
“This project violates the MIT license of Gemstash” - throwaway0071
https://github.com/GoogleCloudPlatform/google-cloud-gemserver/issues/36#issuecomment-324503159
======
DannyBee
So, speaking for Google (for once): We're on it (and about to post a
response), but a number of us have looked at this, and having trouble finding
any actual code in common between the repos at all (let alone any where the
license was changed).

I can find parts that depend on the gemstash project being installed, but
nothing that appears to actually have been taken from the gemstash project .

I'd someone here sees some, i'd really appreciate letting us know (here, or
email me at dannyb@google) so we can go fix it.

~~~
PappaPatat
Nothing to find as far as i can see. All that's done is import a gem like
anyone would who's project who depends on an external gem. Mr. Indirect seems
to have had a bad day, take it easy :)] Edit: Seems more just a google
criticaster [https://indirect.tumblr.com/post/164152747613/so-ive-been-
th...](https://indirect.tumblr.com/post/164152747613/so-ive-been-thinking-
about-this-google-manifesto)

~~~
Gigablah
That's not the same @indirect.

~~~
andars
[https://github.com/indirect](https://github.com/indirect) links to
[http://arko.net/](http://arko.net/), which links to
[http://indirect.tumblr.com/](http://indirect.tumblr.com/).

~~~
Gigablah
Ah, I stand corrected, looks like the blog belongs to him, but the article
itself was written by someone else (@williampietri).

------
lfowles
From what I see, google-cloud-gemserver uses gemstash[1] but does not include
its source. Am I somehow misunderstanding the accusation "You forked this repo
from the Gemstash repo"?

[1]: [https://github.com/GoogleCloudPlatform/google-cloud-
gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-
gemserver/blob/d42da74fa9c1f139d49198d1ac38ebec20317063/Gemfile)

~~~
jsmthrowaway
I'm on mobile so reading the code is hard, but after digging through much of
both repos, this doesn't look like a fork at all. I see some code that _looks_
like it's from gemstash, but that's far different than a fork -- not better,
just significantly different, as evidenced by the comments here suggesting
malice and license stripping.

Is the allegation that it was forked and then more than half of gemstash
deleted? Seriously, read the code, even the gem architecture is different. "I
found some gemstash code which btw is MIT and can be embedded all day long"
does not deserve lawyer threats, and I say that disliking Google.

More embarrassed for the issue author here, who went straight for an outrage
jugular without understanding the entire situation, and probably submitted
this thread to HN too.

~~~
mcguire
sillsm just responded:

Hi Andre, I'm Max from Google's open source office.

Thanks for bringing this to our attention. We've stared at both repos, and
we're having trouble finding any actual copy/pasted code between them.

We don't strip license headers or change code licenses intentionally. We
always aim to respect open source licenses. If we made a mistake here, please
help us fix it.

It looks like GoogleCloudPlatform/google-cloud-gemserver depends on gemstash
existing, but we can't find any copied code. It doesn't appear to be a fork.

We'd really appreciate it if you could give us pointers to the code you think
was copied from your project, so we can fix it.

------
dak1
This is a teachable moment for a young student. Let's avoid crucifying them.

We've all made mistakes, most of us were just fortunate enough that it didn't
end up as the top link in Hacker News.

~~~
jrowley
Yeah, blame should be placed on whoever did the code review, but this is
probably something the intern learned/got away with in school.

~~~
donatj
Yes. I don't know what the rules for making code public are at Google, but
where I work we are incredibly cautious.

I would have thought Google would have been far more cautious.

~~~
jonknee
If you look at the repo it's not clear at all if there is an issue. It's
certainly not a fork of a repo. It actually includes gemstash as a dependency
[1] which is a really weird thing to do if it was actually a copy of gemstash.

[https://github.com/GoogleCloudPlatform/google-cloud-
gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-
gemserver/blob/master/Gemfile)

If there is a lack of caution I think it's on @indirect's side.

------
carussell
One of the primary beefs from the person filing the issue seems to be that the
project in question (google-cloud-gemserver) is not also licensed as MIT:

> As I'm sure you're aware, the MIT license [...] does not allow you to change
> the license.

This demonstrates a poor understanding of licensing. The MIT license is a
permissive license, not a reciprocal ("viral") one. I.e., you're free to
incorporate it into other projects even when those projects themselves are not
licensed as MIT.

This wouldn't look so silly if it weren't the case that:

1\. The MIT license text's brevity is very to-the-point

2\. It goes further than similar licenses (e.g., ISC, BSD) and explicitly
names sublicensing when enumerating its (inexhaustive) list of permissable
uses

3\. The other software project in question is licensed under Apache License
version 2.0, which is more or less functionally equivalent to MIT, modulo some
patent termination stuff.

EDIT to everyone commenting about "relicensed MIT files", and "changing the
license": Stop that.

If you mean that it's required to reproduce the text of the license and the
copyright notice somewhere in the end result (a la Firefox's about:license),
then say that. This conversation would go a lot smoother that way instead of
you endlessly repeating about a "license change". Say what you mean.

~~~
steveklabnik
> This demonstrates a poor understanding of licensing.

It doesn't; while the MIT is a permissive license, that doesn't mean that it
lets you change the license.

> you're free to incorporate it into other projects even when those projects
> themselves are not licensed as MIT.

This is true, but you still have to follow its terms, just like any other
license.

(I have not actually looked at the repo or investigated the details in this
specific case.)

~~~
carussell
I don't know what "MIT [doesn't let] you change the license" is supposed to
mean.

The original project is licensed under MIT. The Google project said to
incorporate that code is licensed under Apache 2.0. This is permitted by the
terms of the MIT license.

If there is any wrongdoing here, it looks like a failure to `git add
./NOTICES.txt`, and that's as simple as the remedy to it would be, too.

~~~
masklinn
The problem is not that the project is Apache licensed, it's that (according
to TFA anyway) the project relicensed MIT files as Apache 2 and removed
attribution, both of which are verboten.

You can have MIT-licensed files in an Apache-licensed project, you can not
strip out their original licenses and put yours instead.

------
Flammy
> Stealing software from a non-profit that you refuse to support, even though
> you depend on the work it does, is extremely not cool.

If this truely was an intern who did this, "you refuse to support" and "you
depend on the work it does" are kind of stretches.

Obviously stripping the crediting and copyright details is an incredibly poor
decision, but not like this intern has any part of Google's decision to
support Ruby Together or not.

~~~
movedx
The intern represents Google in all regards and actions.

------
apetresc
The author of Gemstash is clearly trying to wring as much outrage from this as
he possibly can. This is blatantly NOT a fork, it's a wrapper. On Twitter he's
stepped down from the "fork" accusation and downgraded it to "he used our
README", but seems to be enjoying the attention too much to amend his original
complaint.

~~~
bpicolo
The READMEs are very different

~~~
apetresc
I agree. The guy's accusation doesn't make sense on a number of levels. I'm
just quoting him, not endorsing him:
[https://twitter.com/indirect/status/900461424865980416](https://twitter.com/indirect/status/900461424865980416)

~~~
ravisutrave
And finally he confesses that there is nothing wrong!

[https://twitter.com/indirect/status/900525357459161088](https://twitter.com/indirect/status/900525357459161088)

------
hawkice
A lot of people are talking about this being a teachable moment. I suppose
that's true. [EDIT: or is it? This intern probably didn't do anything wrong?
Rest of comment relevant to discussion more than the link.]

But I've managed someone who took code from the internet (multiple files, a
whole sub-project, really) and tried to pass it off as their own. I pointed
out they left the license info at the top of the files, and so it was pretty
easy to tell it violated the license terms. I got push-back about it, saying
they just wanted to deliver the feature (the code didn't do that, but
whatever). I said I was glad the code didn't get deployed, and said we could
work on requirements so a clean room implementation could be done. So far,
yes, teachable.

Then he committed the same code with the license information removed.

Then I fired him.

There's simply no other way to handle these situations. It's unprofessional in
the extreme to plagiarize, and is a lawsuit magnet to boot.

------
bhhaskin
Well this is a bit awkward. It doesn't seem to be a fork at all. or share any
code with gemstash.

~~~
INTPenis
Also it was posted to HN by an obvious throwaway account. Oh the drama...

------
curiousgal
What is up with the tone of that post? It seems that this is his first attempt
of contacting them and yet words like "lawyers" and "super gross" are brought
up.

~~~
drez
Yes, they clearly came with pitchforks ready, probably from feeling burned by
GCP ("GCP has repeatedly declined to support Ruby Together in the work
[...]").

It also doesn't seem clear that the code was forked at all, making this whole
exercise pointless.

------
jimrandomh
The last comment on the issue tracker is:

"Hi Andre, I'm Max from Google's open source office.

Thanks for bringing this to our attention. We've stared at both repos, and
we're having trouble finding any actual copy/pasted code between them.

We don't strip license headers or change code licenses intentionally. We
always aim to respect open source licenses. If we made a mistake here, please
help us fix it.

It looks like GoogleCloudPlatform/google-cloud-gemserver depends on gemstash
existing, but we can't find any copied code. It doesn't appear to be a fork.

We'd really appreciate it if you could give us pointers to the code you think
was copied from your project, so we can fix it."

Whoever used a throwaway account to get this onto the front page of HN, less
than an hour after that issue was posted on GitHub: that was an irresponsible
and wrong thing to do.

------
Kiro
How does he know that it was forked from Gemstash? I don't find the code
similar aside from it using Gemstash as a dependency in a lot of places.

~~~
rickyc091
From what I can tell, it looks like Gemstash was used as a reference to build
google-cloud-gemserver. There are certainly pattern similarities, but a lot of
the codebase has been rewritten. The foundational structure is definitely very
similar, but the code within it is different.

 _Edit >> Adding References (Excuse my formatting.)_

gemstash.rb

* [https://github.com/bundler/gemstash/blob/master/lib/gemstash...](https://github.com/bundler/gemstash/blob/master/lib/gemstash.rb)

* [https://github.com/GoogleCloudPlatform/google-cloud-gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-gemserver/blob/master/lib/google/cloud/gemserver.rb)

version.rb

* [https://github.com/bundler/gemstash/blob/master/lib/gemstash...](https://github.com/bundler/gemstash/blob/master/lib/gemstash/version.rb)

* [https://github.com/GoogleCloudPlatform/google-cloud-gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-gemserver/blob/master/lib/google/cloud/gemserver/version.rb)

setup

* [https://github.com/bundler/gemstash/blob/master/bin/setup](https://github.com/bundler/gemstash/blob/master/bin/setup)

* [https://github.com/GoogleCloudPlatform/google-cloud-gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-gemserver/blob/master/bin/setup)

Just a few examples of similarities. The file location is identical as well.

~~~
whistlerbrk
With the exception of the setup bit, the rest of those links are totally
standard Ruby gem setup.

~~~
jsnell
That's bundler boilerplate, totally verbatim:

[https://github.com/bundler/bundler/blob/master/lib/bundler/t...](https://github.com/bundler/bundler/blob/master/lib/bundler/templates/newgem/bin/setup.tt)

------
gfodor
Title should be changed, its unclear if the license was actually violated, all
that has happened is that the author of gemstash has claimed that is the case.

------
pitaj
It looks like more of an ignorant / stupid mistake than anything else.

~~~
jf
I'd be willing to believe that removal of a license file could be accidental.
However, what is being discussed here is wholesale replacement of a license
notice in multiple files, which is much harder for me to believe is a mistake
made out of ignorance or stupidity.

~~~
donatj
I could easily see someone who hasn't actually read the license and not
knowing anything about software licenses other than that he needs Googles
doing this.

------
eadz
This appears to be a wrapper around gemstash, not a fork and relicense.

[https://github.com/GoogleCloudPlatform/google-cloud-
gemserve...](https://github.com/GoogleCloudPlatform/google-cloud-
gemserver/search?utf8=%E2%9C%93&q=gemstash&type=)

------
zaidf
HN Editors should revise the headline since it seems far from established fact
that the intern violated the MIT license.

If it actually turns out that the intern did't violate the MIT license after
all (as some seem to suggest), he should retain an attorney for having his
reputation smeared.

------
jcranberry
Intern made a stupid mistake. Nothing new. Move along.

------
AaronFriel
I don't know much Ruby, but it looks like gemstash is merely a dependency of
this, and this repo isn't a fork.

------
hamami
Looking at the two repos it's not clear to me whether it's even a fork or not.
The issue owner didn't state which files he thinks are forked from the
Gemstash repo. Also, MIT license is a permissive license and does allow sub-
licensing, so his comment that you cannot change the license is not entirely
correct. However the intern should have kept the original MIT license along
with the Apache license, adding a note that MIT license only applies to
specific portion of the project (that is, if he forked that repository in the
first place..)

------
blaisio
At the time of writing, this post title is clickbaity and presumes guilt
without any actual evidence. This is not what I want to see on hacker news.

------
surrey-fringe
I don't think I would hang out with Andre Arko.

------
Rjevski
I think the tone of the message is unnecessarily harsh. Nobody got hurt and
you didn't loose any money on this, so chill out.

------
Jonas_ba
Undoubtedly a very bad thing to do from the intern, however I feel that if we
treated this correctly we could open a debate and encourage GCP to add
support. Let's not forget that this can likely ruin someone's career. It's a
stupid intern mistake, let's try to get something good out of it.

------
0xBA5ED
>Stealing software from a non-profit that you refuse to support, even though
you depend on the work it does, is extremely not cool.

A bit emotional, aren't we? If the intern did wrong, you already have the high
ground without arguments like this.

------
darren0
When I read this issue I think it just reflects poorly on the author of the
issue. I see no reason to assume ill will. Notification of violating the
license is definitely needed, but the tone of the issue is uncalled for.

------
ocdtrekkie
What would you call what actually happened here? Whitelabeling? It doesn't
appear to be a license violation since no code from the other project is
included here, but I presume this repo basically wraps Gemstash's
functionality, and doesn't really mention (outside of the code itself) that
that is what it is doing.

It may not be a license violation, but "Google Cloud Gemserver", if it is
functionally similar to Gemstash's own functionality, sounds like a
rebranding, which... feels uncomfortable?

------
ftxrcc
This looks more like a case of Google hate more than a MIT license violation.
I've looked at the repos and as others mention, the project is not a fork but
a wrapper and they share no code. Others have also mentioned that the author
of the issue has made clear his dislike for Google. Combined with the
throwaway account posting to HN 30 mins after, this smells fishy.

------
samfisher83
It doesn't look like the guy copied code. I can't see where the google guy
copied code.

------
antoinealb
Where do we see that it was an intern ?

~~~
jbob2000
There's only one contributor to the repo, Arham Ahmed, arhamahmed, Computer
Engineering Student (BASc) 2019 at @uWaterloo

~~~
movedx
2019?

~~~
sevagh
Date of expected graduation, probably.

------
skoocda
This should probably be re-titled now that it's been resolved. @dang is this
possible?

------
amelius
The original code and license was still there on GitHub (albeit in a different
project). So in legal terms, is there even an issue?

In other words, does the law make a distinction between a git repo and a
website like GitHub?

------
wcr3
Title is misleading. Doubt OP (using a throwaway account) even read the
comments; great work.

------
ravitation
Did anyone actually read the issue comments? Or just the headline?

------
another_2
Plot twist: this is actually all staged by Google to get some attention to
their project.

------
dilly_li
I bet his manager did not emphasize the importance of licensing external
codes, although this kind of licensing issue must have been covered during
some orientations at google.

------
altotrees
So, it seems there is way more backstory to this than the issue spells out (or
only starts to). Can anyone provide a bit more context? Was this done in a
backhanded, malicious way? Did Google tell their intern to start this project,
or is it his side project? I mean, it's not cool either way, just curious.

~~~
wnevets
>Can anyone provide a bit more context? Was this done in a backhanded,
malicious way?

according to the complaint he removed the existing licenses and replaced them
with apache. That sounds kinda sneaky

~~~
chimeracoder
> according to the complaint he removed the existing licenses and replaced
> them with apache. That sounds kinda sneaky

That can't be the whole of it, though, right? Because the MIT license allows
relicensing. For example, I can redistribute an MIT-licensed project as part
of a GPL-licensed one, although I do still have to include the original MIT
license as part of the project, even if the whole project is redistributed
under different terms.

It's not really the right way to handle a relicensing, but to be quite honest,
it's easy to make minor technical mistakes with free software licensing even
if you're acting in good faith and trying to do something that is ultimately
permitted by the license

Heck, even the term "MIT license" is technically not recommended by the FSF,
as it's ambiguous (they recommend the unambiguous and equivalent term "X11
license")

------
jjuhl
That is not cool. Respect the licence the original author used or just stay
the f __* away.

