
New GitHub Terms of Service - stock_toaster
https://github.com/blog/2314-new-github-terms-of-service
======
joeyh

        Solely to allow us to provide the Service and to host 
        the Content you upload to the Website without violating 
        any rights you have in it, you grant GitHub and our 
        successors a nonexclusive, worldwide, transferable, 
        fully-paid and royalty-free license to use, reproduce, 
        display, modify, adapt, distribute, and perform the 
        Content in connection with rendering the Website and 
        providing the Service.
    

This appears to let Github take any software repository hosted there, and use
it under this license to provide features to the github website. So they could
take AGPL licensed software and modify and use it without complying with the
source disclosure requirements of the AGPL because they have been provided
this other more permissive license. It's essentially a free BSD license to
everything on Github, for Github alone.

Also, "the Service" is defined as any product or service Github provides, so
this could be expanded into any business.

The "transferable" in that also might let Github contract with some other
company to provide part of "the Service" -- perhaps in an entirely unrelated
business than the current Github website, and transfer the license to any free
software they like to that other company.

I don't know if it was intended to be used this way, and I am not a lawyer so
I could be misinterpreting it, but I will not be hosting any software on Github
if they adopt this TOS, without consulting a lawyer.

(The current TOS has nothing like this in it.)

~~~
eli
No. Like it says, the license is solely to allow the service to function and
display what you have uploaded to it.

Virtually every website that allows user uploads has a provision like this so
that you cannot upload a copyrighted work and then turn around and sue them
for infringement.

~~~
joeyh
Except Github is hosting software, and this license allows them to modify and
use that software in any way they like, without complying with the software's
normal license.

~~~
ceejayoz
> this license allows them to modify and use that software in any way they
> like

Only "in connection with rendering the Website and providing the Service",
i.e. they can display it in the web UI and syntax highlight it and whatnot.

~~~
shakna
> and providing the Service

This is the wording that concerns me most, because the Service is defined as:

> The “Service” refers to the applications, software, products, and services
> provided by GitHub.

Thus, GitHub could legally use this to use any software hosted by them, so
long as it entered their stack at some point.

Contrived example:

They could use a modified Linux kernel at the bottom of their stack, and
refuse to give anyone access to the source. Breaching the AGPL, but it doesn't
apply. Simply because the Linux kernel is mirrored on GitHub.

~~~
ceejayoz
> They could use a modified Linux kernel at the bottom of their stack, and
> refuse to give anyone access to the source.

Sure, if they wanted to risk billions of dollars of valuation for no good
reason. After such a thing was discovered, how long do you think folks would
continue hosting their private proprietary projects there?

~~~
shakna
As I said, contrived example.

Doesn't change the fact that the wording is troubling.

------
koolba
> You may scrape the website for the following reasons:

> Researchers may scrape public, non-personal information from GitHub for
> academic research purposes, only if any publications resulting from that
> research are open access.

> Archivists may scrape GitHub for public data for archival purposes.

> It is prohibited to scrape GitHub for spamming purposes, including for the
> purposes of selling GitHub users' personal information, such as to
> recruiters, headhunters, and job boards.

How about a level of indirection?

Alice the Archivist scrapes GitHub and compiles a compendium of names /
emails. She then publishes this information in bulk for anybody who'd like to
use. Alice's cousin Roger the Recruiter downloads the archive and does what he
does best. Alice isn't selling anything, she's just providing the information
bundled up. Roger isn't getting it from GitHub, he's getting it from the
public feed (say via BitTorrent or a public data set posted somewhere).

~~~
bryanrasmussen
what makes someone an archivist?

~~~
jdc0589
archive.org, etc...

~~~
noplay
Or software heritage

------
Heliosmaster
It's a bit ironic that GitHub proposes new Terms and conditions and there is
not an easy way for the user to run a simple diff

~~~
koolba
It says "DRAFT — NOT YET EFFECTIVE" so it's possible they'll have that when
it's official.

~~~
drdaeman
Could've done it on a wip_newtos branch.

------
r3bl
Section D, rule 7 seems like it could use some work:

> GitHub employees do not access private repositories unless required to for
> security or maintenance, or for support reasons, with the consent of the
> repository owner. [...] If we have reason to believe the contents of a
> private repository are in violation of the law or of these Terms, we have
> the right to remove them.

So, basically, GitHub says that there's a possibility for them to remove a
private repo because of a hunch that it violates ToS, without actually looking
at it to make sure?

~~~
snowwrestler
It says "reason to believe" which means they will have evidence (the
"reason"). You might need to sue them in order to see it, but that's usually
how these things go.

If they wanted to give themselves free rein to remove repos they would say
something like "we have the right to remove private repos at any time, for any
reason, at our sole discretion."

------
Flimm
> Default Contributor License: To address growing confusion over licensing and
> contributions to others’ projects, we added a simple default contributor
> license. If it does not suit your needs, you may add your own Contributor
> License Agreement to your repository.

That is much needed. Does anyone know what the new default contributor license
is?

~~~
driusan
"Additionally, unless there is a Contributor License Agreement to the
contrary, whenever you make a contribution to a repository containing notice
of a license, you license your contribution under the same terms, and agree
that you have the right to license your contribution under those terms."

It makes me _so_ unreasonably happy to see that added to the terms of GitHub.

------
morbidhawk
I'm in the process of moving all of my repositories hosted on GitHub to fossil
scm instead. Unlike GitHub it is open source[1] and with a simple cgi
script[2] I am able to host all of my repositories on my own web server. After
knowing git, fossil wasn't very hard to learn and it comes with ticketing and
wiki built-in and accessible via a web UI locally on any machine I'm using.

One of the benefits in addition to being able to read fossil source code and
being able change/style the web interface however I want is that I don't have
to worry about staying up to date on Terms of Service changes I really have no
say in.

Edit: failed to mention fossil can import/export to/from a git repository[3]

[1] 2-clause BSD license: [https://www.fossil-scm.org/xfer/artifact/f99187d1905883d3](https://www.fossil-scm.org/xfer/artifact/f99187d1905883d3)

[2] cgi script: [http://fossil-scm.org/xfer/doc/trunk/www/server.wiki#cgi](http://fossil-scm.org/xfer/doc/trunk/www/server.wiki#cgi)

[3] import/export git: [http://fossil-scm.org/xfer/doc/trunk/www/inout.wiki](http://fossil-scm.org/xfer/doc/trunk/www/inout.wiki)

~~~
bachmeier
I'm almost in the same boat. I'm putting all new repos in Fossil.

I like being able to have complete control over the web interface. I like that
it's lightweight, unlike say Gitlab, yet provides a full website. I like that
the bug tracker is part of the repo rather than part of a company's
proprietary infrastructure.

The biggest advantage, by far, is that it's not Git. I agree that Git is good
for a lot of projects. It's an unnecessarily complicated beast for small
projects with a couple of collaborators, neither of whom are willing to spend
hours dealing with weird commands to handle a repo that got messed up for
unknown reasons. Fossil, unlike Git, is version control that others are
willing to use.

~~~
morbidhawk
I agree 100%, I'm a lot happier with it for personal projects especially once
I got the hang of it, and you get a lot of web tools that are baked into it
nicely. The only concern going into it was knowing that I couldn't change/undo
previous history but since using it I actually think that is a version control
feature you want (assuming you don't slip in a password) so you don't risk
losing previous data, you just have to be more thorough in looking at what you
are committing.

~~~
bachmeier
> assuming you don't slip in a password

You actually can delete a password using shunning, but it's not a regular part
of the development process. (I only mention that because many potential users
are scared off because they misinterpret not being able to change history.)

------
ggregoire
I'm curious about this topic. How do you write such documents (ToS, Privacy
Policy, etc)?

If you release a side project or a startup and you can't afford a lawyer like
GitHub probably does, what are the solutions?

~~~
kodablah
Do what a lot of people do, find your favorites, cobble together your own and
go from there. Of course a lawyer is best, but until you can pay for one and
at least while things like privacy policies are important for SEO, fake it
till you make it.

Of course you should actually abide by your own policies. You can even search
for common phrases[0] to see how many templates are out there.

[0] [https://www.google.com/search?q="We+use+regular+Malware+Scan...](https://www.google.com/search?q="We+use+regular+Malware+Scanning")

~~~
ggregoire
Thanks, I'll probably do that.

------
mjw1007
It's disappointing that they don't allow a user to have two accounts.

I don't want to take my personal github credentials to work, and my employer
doesn't use paid github services.

The effect is that if when I'm at work I come across a bug in a project hosted
on github, I probably won't report it.

------
cgtyoder
Section K.3. is very problematic - it is (essentially) the same as the
previous TOS. It states that github can restrict/delete your account for any
reason, at any time, without warning. This may be fine for trivial projects,
but if you're running a business and relying on github for actual revenue,
this is completely unacceptable. I have asked people about this, and their
answer has essentially been, Cross our fingers and pray it doesn't become a
problem. I won't use github for anything remotely serious until this
substantially changes.

~~~
justinclift
What would be better wording?

~~~
shakna
A warning, and an appeal process, would remove much of the worry in this area,
at least for the businesses I've worked with.

~~~
justinclift
That sounds sensible. Hopefully @nsqe is reading this and responds. :)

------
chad-autry
The new license grant to others is nicely explicit on what permissions are
granted on an unlicensed repo vs the old vague "you agree to allow others to
view and fork your repositories." Note that you CANNOT legally edit your fork
of an unlicensed repo. That would be violating the original repo's copyright.

[https://help.github.com/articles/github-terms-of-service-dra...](https://help.github.com/articles/github-terms-of-service-draft/#5-license-grant-to-other-users)

------
m0sa
they really should've done this as a pull request...

~~~
OJFord
Against what repository? There's no github/github.

~~~
Gaelan
Yes there is, but it's a private repo so we see a 404. Beside the point.

~~~
OJFord
Right, sorry, I meant to say 'public'. And I don't see that it is beside the
point, because there's no other relevant and public repository that I can
identify - no github/terms or whatever.

~~~
Gaelan
I was saying my own comment was beside the point.

------
LeonidBugaev
I'm really curious if new "Scraping" terms apply to API usage.

~~~
justinclift
"Scraping" is when a person downloads a full HTML page.

eg project repo page

Using the GitHub API (as intended) wouldn't be scraping.

------
lucb1e
I would assume Github, of all companies, would provide a git commit with a
diff. Alas.

Here is a diff:

[https://github.com/lgommans/terms-of-services/commit/32e5aef...](https://github.com/lgommans/terms-of-services/commit/32e5aef37853ae8f2aa054f33236051c13d84b58)

~~~
nsqe
We didn't provide a diff because the new Terms were not an iteration of the
old Terms; they were written from scratch.

As you can see from that diff, comparing the documents in diff form was just
confusing, so we didn't try.

We hope to provide future updates in PRs with a diff.

