Hi all! I'm David, CEO @ Retool. I'm looking in to this right now and will update my comment here with a response in the next two hours.
Edit: just did a bit of digging.
It looks like we have a Retool template that has some fake data in it (https://retool.com/api-generator/). This is an app built in Retool, and has a few thousand rows of hard-coded data.
I just spoke to the engineers who worked on this project, and we are sorry for including links to fakercloud. This wasn’t intentional, and we just pushed a commit removing all avatars from the template. This is already deployed. I hope you all can understand why we trusted the data generated by the MIT licensed project, and didn’t think it would link to anything proprietary.
I myself am an engineer (and avid HN reader, as evinced by how I found this while reading HN on a Sat night), understand Marak’s frustration, and agree that monetizing OSS is hard. While we’ve already contributed around $10k to various libraries we use (https://opencollective.com/retool), including faker.js, Babel, ESLint, and JSON Schema, I’m going to see if there is more we can do. We’ll be writing a blog post about it this week and I will follow up with more next steps. I wonder whether there is a better way of sponsoring OSS, other than just donating dollars every month? (Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily?) In the meantime, we'll certainly continue sponsoring all the libraries we’re sponsoring already, including faker.js.
Put another way, he forgot to get back to the guy whose project/hosting space his company was using, for a whole month, and he came back with a classy response and decent amount of detail. Everybody wins. Except the people who think there's a court in session here and are worried us plebians are putting _CEOs of companies_ on trial
Atleast put some effort into reading all the material if you want to shame somebody.
1) Initial email was sales pitch that did not touch the problem at all. Which retool responded to by the way.
2) CDN is hardcoded into the JS library. Why would you even do that and then shame people? If it’s against the ToS then you need people point to the ToS first. It’s the author’s fault here.
3) MIT license. How many times do we have to go through this. Retool could just fuck off but even before this witch hunt began, they were already donating.
4) Some human communication explaining the problem wouldn’t hurt. Personally I’m more likely to turn down using faker.js now.
> CDN is hardcoded into the JS library. Why would you even do that and then shame people?
It’s worth noting that before the fakercloud.com URLs were hard-coded into the library, the library was hard-coding a different service’s S3 URLs (uifaces.co) and only stopped when they became inaccessible:
So it seems a little unfair to complain that Retool are embedding URLs to your CDN when this library was doing the same thing to UI Faces a few months ago.
This is a very good overview of the situation. It's sad how Retool's name was dragged through the mud for daring to use an MIT licensed open source project.
They still need to be dragged a bit for copying someone's project. There is nothing against it in the license, but it is still pretty crappy to copy someone's offering and offer it up for free. Especially when you built your free offering on the back of the product you are killing.
I disagree. If you don't want anyone just come by, copy your product and offer it for free, don't release it under MIT. There is no "bro code" when it comes to software licenses.
By its very nature, the "bro code" refers to a "code" that doesn't actually exist, which makes your comment quite ironic. On measures of aptness, that makes it a comparison that's not apposite at all, but instead opposite.
It's generally considered bad form to privatize OSS for your own gain, whether there's a price tag on it on day 1 or not. Ex. VLCs issues over the years
Is there some reason that, at least 13 hours later, the blog post hasn’t been replaced with a mea culpa for accusing these folks of something that ended up being a problem in your own library?
Oh, damn. I thought I’d read further down the thread that they were one and the same but I see he specifically says otherwise. I guess it’s me that owes the mea culpa.
My understanding is they used faker.js to generate urls, and those urls referenced fakercloud. So the open source project faker.js ends up pointing you at fakercloud without realizing it.
David you're probably just getting nonstop flak for this and as the CEO of the "big bad" here just let me say that I feel genuinely bad for you. Whatever conversation you have to have behind the scenes is a truly stupid thing to have to do in this situation. The CDN thing is dumb and maybe arguably not how this should have been done but your team and their work doesn't deserve to be villified for doing basically nothing wrong other than a very simple email miscommunication.
“Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily”
This could be more disruptive than helpful as very few engineers would contribute much one day a month. Would you hire a developer for 1 day per month? They would more likely burden the experienced developers with questions and poor code submissions that need to be reviewed and then forget what they learned a month before.
They voluntarily donated $2000 to faker.js as I can see from opencollective link. It definitely looks like they love supporting open-source and not trying to rip-off small devs.
It's a bit odd that if they hadn't done that, faker.js wouldn't have found out that they were using it that much, and couldn't have sent them the sales pitch in the first place.
In an a bit odd way, this time, donating to OSS, resulted in "bad press" at least for a while.
I hope things will end in a good way, somehow, for everyone
I don't think your company did anything wrong. The CDN is hard codes into the library as far as I can tell.
Ultimately there are two separate issues.
1. The CDN thing, of course.
2. The open source monetization never ending problem.
The first can be fixed with a simple change to the library. The second your company is already trying to help in part. Ultimately open source is not easily monetizable...
Hey David, I really feel for you. These PR-esque situations are never fun, but I think you’ve done an excellent job of handling this.
I believe there is a bias people have of viewing (somewhat ironically) things in terms of a “David vs. Goliath” lens. Everyone loves rooting for the little guy, even when the little guy is objectively incorrect.
Hope your weekend goes better than it has been so far! Retool is an excellent product by the way :)
If it’s rectified upon the CEO finding out about it and he makes a true apology, and implements policy to prevent it from happening again, that’s better than just not saying anything and not doing anything to rectify the situation; however, most people here would agree that doing so doesn’t excuse the fact that he let it happen in the first place.
When Marak sent me the email, I read it as a "Hi, I built Faker, might you be interested in acquiring it?". I responded with a "yes, that could be interesting, give me a day to work on this". In the end, we decided that acquiring Faker didn't make sense, and I'm sorry to Marak for not sending a follow-up email telling him we weren't interested. In this case, the content is different (i.e. we are potentially abusing OSS), which is why I’m responding to this.
(FWIW, I typically receive 50 - 100 sales emails every day. I do try and reply to the ones that look interesting, but I do forget to follow-up sometimes if we're not interested! This does not excuse my behavior in this particular case, and I’m sorry to Marak for not following up.)
I wasn't convinced by this reply either, then I went back and read the actual email. It doesn't mention the problem at all, it's a straightforward sales pitch. Even I ignore tons of those regularly, it's kind of dishonest on the part of the developer to say "oh they caused me a problem, I emailed them and they didn't reply" without mentioning that he didn't mention the problem in the email at all!
Frankly the author of Faker seems like he went into this project with the clear intention of profit, but by releasing it for free, and then pressuring people into giving him money. It's almost predatory.
Especially since Faker.js doesn't do anything that much useful which can't be replicated in trivial time. You use it because it's available, like we all do with MIT licensed libraries.
He promised to look into the possibility of buying faker. The initial email said nothing about the gripes in this article. In fact, the author of the article did absolutely nothing to resolve this problem before writing the article itself.
I hate to be that guy, but idealism in software needs to die.
Don't use a license that's more permissive than you're willing to tolerate.
It's absurd to me for a project to publish something with a 100% open source license and then complain when somebody tries to profit off of it.
Doesn't really matter how egregious or large the perpetrator is. If you want exceptions, write it into the license. People want the goodwill that comes with open source, without accepting the consequences.
That being said, I do empathize with the plight of the author. Perhaps they were naive to this possibility.
The reasons for using GPL and AGPL is that it advertises 'other licences are available - for a cost - but this is the only one you get for free'.
The cost of using GPL licences is that any changes you make to it everybody gets to have and anything you create with it has to be licensed under that licence. It was designed to create a viral effect so that free software remained free and that people could make money from those who didn't like free.
The MIT licence says "I have tenure in some organisation that is getting its money from something else and which can pay me to spend time on this".
> people could make money from those who didn't like free.
Does GPL ever work this way? In practice, GPL discourages corporate (=widespread) adoption, driving down the quality of open-source software, and creating the market for paid closed-source software (which is often worse than open-source software, but packaged better). I'd love to see cases where a GPL-dev successfully negotiates a reasonable "cost-plus" arrangement with a company for a non-free license.
My org is currently evaluating several PDF generation (as well as general BI reporting software) solutions. Several of the options we're considering offer a free AGPL version and a paid commercial version. AGPL is a deal breaker for several members of my team (though not for me) so they would prefer the paid versions of the AGPL software.
So at least in my experience, yes dual-licensing can work
> In practice, GPL discourages corporate (=widespread) adoption, driving down the quality of open-source software
On the contrary, GPL tends to be associated with software from the era that predates the new "social coding" phenomenon. The tendency of folks whose first contact with OSS was GitHub and who are most likely to choose the MIT License usually give us brittle, highly niche devops boondoggle that is the byproduct of their responsibilities at their dayjob and that gets abandoned a couple years after being pushed out to GitHub (when the creator realizes the futility of trying to convince other programmers churning out corporate boondoggle that they or their company should pay the creator for their contribution to the mudpie).
and i believe this is because most GPL software doesn't provide enough value over the cost. But for MIT style licenses, there is zero cost, and thus, adoption must be high by the laws of supply/demand!
In other words, the excess value provided by the software under an MIT license is extracted and kept by the corporations using it. GPL licenses forces some sort of non-monetary compensation in the form of contributions, and thus, the corp cannot extract and retain the full value of the software (and hence, they correctly decide to make a cost/benefit analysis, and choose the most profitable decision).
> GPL licenses forces some sort of non-monetary compensation in the form of contributions, and thus, the corp cannot extract and retain the full value of the software
No, this is false.
- You can use a GPL library without making changes and contributing anything upstream
- You can use a GPL library internally and make changes without contributing anything upstream
- You can use a GPL library, make changes and distribute it to 3rd parties and, only in that case, you simply have to share the changes with the 3rd parties. [Not with upstream]
> You can use a GPL library without making changes and contributing anything upstream
which is fine - your usage of GPL software doesn't affect anyone else. If you decide to charge for it, that's OK too - since if the market exists for such software, the price would equalize to the break-even point of the cost of production.
> You can use a GPL library internally and make changes without contributing anything upstream
If it's "internal", aka, not visible to the outside world, then that's fine too. There's no effect from anyone else's perspective.
> You can use a GPL library, make changes ... share the changes with the 3rd parties
This is the point i was trying to make - in this case, where you make changes, you have to share it. Even tho it's just the 3rd party, this 3rd party has the right to distribute these changes. And anyone that has access to the software is also the 3r party.
So, in other words, if you have visible effects to the outside world with your (changed) GPL software, you are effectively bound to contribute those changes for free, or relicense with the owner to hide those changes.
I have never worked at an organization that does not use GPL software in some way. It discourages shipping GPL components/dependencies in binaries which is the whole point of the license.
As someone who has fallen into the idealism trap, I couldn't agree more.
Here's another opinion I've been mulling - the emphasis on FOSS is actively damaging to our community and we need to take steps to end it. We're highly trained professionals who often sacraficed a lot to get to where we are. Having this culture of giving away our professional work for free - often to people and organizations who can readily afford to pay for it - borders on masochism.
Instead of constantly singing the praises of open source, we should be encouraging a deep level of self-esteem in younger engineers by encouraging them to "know their worth".
There are of course clear and obvious benefits to FOSS - like no licensing friction and better security - but we have to find a sustainable way to reward the developers. Little donations here and there aren't going to do it either.
> Instead of constantly singing the praises of open source
i would differ in my opinion, because it's not the 'singing praises' that's the root cause, but that the creator of said FOSS library expecting money in some form for having provided value up front (either contributions or donations etc).
That's an expectation that will never live up to reality.
> we have to find a sustainable way to reward the developers
this exists already - charging for the software you develop. Or, develop a business model around the software - aka, the software is free, but is just the bait for consulting business.
My argument was not about one person being disappointed by expecting value and getting none - it was a broader point about the cultural encouragement - prevalent in engineering circles - of working for free.
To be specific - I think a good argument could be made for free development in the service of the underprivileged or other altruistic causes. However, a large portion or most development ends up benefitting large public corporations who make large profits. But because, as a culture, we encourage this work, we have basically set ourselves up to be exploited.
I recognize that this is an unpopular opinion and is difficult to make well, in a thread, without being downvoted. But I think there is always value at questioning our underlying cultural assumptions.
> Don't use a license that's more permissive than you're willing to tolerate.
From tfa:
Most Fortune 500s are using Faker in some capacity. The scope of the Faker project is not small... Who pays for Faker development? No one... Most of these donations are from fellow developers, and not enterprises or corporations.
I don't think there's a single OSS license that'd force corps to pony up. Too restrictive terms and they'll simply go looking elsewhere.
Google does OSS right. Open source to commoditize your competitor's advantages, not to strengthen your own.
> I don't think there's a single OSS license that'd force corps to pony up. Too restrictive terms and they'll simply go looking elsewhere.
There is no such license, and there can't be. Just as a license that prohibits use by the military can't be open source, neither can a license that prohibits use by, or requires payment from, corporations.
Dual licensing under GPL (or AGPL) and a commercial license is the closest you'll get, and it relies on the aversion many corporations have to the GPL, rather than adding restrictions per-se.
Mongo did just that (AGPL or custom license), but they moved to create SSPL; for some reason it didn't work out for them?
Redis and Elastic tried something Frankenstein by mixing Apache and custom license code in the same repo, which spooked them and the community for good measure, with Elastic, later, notoriously doubling-down on "open" with SSPL.
Of all the source-available licenses, I like BSL by MariaDB, better.
In my view, if your web server responds to an arbitrary HTTP GET with the asset and 200 error code, then your intention is that the asset is public and any browser can request it. If you don’t like a particular request, return 403 and get on with your life.
I am sure that they can change that if marek requests it. But he doesn’t instead he wants a two year consulting contract where he continues to work on his own project.
The U.S. legislature hasn’t touched computer laws in forever, so an armchair guess is hard, but chances are that causing an extreme financial burden by hotlinking someone else’s images is illegal - although maybe the fact that fakercloud could just block hotlinking based on the referrer header means it’s not as open-and-shut of a case.
To me, that is the idealistic stance. If there’s a world in which an indie developer can muster up the legal guns to win an IP battle against a VC-funded behemoth, it ain’t this one.
Writing restrictions into the license makes sense in theory. Actually enforcing that license against an uncooperative company will take far more time, money and effort than most people are willing to spend.
Large companies won't violate terms of a license knowingly.
Certainly an individual dev could pull in a library with a non permissive license without the broader business being aware. Or, I do agree, there may be particularly corrupt companies that knowingly violate terms of a license... But that's going to be less common than not.
Having worked for big tech, I can assure you they are very strict with licensing.
In this case it's a fast and loose startup, so I agree that it may have happened regardless. But at a certain scale these kind of things will be caught.
But you're not going to get AWS cloning your project if your license doesn't permit it.
I can imagine that big Western or multinational companies won't knowingly violate a FOSS license.
That being said, AFAIU violating the GPL of the Linux kernel is very common in the embedded world. A lot of that is made in places largely out of reach of Western IP laws, and by the time anybody gets around to do something, the fly by night company responsible has ceased existing, replaced by a new company currently working on a device five generations ahead, again committing GPL violations.
which means either the market they serve don't care, or don't have enforcement within reach of the western courts. But then, them "stealing" GPL nor not won't really affect the owner of the GPL software, since the world would've been the same to them whether the fly-by-night company violated them, or did not exist in the first place.
For me the perfect license would be something that allows using the code freely in any project or company that makes no money or is smaller than X people.
If you are using my code and you have a lot of cash from investments or revenue - it would only be fair if you pay for the license.
You have to use a permissive license, otherwise your software will be ignored by all distributions. Which means it won't be available even for non-profit users.
There should be a non-profit-software Linux distribution that is only for non-leeches. But as it is, the OSS landscape favors corporations.
I'm beginning to wonder how much that software-needs-to-be-free propaganda has been spread in the 90s and early 00s by the beneficiaries (corporations and foundations).
To be clear they’re violating the terms of service of fakercloud.com is the implication I took from this
Not so much an issue with them using faker.JS, though honestly companies should do more to pay for development of these kinds of libraries that they depend on, it isn’t the core issue here
Which by the way is a great service if you are in the market and would fully managed fake data api
If faker.js, an open source library, creates links to fakercloud.com - a for-profit offering, then someone who is merely using faker.js isn't falling afoul of the fakercloud.com TOS since they were never even presented with it in the first place.
I think they should make that clearer in the blog post because it really wasn’t clear to me. So they’re paying for fakercloud and providing that data to their customers? It seems like this would then be a TOS issue as you mentioned.
It's not fatalism. I don't want to live in a world where a guy says I can do something with his software, and then gets upset and tries to rally people against me when I do. I've had girlfriends like that.
If you don't want people to make money off your software, or use it a certain way, don't put it under a license that says it's fine to do so.
But, in the long run, doesn't this turn us into proverbial paperclip collecting AIs? The mode of sharing and using shared software is also a matter of social responsibility.
E.g., if the author is obviously asking for sponsorship to maintain the project, as a major user/customer, you should consider a donation. Otherwise, you should be stripped of the benefit of the doubt, regarding the question, whether you are a civil person or not. Likewise, you shouldn't engage in actions, which are prone to doom (economically or otherwise) the project you're profiting from.
1. If you wanted Retool to stop using your service, you should have said it up front instead of beating around the bush. From what I can gather from your emails, you sent their CEO a random sales pitch and he ignored it. Hard to fault him for that.
2. I love faker.js. I have used it in the past, and I'm sure several teams in my company use it today. I would, however, never ever pay for your cloud service, simply because taking a dependency on a third party hosted website to run unit tests is madness. The old school corporate software licensing model might be losing favor, but that does not mean it isn't apt for any use case. If faker.js was still downloadable but needed a license key to run I'm sure people would pay for it. It would probably be the easiest thing in the world to bypass, but the same Fortune 500 companies you mention would gladly break our their checkbooks rather than risk getting sued.
Exactly: Most modern browsers respect CORS. If you send response header "Access-Control-Allow-Origin: *", you're saying any origin can load the response. Clearly, the owner of cdn.fakercloud.com didn't want that behavior.
The server can inspect the Origin header, and if the maintainer doesn't want to support the domain, then don't send the CORS Access-Control-Allow-Origin response header.
No... it was pretty hard to know what Marak wanted just by that email. Knowing the backstory, yes, you could see that. Just reading that email alone, no way would someone understand that "you're using my product in a way I'm not happy about" was the intent.
Yeah so, Marak here should have sent an email more along the lines of:
"Hi X, I'm so and so of Faker (link to some info) and you guys are violating our TOS by reselling our API and hosting the generated content on our CDN. I assume this is a misunderstanding and I notice you've sponsored us in the past, so I was thinking there is a mutually beneficial way for us to resolve the issue. <insert the pitch he already sent> If this sounds like a good way forward let's set up a meeting."
Instead of like a random sales pitch, without the concerning context that he kind of got lucky he even got a first response e-mail to, that doesn't even mention the issue. And then if he wasn't satisfied with the response then he could have sent a follow up demand, asking Retool to resolve the situation and fly within the TOS.
Instead Marak was completely indirect and then when the completely predictable situation of Retool's CEO not reading any more into the situation happened went on full blast in public of Retool.
This is an example of how not to solve issues with other human beings and organizations.
So he made a useful service, put it behind an extremely permissive license, another company tried it, copied what they wanted to copy, and then utilized the permissive license to use his service for the rest. Then, "Retool is offering this new service for free".
So let's review the title:
> Retool is reselling our API...
According to TFA, they are not selling it.
> ...without permission
Except that your MIT license is permission.
I noticed the CEO has shown up here to say he's looking into it. I genuinely feel bad for him. Imagine that conversation.
"Guys I hear we are using this open source project and people say we shouldn't"
"....yeah? It's open source. It has an MIT license. What's the issue?"
"Apparently that person didn't REALLY mean for it to be open source, and now a bunch of people on an internet forum are upset."
"Do any of them pay us?"
"A couple I think? Two said they might stop paying us."
"....I'm confused boss, what did we do wrong?"
---
Now imagine that conversation having to happen and this worry happening every time someone decided they want to use a FOSS library or API for their work.
This comment refers to the submitted title: "Retool Is Reselling Our API Without Permission". We replaced that with the article's title, in keeping with the site guideline "Please use the original title, unless it is misleading or linkbait; don't editorialize."" (https://news.ycombinator.com/newsguidelines.html)
(Since Retool is a YC co, I initially hesitated to do that because of the principle described here: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... But since the submitted title doesn't appear anywhere in the OP, I ended up going with standard HN moderation in this case.)
I came to the same conclusions. I looked over the Retool website. There's no mention of faker.js anywhere as a product, service, etc. that they are offering to their customers or any hint that test tooling in general is a feature they pitch to their customers. It's a data integration tool with a slick UI and lots of nice integrations.
So, they are not Amazon blatantly ripping off some oss company, infringing on a brand name, and offering a me too service. This is a very simple case of a company using an oss library licensed to them under the MIT license in good faith. They even paid for it, which they are not required to do. Companies doing the right thing here is something positive and it should not be expected just received graciously.
Now as for OSS being hard to monetize; some of it is. Some of it does pretty well and some companies have raised hundreds of millions, IPOed or been around for many years selling, supporting, and providing OSS. Most OSS is not like that. By design OSS software is about taking low value commodities and doing a great job of them and providing it for free so we can all focus on adding value elsewhere and solving more valuable problems.
Retool are a great example of a company that figured out a way to add value that their customers are willing to pay for and investors are willing to back. They of course use OSS, just like just about any commercial entity developing software. They probably have numerous dependencies on all sorts of things. Name me a software company that does not do this. This is completely normal in our industry. There is absolutely nothing amoral about it. Faker.js is basically considering themselves more special than all the other packages Retool no doubt also depends on. Why?
Most OSS developers have no illusions or expectations of revenue. I know, because I'm one of them. It's my way of saying thank you for all the OSS I depend on myself. I actually once wrote a little Java library called inbot test fixtures, which is a very simple test data generator not unlike faker.js (in the small): https://github.com/jillesvangurp/inbot-testfixtures. A tiny amount of people got some value out of that over the years. Good for them. The original account for that is long gone (the startup failed) and I moved the code base to my private account and it's technically one of my less popular efforts. However, it's code I wrote because I needed it and I recognized it as non core, non differentiating for our product. So, I put it out there as OSS. The backbone for the library is actually somebody data provided by another github project. I actually reused the library in my latest startup and it saved me time not having to reinvent that wheel.
I've done that with other stuff over the years as well. My philosophy is that most software is low value and hard to monetize like that and therefore is best served as OSS so that you maximize its potential.
I find it interesting how in these cases lots of people are defending company x, because what they do is legal. Something can be legal and still a shitty thing to do. For example if you are running a food kitchen for the needy somewhere, you'd be pretty upset if some rich company (e.g. Olive garden) comes with a truck takes all the food and sells it in their restaurants. It might be perfectly legal, it's still shitty.
if you produced an infinite, free food duplicating machine, and ran a food kitchen with it, but also saw that Olive Gardens took some of the food, and resold it in their restaurants, would you be just as upset?
It doesn't stop the needy from having the food just because Olive Garden also benefited.
Ok so should Olive Garden be allowed to call the police if I go and take the food from their restaurant without paying? Because you just said they have an infinite supply of it.
I am surprised at the outrage and the choice of adjectives in this thread.
Retool is using faker.js in their app, which is MIT. It also looks like the URLs to fakercloud.com CDN are hardcoded in the library [1] so I doubt this was intentional from the Retool dev.
They even have a shout out for faker.js in the “How we built this” box [2]
Using the fakercloud CDN is the only thing that retool is doing that seems wrong; if those URLs are coded into the library itself, than that's faker'js' mistake, not retool's. Sounds like it could be easily fixed with some clear communication.
Hey Marak, have you compensated the original author of faker yet or are you too busy being much of a drama queen (ref GH bug #1046)? How about that relicencing removing the copyleft and attribution terms?
All other factors aside (I think the responses from David are completely reasonable and bookend this discussion completely).
The enterprise plan for Faker Cloud is $500/month [1]. Retool donate $500/month to Marak [2]. I understand that the donation is not the same as paying for the service. But it seems pretty shitty and greedy for Marak to complain about this, _even if_ Retool were in the wrong (Marak could have tried to resolve the issue with them properly, first, before starting a witch hunt).
Don't bite the hand that feeds you. This sort of thing really disincentivises me from wanting to donate to or use this project. Personally, I would completely support Retool stopping using faker.js and pulling their donation - but of course they can't do that since it'd be a PR nightmare.
EDIT: I see that Open Collective reports that Retool's donation to faker.js has been cancelled. I assume that it will be reinstated per David's comment [3]. But as I said above I wouldn't blame them for cancelling it.
It is MIT licensed so theres nothing wrong them reselling faker but the stuff theyre doing here looks quite dodgy.
I am a user of retool but for companies with access to your data you expect a bit of integrity. Would be really interested to know what retools response is.
You should follow up a couple of weeks from now on HN if nothing happens.
All of these stories in the last few months about big tech companies "abusing" open source software is straight out of /r/leopardsatemyface. "I want to build an open source project with a license that lets anyone use it any way they want for free! No, don't use it like that!"
faker.js - the MIT licensed free software - generates links to fakercloud.com. The error is in faker.js creating links to a paid-service CDN, not in how Retool is using the MIT licensed software.
I think the main problem is Retool is using the faker cloud api directly behind the scene (?) and the generated data is hosted on the faker cloud CDN (?).
It's MIT licensed. If they're actually reselling the API (and not hosting their own instance) then it could potentially be in violation of the terms of service, but that's it.
Using images from Faker's CDN is scummy and potentially illegal, but fairly minor overall.
If you are using images that someone else createdbwithout permission or license that is copyright infringement. If you are also using data created from a service and use it in your product again without permission or license this is also copyright infringement.
I have been seeing a lot of Retool lately on my Facebook News feed.
What's amazing to me is that they're using his CDN. Does this company have such terrible code review that they forgot to use their own CDN? Definitely makes me think twice about the quality of Retool's software.
I think Retool is in the wrong, though I also think your emails were quite indirect.
Better to be direct. I think it's very possible the CEO did not fully internalize what you were implying by stating they're using your CDN, etc, and instead it just seemed like a sales email.
This feels gross. The kind of people who read HN see a headline or read this post and will immediately assume it's all true without caring to hear the other side of the story. Somehow the author thought the best course of action would be to publicly call them out instead of just taking sensible technical measures to stop it. Talk about burning bridges. Tarnishing their image in the eyes of people who will never see the follow up, other side of the story, or retraction to this is very irresponsible.
For simple create-and-forget or true community-focused serverside software, I no longer see any reason for using anything other than AGPL.
For serverside software I want to monetize (so maintaining the software is sustainable, and so I can support myself) I'm increasingly leaning towards things like the Business Source License. I like that it allows pretty much everything e.g. Apache 2 does without allowing other companies to just rob me of my monetization strategy. Yes, it is not open source. But it allows others to self host my software and paves a way for the software to be _eventually_ open source.
Honestly, it's time for people to realize that companies are the primary beneficiaries of open source, for server side software, and react accordingly. For me, software is about allowing others see my code and use it for their own purposes. I don't make software so for profit companies can screw me over.
The idealism of open source in the server side space only serves large corporations. Go extreme copy left or go source-available or enjoy working for free.
Ditto. I was eager to set up a manufacturing sector client with Retool this coming week, but holy shit, assholes acting with impunity like this is infuriating, and I'm putting in extra time to try to find an alternative. Open to suggestions
No, it is not. That being said, I certainly would move to another service if they don’t make it right. However, I also run a business and don’t make knee-jerk reactions to cancel support services on a Saturday evening without giving any sort of time for the provider to respond.
Always amazes me how intent people are at trying to frame comments in the least charitable way possible. We all support this person getting paid for their work. End of story.
Says the guy who took the original GPL faker code, translated it to javascript, changed the license to MIT, started as drama queen wondering why he didn't get paid for it, started a commercial service around it, and then found out, no this doesn't work out with MIT licensed code, which doesn't need support nor extensions.
Monetizing open source code is normally not problematic at all.
Time to go back to Stallmanism and license with GPL or AGPL. Besides using your own cloud service (obviously terrible) there’s no theft of “Intellectual Property” when someone takes your MIT licensed code and sells it under their own name.
For when Retool’s team inevitably reads through this: compensate for, and fix this. Until I can see genuine efforts made to repair this situation, I’ve cancelled my account. Shame.
Looks like this hasn't happened to him for the first time either. First page results for faker.js show how he has been ripped off before too(1). Really sad how big companies abuse OSS.
He needs to figure out if he wants to be paid or not. Offering a free product and support and then complaining people don’t pay you is honestly fucking weird.
Retool operates within their own budget, not with the budget of the US tech world.
How many other OSS libraries are they using? If Retool should get 10x that amount, how much should they be paying out to every other library author that published an open source/free-as-in-freedom library?
I'm sure Retool can afford to pay for their use of Faker, but this divide between "the poor individual" and "the rich with infinite money" that has become culturally accepted in society is pulling us farther and farther away from truth.
Can't blame Retool for deciding $500 is adequate, when the author's advertised price for Faker is $0.
It's like something out of Curb Your Enthusiasm: "I don't want money" means "I want money". And "anything helps" means "actually anything below UNSPECIFIED AMOUNT is insulting". Like, how the F do you deal with such people? It's just bait and switch blackmail.
You’re assuming things he didn’t say. He didn’t investigate that in depth. All we saw is the hosted images. Which is wrong, but most likely a mistake done by the devs charged with copying him.
And you’re being incredibly charitable to Retool, who haven’t even said their side of the story.
Those URLs don’t create themselves. It looks to be using a hash of some sort, which means it needs to be something generating them, it’s not just them appending a hash to https://fakercloud.com. And even if it were, why use fakercloud, a paid service that you don’t subscribe to, and not your own?
In either case, your original complaint is that the author can’t decide between working for free or paid. It’s clear that isn’t the case considering, as I pointed out, they have a cloud service that’s paid. They clearly have figured out some way to be paid for their work.
And I’m not charitable to retool. They’re opportunists. But they were provided with a screaming opportunity here.
It’s like getting naked, rubbing some condiments on yourself, going to the woods and screaming EAT ME. Eventually something will start chewing on you, and then you start whining about how unfair life is? Please.
He should have licensed it under AGPL, or chosen a non-free license. His problem was wanting the benefits of open-sourcing his code without wanting the detriments. That said, Retool using images hosted from his own site is pretty scummy.
I mean, actually using Goatse here would probably be a bad idea, but what I really meant by my comment is "maybe you ought to treat this like any other hotlinking abuse situation, for which there are many commonly employed mitigations."
Serving shock images or other rude content is just the particular mitigation that makes me giggle.
I think the “professional” way to handle this is to implement API keys and rate limit requests without API keys heavily. (Possibly putting a link to your pricing page in the “too many requests” header.)
I completely agree, making money writing software is so convoluted. Like, why can't I submit my work to a publisher like all the other authors do? Where are the software publishing companies? Instead, we're expected to also come up with a business model around our software. Then, surprise, you find yourself not really writing software anymore because all of your energy is spent running this business thing you set up just so you could support yourself so you could be a soft..ware...writer. oops. It's a bummer man. Like, yeah, you probably shouldn't have used the MIT license, but like, we have to be lawyers too now? GD.
Yeah, I mean this story sucks, I feel for the creator. But my gut is telling me this is a perfect example we all shouldn’t just default to MIT license out of the ‘goodness of our hearts’.
Honestly that’s why part of the reason why I posted this here. If this made HN Frontend page I feel like they’re gonna notice and have to respond, a lot of potential customers reside on this forum
would it be possible to require a session token or some other secret in order for images from fakercloud.com to resolve? I know of a few services that do this for map tiles to prevent scraping or hot linking.
Maybe "union" isn't the right word, but I feel it could be a powerful force if a group created a github app for solidarity amongst maintainers, that hundreds of FOSS maintainers could authorize to submit license-related PRs against their projects. It could collectivize and streamline the effort of swapping or amending licenses, and seeking permission from contributors for such changes.
How impactful might it be if the "union" could exercise the threat of a banhammer of sorts, so that (at least in theory) in one fell swoop, it could initiate a license clause that targeted very specific conditions (e.g., "Fortune 500 companies no longer get free license"), or maybe even singling out very specific companies in particularly egregious situations.
I wonder if the threat of solidarity amongst FOSS maintainers and consequences would lead to companies starting to play it safe and simply start being better stewards
Even just the threat of the infrastructure for such a thing existing might have an effect, even if it's very rarely engaged.
I may have missed it but I didn't see anywhere that Retool is paying for a subscription. Even if they are, I'm not sure that entitles them to free use of the Fakercloud CDN.
I have been doing open-source cypress tests dashboard (sorry-cypress) for more than 2 years. It's been used by big names, saving $$$ for those companies.
Now I have launched https://currents.dev, which is based on (MIT-licensed) sorry-cypress, which resembles (paid) Cypress Dashboard, that monetizes (MIT-licensed) cypress tests runner.
Open source software doesn't make money because it isn't designed to make money [1]. Others are able to use faker for profit without owing anything to faker because faker gives them license to do so [2].
You use a hammer to set a nail in wood, you don't use a feather. If you try and fail to set a nail in wood with a feather, then the problem isn't failure to set the nail, the problem is you chose a feather for the job.
If you want to make money with software, then offer/license it in a way that requires payment - problem solved.
The problem here is that there will always be someone who fills problems that aren't extremely specialized or hard to solve with a permissive license. If you use a less permissive license, you simply wouldn't see your code used.
There needs to be some way to balance these interests that do not end up with someone working their ass off for absolutely nothing. Particularly enterprise users of FOSS can afford to pay up. In my experience, developers in those companies want that to happen too, but it simply can't be justified to business.
This will keep going for a few years until every single person willing to put in the work is either burned out or has changed to a more copyleft license. We're starting to see that with less trivial projects already (Databases going BSL, Grafana Labs switching to AGPL)
If they use AGPL, how would they get companies to actually use the software before extorti^w shaming them into paying some money for a product they are licensed to use for free?
Developers: think long and hard about the license that's right for your project before you push out to the world. I can't help but feel that free/open source software has become a lot less altruistic in the era of Github. We gained quantity and quality, but lost something else that's difficult to express: innocence? Not every project needs to be a job/startup/foundation (cue Left-Pad LLC). I daresay, not all projects ought to be monetized, period.
no need to shame everyone, of course if the license is AGPL you won't be asking small users to get a license right away, but it gives you leverage with large companies to justify them doing business with you. I don't think a large company would want a core component to die just because it's no longer mantained, nor they want to dedicate the resources to mantain a fork.
I was being snarky - MIT-/BSD-style licenses are licenses and they grant companies license to use your software, without having to "do business" with author (but companies can be publicly pressured to do so (see the fine article), once they start using said software). The snark is rooted on the fact that large companies avoid AGPL software like a leper - they won't even install it, let alone do business with the author. So anyone hoping to do a long-con is better off avoiding AGPL.
You can change your license, but it's not retroactive, the code released so far keeps the old license (and can be forked from there). Note that it would be unsustainable otherwise, e.g. release as free, force people to pay later
If the code is already fairly mature then the big companies using it can just fork it (and make their new fork entirely closed if they feel like it) and the creator of the original code won't be able to do a thing about it.
If you want to open source something, use a copy left license. GPL or AGPL. Licenses like BSD or MIT are basically putting something in the public domain, to be absorbed into propietary packages
Software companies spend exorbitant amounts of money on e.g. AWS and say they're saving money on engineering, yet they waste engineering time to reinvent the wheel instead of paying something in the ballpark of peanuts to an open source dev. They should be laughed out of the room, and it doesn't matter if they had a legal right to do it.
I don't know much about Linux, but it seems to have good financial support from various corporations. If this thing is really being used by big companies, maybe they need to find out how Linux did it and borrow some lessons from that.
Have you considered just turning it off? Or adding a requirement for API keys and disabling any that they hand out to their customers. It would be pretty embarrassing for a large company that had a service go down because they refused to pay for it.
Just to clear this up here: I am not marak but I do find this behavior very frustrating and even if it’s technically legally it’s really scummy behavior and I want to air it out so we can get the truth
I happen to be in the market for this service and it cropped up when I was doing research and felt it prudent to share with the rest of the industry
One of the things I liked about this submission was its tone: the lack of vindictiveness.
We are quickly made aware that we are reading an article made by the author of faker.js. The facts are laid out, mostly without embellishment. Though we understand the author is biased, they leave it to the reader to form their own conclusion. Overall, I appreciated how I was treated as a reader while reading this piece.
As for the matter at hand: despite the MIT license's permissive attitude in this case, it just speaks to the company being complicit somehow in... I don't know what to call it? Shady-ness? I hope you find a worthwhile resolution.
I see clear vindictiveness laid out in the facts, or at least passive aggressiveness stemming from fear of conflict.
Note that in the initial email spurned on by the actions of the company, the concern with them using the paid service to generate a free service is not mentioned at all. Just a sales pitch for a product. He is lucky he even got a response.
A proper email would have directly addressed the concern the author actually had. But he didn't do that. He didn't say "you guys are using my service to provide it to others for free" he said "hey I see you guys use my product, want to buy it?" And then when they didn't he wrote an article about how they're basically stealing from him.
I have been doing open-source cypress tests dashboard (sorry-cypress) for more than 2 years.
Now I have launched https://currents.dev, which is based on (MIT-licensed) sorry-cypress, which resembles (paid) Cypress Dashboard, that monetizes (MIT-licensed cypress tests runner.
Edit: just did a bit of digging.
It looks like we have a Retool template that has some fake data in it (https://retool.com/api-generator/). This is an app built in Retool, and has a few thousand rows of hard-coded data.
Most of this fake data is self-generated, but we used the faker.js library (https://github.com/marak/Faker.js/) to generate three datatypes: IP address, avatar, and industry. This MIT licensed library, when used, creates data that links directly to fakercloud (https://cdn.fakercloud.com/avatars/). Here is the code itself: https://github.com/Marak/faker.js/blob/master/lib/internet.j..., and here is a demo that shows the library generating those links: https://rawgit.com/Marak/faker.js/master/examples/browser/in....
I just spoke to the engineers who worked on this project, and we are sorry for including links to fakercloud. This wasn’t intentional, and we just pushed a commit removing all avatars from the template. This is already deployed. I hope you all can understand why we trusted the data generated by the MIT licensed project, and didn’t think it would link to anything proprietary.
I myself am an engineer (and avid HN reader, as evinced by how I found this while reading HN on a Sat night), understand Marak’s frustration, and agree that monetizing OSS is hard. While we’ve already contributed around $10k to various libraries we use (https://opencollective.com/retool), including faker.js, Babel, ESLint, and JSON Schema, I’m going to see if there is more we can do. We’ll be writing a blog post about it this week and I will follow up with more next steps. I wonder whether there is a better way of sponsoring OSS, other than just donating dollars every month? (Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily?) In the meantime, we'll certainly continue sponsoring all the libraries we’re sponsoring already, including faker.js.
(Also: I’m sorry to Marak for not responding to his email re. acquiring Faker. More in this child thread: https://news.ycombinator.com/item?id=27252420)