For example, my informal and cursory analysis of the article:
> Section D.7 requires the person uploading content to waive any and all attribution rights.
It does not. The Github license requires a waiver of the requirement of attribution insofar as such waiver is needed for Github to do what it already does e.g. as the license indicates, provide search results without attribution.
Further, only Github has been given this waiver. Anyone else is still held to any requirement of attribution.
> section D.5 requires ... the right to “reproduce your Content solely on GitHub as permitted through GitHub's functionality”, with no further restrictions attached; this is a killer for, I believe, any and all licences falling into the “copyleft” category
While D.5 does permit performing, using, and displaying of a work, it permits reproducing on GitHub only. Any copying from GitHub not granted by way of another license would be a violation of the author's copyright.
Use, performance, or displaying in the absence of a right to reproduce strikes me as a rather narrow set of rights.
I stand to be corrected, but I see nothing sinister, nefarious, or unwarranted by GitHub.
YMMV. If you need legal advice, retain a lawyer.
I think you've convinced me. I was concerned that the use, performance or display may be a problem... but thinking it through, I do not really see this as an issue with most copyleft licenses. They are usually tied to distribution of code - which is reproduction.
I echo your disclaimer. If you need a lawyer, get one.
If someone asks me my opinion about an engineering or management issue they're facing, I'll give it to them knowing that I don't know the complete set of facts and they should take my opinion with a grain of salt. I might be missing important context and I might just be wrong. If I ask someone else advice on any topic, I assume that there is an implicit disclaimer. Is there something fundamentally different about the law? Is it because lawyers are in the business of giving advice?
Anyway, appreciate you guys weighing in and hope you do it more frequently :).
Because an attorney-client relationship is created when the client reasonably believes it to have been created. As a result, you have to be really fucking clear that people are not your clients because, when making the determination of whether someone has reasonably determined that someone is their lawyer, courts look to what the average bloke would think - i.e., a total dumdum. So you really have to hit people over the head with the fact that no, you are not their lawyer.
So, the second part of this is that when an attorney-client relationship is created, the attorney has a tremendous amount of duty to the client, and, if the client acts on the advice of the attorney and gets results they do not like, they can sue the attorney for malpractice.
> If someone asks me my opinion about an engineering or management issue they're facing, I'll give it to them knowing that I don't know the complete set of facts and they should take my opinion with a grain of salt.
Are you a licensed Professional Engineer? If so, for the love of Odin's beard, stop giving informal advice, as you are exposing yourself to professional liability.
Licensed professions - accounting, medicine, law, professional engineering - have extremely high duties of care to their clients. They are exposed to malpractice liability when things go wrong. They have ethical obligations. It can be extremely hard to fire delinquent or terrible clients.
To put it a completely different way: lawyers give advice as their job. There is no such thing as "informal advice" from a lawyer, the same where there is no such thing as a "pick up game" with an NBA player. It is their primary occupation. I don't do it for free - I charge a pretty stiff hourly rate. And every time I take on a client, it has impacts on my firm's malpractice insurance. In fact, I cannot take on clients without the explicit approval of the managing partner at my law firm - I get his written approval for every single one. To make it clear, the managing partner is the guy who, if there was a war between all the lawyers, gets to wear the biggest, fanciest hat. So, no, I am not just going to do the thing I do for my day job as a favor to someone else, any more than your computer programmer friend wants to fix your iphone.
Does that go some distance to answering your question?
The rest of your post is fascinating, and it made me understand this disclaimer much better; but surely this analogy is misleading.
If I've understood you correctly, there is, legally (or perhaps even by definition?), no such thing as informal advice from a lawyer; but surely it is only conventional that you will probably be in a pick-up game with an NBA player, as no regulation or law prohibits it. (Indeed, by analogy with any field whose practitioners tend to be passionate about it, I would assume that it is quite common for NBA players to play pick-up games with one another.)
Or perhaps, as someone ignorant of all things sports, I have missed the point of the analogy.
> Indeed, by analogy with any field whose practitioners tend to be passionate about it, I would assume that it is quite common for NBA players to play pick-up games with one another.
I would be surprised, specifically for the 'injury' reason above. They don't play pick up games - they go to practice - which is supervised and has medical personnel right there. But who knows. That is speculation.
But from a lawyer or an engineer that's not really okay, because even if you say I'm not giving your question my full attention and yeah, I think you'll be okay with just a simple rebar frame and no concrete for your bridge, but don't quote me on that and get a professional's advice ... the asker will be more confident, because he/she just did that, asked a professional, even if not in its proper capacity - and when bridges go down people get angry.
Though thinking about it, people usually get very angry at street ball too!
At this point they can take it easy and recommend literally anything since the most painful ramifications have been lifted. If you happen to score against an NBA player in pick-up you might be proud but you'd be dishonest to suggest that this means you have professional skill.
Related question, "... if the client acts on the advice of the attorney and gets results they do not like, they can sue the attorney for malpractice..."
Does that really happen a lot, or is it just something that they drill into you in law school? I never hear about attorney malpractice suits.
And, importantly, if you are a litigator - as in, someone who sues people for a living - your clients are already demonstrably the sorts of people who are willing to sue when they are pissed off. It is not unreasonable to assume that if things go wrong in these circumstances, people turn on their lawyers.
_I am not your lawyer_
Consider your IP stolen.
Compare with the following: I am a software engineer, here's my take on this or that technical matter, but don't apply this sample snippet as is in production, also I'm waiving all responsibility, like MIT-license style.
It's not that you shouldn't listen to random professional folks on the internet, it's that when they informally give some opinion on a matter, they may very well be missing some key part of your very specific context, and while common sense just would tell you not to take it as is and that you could hold them liable for anything, J. Random Bloke statistically lacks common sense so one has to spit proactive waiver statements telling people to act on their own responsibility or take advice in a proper, formal client-to-professional context.
What is the threshold for a reasonable impression of the relationship? Could random advice on an internet forum really trigger it?
"Reasonable belief" is the threshold. There's a whole bunch of case law, of course, on how that applies to specific circumstances, but you aren't going to get a short answer other than the actual standard.
> Could random advice on an internet forum really trigger it?
Maybe; lawyers tend to be fairly conservative about the risk, because the consequences of professional misconduct are potentially quite serious career impacts.
Anyone else desperately want to see this happen?
Is this because HN is located in the US? Would two American citizens have this relationship via a French site?
Or how about "I'm not formally signing off on this statement as a product of my legal-professional persona, but you're free to take what I just wrote to another lawyer and get them to vouch for its veracity, which they probably will"?
I hear that in military and political contexts all the time—"I can tell you this as a friend, but not in my role as X, so go find some other X who's allowed to speak on it if you need formalization"—but I never hear it from lawyers. It always seems to be phrased more as "what I'm about to write is probably wrong and you should go to get your own lawyer who will tell you something entirely different."
I say that all the time. I am sure it is in my comment history. E.g:
Please do note that D.5 also covers “reproduce”, which _is_ “distribution of code”, _and_ that I address this point in my article.
So, in short: If you need to give lots of money away, get a lawyer, but even then you’re not getting what you’re paying for. They also only cook with water, they also are just erring human meatbags.
The language is as follows:
> Any Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of your Content in repositories they control).
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality. You may grant further rights if you adopt a license.
"Reproduce" is limited by "solely on github." I simply disagree with your analysis. I've read many hundreds and written dozens of software licenses - this is what I do for a living. Your argument, up to this point, is unpersuasive. I am always willing to change my opinion based on a persuasive argument or evidence, but you are not providing that - you are simply saying I am commenting on it "demeaningly." That is not a "responsive," argument, and, in this case, it is also false.
Have you asked any lawyers about this? Or are you just relying on your interpretation?
If the license under which I got the code from someone else specifies that I can only distribute the code or snippets if I am including the license header, then that causes an issue.
(I asked a family member who is a lawyer about that, and they agreed that this seems to be a problem. I’ve tried to get approval from all authors of the code I used to be on the safe side).
Specifically, the terms under which I licensed the code I put on GitHub from a third party include
> provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
[EDIT] Due to "you are submitting too fast, please slow down", I will only answer questions on this comment via email.
The whole problem is that I, as an uploader of code that I did not write, do not have the authority to make that waiver.
If GitHub then does things with that code that the license doesn't allow, it was GitHub that is doing something it's not allowed to - unless, as uploader, you've agreed to indemnify GitHub for this sort of thing.
In particular, "store and display your Content [..] as necessary to render the Website and provide the Service" is rather broad given that the functionality included in the "Service" (defined as "the applications, software, products, and services provided by GitHub") can change at any time, without notice.
If I go and fork some random open source project off Sourceforge or whatever, I cannot publish it on GitHub as I do not have the original author's permission to grant GitHub these rights.
Overall I feel this was a pretty poor move by GitHub.
The OP doesn't mention D.4 much. The first paragraph of D.4 seems fine to me. But I worry the "clarification" (2nd paragraph) in D.4 could potentially cause problems:
> That means you're giving us the right to do things like reproduce your content (so we can do things like copy it to our database and make backups); display it (so we can do things like show it to you and other users); modify it (so our server can do things like parse it into a search index); distribute it (so we can do things like share it with other users); and perform it (in case your content is something like music or video).
Is "modify it" the same as "create derivative works"? If so, seems you've granted Github the right to "modify it" and "distribute it" potentially without any restrictions.
Assuming github does have feature(s) that require additional privileges to the source beyond what the open source license provides, doesn't that preclude hosting any project where any single one of the contributors doesn't contribute via github? (ignoring CLAs and work for hire.) The uploader is unauthorized to grant a wider license to github than they received the code under, right?
I wouldn't say they're being sinister, but I don't think that was the point. The point was that their cover-your-ass move is preventing a large number of open source projects from being hosted on the service in compliance with the ToS.
Yes it does. If there's a license that says "you must not make backups of the code on Thursdays", then hosting it on github would be incompatible with the license. So is hosting other people's non-open-source code in a public repo. Github's ToS put the responsibility of checking the compatibility of the license and github features on whoever uploads the code.
> The point was that their cover-your-ass move is preventing a large number of open source projects from being hosted on the service in compliance with the ToS.
Well, there are features that Github wants to have on public repos, for example public code search with short snippets, and the "fork" button. Their ToS has to "cover their ass" for these features, their lawyers would throw a fit if they kept the features without asking for permission in the ToS.
If there are OSS licenses that are not compatible with these features, then either the uploader or github was breaking copyright laws already.
But I'm not convinced that it's anywhere near as big a deal as the author of the article makes it seem.
So github has public code search, which shows 5 line snippets of code with a link back to the repo. Does this satisfy LPPL's "code must be distributed unmodified" rule? Is this enough attribution to satisfy CC-BY? A reasonable person would say yes, because you can just click on the link to get to the whole repo with the full codebase and authors.txt file.
But github isn't going to take the legal responsibility of checking each license for these questions, people uploading the code will have to do it themselves. (Also, github has no way of checking that the person uploading the code actually has the right to put the license.txt file on the code).
This convinced me.
I can release my code under GPL, and then sell it to someone else under different terms. It's my code, and I have copyright. I don't have to give the same permissions to everyone.
Likewise, just because I give Github certain permissions doesn't mean I have given the same permission to everyone else.
edit: I don't think forked repos are much of a problem. They're already on Github, so they already accepted the ToS. If they didn't, that's not your problem as a forkee. Unless the code was forked before this new ToS. Copyright is so messy.
Does a link to the source repository (which grants easy access to the usernames of all contributors and the full content of all files in the repo) not count as attribution?
So I need to find a lawyer and pay him $1000+ so I can see if GitHub is safe to use?
I guess I'll just stick with storing projects on my computer at home and skip this cloud-based stuff. I can't afford to retain a lawyer and consult with him for everything I do with code online.
If you grant Github a right to reproduce your IP, but no further rights, do people have a right to view Github's reproduction of your IP?
Any (informal) opinion on the validity, according to the new ToS, of mirroring third-party F/LOSS projects on GitHub (ones distributed under GPL, MIT or BSD)?
Do I need to get the permissions from each author of the work to upload it, above what Free Software licences already allow?
I _am_ working with them to get it fixed, but they enacted the new terms prematurely, so _currently_ the mess is there.
Meta question here. Is it necessary to say "I am not a lawyer...if you need legal advice, retain a lawyer."? Is that statement really legally protecting you? Is it intended to encourage the reader to take you less seriously? I'm having trouble not seeing this statement as a cargo cult prefix/postfix to commenting on legal issues, and if it's not really necessary, it seems more tasteful to me to leave it out.
The new terms don't do anything except make explicit what they were already doing.
D.7 + D.4: They were already doing activities these terms explicitly give them the right to do. They are internally copying (backups), modifying (compressing and indexing), and displaying anything uploaded. If having it spelled out violates your license, I don't see how them just doing it without having it spelled out doesn't also violate the license. Maybe this just shifts where the license violation is occurring from GitHub's doing to a user's uploading, but it doesn't change the fact that a license is being violated somewhere on either the old or new terms.
D.5: This section was already in the old terms! The new terms actually clarify and limit what they mean by "fork". It still doesn't give the forking user a right to modify, just create their own copy within the context of GitHub. You already granted users the right to "fork" anything publicly submitted under the old terms.
D.3: The rant (the writer's own tag, but I find it appropriate) is just nitpicking here. It omits the reason why they would remove content, which is because it violates their policies. GitHub needs this right to enforce their content restrictions. Also, if GitHub ends up removing partial content such that it violates the license it was submitted with YOU aren't the one breaking the license. They are.
I wonder how this affects other similar services (eg: GitLab).
I have repositories that include code I forked which is required to have attribution.
Before the change, GitHub was violating the license (and potentially covered by fair use).
After the change, I am now violating the license, and granting something to GitHub which I don’t even have.
Is this really modification in terms of copyright law? (Honest question. I'm only passingly familiar with copyright law.)
The text doesn't seem totally true, for example:
Yet, from the ToS, section D.7:
> You retain all moral rights to Content you upload, publish, or submit to any part of the Service, including the rights of integrity and attribution. However, you waive these rights and agree not to assert them against us, to enable us to reasonably exercise the rights granted in Section D.4, but not otherwise.
So you don't waive "any and all" rights.
From the article:
> Section D.5 requires the uploader to grant all other GitHub users… right to “use, display and perform” the work (with no further restrictions attached to it)
From the ToS, D.5:
> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality.
So uh yeah, there are lots of restrictions on it. "solely on GitHub as permitted through GitHub's functionality", so they can only use Github functionality (i.e. Forking) on your content. They can't sell your content or relicense it or host it on their own website.
The only real problem I see here is that unless you created the work entirely by yourself ("you" here can mean a group), you can't grant the rights necessary to upload to Github, even if you're well intentioned or the original authors may be fine with it. And these rules apply to private repos, too. I wish the author had focused more on that.
> The only real problem I see here is that unless you created the work entirely by yourself ("you" here can mean a group), you can't grant the rights necessary to upload to Github, even if you're well intentioned or the original authors may be fine with it. And these rules apply to private repos, too. I wish the author had focused more on that.
The author did explicitly mention that. But I think it's worth listing all the issues with the ToS, not just one.
Right. If you put up your code publicly you are implicitly allowing other people to do those things, since there's nothing you can do to stop it. How could you stop someone from privately running your code on their hardware?
You're also implicitly allowing people to fork and download the code, since Github doesn't allow public projects to restrict those abilities. Your particular license may restrict making further copies, though.
As one example, "display" isn't made contingent on attribution. As an unusual but plausible example: a GitHub user could grab a pile of code from across GitHub and render it to construct a "movie hacking UI" for a film, without even an attribution for the code they used.
> since there's nothing you can do to stop it. How could you stop someone from privately running your code on their hardware?
(Also, "nothing you can do to stop it" is not a grant of permission.)
That's fine, but in general these software licenses do not cover "display", they cover _distribution_. If you consider "using code in a movie hacking UI" to be distribution, then you would already have been bound by the license. If you don't, then you're not. Nothing changes.
Yes, that means that "display", insofar as that corresponds to a copyright-protected exclusive right like performance, is not licensed by the license, and (if you aren't the original copyright holder) you have no authority to grant a sublicense to GitHub that covers display.
Okay, well, I give you permission to copy the words in this sentence into your brain, but you're not allowed to process their semantic content into a coherent idea. If you do, I will sue you.
Largely to avoid that sort of thing.
By having the code in the open, you don't 'implicitly allow' unlicensed uses -- you just become reliant on copyright law as your protection.
Hmmm, I see how the and can be read that way. They really need to use more punctuation in these instead of so many 'and's.
But so if they can only access and reproduce your content through Github, what constitutes use/display/perform, and in what ways could they do that? Judging by the way D.4 is written, I take it to mean things like playing an audio file or running some executable code within the browser.
> The author did explicitly mention that. But I think it's worth listing all the issues with the ToS, not just one.
Yeah, I get that they mentioned it, I meant I wished they spent more than a sentence on it because I feel that's the bigger issue.
IANAL, nor do I have a dog in this fight, since I prefer contracts to copyrights. However...
I think there are at least a few scenarios that require some thinking about, anyway:
Given that the TOS forces allowance of use and performance of content uploaded to Github without regard to any license you might have been bound by otherwise, it seems as though it effectively negates any other such restriction. CC BY-NC doesn't allow commercial use, but now they can just point to the implicit license they got with it because you shared it on Github, right?
The AGPL requires that modified source used to furnish a direct service must be republished. If usage of Github means that you have granted a license, separately from the AGPL, to every user of Github to use your software, then publishing AGPL software via Github seems to negate the license: anyone who has it and who got it using Github may use it to run a server and need not follow the terms of the AGPL to do so.
But this leads to problems with other restrictive licenses as well, such as the GPL, since as long as someone is only distributing your software via Github, they have a license to reproduce it without regard to other terms like modification of source, and other Github users have a license to download and use it.
This would of course not work if github became in future a hosting service where people could run projects as services on their platform.
If you set your pages and repositories to be viewed publicly, you hereby grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality. You may grant further rights if you adopt a license.
1. to access your Content through the GitHub Service,
2. [and] to use, display and perform your Content,
3. [and] to reproduce your Content solely on GitHub as permitted through GitHub's functionality.
From the pushback on this point here and in other comments, I wonder if people are parsing this as
1. a nonexclusive, worldwide license to access your Content through the GitHub Service,
2. and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality.
...which seems wrong to me. If that were the intent, then I think it would have been easier to say
[...]through the GitHub Service, and to use, display, perform, and reproduce your Content solely on GitHub as permitted through GitHub's functionality.
In the general case, however, it is hard to use, display or perform content which someone can't access or copy.
To quote your quote:
>> If you set your pages and repositories to be viewed publicly
This is the same non-story that goes around any time someone reads the terms of service of twitter/facebook/dropbox/etc. These services need some license grant to do what you want them to do.
Note that any OSS license fulfills the requirements. I always assumed a free license was a requirement anyway. If that's the case, nothing really changed.
Especially given that the actual EULA text is this: "If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality. You may grant further rights if you adopt a license."
(There also seems an odd confusion between "illegal" and "in violation of the terms of service", which are very different things indeed, but that's less crucial to examining what the terms actually say you can, and cannot, do on GitHub)
Um, remember Aaron Swartz? JSTOR?
JSTOR and Aaron reached an agreement. JSTOR didn't want Aaron prosecuted. But that didn't stop Carmen Ortiz, the federal prosecutor, now did it?
See also "Computer Fraud and Abuse Act Reform" and "Aaron's Law: Violating a Site's Terms of Service Should Not Land You in Jail".
- Anything requiring attribution (e.g. CC-BY, but also BSD, …)
- Anything putting conditions on the right to “use, display and perform” the work and, worse, “reproduce” (all Copyleft [maybe minus GPL])
- Anything requiring integrity of the author’s source (e.g. LPPL)
There's a fair bit more detail on the post, but that's the gist of it.
The concerns relate to section D of the new ToS, which is here:
Honestly, to me, these signify more of a problem with either a) legal interpretation of these licenses or b) the licenses themselves. The things that Github wants to do with your code are perfectly reasonable, and I don't think would be interpreted as "breaking the license". All code is attributed to you when displayed to other users and isn't being broken up in its distribution (unless you believe that only viewing a single file is breaking up the source code... which is just silly) in practice.
I really don't view this as a problem. I think fighting any of these issues against Github (without this ToS) in court would likely be very difficult and unfruitful... but the risk makes it necessary for Github to protect themselves anyways.
It's relatively normal for a site to claim a permissive license for the purpose of implementing site functionality, such as transmitting, displaying, rendering, or backing up the content. It's far rarer for a ToS to claim a permissive license for arbitrary other purposes, let alone grant that license to every other user of the site. The ToS changes here grant such a license to all GitHub users, and not just to use site functionality (e.g. hitting the "fork" button).
The few other times I've seen a site attempt to claim such rights over user-submitted content, it has resulted in a backlash just like this.
Sure. But if you have code that has a licence that doesn't allow that... you shouldn't be putting it on Github.
This is the clause you are referring to "If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality." The key words here are "solely on GitHub as permitted through GitHub's functionality." This doesn't appear to be giving users license to do anything with the code off GitHub's site.
The ideal scenario is that the concerns are all drafting errors or otherwise missed details, and can be fixed via clearer drafting of a new version. I don't think there's a systematic intent here to undermine FOSS licensing, just a set of mistakes that didn't take such licensing into account very well.
That being said, the license grant Github asks for ("use, display, perform, and reproduce") seems to be a minimal set that is part of any OSS license anyway. It doesn't elaborate on any terms of such a license, but from the context it's clear that GPL/BSD/CC/etc. are considered acceptable (see for example the mention of "granting additional rights via license" which links to an overview of these licenses).
Usually the right being exercised is that of copying, not merely using; for example, assuming that running a program is a form of use, the GPL does not set conditions on using (or displaying or performing); are there any copyright licenses that do restrict activities other than distribution?
Quite a few.
The JSON license prevents usage in weapons, the old Java license prevents usage in nuclear submarines (until RedHat lobbied to remove that part), etc.
As they say, when you upload some code to Github (or any other service or website), they are making a copy, and then more copies for backups. If the code is visible to other users, then they are distributing it to other users. If the code is searchable, then they are taking out and distributing little bits of it.
Github needs a legal basis to do all these "obvious" things - and so would every hosting service.
If LPPL requires the integrity of the author's source code, then it's not just incompatible with Github's ToS, it's incompatible with all search engines that show snippets of results.
Is there anything that they are asking for in the new ToS that they have not been already doing by running the website, and everyone being okay with when they upload code?
CC-by-sa used to be incompatible with most copyleft licenses, but it now provides explicit compatibility with the GPL: https://creativecommons.org/2015/10/08/cc-by-sa-4-0-now-one-...
Value proposition was never very high for me, and went negative.
I can only speak for myself. Amount of value others place on the copyrights to the software they've spent blood sweat and tears building is up to them.
My personal favorites are stories of the form "I don't like this Apple product, so Apple has lost touch and is doomed. Not that I've laid hands on the product. But still!"
But this one, an instance of "I have discovered the hidden-in-plain-sight plot by a popular service to commandeer your intellectual property!" is pretty good too.
We want our terms to allow everyone to contribute. I've created an issue for us to look at making our indemnification more specific
5. License Grant to Other Users
If your project doesn't have a license attached, then the rights you provide GitHub and users are as follows:
You agree to allow others to view and "fork" your repositories (this means that others may make their own copies of your Content in repositories they control).
If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content.
Choosing a License for the repo supersedes the above rights declaration and reverts completely to the License of your choice.
There are cases where I'm using someone else's GPL3 code. I'm using it because of the GPL and am granted rights. I can't comply with the "rights" GH wants because I don't have them to give.
I also have projects that I'd like to share as GPL, but not as BSD or MIT. My choice. The existing version grants GH an effective BSD license for everything on there.
It would mean that github is responsible for analyzing each license and what features they can provide for code under each license, and take the risk of potentially defending their understanding of each license in court if other people disagree. It would also mean that if someone illegally changes the license file on someone else's project and then uploads it to github, then github is at risk instead of the uploader.
A better solution would be to describe the features they provide for public repos in detail, and require uploaders to pledge that the license is sufficient to grant these rights, or that they grant the rights themselves.
best read in something like reader mode or something
I updated the article in the meanwhile since I am in contact with people at GitHub, trying to convince them to change things to the better ;)
http://sprunge.us/TCaI is a mirror, in case my Apache goes down.
Atlassian Bitbucket has similar terms (even worse actually; [...])
This isn't just my personal opinion, by the way. The CC FAQ specifically says:
> We recommend against using Creative Commons licenses for software. Instead, we strongly encourage you to use one of the very good software licenses which are already available. We recommend considering licenses made available by the Free Software Foundation or listed as “open source” by the Open Source Initiative.
But any of the BSD/MIT-ish licences should be close enough to a “gift” for this to work (well they do protect the author/licensor a bit more, but…).
As far as I can tell this is simply false. At https://creativecommons.org/retiredlicenses/ there is a list of "retired" (deprecated) legal tools, which does include a "Public Domain Dedication and Certification" but in the right column says "Replaced by two separate tools: the CC0 Public Domain Dedication and the Public Domain Mark." Furthermore, at the top of the page it says "CC will no longer offer these licenses via its license chooser or other mechanism for any future work" and if you click on the link (https://creativecommons.org/choose/) there is a "Want public domain instead?" link to https://creativecommons.org/publicdomain/ which prominently features the CC0 dedication.
So you can see that CC0 is still recommended and it is in current use. Mike Linksvayer (former VP of Creative Commons) uses and recommends it: http://gondwanaland.com/mlog/2013/11/25/upgrade-to-0/
> CC requested the OSI to not approve it
I actually read through the OSI mailing list thread about the CC0 dedication once, and as far as I recall the OSI people (I think it was Bruce Perens) had reservations and eventually the CC side decided it wasn't worth pursuing, see https://opensource.org/faq#cc-zero for the OSI summary.
This blog post is FUD.
It's also corroborated by other lawyers in the thread saying basically the same thing though. My conclusion that the blog post is FUD doesn't solely derive from the post I linked to.
I find this disturbing.
Also, although extremely unlikely, I would imagine Github finally panicking upon a large exodus of high-profile FOSS projects.
Most companies are allergic to lawyers. As in, they'd rather avoid the issue outright and go elsewhere if a hint of a legal question comes up. The fact that they didn't bother floating this change by the greater community at large does not give me the warm fuzzies that they learned their lesson.
But then, they took a week to look at the reviews (ostensibly; I, as well as others, never got any response to them), went and made some minor changes (which were not enough to address the problems at all) AND BROUGHT THE CHANGED DOCUMENT INTO PRODUCTION RIGHT ON THE NEXT DAY, without any further review or warning. That’s like bad.
It is important to understand it from a progressive point of view, since any compromise would also require Github's needs to be fulfilled at least to some degree. It would also help understand that the author may actually be wrong in his assessment. And last but not least you're just painting half a picture if you just mention your own arguments. Makes your arguments way less convincing.
That’s not my point here.
The intent behind the rules and what they’re trying to achieve is GOOD and A STEP UP from the previous ToS.
HOWEVER, they have language that IS problematic for almost ALL copyleft and/or attribution-requiring works that include contributions from people who did not upload it directly to GitHub themselves. THAT’s what I’m discussing.
To conclude, I suspect you are better off just self-hosting GitLab (just pay them license fees). It's really just 3.25 per user per month, please support their self-hosted instance.
Under the "Can I add more users to my account" faq it indicates that additional users would be billed at 50% upon renewal, while the following question "The True-Up model seems complicated" indicates that additional users would be billed at full price.
I'm not in the market right now, but for people that are this might be a bit confusing.
If you want to spend money on things and you're a small team also consider Atlassian's JIRA $10 for 10 users plan. JIRA might be overkill for small projects, but if you want nice agile project management tools it's pretty good.
JIRA isn't much worse than GitLab EE license wise - both will give you their full source under a license that you can't do much with it. The only difference is that part of GitLab is available under a better license, but it's not the version you're running if you run EE.
Why not pay 3-10 bucks to be sure that GitLab stays alive for something so critical as hosting your code?
I'm cheap and I don't personally care that much whether they last so long as there's other options available. I wish them the best, but I'm not going to cry over porting some issues to a different system in the worst case.
Please stop this misinformation from spreading further. Please.
Any OSS licence already grants way enough rights for a hosting platform to operate, period. Anything else can be solved technically and does not need to involve legalities. (For example, when displaying search result snippets, put notices pointing to the original file in the original repository, as “context, complete copyright notices, licence and attributions” right next to each.)
So the ToS simply need to require all those grants only for works that are not under an OSS licence (see also my updated article, remember http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm is the correct link, NOT the one on top). For any works NOT under such an OSS (Open Knowledge, Free Cultural Work, whatever) licence, the ToS grant is not unjustified to ask (especially as GitHub doesn’t care about hosting OSS projects, or the licences of whatever content they host).
> The internet just told me about the updated ToS and its potentially disastrous effects on the legal certainty of thousands, if not millions of open source contributors. I demand you adjust your ToS to ensure that users can be safe that they will not get into legal trouble by sharing open-source code and artifacts on Github.com. If you fail to provide me with sufficient legal certainty in this matter, I'm prepared to move my source code to other providers or to my private premises.
> Since my employer, $name, is also a paying user of Github.com, I will also refer to my employer's legal department to check which legal concerns could arise from my continued use of Github.com for work purposes, and take appropriate action.
As near as I can tell from the headline, it's the same as http://www.mirbsd.org/permalinks/wlog-10_e20170301-tg.htm#e2... , which does load for me.
The webserver is a first-generation Celeron 2.4 GHz (Dell PowerEdge 750, AIUI) with 1 GiB of RAM, running MirBSD (not the fastest OS out there) with Apache. So, no surprise.
Yes, one of _those_ Celeron CPUs with so little L2 cache it can be discounted as having none.
For that, it does remarkably well (though 「ls -l /var/www/logs/」 surely shows the traffic).
Now, the new ToS are not so bad that one immediately must stop using their service for disagreement, but it’s important that certain content may no longer legally be pushed to GitHub. I’ll try to explain which is affected, and why.
I’m mostly working my way backwards through section D, as that’s where the problems I identified lie, and because this is from easier to harder.
Note that using a private repository does not help, as the same terms apply.
Anything requiring attribution (e.g. CC-BY, but also BSD, …)
Section D.7 requires the person uploading content to waive any and all attribution rights. Ostensibly “to allow basic functions like search to work”, which I can even believe, but, for a work the uploader did not create completely by themselves, they can’t grant this licence.
The CC licences are notably bad because they don’t permit sublicencing, but even so, anything requiring attribution can, in almost all cases, not “written or otherwise, created or uploaded by our Users”. This is fact, and the exceptions are few.
Anything putting conditions on the right to “use, display and perform” the work and, worse, “reproduce” (all Copyleft)
Section D.5 requires the uploader to grant all other GitHub users…
the right to “use, display and perform” the work (with no further restrictions attached to it) — while this (likely — I didn’t check) does not exclude the GPL, many others (I believe CC-*-SA) are affected, and…
the right to “reproduce your Content solely on GitHub as permitted through GitHub's functionality”, with no further restrictions attached; this is a killer for, I believe, any and all licences falling into the “copyleft” category.
This means that any and all content under copyleft licences is also no longer welcome on GitHub.
Anything requiring integrity of the author’s source (e.g. LPPL)
Some licences are famous for requiring people to keep the original intact while permitting patches to be piled on top; this is actually permissible for Open Source, even though annoying, and the most common LaTeX licence is rather close to that. Section D.3 says any (partial) content can be removed — though keeping a PKZIP archive of the original is a likely workaround.
But what if I just fork something under such a licence?
Only “continuing to use GitHub” constitutes accepting the new terms. This means that repositories from people who last used GitHub before March 2017 are excluded.
Even then, the new terms likely only apply to content uploaded in March 2017 or later (note that git commit dates are unreliable, you have to actually check whether the contribution dates March 2017 or later).
And then, most people are likely unaware of the new terms. If they upload content for which they themselves don’t have the appropriate rights (waivers to attribution and copyleft/share-alike clauses), it’s plain illegal and also makes your upload of them or a derivative thereof no more legal.
Granted, people who, in full knowledge of the new ToS, share any “User-Generated Content” with GitHub on or after 1ˢᵗ March, 2017, and actually have the appropriate rights to do that, can do that; and if you encounter such a repository, you can fork, modify and upload that iff you also waive attribution and copyleft/share-alike rights for your portion of the upload. But — especially in the beginning — these will be few and far between (even more so taking into account that GitHub is, legally spoken, a mess, and they don’t even care about hosting only OSS / Free works).
I’ll be starting to remove any such content of mine, such as the source code mirrors of jupp, which is under the GNU GPLv1, now and will be requesting people who forked such repositories on GitHub to also remove them. This is not something I like to do but something I am required to do in order to comply with the licence granted to me by my upstream. Anything you’ve found contributed by me in the meantime is up for review; ping me if I forgot something. (mksh is likely safe, even if I hereby remind you that the attribution requirement of the BSD-style licences still applies outside of GitHub.)
(Pet peeve: why can’t I “adopt a licence” with British spelling? They seem to require oversea barbarian spelling.)
Atlassian Bitbucket has similar terms (even worse actually; I looked at them to see whether I could mirror mksh there, and turns out, I can’t if I don’t want to lose most of what few rights I retain when publishing under a permissive licence). Gitlab seems to not have such, but requires you to indemnify them… YMMV. I think I’ll self-host the removed content.
Isn't D7 saying you waive your rights so that github can serve the content?
And I'm sure they consulted their legal team regarding this. I don't think I would have to get an attorney on retainer to go "That doesn't look right."
Is it mostly harmless? Probably. But in cases where I'm the creator and set the license to GPL3 Affero, I expect that everyone follows that. I'm not going to grant exceptions unless they pay me.
>> Please use the correct (perma)link to bookmark this article, not the page listing all wlog entries of the last decade. Thank you.
Is this a problem now? :(
Or the people who asked actual lawyers, and got as a response that this is something that’s very risky.
I’ve got code in my repos from third parties under the explicit condition that I can only distribute it with attribution, so I can’t give GitHub the right to distribute it without attribution in search results.
I can’t grant GitHub rights that I don’t have, what they’re asking of me would require me to do the equivalent of "I’ve got a bridge to sell you".
Google doesn't attribute links to free software appearing in its search results. Github doesn't need special rights to do it.
And all this besides $dayjob which suffered on the day, so I’ll probably need to work the weekend to catch up.
I am, in this instance, pragmatic: explaining what’s bad, why it’s bad, what we need to do right now, and that’s it, and now I’m trying to work on a solution with the GitHub people.
If this is not enough, do your own research. In my referrers, there have popped up some Russian sites that (according to Google Translate) did some of their own research (and came to similar conclusions). Ex-Debian’s joeyh did, too.
I still want to maintain a user purely for ownership of presence there. But I certainly won't use it.
I'll move on to things like GitLab or IPFS for transmitting projects I'm working on.
Nah. Not worth it. If I want it as GPL3, I expect them to comply with GPL3.
Or NotABug (https://notabug.org) which is a lot friendlier toward open source projects. IPFS sounds good, I'd love to see something P2P in this space, but nothing P2P seems to be mature enough.
However they were completely open and transparent about what happened, and they handled it as well as they could have.
It's of course still bad because GitLab makes a big deal of being about the "whole package" rather than just version control, but it's not the massive potential for intellectual property loss "six hours of data" implies for what most think of primarily as a git hosting service.
If you don't want to do that in this thread, feel free to email me: connor at gitlab.com
GitLab is a very good alternative... but I think that porting of a working project (not just code) is still complicated to accomplish. Manually import items like:
it is very expensive in terms of operation.
I know that there are products, libs and APIs to, let's say, mirror your repository, but all those tools, after you dive into some READMEs, are just not enough.
BTW: if anybody knows how to do "1 to 1" porting from GitHub to GitLab I will appreciate it
This is an intractable part of open-source software development. We can piss all over GitHub for trying to figure it out and getting it wrong, but at least they're trying.
Or self-hosted FusionForge if you need more fancy stuff.
I did a quick skim and didn't see anything regarding waiving attribution rights.
But 4-clause BSD and similar advertising clauses are _probably_ affected, and Apache 2 _when_ a NOTICE text file exists is _very likely_ affected. (Maybe even without; the Apache 2 licence requires giving recipients a copy of the licence text, too.)
Regarding "Maybe even without; the Apache 2 licence requires giving recipients a copy of the licence text", doesn't the BSD 3-clause license require this as well?
I think that's a fair goal for Github to pursue - maybe they didn't get it right this time (IANAL) but I think we can all work with them to get something that makes everyone happy, hopefully with less heat and more light
Disclaimer: I have GPL and LGPL code and hardware hosted on Github
If you create a work from scratch and decide to put it under GPL and upload it to GitHub (thus granting extra rights), that’s just fine.
It’s only that you cannot currently upload SOMEONE ELSE’s GPL’d work (including your own derivative thereof) to GitHub.
Of course, even if you don't infringe on other people's rights, there's also the question whether you're okay with these ToS.
Basically, starting March 2017, uploading anything (new) like that is not allowed. Removing repositories and/or the entire user account, to make it explicit that such grants are not given for what’s already there, may be prudent (yes, overreacting is not necessary, but acting is, and don’t talk legal requirements down to overreacting, because if you DO upload a GPLv2’d work to Github as things are now, YOU lose the right to use it under the GPLv2 in the first place and CANNOT get it back except from the (all!) authors).