have never occurred.

------
paulsutter
What do you really expect from them? Being vague isn't helping the situation.

- If you just want attribution and an apology, ask for that.

- If they don't know what you want, they may just remain silent.

It was probably a lower-level mixup, some programmer was in a hurry, had too
many tickets under his name, and rushed out a solution. The company was
probably unaware.

Making veiled references to some action you might take just means they will
refer it to a lawyer, who will say, "Just keep quiet and don't change anything
right away. It's unlikely he has an Oracle-vs-Google sized budget to make a
case, and anything you say or do might work against you. Rewrite it as soon as
you can think of another justification, and be sure to create an email trail
for that."

~~~
drewtemp
If hurry means more than 8 months. I edited the post to include the date I
contacted them (August 24, 2011). The writing style for the copied code vs
additional code they wrote is inconsistent.

[https://github.com/donnen/TaxCloud/blob/b036594969f045660a79...](https://github.com/donnen/TaxCloud/blob/b036594969f045660a79dea575621092c5d7b0d9/lib/cartitem.rb)
vs
[https://github.com/donnen/TaxCloud/blob/b036594969f045660a79...](https://github.com/donnen/TaxCloud/blob/b036594969f045660a79dea575621092c5d7b0d9/lib/service/lookup_service.rb)

------
calvin
Drew's gem doesn't specify a license. It may be open source, but it's not
clear what the license is. That doesn't help in this kind of a situation.

~~~
drewtemp
Correct. No license implies copyright.

~~~
orjan
Copyright exists regardless of license. So to say "implies copyright" isn't
exactly true.

~~~
178
The author (or his company) always has the copyrights (if it is not sold) and
thus can license it any way(s) wanted, for example under open source licenses.
Authors in certain countries can also release their code into the public
domain -- that would be the only situation where there is no copyright
involved anymore.

------
jpalomaki
A general request (not specifically towards the author): If you release a
project under open source license, please be specific about what kind of
attribution you would like to get when your project is used within a product.

Giving credit would be so much easier if one could use for example Maven or
npm to automatically create a list of attributions that could be then
formatted and included in the "About page".

~~~
jaggederest
Ruby's gemspec format includes an array of authors or a singular author for
this purpose. It's quite handy.

------
syntaxgoonoo
I think you are creating a storm in a tea cup. I agree that there has been
some copy pasting of code blocks. But that's life and the nature of writing.

------
Cushman
That require is a smoking gun for sure, but I'm not too sure about the
copyright claim. It's _their_ copyright on the API in the first place, and
there are a limited number of ways to wrap an API in Ruby.

It's sleazy to cut and paste code without attribution, but this post comes off
as way too confrontational considering the company hasn't had a chance to
respond yet. (Which response is perfectly likely to be "Ah shit, brain fart,
sorry.")

~~~
chaostheory
This is really strange; I just don't understand why the company would do this.
It doesn't make any sense, unless an employee in the company was too lazy to
write his own stuff and wanted to pass off someone else's work as his.

------
jenandre
I think the arguments here are weak. Using a builder is extremely common in
API wrappers like this (I just did this myself wrapping an API in Ruby). In
the second example, the code you pointed out was similar really wasn't that
similar. Someone else made a good point: because this is an API wrapper
there's really only a limited number of ways to do things.

Still, there's a good chance that someone looked at it to see how you did
things -- these things are hard to prove. Regardless, I think your response is
a bit over the top? Does it warrant this nasty blog post, or could you have
just emailed the dude and said, "Hey, I noticed you guys may have been
inspired by my code, a lot of it appeared similar. I am licensing under GPLvXXX
[or whatever your license is] and it requires some attribution if you guys did
use some of my code." I suspect they would have happily given it to you. If
they refused, well, then maybe then would have been the time for the rant. :)

No offense, but the way you handled this, you are coming off like some guy
having a temper tantrum on the internet, instead of a developer with valid
grievances handling this maturely.

------
lubujackson
Depends on the open source license... some of them totally allow commercial
ripoffs without attribution.

------
zunky
Out of curiosity, what program was it he used to view the source code? The one
in the screenshots.

------
onedev
I sent a message to them regarding this, and I hope they do something about
it.

------
kposehn
What text editor is that you are using?

~~~
jordanthoms
Anyone know that theme?

~~~
tortilla
Phoenix Theme:

<http://netatoo.github.com/phoenix-theme/>

Not sure the color scheme.

------
phpluver
fuck em

