
NVD3 Erased From Existence - foobar2k
http://loopj.com/2012/11/16/nvd3-erased-from-existence/
======
lazyjeff
Reading the Google Groups discussion raises some interesting questions:

What prevents other open source projects from being taken down with a
"management did not authorize this" notice? For example, what prevents Twitter
from saying Bootstrap was released by a rogue employee, invalidating the open
source license and rendering millions of websites in copyright violation?

What happens to the commits by other authors to the source tree? Do they own
the copyright to their commits, even if they modify invalid open source code?

How does the open source community react when this happens? Do they fork and
pretend the source code is legit open source? (from reading the discussion, it
seems like many developers have already forked the code and encouraged others
to work off it)

Perhaps there are reasonable solutions to these, but I'm interested to see how
this story unfolds, since it may affect how people think of companies open
sourcing code in the future.

~~~
jarrett
It's highly questionable whether a company has the legal authority to
retroactively revoke an open source license.

The legal doctrine of promissory estoppel is generally considered to protect
open source licensees. If you license something for free, and people come to
rely on that free licensing, they generally have a right to keep using it,
even if you change your mind and try to revoke it later. You can, however,
stop licensing the software to new parties.

Novus seems to be trying to get around this by claiming that the license was
never valid to begin with, because it was issued by a rogue employee. However,
I would argue that the doctrine of apparent authority applies here. That is,
to a potential licensee, there was no reason to believe that the open source
licensing was anything but company-sanctioned. (The rules for apparent
authority are actually a bit more nuanced than that, but the main point is the
same.) Thus, even if the employee did indeed act without authorization, I
think Novus would still be bound by the license.

Novus seems to be on shaky legal ground, and I find its cease-and-desist
questionable. Unfortunately, it would appear that the recipients of the cease-
and-desist opted to comply rather than risk a fight. So the scary thing is not
that companies can arbitrarily revoke an open source license--in fact, they
can't. Rather, it's that a letter containing vague legal threats can have such
a strong chilling effect.

~~~
jakejake
It is a conundrum. If I were to hack into Microsoft and obtain the source to
Windows 8, release it on github under the GPL - it seems highly unlikely that
would be honored. Although if even one single person downloaded it under GPL
then technically they should be able to distribute their own version under
GPL.

It seems like if the code is considered "stolen" there must be some legal
common sense. I would also imagine the longer the code stays as open source,
the less likely you'd be able to claim theft. If you immediately took it down
claiming copyright that would be one thing. If you knowingly left it up for a
year, though, that would certainly be a different situation.

~~~
georgemcbay
"It is a conundrum. If I were to hack into Microsoft and obtain the source to
Windows 8, release it on github under the GPL - it seems highly unlikely that
would be honored. Although if even one single person downloaded it under GPL
then technically they should be able to distribute their own version under
GPL."

While I think there is a lot of legal subtlety at play in the nvd3 case, I
think your case is a lot more clear cut. You never had the legal authority to
make the Windows 8 source code GPL in the first place, so the code isn't GPL,
no matter what the README you attached to it says and people continuing to
distribute it would be in clear violation of copyright.

Your Windows 8 example is pretty clear cut, sort of like if I steal your car
and resell it to someone else. Just because they bought the car doesn't mean
they own it, it still belongs to the original owner though the person who
bought it clearly has a legal case for restitution against the person who sold
it to them without owning it.

------
fuzzythinker
My trust with nvd3 pretty much ended when they pulled their finance part of
the library out few months ago without any notice. That tells me they are
capable of doing it again in the future.

EDIT: Now that I have thought about this more, since they pulled the finance
part of the library out before, it is very likely that they _did_ know about
the library being open sourced. That makes the story much harder to believe.

------
pygy_
It's a strange case to begin with:

The readme of the first public release says:

 _nv.d3 - v0.0.1_

 _A reusable chart library for d3 by Bob Monteverde of Novus Partners._

The license later said that the copyright belonged to Novus (not Monteverde),
under the GPL v3.

This means that they couldn't (nor could anyone) use the Free contributions in
closed source products.

Since Monteverde is responsible for ~95% of the code
(<https://github.com/RobertLowe/nvd3/graphs/contributors>) and he sounds
embarrassed by the ordeal, it looks like a dick move by someone above him at
Novus.

~~~
1qaz2wsx3edc
Hi,

Thanks, that's my fork; it was released under Apache 2.0.

<https://github.com/RobertLowe/nvd3/blob/master/LICENSE.md>

* 2. Grant of Copyright License.

* Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

Irrevocable copyright, I love it. It will stay open source and hosted there.

Bob should not get all the blame. Novus is clearly handling this poorly.

EDIT:

I'll accept pull requests, and if anyone had issues, please repost them.

~~~
jnbiche
Thanks for your stand, Rob. If anyone doubts that Novus knew about this
project, consider that it was hosted on the official company github account
and was sitting there under an open source license for almost a year. Take a
look for yourself in the job ad posted on HN in September:
<http://news.ycombinator.com/item?id=4463689> It's even referred to as "open-
source" in the ad. I'm guessing that when Bob asked if he could build an open
source library to use with company projects, his boss told him "sure, knock
yourself out". But now his boss's boss, or maybe the CEO, sees how nice it
looks and wants to put the genie back in the bottle.

Luckily, "un" open sourcing projects under Apache, BSD, MIT, GPL, etc. is not
so easy.

~~~
shardling
Here's a direct link to the job posting, since it was hidden behind the "more"
link for me: <http://news.ycombinator.com/item?id=4464588>

Also, the poster (wheaties) is not Bob, since they mention Bob in the third
person a few times in other posts.

------
kevingadd
The discussion thread is interesting - it is strongly implied that NVD3 was up
publicly and widely used for ~9 months, and its open source release seemed to
have been approved by management.

Are there any other notable examples where a project was 'open' for such a
long period of time and then the company that claimed to own the copyrights
tried to un-open it? It seems like there's a huge potential for nasty side
effects when something like this happens. 9 months is long enough for lots of
people to start relying on a library that's been released under a permissive
license like Apache2 and then suddenly have the rug pulled out from under them
because a vendor either did a terrible job of protecting their copyrights or
decided to take their toys and go home.

~~~
manaskarekar
Not just that, the company might actually integrate the ideas and development
from others gathered during this 9 month oops period into its now conveniently
closed source product.

------
yenoham
I find it remarkable that the 'management' would want to do this. This makes
their company look ridiculously out of touch; by now LOTS of people have seen
and edited this code themselves, and have copies; you can't put that genie
back in the bottle.

They could have used this to their advantage by simply allowing it to stay
open but requiring that their company/brand name be used in the project (like
Twitter Bootstrap), thus allowing the company to be seen as a supporter of the
open source community without much effort on their part. Now they look the
exact opposite of that, by doing something that would require huge effort and
resources to achieve/maintain.

~~~
ISL
There's still time, if that's something they wish to do.

If/when the whole story emerges, it'd be neat to hear.

------
btipling
NVD3 leaked memory terribly. For us creating and removing a small number of
charts quickly ate memory in the tens of megabytes. While the code was
readable, it was not a very efficiently written library. I also took issue
with how it used a global shared function to throttle chart generation. This
feature did not seem to work very well but I did not spend much time with it
once I saw the memory footprint.

NVD3 is one of many chart libraries that placed more emphasis on design than
robustness. Having gone through many charts I wonder if any of these
developers have heard of the Profiles tab on web inspector.

Something like NVD3 can be used on a static page that isn't live updated for a
short time. But a long living application will have problems.

In other words, don't worry. NVD3 wasn't very good. Go look at the basic
chart examples on the d3 examples site. It is not hard to build graphs with
d3. You don't need NVD3.

Having said this, I thought the NVD3 editor was pretty cool. Better than the
actual library.

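As an added illustration of the retention pattern btipling describes above (a global shared throttle that keeps hold of charts after they have been removed), the following is example code written for this page, not NVD3's or flot's own code. The DOM node, the throttle registry and the two chart constructors are constructed stand-ins so it runs under Node.js without a browser or d3:

```javascript
// Added example (not NVD3 or flot code): a toy chart manager with a
// module-level throttle registry of pending render callbacks, modelled on
// the "global shared function to throttle chart generation" pattern
// described in the comment above. Everything here is a constructed stand-in.

// Stand-in for a DOM element: a children list plus a payload large enough
// that retaining it would be visible in a heap snapshot.
function makeNode(id) {
  return { id, children: [], data: new Array(1024).fill(0) };
}

// Global, shared throttle registry: every chart adds a render callback here
// and a single scheduler would normally drain it. It lives for the whole
// page, so anything reachable from it lives for the whole page too.
const pendingRenders = new Set();

// Leaky form: remove() detaches the SVG node but never unregisters the render
// closure, so the registry keeps the detached node, its data and anything
// bound to it alive indefinitely.
function leakyChart(container, id) {
  const svg = makeNode(id);
  container.children.push(svg);
  const render = () => svg.data.length; // closure captures svg
  pendingRenders.add(render);
  return {
    remove() {
      container.children = container.children.filter((n) => n !== svg);
      // Missing: pendingRenders.delete(render)
    },
  };
}

// Hardened form: the chart owns its registration and drops it on remove(),
// so the detached node becomes unreachable and can be collected.
const pendingRendersFixed = new Set();

function fixedChart(container, id) {
  const svg = makeNode(id);
  container.children.push(svg);
  const render = () => svg.data.length;
  pendingRendersFixed.add(render);
  return {
    remove() {
      container.children = container.children.filter((n) => n !== svg);
      pendingRendersFixed.delete(render); // last reference to svg goes away
    },
  };
}

// Create and remove n charts against a fresh container, then report how many
// nodes are still attached, how many render closures this run added to the
// registry (each one pinning a detached node), and the registry's total size.
function churn(factory, registry, n) {
  const before = registry.size;
  const container = makeNode('container');
  for (let i = 0; i < n; i++) {
    factory(container, `chart-${i}`).remove();
  }
  return {
    attached: container.children.length,
    retained: registry.size - before,
    totalRetained: registry.size,
  };
}

// The create/remove loop of a long-lived dashboard: the leaky registry grows
// by one closure per chart ever created; the fixed one stays empty.
function demo(n) {
  return {
    leaky: churn(leakyChart, pendingRenders, n),
    fixed: churn(fixedChart, pendingRendersFixed, n),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(100)));
}
```

Running the file under Node.js reports 100 retained closures for the leaky registry and 0 for the fixed one, with 0 nodes attached in both cases; calling `demo()` again grows only the leaky total. The per-cycle growth, not the absolute size, is the number to watch in a heap snapshot from the browser's Profiles tab, where the pinned nodes show up as detached DOM trees.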
~~~
mamcx
>NVD3 is one of many chart libraries

Which ones are the opposite of this? I.e., for people without enough
experience it could be a good idea to know which ones are bad in this regard
and which ones are good.

I'm on the hunt for a chart library. So far, I'm thinking of Google Charts and
Highcharts.

~~~
koide
flot is nice, at least for real time updates on charts. I'm building a
websockets enabled realtime dashboard with flot, left it running last weekend,
did not leak a bit.

~~~
btipling
Flot actually leaks quite a bit. We use flot at work and I had to hack the
code to keep it from leaking. It doesn't leak as badly as NVD3, but it leaks.
If you check memory snapshots you will see it never surrenders the canvas
element, even if you call shutdown on it.

~~~
koide
I wonder what I did wrong on my testing. How did you test and against what
version? Do you have a public version of your app or tests?

------
Void_
Does this mean we have to stop using it? If they once released it under
permissive license, can they just change it and sue me if I still use it?

~~~
pudquick
The gray area here is their claim: That it was done without their approval.

If the company is the copyright holder, then the license that the code was
released under was invalid from the start - regardless of it being out in the
public.

Just because someone gets some Microsoft internal code and slaps an open
source license on it and releases it to the public, that doesn't mean every
company is now free to use the code without reprisal from Microsoft.

They're not "changing" the license - they're saying it never existed / was
never valid in the first place.

Now, if they had done it officially - then yes, the best they could do was
dual / re-license it. Being the copyright holder, they have the right to do
this at any time. They could then stop work on the original open source
licensed version and from that point on, internally, continue to develop their
closed source version (minus the contributions to the open source fork).

The open source (older) version would continue to exist, separately, and
continue to be free for use.

If someone has a business/product built on using nvd3 and they come after them
with a cease and desist / demand for money, the business in question could
definitely take them to court over it and attempt discovery to find internal
documents indicating whether it was truly approved or not - which would then
either ratify or abolish the license once and for all.

~~~
wtracy
Once they can reasonably prove that it was done without authorization, could
you personally sue the rogue employee for damages, I wonder?

~~~
chris_wot
Well, of course.

------
fuzzythinker
Found this dc.js library reading the thread. Looks interesting.

<http://nickqizhu.github.com/dc.js/>

------
rcthompson
I don't know the back story behind this, but I just want to say that this is
by far the most respectful and reasonably-worded takedown request I've ever
seen.

~~~
georgemcbay
Funnily enough, while it comes off as a very reasonable request
linguistically, it is one of the most offensive takedown requests I've ever
seen, given the backstory of this library.

------
dkural
I am very concerned that, due to GitHub relying on private repositories for
revenue, it has been all too eager to comply with this very legally
questionable takedown request. Do we need an "open" GitHub that is truly on
the side of open source software?

~~~
mmcnickle
The "takedown" notice was issued to the owner of the nvd3 repository, _not_
GitHub. The owner of the repo decided to comply.

------
mangler
Some publicity is bad publicity, Novus Partners....

------
RyJones
As someone that works on releasing open source products from a closed source
company, this is scary reading. Suddenly, all of the checks and balances we
have to hurdle seem reasonable.

------
chris_viau
It seems like NVD3 is back from the dead:

"Please see Novus' official statement on nvd3 with an explanation, apology,
and commitment to its permanent status as an open-source project. We know this
was a shock and a major inconvenience, but we want to regain the community's
trust and involvement. Please see the full statement at:
<http://nvd3.org/statement.html> "

------
maxaf
Please see Novus' official statement on nvd3 with an explanation, apology, and
commitment to its permanent status as an open-source project. We know this was
a shock and a major inconvenience, but we want to regain the community's trust
and involvement. Please see the full statement at:

<http://nvd3.org/statement.html>

------
charlesboudin
All of the comments seem to be very USA-oriented, but if one wants to learn a
lesson from this we should also discuss other POVs. Does anyone know how a
similar case would be handled in the EU? Or just using a fork after the cease-
and-desist: does estoppel and so on exist there?

------
daseme
Apparently it is on its way back up:
<https://twitter.com/bobmonteverde/status/270646593257078785>

------
yason
Putting the specifics of this case aside, the whole question underlines once
again the questionable sanity behind copyright and intellectual property. The
corner cases like these are a signal that the copyright thinking isn't
entirely in alignment with reality. With physical goods it's very clear: if an
employee had gone rogue and given away a prototype device built by the company,
any resale of that device would naturally be illegal (it's illegal to buy and
sell stolen goods) and the device could eventually be returned to the company.

However, with bits, things are different. Bits can be copied, they can't be
stolen, and bits aren't unique things whose possession can be controlled.
Thus, the idea of copyright is to "own" the copyrighted works so as to control
making copies of it. The company tried to assert that it owns the library and
extrapolate from there that they could control the bits that represent copies
of the library. But if the thing companies intend to control is the idea or
"the works" instead of the physical bits then we're faced with another
dilemma.

Consider if the leaked thing was a trade secret, which is an idea with no
physical presentation. The trade secret was published without permission by a
rogue employee and thus it wouldn't be a secret any longer, then how could the
company possibly claim it _could be restored_ somehow? How could anyone who
had read about the trade secret explicitly unmemorize it? There are no
physical copies or bits to destroy, the idea would simply live in peoples'
minds and eventually travel to the company's competitors. The cat's out of the
bag, what can you do.

I think that in this case, the only plausible view of what actually happened
is just that. The culprit is the employee who should be liable for the damages
if it turns out that he actually did publish the source code without a
permission. (Based on the comments even verifying that is still uncertain.)
Similarly, if an employee smuggles in GPLv3 code in to the company's codebase
then the company can't just shrug that off, and must release their proprietary
source code as GPLv3.

Both are quite harsh conclusions. It seems that for any company larger than a
few dozen people would eventually bump into one of these two cases. Employees
would have to require written permission from their managers to release source
code. (What if their managers didn't have the permission to give that
permission?) Companies would have to audit all new source code before adding
it to their version control system. (Nearly an impossible task unless commit
lag of months would be considered agile in their line of business.)

In practice, things don't work either way, as long as copyright is removed
from the realm of bits, data, and software and the concept of intellectual
"property" is disintegrated from the beginning. When companies stop relying on
those delusions and base their business on things that actually work in real
life, they are relieved of much suffering.

~~~
kabdib
If you "copy" the bits that happen to open up access to my bank account, I'm
not likely to use the word "copy", I'm going to say "stolen" and involve the
police.

Similarly, if you "copy" the bits that I'm trying to monetize (they're a book,
or a movie, or a computer program), I will also prefer the word "steal" and
likewise involve the police.

Just because a low-level mechanism ("hey, we /copy/ bits, we don't destroy
them! You still have them!") enables behavior on your part does not make that
behavior ethical or lawful, nor does it imply that the notion that someone can
control ownership of mere bits is bankrupt or delusional.

~~~
jrockway
If you "don't read" my book, I'm going to call that "stealing". After all, if
you had read it, I would have gotten $20, and I didn't get my $20, so you must
have stolen something from me.

(Do you see how insane this is?)

~~~
kabdib
(facepalm)

------
spiritplumber
Anyone got a backup?

~~~
smoyer
Do you really want to use a library with a questionable license in your
project? Even if the source is widely available, it would be safer to consider
it tainted.

------
pebb
Time to sue Novus Partners I guess.

QUOTE

    I'm one of the 30 other individuals that actually patched and committed changes for Bob to include in nvd3.js; I'm looking for contacts for the other 29 contributors. (Please contact me using the feedback form on congocart.com or master-technology.com.) I would like one of us (I'm willing to volunteer) to contact Mr. Qunibi of Novus Partners in a position of consensus from those who actually have code in the product.

    My thoughts on what I believe would be amicable (i.e. win/win) to both sides: they can have our permission to take ALL of our changes closed source in their own future versions, as long as we (the community) may also use the last release under the open source (Apache) license it has been under since shortly after it was released on their official Novus GitHub account, and go our own separate way. I know my changes were really early to the library and some of my code may not even exist anymore (lol).

    But I believe the cost for them to audit the whole library and rip out all of our changes and rewrite it all could be major -- I believe Bob could legally remove all of our code; but for the actual re-implementation Bob would have to hand it off to someone to do a fully clean-room version to make them legally safe from being sued. And that could be very costly in time and resources. Cost wise, it might even be cheaper for them to ditch the last 6-7 months of changes and just revert to the version before my patch/commit (which was issue #3 <G>). So I think we might be able to make this a win/win proposition if I can get the consensus of the other 29 contributors.

Nathanael A.

