
I just recevied an DMCA takedown from GitHub because upstream is “unopensourced” - jsiepkes
I just received a DMCA takedown request for a GitHub repo of mine because my fork of EdgeFS (I started working on a Illumos &#x2F; SmartOS port) uses sources of EdgeFS. Apparently Nextenta has (more then 9 months later) has come to the conclusion that they want to &quot;un-opensource&quot; it and want to put the OSS genie back in the bottle.<p>Is this even possible?<p>The most interesting excerpts:<p>-------------8&lt;---------<p><i></i>Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.<i></i><p>After DDN’s acquisition of the NexentaEdge source code (as described above), it was renamed “EdgeFS” and was subsequently improperly open sourced under [private] without DDN’s permission.<p>-------------8&lt;---------<p><i></i>Is the work licensed under an open source license? If so, which open source license? Are the allegedly infringing files being used under the open source license, or are they in violation of the license?<i></i><p>No. EdgeFS was improperly contributed as open source without the authorization of DataDirect Networks, Inc. or its wholly-owned subsidiary, Nexenta by DDN, Inc., the copyright owners.<p>-------------8&lt;---------
======
georgyo
Not a lawyer but,

If it was released under an open source license by people who did not legally
have permission to change the license, then yes this is possible.

It sucks, and you should likely still challenge it. But they may have the
legal high ground.

It's like if a stolen painting is given away or sold. The recipient is may
have no knowledge the painting is stolen and acting in good faith. But the
original owners before it was stolen are still the legal owners.

~~~
wegs
It's a bit more complex than that. There's the legal concept of __apparent
authority __.

Let's say I go into a bank. The bank requires an officer to approve all loans.
A minimum-wage teller offers me a loan with a 2% interest rate, with
absolutely no authority to do so. I don't know that, and I come out thinking I
have a 2% loan. The bank is generally still required to honor the terms of
that loan.

[https://en.wikipedia.org/wiki/Apparent_authority](https://en.wikipedia.org/wiki/Apparent_authority)

If forensics here prove that the person who open-sourced did not have the
authority to do so (but was affiliated with whoever holds copyright on
EdgeFS), and that OP had no reasonable way to know they did not have that
authority, the most likely outcome is that:

* Nextenra could not pull back the license.

* Nextenta's recourse would be to go after whatever employee open-sourced it without authority, not OP.

This contrasts with an example where an unaffiliated party posted Nextenta's
source under an open source license. If you post the Windows source code under
the GPL, and you don't work for Microsoft, and I make use of that source code,
that's when I'm also liable.

I'm not a lawyer. This isn't legal advice, which I couldn't give without
knowing specifics of what happened when and how. This is merely a correction
to the post which says: "If it was released under an open source license by
people who did not legally have permission to change the license, then yes
this is possible." This was statement is misleading, at least under US law.
I'll also mention you can't get reasonable even legal information without
posting a lot more background (two short exerts aren't adequate for anyone to
have a legal opinion).

~~~
jsiepkes
> I'll also mention you can't get reasonable even legal information without
> posting a lot more background (two short exerts aren't adequate for anyone
> to have a legal opinion).

There isn't that much more to show but here is the entire DMCA takedown
request which I received:
[https://gist.github.com/siepkes/8e1f51e2ce9e44ba7116ed79e492...](https://gist.github.com/siepkes/8e1f51e2ce9e44ba7116ed79e49298f4)

> If forensics here prove that the person who open-sourced did not have the
> authority to do so

Announcements of the opensourcing were made on various places (like Reddit
[1]) by Dmitry Yusupov who is Co-founder and CTO of Nexenta. He also made a
lot of commits in the OSS Github repo which was Apache licensed.

[1]
[https://www.reddit.com/r/edgefs/comments/cf0o2b/edgefs_open_...](https://www.reddit.com/r/edgefs/comments/cf0o2b/edgefs_open_sourced/)

~~~
WhyNotHugo
The "Co-founder and CTO" did the publishing, and they claim it was an employee
without permission?

Lol. They're clearly bullshitting. I'd believe that excuse if a mere developer
had open sourced it, but not someone that high up.

~~~
gpm
Note that this the the co founder of the CTO of the company that was acquired,
not of the company that owned the copyright at the time. Edit: Or at least not
the CTO of the company that owned the company... I'm not clear on what the
subsidiary corporate structure here looks like.

I remain skeptical... but it's important to get the facts right.

------
jka
It appears that Nexenta's edgefs code was open source under an Apache 2.0
license at least as far back as 2020-03-12:

[https://web.archive.org/web/20200312165928/https://github.co...](https://web.archive.org/web/20200312165928/https://github.com/Nexenta/edgefs)

... and probably further back too - here's an HN post referencing the
licensing from around Q3 2019:

[https://news.ycombinator.com/item?id=20671417](https://news.ycombinator.com/item?id=20671417)

I hadn't heard of DataDirect Networks before; it looks like their acquisition
of Nexenta closed in May 2019:

[https://www.theregister.co.uk/2019/05/07/ddn_is_buying_nexen...](https://www.theregister.co.uk/2019/05/07/ddn_is_buying_nexenta/)

"Nexenta by DDN will be run as a separate entity, retaining its own sales and
engineering teams. The Nexenta sales people now get a wider DDN channel to use
and there are cross-selling opportunities for both."

As far as I understand -- I'm not a lawyer -- changing a license requires that
existing contributors are notified and agree to the change of licensing.

[https://softwareengineering.stackexchange.com/questions/5532...](https://softwareengineering.stackexchange.com/questions/55326/can-
you-change-a-license-once-you-pick-one)

~~~
pas
> As far as I understand -- I'm not a lawyer -- changing a license requires
> that existing contributors are notified and agree to the change of
> licensing.

Not the contributors, but the copyright holders. That's why usually projects
require a CLA (Contributor License Agreement) to be signed, so they get the
copyrights (or they get the rights to relicense the work).

~~~
jka
Thanks for the clarification, that makes sense.

------
frantzmiccoli
Not a lawyer.

Reading the former license would make sense. But I would be very surprised if
any mainstream open source license can be revoked.

[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)
was the license of EdgeFS if I believe in Google's cached result. There is no
mention of a time limit or withdrawal possibility.

Some jurisdictions may restrict my conclusion because they don't allow authors
to renounce all their rights - to put something in the public domain for
example. But giving an open source license is like selling one, you can not
just roll back six years later "please give me this back, I don't want this to
have happened"

Plus, if EdgeFS has/had external contribution, changing the license of the
project without prior allowance from other authors is an infringement of they
copyright.

------
Communitivity
UPDATE: According to the web archive [2], the LICENSE file was committed first
10 months before Mar 12 2020, i.e. sometime in May 2019. That looks a lot like
someone wanted to commit it as Open Source just before the acquisition
finalized, and may make your battle harder.

UPDATE 2: Found possible confirmation unfortunately that EdgeFS was not Open
Source before May 2019 (retrieved May 8,2020 [3]):

    
    
      dmitry_yus 3 points·1 year ago
      Fair points and let me provide some clarifications! :-)
    
      Yes, EdgeFS isn't open sourced at the moment but we are 
      moving in direction of opening it up under Apache License. 
      That's our intent and sooner or later this will happen."
    
      As always, I am not a lawyer and this doesn't constitute 
      legal advice, and you should see a lawyer for accurate 
      details.
    

That said, if Github tells you when you forked, and you can show their license
file at the time was an Open Source license, then you should be able to point
that out. Where things get murky and you may be SOL are if any of these are
the case:

* You Open Sourced it yourself rather than forking via Github

* There was no license file

* You worked on the project for them as your employer at any point

* The fork occurred in May 2019 or afterwards

* The project was uploaded to Github, or Open Sourced, in May 2019 or afterwards

Fighting a DMCA is an uphill battle, as there is no risk to Github in
enforcing it, but a big risk for them in fighting it. They make their money
off of commercial users I suspect, so if commercial users stop believing
Github will uphold their IPR, then they'll stop paying.

If any of the above conditions are true I would expect it to be a steep uphill
battle. It may be a steep uphill battle requiring lawyers to fight anyway,
since it revolves around IP in an acquisition. What it may come down to is
that code Open Sourced before May 2019 is ok, code Open Sourced after that
might be under a cloud (and basically means you shouldn't use it unless you're
willing to fund a long and painful legal battle).

A sad end to one of the flag bearers of the Illumos effort (I believe I
remember reading Adam Leventhal of Nexenta on the Developers Council[1]).

[1]
[https://web.archive.org/web/20160710123826/http://wiki.illum...](https://web.archive.org/web/20160710123826/http://wiki.illumos.org/display/illumos/illumos+Developers%27+Council+Meeting%2C+May+16%2C+2012)

[2]
[https://web.archive.org/web/20200312165928/https://github.co...](https://web.archive.org/web/20200312165928/https://github.com/Nexenta/edgefs)

[3]
[https://www.reddit.com/user/dmitry_yus/](https://www.reddit.com/user/dmitry_yus/)

~~~
bjoli
Dimitry (who is CTO at Nexenta) published a story on Reddit titled "EdgeFS -
Geo-Transparent and Scale-Out Data Storage Layer just got open
sourced!":[https://www.reddit.com/r/opensource/comments/clzbnx/edgefs_g...](https://www.reddit.com/r/opensource/comments/clzbnx/edgefs_geotransparent_and_scaleout_data_storage/)

But then again, maybe the CTO is the rogue employee...

Edit: here is an archive in case it is taken down:
[http://archive.is/WZYl2](http://archive.is/WZYl2)

Edit2: here is a tweet from their official handle:
[https://twitter.com/EdgefsIo/status/1156309079968514048?s=20](https://twitter.com/EdgefsIo/status/1156309079968514048?s=20)

~~~
ckdarby
Can't get much clear cut than a C executive stating it has been open sourced.

~~~
bjoli
Well, being devil's advocate: DDN maybe thinks Nexenta did not have the right
to open source Edgefs after it aquired Nexenta.

It seems to be BS though. Citing from the DMCA:

    
    
        "[...] EdgeFS was improperly contributed as open source without the authorization of DataDirect Networks, Inc. or its wholly-owned subsidiary, Nexenta by DDN, Inc., the copyright owners".

------
ballenf
> Instead, we will offer the EdgeFS users a royalty-free license for non-
> commercial uses subject to the terms of our EULA.

That line is in the DMCA request.

I'd guess the investors were told they were paying for this IP but didn't take
fast enough steps to prevent a legitimate officer of the company from open-
sourcing it.

~~~
zuzzurro
One year between the acquisition and the take down seems a lot of time. It may
seem they were not even trying?

------
bjoli
Adding to other sources I found in a reply to Communitivity:
[https://twitter.com/nexenta/status/1141728687357857792?s=20](https://twitter.com/nexenta/status/1141728687357857792?s=20)

Tweet text : Next week, our CTO and Nexenta Founder @dmitryy will be speaking
at #KubeCon 2019 in Shanghai, on NexentaEdge, and the power of open-source
projects (@edgeFS and @rook_io !). Get details here:
[http://ow.ly/SeTD50uJ0yX](http://ow.ly/SeTD50uJ0yX)

------
paukiatwee
I was researching k8s store offering and found
[https://rook.io](https://rook.io) and rook support edgefs with stable status
[https://github.com/rook/rook#project-
status](https://github.com/rook/rook#project-status)

This post make me never use egdefs in any form.

------
greatgib
In addition with other comments, you Can look at what are your contributions
and code changes. All the parts that are completely reworked by you could be
considered as yours. And you can also ask them to ensure that they don't use
your own code/modification as a retaliation of the code not being open source.

------
dddw
wow, that's just stupid. Buying an opensource product and then trying to un-
opensource it. Good look with the troubles, hopefully there is someone here on
HN who knows any good legal defense people ( EFF ? )

