
New GitHub Terms of Service require removing many open-source works - gamache
https://www.mirbsd.org/wlog-10_all.htm
======
bmh_ca
IAAL. My reading of the article and the terms of service strongly suggest that
the author of this article is not well informed on the subject.

For example, my informal and cursory analysis of the article:

> Section D.7 requires the person uploading content to waive any and all
> attribution rights.

It does not. The Github license requires a waiver of the requirement of
attribution insofar as such waiver is needed for Github to do what it already
does e.g. as the license indicates, provide search results without
attribution.

Further, only Github has been given this waiver. Anyone else is still held to
any requirement of attribution.

> section D.5 requires ... the right to “reproduce your Content solely on
> GitHub as permitted through GitHub's functionality”, with no further
> restrictions attached; this is a killer for, I believe, any and all licences
> falling into the “copyleft” category

While D.5 does permit performing, using, and displaying of a work, it permits
reproducing on GitHub only. Any copying from GitHub not granted by way of
another license would be a violation of the author's copyright.

Use, performance, or displaying in the absence of a right to reproduce strikes
me as a rather narrow set of rights.

I stand to be corrected, but I see nothing sinister, nefarious, or unwarranted
by GitHub.

YMMV. If you need legal advice, retain a lawyer.

~~~
libertymcateer
IAAL as well.

I think you've convinced me. I was concerned that the use, performance or
display may be a problem... but thinking it through, I do not really see this
as an issue with most copyleft licenses. They are usually tied to distribution
of code - which is reproduction.

I echo your disclaimer. If you need a lawyer, get one.

~~~
lukas
This is a little off topic but these comments make me wonder: why are lawyers
so reluctant to give informal advice? I really appreciate the two thoughtful
and informed comments at the top of this article here - why the disclaimers? I
look for and give informal advice about all kinds of other topics that have
the same levels of ambiguity and sometimes the same levels of importance as
legal issues but it's always a real challenge to get a lawyer to weigh in
informally on a legal issue.

If someone asks me my opinion about an engineering or management issue they're
facing, I'll give it to them knowing that I don't know the complete set of
facts and they should take my opinion with a grain of salt. I might be missing
important context and I might just be wrong. If I ask someone else advice on
any topic, I assume that there is an implicit disclaimer. Is there something
fundamentally different about the law? Is it because lawyers are in the
business of giving advice?

Anyway, appreciate you guys weighing in and hope you do it more frequently :).

~~~
libertymcateer
> This is a little off topic but these comments make me wonder: why are
> lawyers so reluctant to give informal advice?

Because an attorney-client relationship is created when the client _reasonably
believes it to have been created._ As a result, you have to be really fucking
clear that people are not your clients because, when making the determination
of whether someone has reasonably determined that someone is their lawyer,
courts look to what the average bloke would think - i.e., a total dumdum. So
you really have to hit people over the head with the fact that no, you are
_not_ their lawyer.

So, the second part of this is that when an attorney-client relationship is
created, the attorney has a tremendous amount of duty to the client, and, if
the client acts on the advice of the attorney and gets results they do not
like, they can sue the attorney for malpractice.

> If someone asks me my opinion about an engineering or management issue
> they're facing, I'll give it to them knowing that I don't know the complete
> set of facts and they should take my opinion with a grain of salt.

Are you a licensed Professional Engineer? If so, for the love of Odin's beard,
stop giving informal advice, as you are exposing yourself to professional
liability.

Licensed professions - accounting, medicine, law, professional engineering -
have extremely high duties of care to their clients. They are exposed to
malpractice liability when things go wrong. They have ethical obligations. It
can be extremely hard to fire delinquent or terrible clients.

To put it a completely different way: lawyers give advice _as their job_.
There is no such thing as "informal advice" from a lawyer, the same where
there is no such thing as a "pick up game" with an NBA player. It is their
primary occupation. I don't do it for free - I charge a pretty stiff hourly
rate. And every time I take on a client, it has impacts on my firm's
malpractice insurance. In fact, I _cannot_ take on clients without the
explicit approval of the managing partner at my law firm - I get his written
approval for every single one. To make it clear, the managing partner is the
guy who, if there was a war between all the lawyers, gets to wear the biggest,
fanciest hat. So, no, I am not just going to do the thing I do for my day job
as a favor to someone else, any more than your computer programmer friend
wants to fix your iphone.

Does that go some distance to answering your question?

~~~
DanielBMarkham
Great answer! Thanks.

Related question, _"... if the client acts on the advice of the attorney and
gets results they do not like, they can sue the attorney for malpractice..."_

Does that really happen a lot, or is it just something that they drill into
you in law school? I never hear about attorney malpractice suits.

~~~
libertymcateer
Why would you? They are deeply embarrassing and lawyers try to make them go
away as quickly and quietly as possible. However, the big ones do make the
headlines - BUT, while I read Hackernews every day, and you likely do too - do
you ALSO read law360, aboveTheLaw and the New York Law Journal? Because that
is where you read about malpractice lawsuits. Not on techcrunch. And trust me
- they happen _all_ the goddamn time. _All_ the goddamn time. There are
lawyers who do nothing but sue other lawyers. There is an entire legal
malpractice insurance industry.

And, importantly, if you are a litigator - as in, someone who sues people for
a living - your clients are already demonstrably the sorts of people who are
willing to sue when they are pissed off. It is not unreasonable to assume that
if things go wrong in these circumstances, people turn on their lawyers.

------
chad-autry
_pfffft_ Bunch of yammering without any good analysis. Disappointing.

The new terms don't do anything except make explicit what they were already
doing.

D.7 + D.4: They were already doing activities these terms explicitly give them
the right to do. They are internally copying (backups), modifying (compressing
and indexing), and displaying anything uploaded. If having it spelled out
violates your license, I don't see how them just doing it without having it
spelled out doesn't also violate the license. Maybe this just shifts where the
license violation is occurring from GitHub's doing to a user's uploading, but
it doesn't change the fact that a license is being violated somewhere on
either the old or new terms.

D.5: This section was already in the old terms! The new terms actually clarify
and limit what they mean by "fork". It still doesn't give the forking user a
right to modify, just create their own copy within the context of GitHub. You
already granted users the right to "fork" anything publicly submitted under
the old terms.

D.3: The rant (the writer's own tag, but I find it appropriate) is just
nitpicking here. It omits the reason why they would remove content, which
is because it violates their policies. GitHub needs this right to enforce
their content restrictions. Also, if GitHub ends up removing partial content
such that it violates the license it was submitted with YOU aren't the one
breaking the license. They are.

~~~
majewsky
> modifying (compressing and indexing)

Is this really modification in terms of copyright law? (Honest question. I'm
only passingly familiar with copyright law.)

~~~
Hello71
I believe the general consensus is "it is not clear at this time".

------
squeaky-clean
(edit since I didn't expect many votes, I am not a lawyer at all)

The text doesn't seem totally true, for example:

> Section D.7 requires the person uploading content to waive any and all
> attribution rights.

Yet, from the ToS, section D.7:

> You retain all moral rights to Content you upload, publish, or submit to any
> part of the Service, including the rights of integrity and attribution.
> However, you waive these rights and agree not to assert them against us, to
> enable us to reasonably exercise the rights granted in Section D.4, but not
> otherwise.

So you don't waive "any and all" rights.

From the article:

> Section D.5 requires the uploader to grant all other GitHub users… right to
> “use, display and perform” the work (with no further restrictions attached
> to it)

From the ToS, D.5:

> If you set your pages and repositories to be viewed publicly, you grant each
> User of GitHub a nonexclusive, worldwide license to access your Content
> through the GitHub Service, and to use, display and perform your Content,
> and to reproduce your Content solely on GitHub as permitted through GitHub's
> functionality.

So uh yeah, there are lots of restrictions on it. "solely on GitHub as
permitted through GitHub's functionality", so they can only use Github
functionality (i.e. Forking) on your content. They can't sell your content or
relicense it or host it on their own website.

The only real problem I see here is that unless you created the work entirely
by yourself ("you" here can mean a group), you can't grant the rights
necessary to upload to Github, even if you're well intentioned or the original
authors may be fine with it. And these rules apply to private repos, too. I
wish the author had focused more on that.

~~~
JoshTriplett
The license to "use, display and perform your Content" isn't limited to the
GitHub site or functionality. Only the "access your Content" and "reproduce
your Content" are limited to GitHub.

> The only real problem I see here is that unless you created the work
> entirely by yourself ("you" here can mean a group), you can't grant the
> rights necessary to upload to Github, even if you're well intentioned or the
> original authors may be fine with it. And these rules apply to private
> repos, too. I wish the author had focused more on that.

The author did explicitly mention that. But I think it's worth listing all the
issues with the ToS, not just one.

~~~
E6300
> The license to "use, display and perform your Content" isn't limited to the
> GitHub site

Right. If you put up your code publicly you are implicitly allowing other
people to do those things, since there's nothing you can do to stop it. How
could you stop someone from privately running your code on their hardware?

You're also implicitly allowing people to fork and download the code, since
Github doesn't allow public projects to restrict those abilities. Your
particular license may restrict making further copies, though.

~~~
JoshTriplett
> Right. If you put up your code publicly you are implicitly allowing other
> people to do those things,

As one example, "display" isn't made contingent on attribution. As an unusual
but plausible example: a GitHub user could grab a pile of code from across
GitHub and render it to construct a "movie hacking UI" for a film, without
even an attribution for the code they used.

> since there's nothing you can do to stop it. How could you stop someone from
> privately running your code on their hardware?

(Also, "nothing you can do to stop it" is not a grant of permission.)

~~~
matthewmacleod
_As one example, "display" isn't made contingent on attribution._

That's fine, but in general these software licenses do not cover "display",
they cover _distribution_. If you consider "using code in a movie hacking UI"
to be distribution, then you would already have been bound by the license. If
you don't, then you're not. Nothing changes.

~~~
dragonwriter
> That's fine, but in general these software licenses do not cover "display",
> they cover _distribution_.

Yes, that means that "display", insofar as that corresponds to a copyright-
protected exclusive right like performance, is not licensed by the license,
and (if you aren't the original copyright holder) you have no authority to
grant a sublicense to GitHub that covers display.

------
TheRealPomax
I'd like to point out that taking exception with "the right to “reproduce your
Content solely on GitHub as permitted through GitHub's functionality”" means
you were probably already not using GitHub, since that literally describes
what happens when someone clicks the "fork" button.

Especially given that the actual EULA text is this: "If you set your pages and
repositories to be viewed publicly, you grant each User of GitHub a
nonexclusive, worldwide license to access your Content through the GitHub
Service, and to use, display and perform your Content, and to reproduce your
Content solely on GitHub as permitted through GitHub's functionality. You may
grant further rights if you adopt a license."

(There also seems an odd confusion between "illegal" and "in violation of the
terms of service", which are very different things indeed, but that's less
crucial to examining what the terms actually say you can, and cannot, do on
GitHub)

~~~
jlgaddis
_There also seems an odd confusion between "illegal" and "in violation of the
terms of service", which are very different things indeed, ..._

Um, remember Aaron Swartz? JSTOR?

JSTOR and Aaron reached an agreement. JSTOR didn't want Aaron prosecuted. But
that didn't stop Carmen Ortiz, the federal prosecutor, now did it?

See also "Computer Fraud and Abuse Act Reform" [0] and "Aaron's Law: Violating
a Site's Terms of Service Should Not Land You in Jail" [1].

[0]: [https://www.eff.org/issues/cfaa](https://www.eff.org/issues/cfaa)

[1]:
[https://www.theatlantic.com/technology/archive/2013/01/aaron...](https://www.theatlantic.com/technology/archive/2013/01/aarons-law-violating-a-sites-terms-of-service-should-not-land-you-in-jail/267247/)

~~~
nostrademons
U.S. courts have repeatedly (see eg. US vs. Nosal & US vs. Drew, both linked
in the pages you cited) ruled that ToS or acceptable-use violations are not
criminal offenses under the CFAA. In their opinions, they explicitly argued
that criminalizing breaches of contract would violate widespread public
knowledge of the difference between a contract & a law, and would make the
CFAA unenforceably vague. It's pretty likely that Aaron would've been
acquitted had the case gone to trial.

------
angrygoat
The site seems to be struggling with load - here are the categories of works
the author argues are incompatible with the ToS:

- Anything requiring attribution (e.g. CC-BY, but also BSD, …)

- Anything putting conditions on the right to “use, display and perform” the
work and, worse, “reproduce” (all Copyleft [maybe minus GPL])

- Anything requiring integrity of the author’s source (e.g. LPPL)

There's a fair bit more detail on the post, but that's the gist of it.

The concerns relate to section D of the new ToS, which is here:

[https://help.github.com/articles/github-terms-of-service/#d-...](https://help.github.com/articles/github-terms-of-service/#d-user-generated-content)

~~~
techman9
Forgive my ignorance here, but would this hypothetically include anything
licensed under the GPL?

~~~
matthewmacleod
No.

------
JoshTriplett
Joey Hess wrote a concurring opinion:
[https://joeyh.name/blog/entry/removing_everything_from_githu...](https://joeyh.name/blog/entry/removing_everything_from_github/)

~~~
kevinr
If, as joeyh says, the FSF are talking with them about it, maybe I'm going to
wait until they're finished before doing anything drastic with my repos.

~~~
joeyh
The possibility that a Github TOS change could force a change to the license
of your software hosted there, and that it's complicated enough that I'd have
to hire a lawyer to know for sure, makes Github not worth bothering to use.

Value proposition was never very high for me, and went negative.

I can only speak for myself. Amount of value others place on the copyrights to
the software they've spent blood sweat and tears building is up to them.

------
edw
It's submissions like this that demonstrate the extent to which user-
contributed news aggregators are amplifiers for the prior assumptions—and
obsessions—of the users doing the contributing.

My personal favorites are stories of the form "I don't like this Apple
product, so Apple has lost touch and is doomed. Not that I've laid hands on
the product. But still!"

But this one, an instance of "I have discovered the hidden-in-plain-sight plot
by a popular service to commandeer your intellectual property!" is pretty good
too.

------
sytse
GitLab's indemnification is mentioned in the article "Gitlab seems to not have
such, but requires you to indemnify them… YMMV. I think I’ll self-host the
removed content."

We want our terms to allow everyone to contribute. I've created an issue for
us to look at making our indemnification more specific
[https://gitlab.com/gitlab-com/www-gitlab-com/issues/1185](https://gitlab.com/gitlab-com/www-gitlab-com/issues/1185)

------
kefka
They could have avoided the bulk of these problems by the following:

5. License Grant to Other Users

If your project doesn't have a license attached, then the rights you provide
GitHub and users are as follows:

You agree to allow others to view and "fork" your repositories (this means
that others may make their own copies of your Content in repositories they
control).

If you set your pages and repositories to be viewed publicly, you grant each
User of GitHub a nonexclusive, worldwide license to access your Content
through the GitHub Service, and to use, display and perform your Content, and
to reproduce your Content.

Choosing a License for the repo supersedes the above rights declaration and
reverts completely to the License of your choice.

___________________________________________

There's cases where I'm using someone else's GPL3 code. I'm using it because of
the GPL and am granted rights. I can't comply with the "rights" GH wants
because I don't have them to give.

I also have projects that I'd like to share as GPL, but not as BSD or MIT. My
choice. The existing version grants GH an effective BSD license for everything
on there.

~~~
ProblemFactory
They would have avoided most of the complaints, but I'm sure their lawyers
would never have approved such ToS.

It would mean that github is responsible for analyzing each license and what
features they can provide for code under each license, and take the risk of
potentially defending their understanding of each license in court if other
people disagree. It would also mean that if someone illegally changes the
license file on someone else's project and then uploads it to github, then
github is at risk instead of the uploader.

A better solution would be to describe the features they provide for public
repos in detail, and require uploaders to pledge that the license is
sufficient to grant these rights, or that they grant the rights themselves.

------
michaelmrose
Here is the article text

[https://gist.githubusercontent.com/michaelmrose/3f9b655fde54...](https://gist.githubusercontent.com/michaelmrose/3f9b655fde540516ed41fdb0041da2df/raw/e12dac7491e42e0d8801e57e45d23b06b61ef772/gistfile1.txt)

best read in something like reader mode or something

~~~
majewsky
Since we're talking about licensing: Did the author allow you to publish his
works on Github? ;)

~~~
mirabilos
The plain body text is under The MirOS Licence, so that’s fine. For more, see
[http://www.mirbsd.org/LICENCE](http://www.mirbsd.org/LICENCE)

------
Sunset
I'll give you a solution. Continue using Github, ignore anyone who says
anything about copyright. Have fun trying to sue me.

~~~
rgbrenner
you're forgetting about the dmca.. github will terminate your account if you
get a few dmca notices.

------
camus2
So people suggest moving to gitlab, what about bitbucket? it also offers free
repositories. What makes Gitlab better. Ultimately centralising all the
opensource in one service is a bad thing for opensource in general. Github
shouldn't become the "defacto" custodian of opensource projects. It's like
today the internet is "distributed but heavily centralized in one place". Look
at the S3 outage recently, taking down half the internet.

~~~
jwilk
From the article:

 _Atlassian Bitbucket has similar terms (even worse actually;_ [...] _)_

------
joeblau
I just created a project using CC4.0 last weekend and I noticed that GitHub
didn't have it in the list of suggested licenses you can choose. When I added
it manually, GitHub did recognize it which I thought was awkward. It seems
like GitHub is already trying to steer users away from creating the types of
repositories they don't want to support in the TOS.

~~~
duskwuff
Depends on what kind of project you're working on. Creative Commons is not
especially appropriate for software licensing, so it's perfectly sensible for
GitHub to avoid recommending it.

This isn't just my personal opinion, by the way. The CC FAQ specifically says:

> We recommend against using Creative Commons licenses for software. Instead,
> we strongly encourage you to use one of the very good software licenses
> which are already available. We recommend considering licenses made
> available by the Free Software Foundation or listed as “open source” by the
> Open Source Initiative.

-- [https://creativecommons.org/faq/#can-i-apply-a-creative-comm...](https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software)

~~~
eikenberry
With the exception of CC0, of which there is no equivalent available and which
they do say is suitable for software.

~~~
eridius
CC0 looks to be equivalent to the WTFPL.

~~~
azrazalea
More likely to be legally upheld in court though IMHO

~~~
mirabilos
True. But CC0 is deprecated by CC themselves _and_ CC requested the OSI to
_not_ approve it. It is unclear whether there will be a successor.

But any of the BSD/MIT-ish licences should be close enough to a “gift” for
this to work (well they do protect the author/licensor a bit more, but…).

~~~
incongruousa
> CC0 is deprecated by CC themselves

As far as I can tell this is simply false. At
[https://creativecommons.org/retiredlicenses/](https://creativecommons.org/retiredlicenses/)
there is a list of "retired" (deprecated) legal tools, which does include a
"Public Domain Dedication and Certification" but in the right column says
"Replaced by two separate tools: the CC0 Public Domain Dedication and the
Public Domain Mark." Furthermore, at the top of the page it says "CC will no
longer offer these licenses via its license chooser or other mechanism for any
future work" and if you click on the link
([https://creativecommons.org/choose/](https://creativecommons.org/choose/))
there is a "Want public domain instead?" link to
[https://creativecommons.org/publicdomain/](https://creativecommons.org/publicdomain/)
which prominently features the CC0 dedication.

So you can see that CC0 is still recommended and it is in current use. Mike
Linksvayer (former VP of Creative Commons) uses and recommends it:
[http://gondwanaland.com/mlog/2013/11/25/upgrade-to-0/](http://gondwanaland.com/mlog/2013/11/25/upgrade-to-0/)

> CC requested the OSI to not approve it

I actually read through the OSI mailing list thread about the CC0 dedication
once, and as far as I recall the OSI people (I think it was Bruce Perens) had
reservations and eventually the CC side decided it wasn't worth pursuing, see
[https://opensource.org/faq#cc-zero](https://opensource.org/faq#cc-zero) for
the OSI summary.

------
gamache
Better link:
[http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm](http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm)

------
Manishearth
Here's an actual lawyer (who is also a programmer) talking about this.

[https://writing.kemitchell.com/2017/02/16/Against-Legislatin...](https://writing.kemitchell.com/2017/02/16/Against-Legislating-the-Nonobvious.html)

This blog post is FUD.

~~~
rando832
No, your comment is complete FUD. Even a cursory skim of that blog post, you
can see it's about a completely different issue in the TOS and does not
discuss the issues this post is about at all.

~~~
Manishearth
Yes, it doesn't, because the thing the blog post talks about is a non-issue --
it instead focuses on a much more minor issue (why would it do that if there
was a larger issue that was _this_ bad?).

It's also corroborated by other lawyers in the thread saying basically the
same thing though. My conclusion that the blog post is FUD doesn't solely
derive from the post I linked to.

------
smilekzs
> there was a review phase, but my reviews pointing out the problems were not
> answered, and, while the language is somewhat changed from the draft, they
> became effective immediately

I find this disturbing.

Also, although extremely unlikely, I would imagine Github finally panicking
upon a large exodus of high-profile FOSS projects.

~~~
Karunamon
It's sad, but given the (positive, don't get me wrong!) response to the Dear
Github letter from a while back, it seems that mass outrage is the only thing
the company understands.

Most companies are allergic to lawyers. As in, they'd rather avoid the issue
outright and go elsewhere if a _hint_ of a legal question comes up. The fact
that they didn't bother floating this change by the greater community at large
does not give me the warm fuzzies that they learned their lesson.

~~~
mirabilos
They actually had a review period, and did some good changes.

But then, they took a week to look at the reviews (ostensibly; I, as well as
others, never got any response to them), went and made some minor changes
(which were not enough to address the problems at all) AND BROUGHT THE CHANGED
DOCUMENT INTO PRODUCTION RIGHT ON THE NEXT DAY, without any further review or
warning. That’s like bad.

------
erikb
So, let's just assume for a second that the author's comments are all
completely correct. Then it's still not a good analysis, since it doesn't say
at all how these rules came to be and what they try to achieve. I don't think
Github's management is so broken that they would F up their core users'
businesses for no reason.

It is important to understand it from a progressive point of view, since any
compromise would also require Github's needs to be fulfilled at least to some
degree. It would also help understand that the author may actually be wrong in
his assessment. And last but not least you're just painting half a picture if
you just mention your own arguments. Makes your arguments way less convincing.

~~~
mirabilos
“how these rules came to be and what they try to achieve”

That’s not my point here.

The intent behind the rules and what they’re trying to achieve is GOOD and A
STEP UP from the previous ToS.

HOWEVER, they have language that IS problematic for almost ALL copyleft and/or
attribution-requiring works that include contributions from people who did not
upload it directly to GitHub themselves. THAT’s what I’m discussing.

------
simplehuman
Just wanted to expand a bit more on the knee jerk reaction of suggesting
GitLab.com. From what I know from their business, GitLab.com is a loss leader
and they make their money primarily from the enterprise self-hosted product.
Please keep this in mind because this is important. No service is a charity
and GitLab.com will always be their low priority. GitLab.com is not magically
immune to problems that GitHub.com faces in terms of license. Once GitLab
becomes big, you will see the same things all over.

To conclude, I suspect you are better off just self-hosting GitLab (just pay
them license fees). It's really just 3.25 per user per month, please support
their self-hosted instance.

~~~
problems
You can also run the open source version of GitLab on your own hardware for
free. Gitea is also quite good if you don't need the more advanced
functionality that Gitlab provides - for basic git and issue tracking it's
good enough.

If you want to spend money on things and you're a small team also consider
Atlassian's JIRA $10 for 10 users plan. JIRA might be overkill for small
projects, but if you want nice agile project management tools it's pretty
good.

~~~
mirabilos
No, don’t use JIRA for developing OSS: [https://mako.cc/copyrighteous/free-software-needs-free-tools](https://mako.cc/copyrighteous/free-software-needs-free-tools)

~~~
problems
I generally agree with the statement, but just throwing other tools around -
not necessarily just for open source development.

JIRA isn't much worse than GitLab EE license wise - both will give you their
full source under a license that you can't do much with it. The only
difference is that part of GitLab is available under a better license, but
it's not the version you're running if you run EE.

------
jwildeboer
Dear moderators, please fix the headline. This is IMHO turning into clickbait.
The linked article is wrong in many ways, as lawyers have explained in the
comments here.

Please stop this misinformation from spreading further. Please.

------
spullara
For those that think this is a problem, is there a ToS and license that
everyone would agree gives Github and users the legal right to do what they do
today that is compatible with all the OSS licenses?

~~~
mirabilos
Yes, that’s actually what GitHub and I are talking about now.

Any OSS licence already grants way enough rights for a hosting platform to
operate, period. Anything else can be solved technically and does not need to
involve legalities. (For example, when displaying search result snippets, put
notices pointing to the original file in the original repository, as “context,
complete copyright notices, licence and attributions” right next to each.)

So the ToS simply need to require all those grants only for works that are not
under an OSS licence (see also my updated article, remember
[http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm](http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm)
is the correct link, NOT the one on top). For any works NOT under such an OSS
(Open Knowledge, Free Cultural Work, whatever) licence, the ToS grant is not
unjustified to ask (especially as GitHub doesn’t care about hosting OSS
projects, or the licences of whatever content they host).

------
grabcocque
Hanlon's Razor applies?

~~~
eli
Neither. We need a new axiom about engineers misunderstanding legal documents.

------
majewsky
Github has a contact form:
[https://github.com/contact](https://github.com/contact) - Here's the love
letter that I just sent them if you need something to copy-paste.

> The internet just told me about the updated ToS and its potentially
> disastrous effects on the legal certainty of thousands, if not millions of
> open source contributors. I demand you adjust your ToS to ensure that users
> can be safe that they will not get into legal trouble by sharing open-source
> code and artifacts on Github.com. If you fail to provide me with sufficient
> legal certainty in this matter, I'm prepared to move my source code to other
> providers or to my private premises.

> Since my employer, $name, is also a paying user of Github.com, I will also
> refer to my employer's legal department to check which legal concerns could
> arise from my continued use of Github.com for work purposes, and take
> appropriate action.

~~~
vortico
Off topic, but why is GitHub trying to direct potential Homebrew users to the
correct contact forms for that project? Is Homebrew sending people to the
GitHub contact form for troubleshooting or something?

~~~
cytzol
If you’re logged in, it says that for the last public repo that you saw. You
must have last seen Homebrew.

~~~
vortico
I see, thanks. Although I don't use OS X and thus have never used Homebrew so
I don't know why it would have shown up.

------
JadeNB
This page doesn't load at all for me. Am I the only one?

As near as I can tell from the headline, it's the same as
[http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm#e2...](http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm#e20170301-tg_wlog-10)
, which does load for me.

~~~
mirabilos
Someone intelligently (hah) decided to link to the (1 MiB) page with the
entire wlog posts of the last decade (plus CSS, webfonts, …) instead of to the
permalink of the one article (15K), and _then_ over https.

The webserver is a first-generation Celeron 2.4 GHz (Dell PowerEdge 750, AIUI)
with 1 GiB of RAM, running MirBSD (not the fastest OS out there) with Apache.
So, no surprise.

Yes, one of _those_ Celeron CPUs with so little L2 cache it can be discounted as
having none.

For that, it does remarkably well (though 「ls -l /var/www/logs/」 surely shows
the traffic).

------
michaelmrose
Does anyone have a copy of this article?

~~~
kefka
The new Terms of Service of GitHub became effective today, which is quite
problematic — there was a review phase, but the problems were not answered,
and, while the language is somewhat changed from the draft, they became
effective immediately.

Now, the new ToS are not so bad that one immediately must stop using their
service for disagreement, but it’s important that certain content may no
longer legally be pushed to GitHub. I’ll try to explain which is affected, and
why.

I’m mostly working my way backwards through section D, as that’s where the
problems I identified lie, and because this is from easier to harder.

Note that using a private repository does not help, as the same terms apply.

Anything requiring attribution (e.g. CC-BY, but also BSD, …)

Section D.7 requires the person uploading content to waive any and all
attribution rights. Ostensibly “to allow basic functions like search to work”,
which I can even believe, but, for a work the uploader did not create
completely by themselves, they can’t grant this licence.

The CC licences are notably bad because they don’t permit sublicencing, but
even so, anything requiring attribution can, in almost all cases, not “written
or otherwise, created or uploaded by our Users”. This is fact, and the
exceptions are few.

Anything putting conditions on the right to “use, display and perform” the work
and, worse, “reproduce” (all Copyleft)

Section D.5 requires the uploader to grant all other GitHub users…

- the right to “use, display and perform” the work (with no further
  restrictions attached to it) — while this (likely — I didn’t check) does not
  exclude the GPL, many others (I believe CC-*-SA) are affected, and…
- the right to “reproduce your Content solely on GitHub as permitted through
  GitHub's functionality”, with no further restrictions attached; this is a
  killer for, I believe, any and all licences falling into the “copyleft”
  category.

Note that section D.4 is similar, but granting the licence to GitHub (and
their successors); while this is worded much more friendly than in the draft,
this fact only makes it harder to see if it affects works in a similar way.
But that doesn’t matter since D.5 is clear enough.

This means that any and all content under copyleft licences is also no longer
welcome on GitHub.

Anything requiring integrity of the author’s source (e.g. LPPL)

Some licences are famous for requiring people to keep the original intact
while permitting patches to be piled on top; this is actually permissible for
Open Source, even though annoying, and the most common LaTeX licence is rather
close to that. Section D.3 says any (partial) content can be removed — though
keeping a PKZIP archive of the original is a likely workaround. But what if I
just fork something under such a licence?

Only “continuing to use GitHub” constitutes accepting the new terms. This
means that repositories from people who last used GitHub before March 2017 are
excluded.

Even then, the new terms likely only apply to content uploaded in March 2017
or later (note that git commit dates are unreliable, you have to actually
check whether the contribution dates March 2017 or later).

And then, most people are likely unaware of the new terms. If they upload
content they themselves don’t have the appropriate rights (waivers to
attribution and copyleft/share-alike clauses), it’s plain illegal and also
makes your upload of them or a derivate thereof no more legal.

Granted, people who, in full knowledge of the new ToS, share any “User-
Generated Content” with GitHub on or after 1ˢᵗ March, 2017, and actually have
the appropriate rights to do that, can do that; and if you encounter such a
repository, you can fork, modify and upload that iff you also waive
attribution and copyleft/share-alike rights for your portion of the upload.
But — especially in the beginning — these will be few and far between (even
more so taking into account that GitHub is, legally spoken, a mess, and they
don’t even care about hosting only OSS / Free works).

Conclusion (Fazit)

I’ll be starting to remove any such content of mine, such as the source code
mirrors of jupp, which is under the GNU GPLv1, now and will be requesting
people who forked such repositories on GitHub to also remove them. This is not
something I like to do but something I am required to do in order to comply
with the licence granted to me by my upstream. Anything you’ve found
contributed by me in the meantime is up for review; ping me if I forgot
something. (mksh is likely safe, even if I hereby remind you that the
attribution requirement of the BSD-style licences still applies outside of
GitHub.)

(Pet peeve: why can’t I “adopt a licence” with British spelling? They seem to
require oversea barbarian spelling.)

The others

Atlassian Bitbucket has similar terms (even worse actually; I looked at them
to see whether I could mirror mksh there, and turns out, I can’t if I don’t
want to lose most of what few rights I retain when publishing under a
permissive licence). Gitlab seems to not have such, but requires you to
indemnify them… YMMV. I think I’ll self-host the removed content.

~~~
DanBC
Are you a lawyer?

Isn't D7 saying you waive your rights so that github can serve the content?

~~~
kefka
Nope, I'm not. But plain language in a ToS or contract is pretty easy to go
"Nope, I don't like that. I don't agree."

And I'm sure they consulted their legal team regarding this. I don't think I
would have to get an attorney on retainer to go "That doesn't look right."

Is it mostly harmless? Probably. But in cases where I'm the creator and set
the license to GPL3 Affero, I expect that everyone follows that. I'm not going
to grant exceptions unless they pay me.

~~~
DanBC
How does your ISP transmit your code (licensed under GPL3 Affero) from your
work/home computer to a website?

~~~
mirabilos
Both the AGPL (“ancillary transmission”) and the law have exceptions for ISPs
and other such scenarios.

------
em3rgent0rdr
HN Mods, sounds like they need some protection from the HN hug of death:

>> Please use the correct (perma)link to bookmark this article, not the page
listing all wlog entries of the last decade. Thank you.

[https://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm](https://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm)

------
k__
I have a few repos with GPL-3.0

Is this a problem now? :(

------
grandalf
Would someone please contact one of the leaders of Github for a comment? Too
much speculation going on.

~~~
matt4077
Any reasonable reading of these ToS will lead to the conclusion that they're
merely asking for a minimal license grant necessary to provide their service.
Maybe GH will add a sentence to appease the hair-splitting armchair-lawyers,
but the speculation is no different than the 100 other, identical conspiracy
theories targeting any other service with user-generated content that have
made the rounds in the last decade.

~~~
kuschku
> to appease the hair-splitting armchair-lawyer

Or the people who asked actual lawyers, and got as a response that this is
something that’s very risky.

I’ve got code in my repos from third parties under the explicit condition that
I can only distribute it with attribution, so I can’t give GitHub the right to
distribute it without attribution in search results.

I can’t grant GitHub rights that I don’t have, what they’re asking of me would
require me to do the equivalent of "I’ve got a bridge to sell you".

~~~
grandalf
What's the solution? Public repos with opt-in lists? Or just using private
repos for everything?

~~~
kuschku
CLA. That’s the solution. Require every contributor to sign a CLA, and only
use code that allows redistribution on GitHub.

------
dermur
FWIW we're in the process of building
[https://eversentinel.com/](https://eversentinel.com/) to monitor ToS changes.
It's in beta so we're still adding services but will definitely be adding
GitHub

------
shawn-butler
Does anyone know what was the resolution of Github/IBM removing OpenLava's
repo from Github?

------
hl5
In what use case does Github violate free software licenses such that it
requires additional rights?

~~~
mirabilos
Github doesn’t, it just requires that of its users (that, or to not upload any
copylefted works, or works under licences requiring attribution, which contain
work from people who have not agreed to waive those requirements for Github).

~~~
hl5
If Github can continue to use and distribute free software without violating
the terms of the license then why demand additional rights? I don't get it.

Google doesn't attribute links to free software appearing in its search
results. Github doesn't need special rights to do it.

------
jldugger
Interesting topic, wish the article included a bit more analysis and
explanation to support itself.

~~~
mirabilos
Sorry about that, I was more concerned with getting the explanation into more
than 140 chars and out to both people and GitHub and getting in touch with
GitHub than with writing a lengthy article.

And all this besides $dayjob which suffered on the day, so I’ll probably need
to work the weekend to catch up.

~~~
jldugger
Be that as it may, without an extended analysis of the possible multiple
interpretations and conflicts with copyleft, it leaves the author looking
somewhat shrill.

~~~
mirabilos
I _am_ the author. And I am not an academic interested in bringing out a
lengthy article explaining the interpretations and all.

I am, in this instance, pragmatic: explaining what’s bad, why it’s bad, what
we need to do right now, and that’s it, and now I’m trying to work on a
solution with the GitHub people.

If this is not enough, do your own research. In my referrers, there have
popped up some Russian sites that (according to Google Translate) did some of
their own research (and came to similar conclusions). Ex-Debian’s joeyh did,
too.

------
kefka
I deleted the projects in my userspace.

I still want to maintain a user purely for ownership of presence there. But I
certainly won't use it.

I'll move on to things like GitLab or IPFS for transmitting projects I'm
working on.

~~~
cakeface
Are you using a self hosted GitLab? I feel that GitLab would have the exact
same issues that GitHub has. The TOS are just clarifying what is required to
run a cloud source code repository. If they want to do things like index the
code, run tests on it, fork it to other users, show it on their website, then
they need certain permissions from the copyright holders of the code. These
permissions are not special to github I don't feel. Anyone with the same set
of features would require the same permissions.

~~~
kefka
The contract states that I have to effectively grant them a BSD license for
whatever I do there. Then open source licenses can stack on others' as I
choose.

Nah. Not worth it. If I want it as GPL3, I expect them to comply with GPL3.

------
akerro
Here, have it: [https://gitlab.com/explore](https://gitlab.com/explore) move
your code here, thank me later.

~~~
programbreeding
Nothing wrong with gitlab, I personally use their self-hosted product. But
just a reminder to all that they lost a bunch of data 1 month ago today [0].

However they were completely open and transparent about what happened, and
they handled it as well as they could have.

[0] [https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-...](https://about.gitlab.com/2017/02/01/gitlab-dot-com-database-incident/)

~~~
connorshea
To be clear, we lost six hours of data. Not something we're proud of at all,
but I figured an exact number would be useful.

~~~
pluma
Also to be clear GitLab (apparently) didn't lose any data actually stored in
git from that timeframe, "just" the data stored via GitLab itself (issues,
wikis, etc).

It's of course still bad because GitLab makes a big deal of being about the
"whole package" rather than just version control, but it's not the massive
potential for intellectual property loss "six hours of data" implies for what
most think of primarily as a git hosting service.

~~~
dullroar
Not quite. I coincidentally signed up for a GitLab account that very day, at
that very time period, to make a minor change to someone else's project. I (1)
set up my account, (2) forked their project, (3) made the change, and (4)
issued a pull request. Came back the next day and none of that was there,
including my forked git repo. I had to do it all over again, and it was clear
it was a clean wipeout of everything, because I was allowed to re-register
with the exact same userid, etc. I know that is a rare-snowflake event, but
the fact I had a repo and had even sent a pull request from it shows they did,
in fact, lose some data in git itself.

~~~
connorshea
The git data itself was untouched, but in the eyes of the DB there was no
project that got created due to the lost DB data, so the git repo isn't hooked
up. If you can give me the username and project name I can have support fix it
up for you.

If you don't want to do that in this thread, feel free to email me: connor at
gitlab.com

~~~
dullroar
It's all good. I just replicated all the work (setting up the account, my
forked repo, the change, my pull request) the next day.

------
adelarsq
So going to Gitlab...

------
TechHawk
Does this apply to the BSD 3-clause license? As far as I can tell no, but
would be great to hear other people's opinion...

~~~
mirabilos
As far as I can tell: no, unless GitHub takes taking excerpts from works too
far and redistributing them without the licence attached. But nobody else is
allowed to deal in those excerpts then, except via the original licence, so,
likely not.

But 4-clause BSD and similar advertising clauses are _probably_ affected, and
Apache 2 _when_ a NOTICE text file exists is _very likely_ affected. (Maybe
even without; the Apache 2 licence requires giving recipients a copy of the
licence text, too.)

~~~
TechHawk
Thanks for your reply!

Regarding "Maybe even without; the Apache 2 licence requires giving recipients
a copy of the licence text", doesn't the BSD 3-clause license require this as
well?

~~~
mirabilos
BSD/MIT/etc. only require the licence text to be present, usually by retaining
it in the source code or accompanying documentation. Yes, it’s close. No, I
don’t want to go there and discuss this detail.

------
Taniwha
As I see it the underlying issue is that Github doesn't want the GPL of one
customer's project to attach to github itself, or to other projects hosted on
Github.

I think that's a fair goal for Github to pursue - maybe they didn't get it
right this time (IANAL) but I think we can all work with them to get something
that makes everyone happy, hopefully with less heat and more light

Disclaimer: I have GPL and LGPL code and hardware hosted on Github

------
chmike
Wouldn't GitHub simply remove the now disallowed licenses from the list of
predefined licenses?

~~~
mirabilos
The licence per se is not disallowed.

If you create a work from scratch and decide to put it under GPL and upload it
to GitHub (thus granting extra rights), that’s just fine.

It’s only you cannot currently upload SOMEONE ELSE’s GPL’d work (including
your own derivate thereof) to GitHub.

------
pyb
Did I read correctly? Must I remove my GPL licensed code from Github?

~~~
jwilk
Nope, you don't have to overreact.

~~~
mirabilos
But, thanks to the new ToS becoming effective immediately (as of 28½ hours
ago), you _do_ have to _act_.

Basically, starting March 2017, uploading anything (new) like that is not
allowed. Removing repositories and/or the entire user account, to make it
explicit that such grants are not given for what’s already there, may be
prudent (yes, overreacting is not necessary, but acting is, and don’t talk
legal requirements down to overreacting, because if you DO upload a GPLv2’d
work to Github as things are now, YOU _lose_ the right to use it under the
GPLv2 in the first place and CANNOT get it back except from the (all!)
authors).

~~~
andrewshadura
No.

------
pottersbasilisk
so it begins. github is the new sourceforge.

