I run the open source strategy and marketing team at AWS. As I told Tim privately and publicly (https://twitter.com/mjasay/status/1317084448119169024), I hadn't been aware of this but am talking with the relevant product team to see how we can improve in his regard.

AWS uses a lot of open source, and we contribute a lot, both in terms of code (first-party projects like Firecracker and Bottlerocket, but also third-party projects like Redis, GraphQL, Open Telemetry, etc.), testing, credits, foundation support, and more. But open source is ultimately about people and communities, and I personally feel we could have done more to acknowledge the great work Tim and his co-maintainers have done, and try to support their Headless Recorder work. We're talking with Tim now about this.

(While I think we do far better than sometimes acknowledged, we're also always looking to improve, and appreciate all the feedback that helps us toward that goal.)

Good job taking responsibility, Matt. Handling this the right way.

I do think there's a larger discussion about trillion dollar companies just forking a project and announcing it as a new feature for their platform without even talking to the original creator.

If there's anything to improve, "reach out first" will be a start.

It's open source. You don't have to reach out. There's nothing legally or morally wrong with what you did. But you can do better. A trillion dollar company can do better to act grateful to be in the position that it's in. To be seen as a leader in a space instead of as a consumer of free work.

I honestly think there's room for more than gratitude with, as you said, a trillion dollar company. I know it's hard to find a balance when we want free and open tools, developed in a spirit of sharing and enabling innovation. But something feels slimy about an enormous company deriving a huge amount of revenue from a FOSS project, when they could easily compensate developer(s) with barely an impact to their bottom line.

I know it's not required by licensing - but "legal" doesn't always mean "right".

Amazon stealing OSS products and repackaging them for profit is a behavior they are replicating over and over. Big and small projects alike are neither protected nor immune (see Mongo, Elastic, Redis,...)

To see so much of the developer community respond by placing blame on the developers is heartbreaking and at the root of the tragedy of open source. It's either: your fault for using a permissive license OR shame on you for not using a permissive license. Where is the outrage at the predatory companies cannibalizing open source?

We need to remember who the real enemy of open source is. The only company that benefits from open source shaming is Amazon.

[1] https://techcrunch.com/2019/01/09/aws-gives-open-source-the-... [2] https://news.ycombinator.com/item?id=19364534 [3] https://thenewstack.io/redis-pulls-back-on-open-source-licen...

> Amazon stealing OSS products and repackaging them (...)

Since when did providing managed services start to pass off as "stealing"?

Am I stealing FLOSS projects as well if I install them on a production environment?

It makes zero sense to try to pull this sort of bait-and-switch scam with FLOSS. If you release a project into the world while explicitly stating that everyone in the whole world is free to use it as they see fit then don't complain that someone was free to use it as they saw fit.

I think you have a point. But there does seem to be a difference between say using FLOSS project X as a dependency in my app vs AWS tweaking it, introducing it as a direct competitor to X, and leveraging their huge marketshare to sell it. Seems like not illegal, not even sure if it's ethically shaky, but there does seem to be a difference right?

Or, a situation about which you might want to ruminate:

A customer is doing a full migration to the cloud. They're already using FLOSS project X on-prem and ask 'Hey, <cloud vendor>, project X is a super important part of our environment? We can't move forward unless you support it. Also, can you manage this for me? I'd really prefer not to roll my own servers.'

What would YOU, as the cloud vendor, do? Give up on the business (both upfront migration costs and down line usage and maintenance costs), or legally exercise the license that project X's creator CHOSE?

Also, consider that, at your scale (you being the cloud vendor), if 1 customer is having this issue, it's impacting tens if not hundreds of others.

As someone who works for AWS and fields feature requests from customers constantly, the above situation is very common.

As a trillion dollar company, it can acquire an open source project that is vital for its customer base rather than leeching off that project. You shouldn't make unethical practices of companies as necessary evil.

TBH, in that scenario, AWS are usually growing the market for X such that the share of the market for X taken by the X developers probably increases after AWS joins the market for X.

> But there does seem to be a difference between say using FLOSS project X as a dependency in my app vs AWS tweaking it, introducing it as a direct competitor to X, and leveraging their huge marketshare to sell it.

Is there really a difference at all? You're complaining that a managed service is somehow "a direct competitor". Compete in what? I mean, am I really competing with the project if I get a few instances up and running?

By your line of reasoning, they are actually helping the project grow and establish itself as a relevant piece of infrastructure. Somehow I don't see this being used as a justification to demand a share of the revenue the other way around.

In the end, all I see is people complaining that someone who uses a project that was always freely distributed happens to have deep wallets, and somehow they feel entitled to some cash just because a third party is rich. Where does this make any sense?

A managed service is "a direct competitor" in usage of the original software. And usage is the one that mostly drives development back into the service.

There isn't a legal difference in AWS repackaging an OSS project, and a company using it internally, but there is a difference in terms of the end result of how the project develops.

That's why I've seen that most comments in support of AWS are either ideologues or their livelihood depends on a large company that's doing this.

Of course the blame is on the developers. If you don't want commercial enterprises to repackage your project and exclude you, choose a license that says that! How is this even controversial?

Because then everybody will jump at you and shout "OMG you don't allow for repackaging, don't ever dare to imply that your code is Open Source with all the permissions and liberties that your free labor should grant, so we don't have interest in your shitty proprietary stuff and will never check it out".

As seen on HN multiple times.

Which is what the parent refers to with the more politely put "either your fault for using a permissive license OR shame on you for not using a permissive license"

We know that building a business is hard. There is no silver bullet that provides both the adoption rates of OSS and the monetizability of proprietary software. So you pick one, and live with the consequences.

Which is why I either go commercial or hard line GPL.

Don't want to pay me? Well get paid the same way.

There are plenty of business opportunities for commercial software, it is just hard and takes effort, like everything in life.

You can both want a project to be usable commercially and still feel bad about being iced out by people who are vastly better off financially than you are. I had a big project for my Ph.D. thesis that was good enough to get spun out into a startup. They didn't even offer me a job.

They were under no obligation to, but it set my career back five years and I'm still angry about missing out on the obvious route from graduating to being really awesome at what I wanted to be really awesome at.

It's not controversial that they did this, I was a junior employee and they didn't have a ton of money. It still significantly damaged my career to be forced to start all over on a totally new thing despite literally inventing what they were doing without me.

Blame? There doesn't have to be blame for that to suck for the little guy.

Affero GPL FTW

Why is it stealing? And how does "blame" enter the picture at all? Developers went into it with their eyes open. That's not shaming or blaming them, there simply is no "blame" to be had. They made something and decided to give it away with few/no strings attached. There's decades of precedent for such projects being used to great financial profit by millions of people, so I don't find it plausible that most developers aren't fully aware of what they're doing. In fact I'd argue many want exactly this to happen. To develop something that proves incredibly useful and gets adopted by many users.

If someone did inadvertently choose a more permissive license than intended, I'm not sure what to say. "Blaming" them has too negative a connotation, but there is some responsibility on their part for the mistake, though I can sympathize with them given that licensing choice can be complex.

There's a catch 22 with choosing a restrictive license though. On the one hand it may help you monetize a product if it becomes popular, but on the other hand it becomes a lot harder to gain users and achieve that level of popularity.

However I acknowledge that the open source ecosystem and incentives have deep seated problems on this. The rise of networked society is in many ways built on such work, so there is a public good achieved that might never have been possible otherwise. On the other hand, maintaining a project can be thankless and exhausting. There's been plenty of discussions on how to help this situation, with no clear answer that I'm aware of. I certainly don't have one.

I think the legal aspect of the licensing determines what is "right", otherwise the definition of "right" can be interpreted different ways. Don't be fooled, both parties entered into a contract. One when they published the software, and one when they used the software. Any expectations outside of that are left undocumented.

Even agreed-upon contracts can be predatory. Maybe there should be a license that says "free and clear for everyone but trillion-dollar companies, because they should really compensate developers for value".

I personally think it would be a great look for Amazon if they made it a policy to compensate developers from whom they derive significant economic value. Because they can, and because the developers deserve it.

If developers expected to get compensated for the work they explicitly and voluntarily released for anyone and everyone in the world for absolutely free, wouldn't they have released it under different terms? I mean, it sounds awfully dishonest to do a 180 on the expectations once a user with a deep enough wallet happens to be singled out.

It doesn’t seem dishonest. Companies do it (market segmentation).

No, they really don't. You don't see companies giving away their products under a permissive license to, afterwards, stating that we should not pay attention to the license because they now want a chunk of our paycheck. That would be as dishonest as it gets, and the dishonesty in that doesn't change if we replace a company with a single-person company.

A license is not a contract. Using and distributing Free Software is not entering into a contract.

You certainly can have a contract around a license, but that is a whole other topic.

It is in France, and possibly other places as well.

“Right” can always be interpreted in many ways. There is nothing wrong with that. In fact, it is when “right” is just one thing when we need to worry.

When you put a certain license on your freely redistributed code, the assumption is that you're doing it with your eyes open, and agree with all the ramifications.

Free software which requires a copyright notice to be retained in the source, but has no restrictions on run-time can be used in exactly that way: someone builds it, modifies it to taste and puts it into operation in such a way that your name does not appear anywhere.

You don't necessarily want that. Do you want some AWS customers contacting you about issues with it because they found your name?

What is legal coincides with what is right, because the developers had every opportunity to choose a license which exactly reflects what they think is right. It's a reasonable assumption that they did exactly that.

The FOSS developer and big company are doing different things/roles.

One is doing development, which requires innovation and time; other is providing service, which requires economy of scale and network effect.

It might be better if the end user tips like likecoin, which will automatically divide the tips to direct and indirect upstream contributor.

It doesn't sound exactly like taking responsibility to me. It's more an acknowledgment of the fact and damage control. Taking responsibility would suggest admitting fault and taking action to make things right. His statement doesn't have any of these. 'I am looking into it' is too vague and doesn't mean much.

Probably Amazon's legal department doesn't let him say much more, but then his statement sounds unconvincing and doesn't serve the purpose of taking responsibility and assuring the community of their good intentions.

Fault for what? Using code in accordance with the license selected by its developer?

By admitting fault I mean if you have done something wrong to speak up. Legally there is no fault as far as I can judge, but there is a moral fault. Not giving credit, not trying to involve the developer in their effort and not offering any kind of reward for his effort is definitely a fault in my dictionary.

These kinds of actions damage the community much more than some people realize. Open source developers lose trust in the idea of sharing their work when seeing how huge companies with limitless resources take advantage of their effort. This happens little by little but in the end we become cynical and when we see good intended initiatives from these companies we don't trust them and simply refuse to participate.

I thought Microsoft has abandoned its evil demeanor and has become a good open source citizen until this happened:


I think what they did is much worse than this, because they intentionally misled the developer by giving an impression that they were going to hire him and when he came for an interview they tricked him to share his ideas about the future of his product. What's similar is the reaction of both companies - half-heartedly acknowledging something that has already become public knowledge and giving some vague promise for fixing things.

> I do think there's a larger discussion about trillion dollar companies just forking a project and announcing it as a new feature for their platform without even talking to the original creator.

I always find these messages weird, because in the end it's one engineer like you and I who looked at some open sourced stuff and decided to use it, and perhaps it didn't really do what they wanted so they forked it, and it ended up being used in whatever product they were working on, and in the grand scheme of things it was not about a big trillion dollar company being evil, it was about how engineers do their work nowadays.

> If there's anything to improve, "reach out first" will be a start.

Just don't repeat Microsoft's smooth talk, make-your-own and ghost strategy ;-)

It is possibly even worse than just forking.

Legally no, morally yes

Legally no, morally no, ethically yes?

Ethically yes — simply because it will be in their best interest to do so over time.

That's why "Amazon can do better." Not to act more altruistically, but to do better. If they keep doing things like this, it won't be good for them.

I feel like this is an underrated distinction. While definitions vary, this way of looking at it resonates pretty strongly with me, personally.

Interesting, how would you define ethically different than morally?

Morality is a code of values a person may hold, whereas ethics is a philosophic (scientific) approach to discovering and defining such codes, and an attempt to answer two specific questions - whether a human being needs a code of values, and if so, what code of values they should choose to flourish as a human being (and not as any other "being").

So, a person may be clear morally, based on a code of values that puts an emphasis on a legal aspect of interactions between people, but from the perspective of ethics we can observe that such a code may not be sufficient to fully realise their potential of flourishing as a human being.

It was my impression that morality regards the beliefs of one person/entity (here, Amazon) while ethics refers to a different/opposing group.

So clearly Amazon has no moral scruples about doing what they did, but to us (or others) it's ethically ambiguous.

Well, disagreeing about which words to use doesn't necessarily mean there's any disagreement about the object-level situation, but FWIW, the definition I've generally heard is that "ethics" refers to the whole general "ought" side of the is-ought distinction, which is further divided into: axiology, which outcomes are actually desirable in the first place; morality, what actions and strategies people ought to follow to achieve those outcomes; and law (not, unfortunately, to be confused with actual law), how groups of people ought to act in order to deal with coordination problems and evil people.

> So clearly Amazon has no moral scruples about doing what they did

Dude, they picked a software project that was released to the world under a license that explicitly allows anyone and everyone to use it as they see fit, and they proceeded to use the software.

Please do explain exactly where do you see any breach in morality.

The point of my comment(s) is expressly that this _isn't_ a breach of morality...

It seems to me that it's not a breach of morality, ethics, or even goodwill. It is a FLOSS project being used in compliance with the author's will.

In a nutshell, ethics is a bit more pragmatic than morals. Ethos and moralis, the customs and "of the customs".

OP here. Matt and I are chatting about this. We will work it out. As per my tweet, it's not about the letter of the licensing, it's about the spirit.

> it's not about the letter of the licensing, it's about the spirit

If it's not in black and white then it's not part of the license. Spirit isn't defined.

To paraphrase Theo de Raadt, if you're not happy for your code to be used in a puppy mulching machine then don't license it under a permissive license.

Open source culture is so much more than the licenses. A license dictates what is legally permissible but it doesn't mean that there aren't other cultural expectations that go with that.

Eric Raymond famously wrote about the customs of open source in Homesteading the Noosphere: "I have observed these customs in action for 20 years, going back to the pre-FSF ancient history of open-source software. They have several very interesting features. One of the most interesting is that most hackers have followed them without being fully aware of doing so."[0]

It is possible for us to have norms of mutual respect beyond what is legally required. I think those norms are actually at the heart of open source and have been since the beginning. I hope we never abandon them just because they are "not in black and white".

[0] - http://www.catb.org/~esr/writings/cathedral-bazaar/homestead...

It's off-the-charts irony to point ESR's observations to try to validate the author's response here, and to frame it in the terms of some monolithic "open source culture". The brogrammer devops culture in 2020 is starkly different from its forebears—the two hacker cultures in focus in CatB. In fact, the entire premise of the book (it's in the name!) is a commentary on the distinction of cultures and the risk of misleading yourself if you're not thinking clearly and make the mistake of conflating them.

Eric Raymond is probably the least reliable narrator of a Free Software ethos that one could pick.

Not trying to troll you, just wanna know: why is that?

Short answer, ideological extremism.

In theory, yes.

But Amazon is a member of the OSS community, and AWS relies heavily on developers, many of whom care a great deal about the spirit of OSS and being a good and responsible member of the community.

Other people are saying this, but AWS is taking a reputational risk here. If things get bad enough, we could end up with no-Amazon clauses in OSS.


Parent was questioning whether 'spirit' mattered, and I am pointing out one good reason.

When someone publishes code with permissive licenses, they have to expect that all kinds of users will take advantage of it in different ways.

That does not mean that is probably doing it for the ones that will be graceful of it. Opensource is not just about licenses but a way of creating.

Not quite the same behavior, but BigCo's free-riding on FOSS is nothing new.

"At Serge’s trial Kevin Marino, his lawyer, flashed two pages of computer code: the original, with its open-source license on top, and a replica, with the open-source license stripped off and replaced by the Goldman Sachs license." [1]

[1] https://www.vanityfair.com/news/2013/09/michael-lewis-goldma...

Using open source software is different than selling it and profiting off of it without even contacting the project's maintainers.

Free-riding on the free? What else are you supposed to do with it?

> As per my tweet, it's not about the letter of the licensing, it's about the spirit.

I don't understand. Wasn't the project released under a license that explicitly grants anyone the right to freely use it as they see fit?

You mean it's not about the letter or the spirit of license at all; it's about the spirit of plagiarism, or sociability, or something.

Honestly, AWS should have a policy they apply consistently. Maybe mention that in your conversations.

Do let us know what comes out of it in a blog as there are many other people like you out there.

Please release my rewrite / serialization library for Apache Avro. I wrote it in 3 different languages for Amazon when I worked there, and went through all sorts of discussions to have them release it, and they refused for no meaningful reason that I could see.

The only reason I was ever given was "we use it and think it is great therefore we won't release it." The implication was "If what you wrote was junk we'd let you release it."

Needless to say I never tried to get Amazon to release any of my software during my time there after that, because the response was so poor.

Edit: If Amazon releases my code, I'll be happy to add a tiny credit to Amazon in Notices.Txt and in no other way be thankful to Amazon.

I'm the Principal Engineer for the Open Source Program Office at Amazon. We've gotten much better about being responsive and inclined to open source projects like that.

Email me at atwoodm@amazon.com, and tell me what the internal code names for your projects were, and where you were in the org. I'll see what I can do.

Honestly, even putting aside the social and community aspects. When I’m evaluating a technical offering I’m often very willing to pay for “hosted xyz”. I feel like I’m reading through the tea leaves to understand which AWS product offering is more or less a hosted offering of an open source product and what additions AWS has made that might change performance characteristics. Even without upstreaming changes, if the offering were pitched as “hosted X with these additions unique to aws” I would likely choose the hosted option over operating it myself.

It goes without saying though that supporting the open source core (and the core developers) would also go a long way.

It doesn't matter, anyone who uses AWS services beyond those that are easily replaced by alternatives (say DigitalOcean, OpenStack, Azure, etc.) is setting themselves up for failure. At the very least they'll need a translation dictionary of Amazon's stupid naming scheme when they want to move.

The long tail of AWS services is a massive waste of time.

Does AWS have a policy of directly funding existing upstream developers/maintainers of projects you are using?

On my old team, AWS RoboMaker they do. Contributed a lot of money and developers to ROS2 to make it a solid robotics platform.

Given the massive amount of revenue they're making off Linux, they should be at least platinum tier Linux Foundation members, but their logo is nowhere to be seen here...


Their strategy for Linux appears to be to contribute code upstream rather than contributing money, according to linux.git's MAINTAINERS and `git log --author=amazon.com`. Also it's not like the Linux foundation funds Linux development in general, apart from Linus and possibly similar folks.

This is nice to hear.

Regarding "giving back" by a company like Amazon, we often talk about the problem of open source maintenance being thankless and difficult due to time commitment and lack of compensation, etc. Personally I don't think direct $$ compensation is the answer, but how about a policy that, for example, dedicated X number of developer hours to the main branch? As in, Amazon tasks a few developers to each give 10 hours of time in direct collaboration with the maintainer(s) to perform tasks the maintainers may have in their queue. That way "giving back" for a project you use is specific and alleviates some of the burden of running a project for exactly those projects from which Amazon benefits.

I am a Principal Engineer in the Open Source Programs Office at Amazon.

This is something we are very aware of, and discussions about this cross my desk weekly.

One big problem of the many problems I face regarding such proposals is the people who are the best at writing open source who need the money the most are not the people who are good at writing grant proposals and are good at sucking the money out of such funding systems.

I know Matt. I'm impressed that AWS hired him for this. That's a promising sign.

Where is that crowd that denounced n8n.io for using a license that explicitly prevents this kind of exploitation. I don't understand why people harp constantly for software to be open completely and free, and put a surprised Pikachu face when it gets exploited.

Imo there needs to be an official policy from aws on these kinds of issues. Taking a free product and monetizing it on this scale morally requires some compensation for the original creator(s).

Wow what a great take. Kudos for doing the right thing here. Very excited to see how this pans out.

I hope you write an update to this. I'd love to know how this went.

Surely you should be sending him a significant pay check. You're worth billions and just ripping off other people's projects?

Why? It was knowingly and intentionally released to the world for free, to do with as anyone wishes. No one is ripping anyone off.

Technically true (only). Amazon are devoid of ethics but we know that already.

Well done response. Kudos.

We're talking with Tim now about this.

Offer him money and do it in public.

OK but also do not stop this development is all..
