Hacker News new | past | comments | ask | show | jobs | submit login
Project includes a dependancy that has a license that forbids its use (github.com/dapr)
213 points by withinboredom 61 days ago | hide | past | favorite | 234 comments



I love that all the discussion here is about the license I wrote and not about the actual project, which is a completely terrible idea and something I created as a lark.

Why did I not spell this out in the blog post? For my own amusement. I also think it shows that licenses really don't matter all that much as some people think, they are not computer code.


>>> I also think it shows that licenses really don't matter all that much as some people think, they are not computer code.

They matter as long you're willing to enforce them, and have the time and money to do so.

In that case, you may be able to submit some form of take down request to GitHub against that project and other projects who are using your library.

https://github.com/search?q=bouk%2Fmonkey&type=commits

edit: wow, one of the projects that depended on your library was arduino up to 2020. https://github.com/arduino/arduino-cli/commit/09b4e8804fbd61...

edit2: was also used by AWS up to last week when they removed it. https://github.com/awslabs/karpenter/commit/d84365e8c44178ea...


update: hit the jackpot

the library is currently in use by Heroku/SalesForce to build deploy java apps (or something like that) https://github.com/heroku/java-buildpack/blob/master/go.mod

I wonder what sort of settlement you could get if you were to send them a lawyer for real.


They will be happy to cease use of the code.

The damages probably amount to $0. "Don't use this code, no seriously don't" isn't exactly an advertisement of the value it provide.


They may already have, looks like that archived repository has been replaced with: https://github.com/heroku/heroku-buildpack-java

which doesn't even use go.

And they'd like you to even move away from that replacement to an ever newer replacement: https://github.com/heroku/buildpacks-jvm


There could be many reasons for having an injunction against using code.


Welcome to America in one sentence.


I really don't understand this way of thinking


I'm no lawyer, but don't you usually have to show damages?


Damages would be loss of revenue. He was deprived of the ability to negotiate terms of use for payment.

This is why the GPL is more developer friendly than other licenses. If a business doesn't like the GPL you can offer to relicense your code, ... for money. And money is the restitution you seek when the license is violated.


I'm curious how damages would be calculated in a case like this. Obviously you can't get away with saying "I would have charged them $10 billion for this code, so that's what they should owe me." But on the flipside, should they be able to say they wouldn't have been willing to pay anything for it, therefore they owe zero?


I am curious as well. Since it's not a typical work for hire relationship, it could be a (modest) percentage of profits, or a business contracting fee of ~$500k or so.


Statutory damages can apply, but in the US statutory damages for copyright infringement require registering the copyright prior to the infringement.


The blog post and the README both seem to encourage use of the project. And a license that prevents all use including personal is very rare and not exactly in the spirit of GitHub. So I’m curious why both the blog and your README don’t mention explicitly that you don’t want allow use or explain why. Would it be worth putting something at the top of the README?


> And a license that prevents all use including personal is very rare and not exactly in the spirit of GitHub

Non-free licensed code has been on GitHub for quite some time. It's not only about free software and you should not assume so, as in all software.

Edit: changed FOSS to "free"


Just to clarify, FOSS has significant provisions above and beyond allowing personal use. The term non-free is very different from "not allowed to use at all".


Yeap, you're right. There are lots of terms to describe free and non-free software. I meant "free" in any capacity, for clarification.


So what of it? Show me a court verdict that throws the license out of the window because README led you to believe something.

It would be an interesting precedent, forcing companies to comply with everything their advertisements say and doing away with any sort of fine print and ToS. I’m all for it, in fact. Total Ankh-Morporkization!


OP said: "I also think it shows that licenses really don't matter all that much as some people think". I doubt they would be unable to sleep at night because of a license violation.


I'm glad that I can now say that I've contributed Windows support to a project which I probably violated the license of while working on :P

By technicality, the license has been violated by quite a large variety of corporations: Microsoft, AWS, Heroku, Bilibili, Baidu, Apache, Arduino, etc. [0~6], and much much more [7]

Crazy.

[0]: https://github.com/microsoft/bedrock/blob/a0ab244a80a94133cb...

[1]: https://github.com/awslabs/karpenter/pull/609

[2]: https://github.com/heroku/java-buildpack/blob/master/go.mod#...

[3]: https://github.com/bilibili/overlord/blob/b524449801b5411583...

[4]: https://github.com/baidu/openrasp/blob/f992962207bec063eda6f...

[5]: https://github.com/apache/camel-k/issues/2067

[6]: https://github.com/arduino/arduino-cli/issues/740

[7]: https://sourcegraph.com/search?q=context:global+%28bou.ke%7C...


I've considered making a license that is basically MIT/BSD, but requires that anyone using an automated license checking/compliance system (any corporate users) to pay a fee to use the software.


Why do you think that only corporate users use an automated license checking/compliance system?

If you do personal projects that are open source it's equally important to know what licenses your dependencies have if you release those projects to the public.


The primary difference is that as an individual, you can easily add that new licence to your allowlist. In an enterprise, it might be easier to fork over the money rather than convincing legal to allow your use of the software.


License checking is like code coverage. A part of our profession. It is not only for corporate users.


Individuals run license checkers too.

I would describe an end user count, revenue size, etc in order to apply special circumstances to corporations. Drone.io does a great job of this.


Instead of doing that, why not dual-license your program under CC-BY-NC and AGPLv3, and then sell exceptions?


A lot of legal departments have a mental image of AGPL (and GPL) as a bogeyman that will steal all the company's code if allowed anywhere near the building. I've sat through a presentation one time that tried to paint these licenses as something only basement dwellers use for personal projects. I spoke to the presenter afterwards and told them about projects like Linux and Mongo, and how even AGPL is not as scary as they thought.

The lawyer seemed genuinely surprised and said they would read up on it. I'm pretty sure my bringing this up in a friendly manner caused them to question their assumptions. Had I picked a fight during the presentation I'd just be labeled a basement dweller.

However, this lawyer also told me something interesting. To some extent it doesn't matter whether I was able to change his mind. As long as other lawyers in the field have this bogeyman concept in mind, the use of GPL will get flagged in due diligence, etc. and it's easier to simply not use a component with strong copyleft when developing a product (unless it's as irreplaceable as Linux).

This is a long-winded way of saying that selling exceptions will likely scare off potential purchasers long before they are in a position to consider the purchase. Most shops have a blanket "no GPL ever" policy and a dev won't even bother with the component even for a prototype.


My personal experience as a developer and owner is that it is very difficult and time consuming to understand the risks and to comprehend the *GPL licences.

For example, using an LGPL based JavaScript library just leaves me confused every time. I read the LGPL 3.0, read some stack overflow answers, and read the GNU website. Yet I am left without being 100% certain that I can minify the LGPL JavaScript into a single file with my own source code (because JavaScript is not object code, and because sending JavaScript to the browser is distribution).

With BSD/MIT licences everything is clear and less ambiguous, and if I get something wrong then it is usually something easy to fix.

If I were a general counsel, I wouldn’t trust all my developers to follow the GPL licenses properly nor would I trust developers to correctly avoid simple mistakes. A default ban limits liability, reduces risks of negative publicity, and anyone that needs an exception has to justify it.

Idealistically, I love the GPL, and I truely believe in the goal of share and share alike.

Practically I understand why following the *GPL licences is difficult and that it involves multiple risks for a business, and so many commercial businesses sensibly prefer to avoid the costs.


There was a funny Microsoft license for Xlsx.js (a lib that read Excel files in browser): It was allowed to distribute freely… as long as it runs on Windows:

> (F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that (1) are run on a Microsoft Windows operating system product, and (2) are not Excluded Products.

So you could not deliver it on Safari, but also not on Chrome if it ran on Mac.

Aaaand that is why the JSXLSX implementation was developed, exactly the same as xlsx.js but without the restriction.

https://github.com/stephen-hardy/xlsx.js/issues/8


Why not license it so that any individual or business below $X revenue can use it, but others have to pay a fee?


The issue here is that you're a well-poisoner, putting out code that can't be used, as a joke, while also making a popular blog post and making the software easy to use as a library. Now that it's being used, it's also hard for folks to remove your library and implement something similar without it being considered a derivative.

Sure, it's funny, but it's a joke at the expense of everyone else. This is like going to a party and walking up to every person and making a joke at their expense. Were the jokes funny? Maybe. Does everything think you're an asshole? Almost certainly.


If anything, it’s raising awareness of the fact that just because it’s on GitHub doesn’t mean it’s FOSS, and that developers need to pay attention to licensing before snatching someone’s work up for their own personal & commercial benefit.

In this case the license was silly, but if this library had been GPL, it’d still have been a massive violation by most of those big companies, and that’s something we need to pay more attention to.


One important difference is he didn't walk up to anybody, they walked up to him. He owes nothing to anybody, it's not like he ran a media campaign.


He wrote a blog post that was quite popular at the time. He's in this thread explicitly saying he did it for the lulz. The repo doesn't clearly say not to use it, only the license does.

People shouldn't use software without checking the license, but if you're making a joke, for a pattern that's actually something used in the industry, because you believe that pattern is bad, yeah, you should label it a joke.


He's not a well-poisoner, someone just decided to chug from a bottle clearly marked "do not drink".

If someone spends the time to integrate mystery code without taking the time to check the license allows it then frankly they dug that hole themselves.


On the Internet, unless you sprinkle your words with emoticons, it is hard to convey irony or amusement using text alone.

You absolutely have the power to end the controversy by switching to a more mainstream license then adding a clear disclaimer like “use at your own risk”.

GitHub currently lists 465 projects that depend on your library, which means more than a handful of devs find it useful.


I'm all for FOSS, but I fail to see how saying something like "There would be no problem if you accepted to release it with a less restrictive license" differs from saying that to a GPL library developer because proprietary code was found using it. Why should the first be considered "a controversy" but not the second ?


License aren't computer code, they are social code. That matters more, not less, than computer code, at least until we're all disembodied brains in a large VR matrix - because usually people run code for people purposes, not the reverse. Coders frequently ignore this aspect, but not everybody has this luxury.


I see no reason why disembodied brains wouldn’t find a need for social agreements as well, it’s not like the absence of élan vital would cause them to cease being social. The content and mode of expression of those agreements might be quite different, of course.

(We fleshbags could probably use more widespread application and understanding of formal language and notation as well—the most cumbersome description of linear interpolation I’ve ever seen was in the section on a real estate tax hike in the tax code; it had paragraphs! I mean, I feel for those who didn’t have a good time in high-school algebra, but I don’t see how they could reasonably deal with that monstrosity either.)


"Someone told me that each equation I included in the book would halve the sales." -- Stephen Hawking

Algebrophobia apparently is a thing.


Medically, I’m entirely willing to believe there’s an X-phobia for any X. I just doubt this particular one would cut off more people than avoiding unreasonably long phrasing would include (let alone the weird French lingo the English-speaking world seems to insist on), and making a text accessible as is to literally everyone is plainly impossible. For regulations you’ll have to arrange special accommodations for some groups in any case—it’s only a question of which ones; for contracts it’s just another thing to negotiate.

Culturally, yes, and I can’t help but be awed at how stupid and self-inflicted it is. (See “Mathematician’s lament”, et al.) Introducing algebra into legal practice now would probably be a spectacularly bad idea even if it were possible. That’s why I mentioned “more widespread application and understanding of formal language”. Passing this hurdle is a massive ordeal—if I meaningfully contributed to it and knew that, I could probably die a happy man—but, I mean, we were talking disembodied brains in VR here.

By the way, can anyone explain what it is people actually like about A Brief History of Time? I went on to study some of this stuff, but the book appears both unnecessarily convoluted and surprisingly stingy with actual information compared to my preferred pop sci fare. I like me some enigmatic promises of explanations, but Hawking’s were left mostly unfulfilled, or so it seemed to me.


Yeah, I looked at your project, and immediately wondered why the fact that someone merged a patch using it at all wasn't the suspect issue...


Eh, I feel like rewriting function pointers is a pretty standard trick, amusing (and definitely amusing that people are actually using it) but not terribly novel to the audience that finds these hacks amusing. Combined with the fact that the headline and issue is about the license/it takes multiple clicks to even find out what the library does, and it's not surprising that that's the focus.


Someone posted the actual project here: https://news.ycombinator.com/item?id=28266515 - but since both the url and the title of the OP are specifically about the license, it's not surprising that that was the topic.


That's because this thread is specifically about the license.


Well done! It also made me think GitHub should do more to highlight the license in their UI.


[flagged]


"I did it as a lark" has been used as an expression for a long time already, well over a century.

To give a few examples, https://www.google.com/books/edition/The_Boy_s_Own_Annual/X7...

"Sure as goodness, I thought you both did it as a lark", from a book published in 1895, so it's reasonable to assume it was already in some level of common idiom by then. It's unlikely The Boys Own Annual was trail blazing in its use of language.

Or https://www.google.com/books/edition/The_Fortnightly_Review/... from 1929. "D you remember I got certified as a lunatic for trying to make a living by betting that one horse would reach a post before another, I admit it was silly, but I only did it as a lark"

Language changes and evolves over time. You're attempting to be King Canute, except maybe one apparently deluded enough to believe the courtiers, only not as the tide is on the way in, but as the tide is long past and you've almost drowned.

The ship sailed on the point you're making before you were even born.


[flagged]


Does anyone actually use "as a lark" to mean the action was done while being a bird? Common usage these days is for "as a lark" to be effectively synonymous with "on a lark"; thus it would be more useful/helpful for people to be familiar with this variation of the common idiom.


"On a lark" is something I (a native English speaker, from London, which is in England, after which the language is named) have never heard or seen written -- anywhere -- before your ill-considered and wholly-incorrect posts on this thread.

Shush.


Not sure why new information has provoked such a personal response from you. As a native English speaker from London, have you heard of “as a lark”?


Usually in British English (Yorkshire, might vary by region), I just hear "It is/was/will be a lark", so I'm not sure if either is particularly common. However, I've definitely come across people using "as a lark", whereas I can't recall hearing "on a lark". I've seen it used in text, but I'm not sure how many were from British English speakers.


Merriam-Webster and Cambridge both use "as a lark" in their online dictionaries:

> on/as a lark idiom

> US, informal

> just as a way to have fun

> She entered the race on/as a lark.

https://www.merriam-webster.com/dictionary/as%20a%20lark

> lark noun [C] (ACTIVITY)

> an activity done for enjoyment or amusement:

> He started hang-gliding years ago as a lark.

https://dictionary.cambridge.org/dictionary/english/lark (definition from the Cambridge Academic Content Dictionary)


For all extensive porpoises it means the same thing }:^)>


Never seen that before: your coinage? If so I hope your license is a little more free than the OP's: I intend using it when I can get away with it.


Where on earth did you get that notion from? Just because you use a particular phrase does not make it the only or the definitive version.

On a lark, for a lark, as a lark, larking about, and so on are all common. It's not some obscure quotation or meaning, it's just a simile comparing with the bird (perceived as happy).


https://grammarist.com/phrase/on-a-lark/

The “lark” in the idiom “on a lark” has nothing to do with a simile to birds. It derives from an old Norse word which means “to play.” https://en.wiktionary.org/wiki/lark#Etymology_2

Using correct terms helps to communicate effectively. What is wrong with promoting correct use of English? I always appreciate it when my coworkers promote correct programming idioms to me, it helps me become a better programmer.


> Using correct terms helps to communicate effectively. What is wrong with promoting correct use of English?

As has been mentioned elsewhere, language is constantly changing. It isn't even that slow of a process. As a result the vast majority of linguists view linguistics as a descriptive rather than prescriptive science. The "prescriptive" approach to linguistics is much more common among teachers but hopefully that is also being tempered.

The reason why this matters is because prescriptive approaches to language have a long history of being used to enforce class, ethnicity and geography based discrimination.

I think there is a fine line to walk here. If you are going to fight against the changing of language, you need a good reason. I personally really dislike the confusion of "literal" and "figurative" (where "literal" now figuratively means "figurative") because it clearlt reduces the expressivity of the language. In contrast, the advent of "irregardless" doesn't reduce the expressivity of the language (though it foes add some minor complexity as it is an annoying exception in the meaning of the "ir" prefix.) Similarly, the common use of "me" instead of "I" in "and" clauses is commonly touted as a misuse of language even though I have never encountered as usage where it added ambiguity and is extremely common. I've had people tell me they take it as a marker of low intelligence while those same people will make a very similar mistake by switching "me" for "myself" in and clauses.

I do think there is value in teaching people about the historical and cross-cultural uses of language, as this increases our ability to understand eachother. I also think there are times where we should push back against language shifts that descrease the effectiveness of the language. However, I think it has to be done with care to avoid perpetuating injustice and becoming irrelevant as the real language in use shifts.

In your particular case, you seem to be denying the existence of fairly commonly used phrases that don't actually have any negative impact on the information carrying ability of the language.


> prescriptive approaches to language have a long history of being used to enforce class, ethnicity and geography based discrimination.

This is a sloppy argument. Nothing about teaching correct English enforces discrimination and in fact it does the opposite by leveling the playing field.

If one day teachers stopped teaching grammar, that would only worsen the linguistic shift across the races and classes, allowing them to more easily discriminate between each other.

Even if you want to erase the idea that there is a “correct” English, the inevitable presence of the differences in speech will regress the concept to “my tribe’s English” and eventually “my tribe’s language.”

Teaching and promoting a standard and correct English promotes a more liberal society. I’m puzzled that sloppy arguments like the one you made above continually permeate culture when it only takes a few logical steps to see how it results in an outcome opposite to what you want.


> “my tribe’s English”

That's where we are already. What you propose is forcing the other tribes to speak your tribe's english.

I am not saying that there aren't advatages to teaching people about other tribe's dialects. If you combine that with inclusive policies you can merge dialects. When you enforce a specific dialect, then you exclude and alienate speakers of other dialects and this will INCREASE linguistic drift.

I see nothing sloppy about my argument and I don't think that particular word (especially when you make no effort to explain what is "sloppy") is more of an ad hominem attack than perhaps you intended.


It’s sloppy because it’s just a regurgitation of a talking point that has no logical basis. You and I both know that not teaching a standard English or pretending like one does not exist would only worsen language-based discrimination.

> When you enforce a specific dialect, then you exclude and alienate speakers of other dialects and this will INCREASE linguistic drift.

How exactly would that happen? It would provide a means for other dialects to adopt the standard dialect and communicate with the wider community. That’s the opposite of increasing linguistic drift. In the situation you’re suggesting, you’re expecting everyone to understand and communicate in every other dialect simultaneously. That’s just an unrealistic expectation.

> That's where we are already. What you propose is forcing the other tribes to speak your tribe's english.

I propose everyone who desires to participate in the English-speaking world voluntarily unite and find consensus under standard English. Stop taking something personally that isn’t personal and speak the standard English so that we may all better communicate and information can more freely disseminate across more populations.

Imagine if people started making the argument that correcting incorrect Python was racist/classist and people should just start forking Python if they do not like standard Python. That would be silly yet that is what you are suggesting. Obviously having a single agreed-upon dialect of Python is beneficial to everyone and it shouldn’t be personally offensive to recommend that people program in standard Python.


> It’s sloppy because it’s just a regurgitation of a talking point that has no logical basis.

It definitely is not a talking point. This is a stance I have arrived at after studying linguistics, philosohy of language and psychology then doing lots of traveling and spending over a decade thinking about it, all as someone who is inclined towards engaging in language pedantry. If there are errors in reasoning, those errors are mine since it is a stance I arrived at without hearing it from other people.

> How exactly would that happen?

How it always happens? How much time have you spend in multi-lingual contexts? How do you think creols and slang develope? Language naturally evolves to fit the needs of people who use it.

> I propose everyone who desires to participate in the English-speaking world voluntarily unite and find consensus under standard English.

Who decides what is standard? Can the standard change? Is it fair to set that standard as something that one group learns at home and another group has to study and practice to use?

> Stop taking something personally that isn’t personal

It's hard to get more personal than the language you think in and use to talk to the people closest to you.

> we may all better communicate and information can more freely disseminate across more populations.

You say "we", but the "we" for whom it is easier is limited to the people that already speak the annoited "correct" dialect.

> Imagine if people started making the argument that correcting incorrect Python was racist/classist and people should just start forking Python if they do not like standard Python.

Programming "languages" aren't actually languages in any sense that makes your argument here have any value. Programming "languages" are actually complicated mathematical notations. Funnily enough, your example, python, actually has two versions in use. If everyone refused to use python 3 because it was "bad python" then the communtiy would have been worse off.

The fundemental problem with your position is that it is inherently hypocritical, arbitrary and self-serving. You distinguish between the age of "as a lark" and "on a lark" based on an arbirary point in time. There are plenty of idioms / meanings that are younger than "as a lark" but that you hypocritically would accept as just fine. For example, you use the term "forking" in a manner that is both semantically and grammatically very new. If a word or usage arises as part of your dialect, it automatically becomes part of the "standard", but if it arises in the dialect of an outgroup then it qualifies as "incorrect english".

I am not opposed to developing language standards, but those standards need to be both responsive to shifts in the language and inclusive for a wide range of dialects. Ideally you can also teach this standard without impicitly judging people as stupid and uneducated when they use their native dialect. You also need to be careful about using adherence to this standard as a gatekeeper to prevent people from having equal opportunities.


>> How exactly would that happen?

> How it always happens? How much time have you spend in multi-lingual contexts? How do you think creols and slang develope? Language naturally evolves to fit the needs of people who use it.

This is a failure to demonstrate how promoting language standards may result in increased discrimination.

Again, whether a language standard is promoted or not, people will discriminate against others who differ from them. The existence of a language standard removes the confusion and ambiguity as to what the correct form of the language is. This enables everyone to participate in the usage of the language equally.

> Funnily enough, your example, python, actually has two versions in use. If everyone refused to use python 3 because it was "bad python" then the communtiy would have been worse off.

Right and it took an official body with authority over the language to get everyone to reunite over Python 3. If no official body stepped up and no standard version was declared, there may still be large fragmentation between Python 2 and 3. Everyone clearly understands fragmentation of a language community is a stark negative. You are suggesting we pretend that a standard form of English does not exist which would only result in further fragmentation of English, which just as in Python, would be a bad thing for the community at large.

> Ideally you can also teach this standard without impicitly judging people as stupid and uneducated when they use their native dialect.

No one in this thread ever suggested using language standards for this purpose. And again, the existence of a language standard is largely orthogonal to this phenomenon. Judging people as stupid comes from differences in people, not language standards. In the absence of the existence of a “correct English” the judgements would transition from “you are not speaking correct English” (which is shared by all) to “you are not speaking my tribe’s English” (which is unique to a single tribe and would be a lot more tribally divisive).

> Who decides what is standard?

Whoever is the appropriate authority of the language. It could be a national government or an academic organization. Language standardization isn’t a new concept, nearly all European languages have gone through a standardization phase. It’s a solved problem. This is the equivalent of saying we can’t standardize Python because there is no obvious way to decide who is allowed to standardize it. That is just silly. Either an interested committee will form or a pre-existing authority will take on the responsibility.


> This is a failure to demonstrate how promoting language standards may result in increased discrimination.

It does that right now, no "may" about it.

> Again, whether a language standard is promoted or not, people will discriminate against others who differ from them.

"Promoted" is a too nice a word when the reality is that the standard is used limit the opportunities of people who don't follow the standard.

> You are suggesting we pretend that a standard form of English does not exist

It doesn't exist. There is no single standard English, there isn't even a standard set of spellings for English.

> Judging people as stupid comes from differences in people, not language standards.

I've literally had people tell that they assume someone is stupider if they use the "me" instead of "I" in an "and" clause.

> Whoever is the appropriate authority of the language. It could be a national government or an academic organization. Language standardization isn’t a new concept, nearly all European languages have gone through a standardization phase.

There is no such authority for English, so there is no standard?

Also, "standardisation" didn't work for German or Spanish (the other two European languages I speak) as local dialects diverge significantly from the "official standard". It is far from "solved".

> This is the equivalent of saying we can’t standardize Python because there is no obvious way to decide who is allowed to standardize it.

That isn't what I said at all.

> In the absence of the existence of a “correct English” the judgements would transition from “you are not speaking correct English” (which is shared by all) to “you are not speaking my tribe’s English” (which is unique to a single tribe and would be a lot more tribally divisive).

Those judgements already happen. Teaching people about each other's dialects would make them less foriegn and lead to less judgement and better understanding.

When you take that position that there is "one correct English", that makes it harder to encourage people to learn each other's dialects and it encourages discrimination against people whose dialects differ more from the one correct English.

Finally, I'll repeat myself: I am not wholey opposed to language standards on principle. A good language standard would be determined inclusive organization that is representative of all its speakers, would be a living standard that changes as the underlying language and it's dialects change (i.e descriptive), and would understood as common reference point for communication rather than as the one correct way of using that language ( i.e. not proscriptive).

English does not have such a such a standard and other language standards I am aware of are not super effective and tend to be rather eurocentric and not inclusive of their broader populations.


>> This is a failure to demonstrate how promoting language standards may result in increased discrimination.

> It does that right now, no "may" about it.

If language standards indeed cause discrimination, please demonstrate how. Otherwise this is a baseless claim.

> I've literally had people tell that they assume someone is stupider if they use the "me" instead of "I" in an "and" clause.

So you think if a standard English did not exist, then people would no longer judge others who speak differently from them as stupid?

> A good language standard would be determined inclusive organization that is representative of all its speakers, would be a living standard that changes as the underlying language and it's dialects change (i.e descriptive), and would understood as common reference point for communication rather than as the one correct way of using that language ( i.e. not proscriptive).

Right so you support the idea of a language standard, likely for all the benefits I’ve listed, except when people use them to make other people feel bad. Just a note to everyone reading this: the subject of making people feel bad is a social phenomenon that is entirely orthogonal to whether or not a language standard is “proscriptive.” The term he is looking for is “normative” and all standards, language or not, must be normative to a degree.


> If language standards indeed cause discrimination, please demonstrate how. Otherwise this is a baseless claim.

That wasn't my claim. My claim was that prescriptive approaches to language facilitate and magnify discrimination and have historically frequently been used to justify and enforce discrimination. You can look at how regional UK dialects affect employability and education outcomes. You can look at the way speakers of the ebonics dialect have been forces to learn to change not just their dialect but their accent to get jobs. There is such a wealth of examples of the roles that language plays in descrimination that suggesting otherwise seems odd to me.

> So you think if a standard English did not exist, then people would no longer judge others who speak differently from them as stupid?

I think if we encouraged people to gain more exposure to other dialects in school and didn't teach people that those dialects are wrong then there would be less judging of people based on how they speak rather than what they are saying.

> Right so you support the idea of a language standard, likely for all the benefits I’ve listed, except when people use them to make other people feel bad.

That is not what I said. I might support a standard, depending on how that standard is determined, how it is promoted and how flexible it is to change.

My concerns with linguistic standards has nothing to do with "making people feel bad" and everything to do with denying opportunities to people. I've stated this repeatedly so I'm not sure why this isn't getting through...

> The term he is looking for is “normative” and all standards, language or not, must be normative to a degree.

No, the term is the one I used originally but then mistyped in my last response "prescriptive" ("proscriptive" is the opposite, telling people what not to do rather than what what to do.)

"Normative" and "prescriptive" are similar but distinct terms. When you tell people how to speak, that is prescriptive, when you judge people based on how they speak, that is normative. So in my view, prescriptive linguistics encourages normative behaviors around language.


> You can look at how regional UK dialects affect employability and education outcomes.

If you apply for a job in China and you only speak broken Chinese, resembling a pidgin language, it’s not “discrimination” if you are not hired. Similarly, if you apply to a position where you are expected to speak standard English and you only speak a lesser known dialect, that is not discrimination either. It’s not meeting job requirements. Yes it’s unfortunate that those who don’t have the skill of speaking standard English cannot obtain those jobs, just as it’s unfortunate non-Chinese speakers cannot obtain jobs in Chinese-speaking areas. The good news is that we have brains that are capable of learning new skills.

> My claim was that prescriptive approaches to language facilitate and magnify discrimination and have historically frequently been used to justify and enforce discrimination.

This is just false. Discrimination is a social phenomenon that itself is causal to your so-called prescriptive approach to language, not the other way around. In other words, the pre-existing discriminatory attitude causes the exclusionary behavior in language not vice versa. It’s silly to blame racism/classism on the promotion of correct English. Especially when the existence of a standard for correct English makes it clear and unambiguous for new people entering the English-speaking world how they can most effectively communicate with existing English speakers.


> just as it’s unfortunate non-Chinese speakers cannot obtain jobs in Chinese-speaking areas

Except the dialects are often local to the places where the opportunities are being sought and can exist due to a long history of racism driven segregation...so you analogy is completely erroneous.

> In other words, the pre-existing discriminatory attitude causes the exclusionary behavior in language not vice versa.

I'm glad to hear you admit alteast part of this. If you grant that discrimination leads to some language prescriptions, is it that hard to see how those prescriptions, when used normatively by people with no intention of racism, can end up perpetuating the exact racist attitudes that lead to the creation of those language prescriptions?

This is precisely my point: this history and the current reality means that we should be care about how and when it is worth spreading prescriptive approaches to language, ideally limiting it to times when ambiguity is created or meaning is lost.


> Except the dialects are often local to the places where the opportunities are being sought and can exist due to a long history of racism driven segregation...so you analogy is completely erroneous.

“Local” is totally subjective. The core point is that requiring that a job application speaks in a certain manner is not necessarily unjust and likely in the vast majority of cases is a pragmatic matter. Language / dialect is not an intrinsic property of someone’s identity. People are able to learn new accents, dialects, and languages. Accents being the easiest to learn. It’s not a protected class. The existence of a standard makes it easier for newcomers to learn the language.

> If you grant that discrimination leads to some language prescriptions, is it that hard to see how those prescriptions, when used normatively by people with no intention of racism, can end up perpetuating the exact racist attitudes that lead to the creation of those language prescriptions?

No, that’s nonsense. If someone’s feelings are unintentionally hurt because they are made aware that their English is not correct, that is not racism.


Rant all you want, but if P.G.Wodehouse uses a phrase it's good enough for me.


P.G.Wodehouse cites “for a lark” which is correct. He does not cite “as a lark” nor does your other source.


Note that your etymology link agrees with mine (via skylark).

OED cites P.G.Wodehouse (for a lark), and J.Krantz (of a lark).


The homophone with lark (the bird) likely reinforced the idiom but was probably not the origin of it. “For a lark” is correct as well, OED does not cite “as a lark.”

The phrase “as a lark” probably emerges as a mixture of “as a joke” and “on a lark.”


From the explaining blog post [0]

> If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here.

Also

> Wrapping it up in a nice library

> I took the above code and put it in an easy to use library. It supports 32 bit, reversing patches, and patching instance methods. I wrote a couple of examples and put those in the README.

Then in the README[1]:

> Make sure you read the notes at the bottom of the README if you intend to use this library.

Either the author is confused or has decided that he doesn't want to maintain an hack. Anyway license is pretty clear.

There was an HN thread[2] when it was released.

[0] https://bou.ke/blog/monkey-patching-in-go/

[1] https://github.com/bouk/monkey

[2] https://news.ycombinator.com/item?id=9290917


The author is not confused, it's like an actually enforcable version of "use it at your own risk" because it includes legal risk. It's clever and funny


Gonna have to disagree that it's funny.


Why not? Do you feel entitled to a warranty?


I just don't think "here's a neat thing... tee-hee you can't use it!" Is funny. I don't know if "neener neener" was ever funny to me, even as a child. I understand that it's important to you to bandy about "subtle" accusations by using words like "entitle" so you can feel like you have a point, but there's nothing more there. If I felt entitled I would just ignore the license and use the code anyway.


I have no idea what you’re talking about.


I have a hard time believing that the word "entitle" was accompanied by no judgement, but if not, then I apologize for making assumptions. I find feelings of entitlement to be largely the result of selfishness or delusion, and so when I hear it applied to me, that's what I think is being said.


It's satirical


It seems that you're not interested in suing anyone over this. However, you still don't give people permission to use, not even in small throwaway tests. Which is fair.

But your blog post[0] language suggests that you are okay with and even incentivizes people trying this out (even if trying it out might be technically illegal, because it infringes your rights).

I think you should have mentioned something about the license in your blog post. As it stands, "If you’re not interested in how it works and you just want to do monkey patching, then you can find the library here." is misleading. If the user wants to do monkey patching, they better not look at your code and program their own solution.

[0] https://bou.ke/blog/monkey-patching-in-go/


Pretty funny right?


Not really. The JSLint license is funny because objecting to the "The Software shall be used for Good, not Evil." requirement looks like an admission of malintent. Doubly funny that it compelled IBM to ask for explicit permission to use JSLint for evil.

Your project, on the other hand, just looks like it was designed to waste people's time. Congrats I guess?


No, don't screw around with people legally. It makes you look dishonest.


He does not look dishonest. He looks like the hero we all deserve. Dial it back a bit, would you?


I think his satire is excellent. Look at how these silly licenses are simultaneously taken very serious and frankly not taken seriously at all. I think he has proven something really quite interesting, and in a pretty amusing way.


How is he screwing around with anyone legally? Has anyone been sued over this? Most of this stuff is unenforceable in any meaningful way. Worst case is really some nasty emails.


I think so. There is also second-order funnyness from all of the very serious nerds who don't find it funny at all. I'm loving it ahah!


Not in the slightest, but I guess that’s your kick.


I mean you trolled a lot of devs and they are now salty over this silly thing and uhmm I think it's my poor sense of humor but I don't usually find practical jokes that funny.


I found it really funny!


Has anyone ever tested in court whether a license has to be made in good faith to be binding?


Well, if it isn't binding, then there's no right to reuse it (beyond certain fair use exceptions) under the copyright law that applies by default.

For me the question is whether the misleading blog post would be found by a court to be an implicit license separate from the one in the codebase. My guess is that it would depend on several factors including the specific circumstances of the accused infringer and the specifics of contract/copyright law in the relevant jurisdiction, but probably at least sometimes yes.


TIL something can be implicitly licensed. Well the term is implied license https://en.wikipedia.org/wiki/Implied_license


An open source licence generally only gives additional rights. If it's not binding, then default copyright would apply, meaning you're still not allowed to use it.


Yes, I had a chortle, particularly at the reactions in this thread. :D

Though I'm an anarchist who thinks people give the law as written far too much weight. (As opposed to what the population as a whole thinks is good or bad)


What is it satirizing?

Or is this just a post-hoc "its just a joke bro. Y u mad?"

Regardless, its your code, do what you want.


Ding ding ding. There is no satire to be found here.


Have you checked how many projects depend on Monkey? It seems the blog post has been translated and reposted many times. Satire does not translate well.


Satire doesn't work very well on the internet in textual context. That's why emoticons were invented.


It crossed my mind...

Thanks for chiming in and clear the misunderstanding.


You can also check the revision dates and see that the license was updated a year after the readme, which would imply any encouraging language in the readme is simply out of date.


Presumably revision 697673d58359af7ebdcad66f99b81d011359d8ef and earlier is perfectly fine to use, lacking a LICENSE.txt and with the README encouraging use


If no license is present, the default is actually “all rights reserved.” This is the same level of restriction.

https://choosealicense.com/no-permission/


That said,

> If you publish your source code in a public repository on GitHub, according to the Terms of Service, other users of GitHub have the right to view and fork your repository.

https://docs.github.com/en/github/creating-cloning-and-archi...


The actual term (D.5 from https://docs.github.com/en/github/site-policy/github-terms-o... )

> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).

> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users.

This allows you to browse and use the fork button to create a repository. It's unclear if the second paragraph is clarifying, or adding to the first term. If it's additive, then you might also have permission to host your own private repo off service.

Nowhere does it give you a license to _use_ the contents of the repository in your software. Nor does it allow you to publish the contents outside github - the first paragraph does not address publishing, and the second makes it clear that paragraph only applies "through Github's functionality".


> Nowhere does it give you a license to _use_ the contents of the repository in your software. Nor does it allow you to publish the contents outside github

To clarify, I did not mean to say that it does; I merely wanted to make people aware of the fact that some "default" restrictions are lifted when you publish on GitHub (just like when I type this comment on HN).


The idea that the Github terms of service negate "All rights reserved" in any public repository is a bold claim indeed.


You're granting GitHub the right to display your content to other users, and to make additional copies of it ("forks"). Those seem like reasonable rights to assign to Github when agreeing to their terms of service. I think it's completely clear that putting "all rights reserved" doesn't allow you to opt out of certain parts of the ToS, any more than the "I do not allow Facebook to use my content..." pseudo-legalese borderline-sovereign-citizen nonsense that goes viral every time Facebook change their privacy policy.


Side note, but for all the people saying this is absolutely godawful and the license is OK because no one in their right mind would use it in production, this project from MS does basically the same thing: https://www.microsoft.com/en-us/research/project/detours/

Recently open sourced, but has been used for twenty years in real products from MS and others. It's not so crazy as you might think!

An example of a real use I had for it: redirecting messages from OutputDebugString to a log file. AFAIK that is the best way to do it, when you only want the output from your one process. "Why not just call a proper logging function directly instead?" Because the OutputDebugString calls were coming from inside my GPU driver. Real life is not some ivory tower of perfection. An imperfect world requires imperfect solutions.


I've done a lot of work with Detours and have written my own trampoline injection thingies in Python and Ruby, and this approach is not really a reasonable way to build production software. A proof-of-concept Detours implementation posted as an illustration for an amusing blog post may be the most perfect possible use case for a "you are not allowed to use this for anything" license, maybe rivaled only by the code you post for a cipher you designed yourself.


The key difference being that Detours is a library written by Microsoft engineers with access to the Win32 team and the ability (if not drive) to ensure that Detours functions correctly as changes are made. Those changes are also probably pretty rare, given Win32’s famously stable ABI.

This library patches a third party runtime, one that explicitly forbids this kind of instrumentation and has a famously unstable ABI.

You can do whatever you want to get your job done, and this is certainly one way to do it, but it’s absolutely a dangerous hack.


To anyone else confused as I was, "this project from MS does basically the same thing" is referring to monkeypatching a running executable, not having a license that forbids use of the software.


Quite an unusual, but effective, way to mark something as a proof of concept that's dangerous to use:

From [1]: "This is as unsafe as it sounds and I don't recommend anyone do it outside of a testing environment."

[1]: https://github.com/bouk/monkey#i-thought-that-monkeypatching...


> … I don't recommend anyone do it outside of a testing environment.

… which is exactly dow it is used in dapr

> This is only used in the test (and thus not.compiled and distributed in our binaries).

(source: https://github.com/dapr/dapr/issues/3563#issuecomment-901563...)


> > … I don't recommend anyone do it outside of a testing environment.

> … which is exactly dow it is used in dapr

Eh... There's a difference between "a testing environment" as used in that quote and "as part of an automated test" as you mean here.

To me the former implies an experimental and/or ad-hoc environment, while the latter implies a stable, production environment.


There's a teeny bit of a difference between using it to explore monkey patching a go executable and using in the test suite of a released project.


You don't have the right to use it, even in a testing environment. The license denys you the right to use it.


Yes, but at the same time demonstrates the code clearly so you could implement it yourself. I'd say this is code sharing aiming at zero reuse.


What worries me the most about these comments is: 1) how many software developers that do not understand how licenses and copyright work 2) how many software developers that feel entitled to use someone else's code and default to feeling offended when they feel they've been mislead 3) how many software developers that are not focusing on the most important thing, which is how embarrassed you should be that you imported this code in your codebase to begin with.


I wholeheartedly agree. It feels a bit like a debate about speed limits: "I'm really only a couple kph/mph over it. The speed limit here is stupid anyway."

I am however glad this issue came up. The author does not appear to want to screw anyone over legally on this - so why not take it as a lesson learned and go from there?


No problem, just start typing code like it and let Github Copilot handle the rest


Even better, Fairuseify[1] will repackage a fair-use version of the library for you automatically.

[1]: https://fairuseify.ml/


Ingenious!

It only needs some build-in YouTube and Getty-Images browser to select fairuseify targets. (It should work for all kind of media, of course).

I think we've solved the copyright issue right now finally for good, didn't we?


I never imagined that there would be a license designed so that only copyright violators have access to your project, but I support it and will probably use it. Any project I write that I think would be useful but is bad and I would never want to see shitting up Debian repos might get this.

I like a license that says that I reserve the right to sue whoever I feel like suing. If you use it, make sure I don't feel like suing you (e.g. make no money) or that I can't catch you (i.e. be an outlaw.)


One of the best things about people in software is (in my perception) they tend to want to share and share alike with open source and open licenses. Paid licenses also make sense to me, but it really bums me out in a way that I can't fully atriculate that the "neener neener" license is also apparently appealing to some people.


License reads:

> "Copyright Bouke van der Bijl

I do not give anyone permissions to use this tool for any purpose. Don't use it.

I’m not interested in changing this license. Please don’t ask. "

Used by counter on GitHub is at 464. The way it's worded would imply that they are all violating the license? How can this be enforced for inconsequential small pet projects? Is this really something to worry about, particularly with what (seems to me) to be a sort-of spurious license?


Yes. You take something you do not own (even down the tree). You have to check if you are allowed to. It does not matter if it is a small pet project or the Linux Kernel.

Sure you can ignore him and wait for him to lawyer up and make your life miserable. Considering that IT specialists which have capacity to contribute to open source are typically not poor or have idealogical interests, I would not take the bets.

Respect the wishes of the people you take code from.

License checking is like code coverage. If you are a professional you take care of it.


> You have to check if you are allowed to. It does not matter if it is a small pet project or the Linux Kernel.

Actually it does matter and you don't have to. In practice pet projects are basically never going to be sued, it's simply not worth it. As a side note, a lot of techy people struggle to separate the law as written with the law as practiced.

The ethics question is more interesting, but for something like this which is clearly satirical? No harm, no foul.


The "pet project" was the dependency in my example which license would be violated.

The contextual author does not care for sure. But generally it is an ethical problem like you said but also a practical one. Once you stack enough pet (or should I say lpad) projects together something bigger comes out. And the liability is hidden three layers down the dependency tree.


> Used by counter on GitHub is at 464. The way it's worded would imply that they are all violating the license?

Yes. My read of the situation is not that it's a license that intends to stop people from using it, but rather that it's a license that selects for a specific target audience that doesn't care about copyrights or is anti-copyright.

In my opinion, that's a perfectly valid audience to select for, although a license that specifically prohibited any licensee from ever filing a lawsuit over a copyright claim or sending a DMCA takedown might be a funnier way to accomplish it.


I’m anti-copyright.

I still wouldn’t use this code, because I don’t want to break the law. Being anti-copyright doesn’t mean you also need to be against due process.


Being willing to break the law doesn't mean you're against due process. Due process is what happens afterwards, that safeguards you from being punished for doing something you have not done.


Copyright Bouke van der Bijl

I do not give anyone permissions to use this tool for any purpose. Don't use it.

I’m not interested in changing this license. Please don’t ask.


If it keeps this out of production in even a handful of companies, that's probably a good thing in aggregate.

It's a neat blog post, shows interesting internals, and no - you should not do it.


https://github.com/bouk/monkey/blob/master/LICENSE.md

Then why publish the blog post and put it into a package??


Look, don’t touch.


clearly satire


Which part and in what way? Clearly the blog post is not satire, since the method works, and the license cannot be satire as it seems like it would be legally sufficient to prevent people from using it, which is exactly the stated purpose of the license. It's also implied that the author has received requests to change the license so others can use the package, which have been denied. The author even went so far as to remind people in this comment thread that they don't want it to be used! The license is serious on its face and in practice. Where is the joke?


Your reaction is the joke


Hilarious.


You're a joke.


Sure. It is a "joke" until you're tempted to sue a big enough fish that falls for it and get some people fired. Pathetic.


Somebody with codepilot to check it out?


You have the right to use this project via git submodules. The GitHub terms of service requires code owners to allow forking and linking to their public repositories, regardless of license.


It does not appear to grant (or attempt to grant) use of the software. So sharing and forking are fine, but not necessarily anything else.

> 5. License Grant to Other Users

> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).

> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license. If you are uploading Content you did not create or own, you are responsible for ensuring that the Content you upload is licensed under terms that grant these permissions to other GitHub Users


> So sharing and forking are fine, but not necessarily anything else.

Did I imply otherwise? Git submodules are just links. Please explain how linking to a submodule is not allowed.


Well, I thought the purpose of linking in git submodules was to compile the source code and then use it. The "using it" is not granted by the GitHub license. Did I misunderstand your original point? If not, the verbiage "use this project via git submodules" which uses the word "use" was the source of my confusion.

Was someone disputing the right of OP to share a link to the blog post or the repository?


You said it yourself: GitHub users can use GitHub projects on GitHub. Git submodules stay on GitHub, so it's allowed.

> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)

You can run the code on GitHub Codespaces & GitHub Actions, you can fork the code to make changes, and you can dynamically link/embed the code in other projects on GitHub through git submodules.


> You can run the code on GitHub Codespaces

I think this would fall under "use" which I dispute the GitHub TOS allows.

> and you can dynamically link ended the code in other projects on GitHub through git submodules.

Sure. As long as you do not compile and run it, you can link it until you turn blue in the face.


> As long as you do not compile and run it, you can link it until you turn blue in the face.

With GitHub Codespaces and GitHub Actions you aren't compiling or running the code, GitHub is.

From my understanding, this satisfies the following:

> solely on GitHub as permitted through GitHub's functionality


I don't really know much about CodeSpaces but yeah, if it is always run in a service provided by the GitHub ecosystem, you can probably run it. I don't know how useful that is. Also, it says you can fork it. It does not say you can modify it.


I told the judge that I didn’t kill anyone, the hitman I hired did! For some reason, he didn’t see it as you do.


Performing those actions on GitHub isn't important because it allows you to technically bypass a restriction by having a third party do it (which I agree is a poor defense) but because the author explicitly relinquished some rights by putting the project on GitHub.


the author does not relinquish rights to run the code. running it on a third party service does not magically launder the license.


> does not relinquish the rights to run the code

I don't think anyone who's posted so far is a lawyer, but the claim is precisely that GitHub's ToS do relinquish the rights to run the code, so long as you only do so on GitHub and through their published interface.

GitHub ToS> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking).

> running it on a third party service does not magically launder the license

Totally agreed. By uploading to GitHub publicly you've granted an _additional_ license and asserted that you had the legal right to do so. It's kind of like when open source projects will also sell a proprietary license on request -- companies aren't magically beholden to the GPL'd version just because it exists somewhere; they get to choose which of their available licenses they'd prefer to use.


This is just mean! The documentation definitely reads like the library is meant for use, but the author forbids all use in the license.


Why is it mean? The author can use whatever license they like. If you don't like it, you're more than welcome to release your own code under a more permissive license.


It's misleading to present the project as being for use by others and then forbid any use in the legal print?


Is it misleading to present a project as free and then have the (A)GPL license? Here I thought it was free, now suddenly there are all these conditions...

The "legal print" in this case is five lines long, written in (contrary to most licenses) very plain english, located in the root of the repository, in a file named 'LICENSE.md'. It's not exactly hidden where a reasonable person might overlook it. "We didn't know" isn't a very convincing defense.


Normally such fact is advertised in the readme, and the github sidebar will recognise and display the title of such a license in the sidebar.

It's commonly understood that open source software may be copyleft.

I think not mentioning a license that says "No use permitted" amongst some instructions on how to use it is deceptive.

> "We didn't know" isn't a very convincing defense.

Good thing "mean", is a matter of subjective perception and not of law, then. Or do you suggest everything legal is automatically good?


Yes. It is misleading to advertise software as Free and Open when it's actually Copy Left.


He can but it's still mean. It's like I can call you an autist bitch and still be mean :(


It is clearly meant for use. Those two things are not in contradiction and it's quite often that good software is spoiled with bad license. If you have to know, the secret is not to respect the made up license. Pls give downvote, copying is stealing.


Using monkey patching is an awful idea and always means your code architecture is bad. Will not be surprised if this message was the original author's intent.

Edit: it actually was: https://news.ycombinator.com/item?id=28265605


I'm completely baffled how people work. Something like that can't actually happen. At least if you assume people working on software can read. But it seems not even this can be safely assumed nowadays.

How can someone include some dependency without checking the license? That's actually the very first thing to do, before you can even consider using something!

Not doing this is extremely unprofessional. Additionally it's stupid and very dangerous: You can bring yourself and/or your company into serous trouble. Really serous trouble.

Do people really pull in some random stuff without even looking a little bit what it is? This would make the old write-up¹ about someone placing the ultimate backdoor everywhere a certainty by now.

Sorry for ranting but this whole thing is a real-world satire, imho. The license was a joke, OK. But that it didn't fool only some random hobby hacker but alleged professionals at big corps is truly egregious. I can't stop shaking my head…

¹ https://medium.com/hackernoon/im-harvesting-credit-card-numb...


I highly doubt most devs check the license of every dependency 3 layers deep from their UI framework. create-react-app, vue-cli sets up several hundred dependencies. If you tell me >50% of devs investigate each dependency manually, or run a license checker on that, I don't believe you.

Where I work for we have automated license scanners for this reason. They would flag such a use. But this open source project, and apparently 467 other cases, missed that. Maybe the contributors assumed the author had done their due diligence, maybe they just don't check in general, it's hard to know.


Automation is of course very helpful.

But my point wasn't about transitive deps (directly). The point is about pulling something new into your project.

At the point you include something that something needs to tell you the license for itself and for all its dependencies. If it doesn't that's already fishy in its own rights (and you should turn back or start investigating for real). You need to look at the provided license lists of course.

Yes, I see more and more projects that don't list licenses for their deps. But that's usually already a license volition on its own! You can't use something like that, it's obviously problematic.

Having some tools that download random stuff form the internet may be OK when you're doing something for yourself. But at the moment you want to publish that something you're obligated to check the licenses. That's a know thing. If you don't that's very shoddy work, and actually you could get sued for all resulting damages.

So no matter what it's actually impossible to include code with a problematic license, given no botchers were involved anywhere deeper in the chain.

And here we're at the core of what I've said:

It's completely baffling to me how something like that could possibly happen. At least as long as I try to believe that no complete idiots work in the industry, people who aren't even capable of reading, and don't know even the most basic things about the job they try to do. People that therefore shouldn't be allowed to touch anything as they could create great danger for their surroundings and for themself!

But OK, maybe I just have to accept that the software industry is not different to this here:

https://www.youtube.com/watch?v=FfyPLTIn2D8


The npm circus is crazy. How anyone can consider himself a dev and then depend on packages like

is-odd, 486.139 downloads weekly

is-even, 206.628

is-windows, 17.329.418

is-empty, 176.643

true, 504 too many

false, circa 700

is-number, 46.806.043 (!!!)

is-promise, 10.282.368

left-pad, 3.014.769

These are the one I hate more, but it's full of unnecessary one-line packages. Some of them are even used by the big players. I just don't understand...


A valid license does nothing to prevent supply chain attacks.


A long time ago I implemented a similar (less flexible) thing for C, also as a sort of goofy learning experience:

https://github.com/mgraczyk/fast_check_once/blob/master/fast...

There's something really appealing about replacing code at runtime to "hack" the bypass normal behavior of the language. For testing/mocking this can even be useful.


This post inspired me to try writing some SQL that downloads all the LICENSE files of declared go mod dependencies: https://askgit.substack.com/p/query-for-go-dependency-licens... using a project I maintain.

Some flaws, but was able to download a bunch of licenses :)


Technically, that is not a license, since a license is something that grants permissions and that statement expressly does not.


So there is no grant of copyright to distribute copies of the dependency, but what about useyright? The dependant project just uses the the dependency to run a test. Supposing it didn't distribute it as part of the release, is that still allowable?


The conflicting license states

>I do not give anyone permissions to use this tool for any purpose. Don't use it.

So no use rights either.


But the granting of rights to redistribute is governed by the applicable copyright law, as far as I know there is no equivalent body of law governing usage. You can't give someone information but attach conditions to its use, except in specific circumstances. You can certainly make someone sign a contract before agreeing to give them the information, but that's not what's occurring here.


>You can't give someone information but attach conditions to its use, except in specific circumstances.

Wouldn't that effectively bar the use of DRM? If I buy a blu-ray, I can't legally watch it unless I have a player capable of unlocking the content.

That may be one of the "specific circumstances," as there is a law that specifically forbids bypassing DRM.


> If I buy a blu-ray, I can't legally watch it unless I have a player capable of unlocking the content

Depends on jurisdiction.


IANAL but these specific circumstances of ‘use’ typically include copyrighted music and drama, which cannot be performed in a public or commercial setting without permission or compensation. The Beatles may own Yesterday but they can’t stop me from whistling it.

Where I think this case gets murky is that the item in question is not distributed or used by users of the software, but is part of the production process for it.


Copyright law governs the right to generate and use copies of a work, whether they are for distribution or your own use. It’s right there in the name: “copy” right.

If you can figure out how to use software code that someone else wrote, without making your own copy of it first, I suppose that would not be in violation. I’m not aware of any way to do that, though.


I have heard lawyers argue that, because to run a computer program (or play a DVD or whatever) it must be copied into memory, software that doesn't grant you the right to use it cannot legally be used.


This argument doesn't make sense to me (under US law) given that

> (a) Making of Additional Copy or Adaptation by Owner of Copy.—Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:

> (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or

https://www.law.cornell.edu/uscode/text/17/117


(a) doesn't hold because you aren't the owner of a copyrighted work that is licensed to you. You're also not even being given a license in this context.

Read GitHub's TOS, they explicitly state you give them the right to copy your work in order to allow for forking because their lawyers KNOW they have no rights otherwise and could be sued.


(a) doesn't refer to owning the copyright, it refers to owning the physical copy (the hardware which the information is saved on, the paper and ink in a book).

GitHub's TOS requires permission to copy, because github is not just executing your code.


> as far as I know there is no equivalent body of law governing usage. You can't give someone information but attach conditions to its use

There is, and you can. It's called patent law. If the author of this license also had a patent, they could deny others the ability to use it. But unlike copyright, you are not automatically granted a patent for your creations.


Copyright does not give authority over use, only over redistribution.


If I put up a message on a billboard, with a copyright notice denying the permission to read it aloud, would that be legitimate license?


It would be a silly license. I imagine reading aloud a message on a billboard would be ruled fair use. Republishing of your message by an unauthorized party could be infringement, but your license doesn't change that; the default ("no license") is "all rights reserved" so redistribution is already forbidden.


Does that make it law? What if he typed “Every time you run this code you owe me 5 bucks” ?


This feels like "Left-pad 2: Electric Boogaloo"

edit: Although, "This is only used in the test (and thus not.compiled and distributed in our binaries)." https://github.com/dapr/dapr/issues/3563#issuecomment-901563...


Is the "I do not give anyone permissions to use this tool for any purpose. Don't use it." actually a forbidding, strictly speaking?


No. It's probably intended satirically, but in practice it's a null statement since there's no grant of anything nor an exchange of value. It's equivalent to the default of "All rights reserved". This includes any fair use rights you might have, however, and any rights due to Github's ToS, so you can likely review and discuss the code, and quote from it, but if incorporated into a product or service then it's actionable; the author has the option of asserting their rights.

There's no assertion that the method is patented so you'd probably be free to also use the technique, as long as you don't reuse or incorporate the original work. If your code consequently looks like the author's then that's usually fine too, c.f. NEC v. Intel (1989), although actually relying on this precedent is a question balancing your access to legal resources vs how much the author really gives a shit.


The default is that you’re not allowed to use it. There needs to be an explicit grant of license to change that, and there’s not.


Do you refer any specific law?


It's called 'Copyright'


It's crazy to me that people would intentionally introduce monkey patching into a language where it's not supported.


I dont know how that could be surprising as sometimes monkey patching is the best (only?) way to do something.


GitHub terms of service [1]:

"If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)."

I think these override it?

[1] https://docs.github.com/en/github/site-policy/github-terms-o...


No it does not. This statement is exclusively for the fact that GitHub and a reader is not liable for showing/reading your copyrighted code.

The only weak spot is GitHub Actions/Code spaces/etc for dev tools I guess. Because that falls under "GitHub service" and is a functionality of it.


No, this would also seem to protect users who click the "fork" button on Github. It would not, however, allow them to clone the software to their local computer or use it for any other purpose.


The Github terms do not indicate that the license is transferable. Github can display the code, but even if someone downloads from Github, they still can't use it.


I am not a lawyer... There may be an argument here that

1. GitHub has a valid license to distribute it (as a result of their TOS)

2. Running the downloaded code is not copyright infringement (or not obviously so, and hasn't been established as so in any court that I am aware of)

3. Using the APIs is not copyright infringement (see Oracle v Google, if that was fair use this almost certainly is)

Thus no copyright infringement has occurred.

Still, keeping this in the codebase is at best boobytrapping your code to create accidental future instances of copyright infringement, and it's an interesting case of people not checking licenses (since it's pretty clear they didn't realize this in advance).


Github has a valid license to distribute it but you are not Github so that doesn't give you a right to anything. In particular it doesn't give you a right to download it.


> In particular it doesn't give you a right to download it

That sentence is wrong, GitHub’s terms of service explicitly give users a right to download, and also run, the code of any project that is publicly visible. Please read the terms, especially section D “5. License Grant to Other Users”. https://docs.github.com/en/github/site-policy/github-terms-o...


Those terms don't say anything about a right to "download and also run" code:

> you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality

(emphasis mine)


“Display”, “Use”, and “View” are all terms that are all talking about downloading. “Perform” means to run the code. You are still using the GitHub service when you clone a GitHub repo locally, that is part of GitHub’s functionality. What it’s not saying is that the only way to view a project is via an http connection through a browser to github.com.


"Perform" means to run the code THROUGH GitHub and its services (i.e. Actions). You are NOT allowed to run the code on any hardware YOU own. Downloading is an implementation detail of performing your right to "Display", "Use", and "View" the content ON GitHub and its services. You are forbidden from downloading the content for any other purpose.


> You are NOT allowed to run the code on any hardware YOU own.

Sure you are, that is just not true.

> You are forbidden from downloading the content for any other purpose

The rights GitHub grants allow a copy to be made. What you can’t do is redistribute the code, that part is clear. But what you do with it on your machine when not showing it to anyone else is not prohibited by GitHub’s terms, nor by copyright law. I’ve read both. If you have too, and believe otherwise, please cite the relevant sections.


> 1. GitHub has a valid license to distribute it (as a result of their TOS)

From the GitHub TOS someone posted:

"... license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking)"

I'm not sure if cloning from GitHub to your local computer falls under "reproduce Your Content solely on GitHub as permitted through GitHub's functionality" (due to "solely on GitHub" part).


I'm not completely sure either, I don't think you would get a definitive answer short of litigating it (and let's be honest, no one is litigating over this).

(Again, not a lawyer, not super familiar with this part of copyright law, but...) I'd argue that the copy is made on githubs server and then sent to me, and I simply move the sole copy around (or to the extent that I make a new copy it is a lawful copy of the network traffic for archival purposes under 17 USC 117 (a) (2)). That "git clone" is clearly a integral part of githubs service so the license is clearly intended to cover it. That "git clone" is not meaningfully different from "wget" from "a web browser" - again the license is clearly intended to cover this. That any liability that does exist falls on GitHub as the party making the copy.

I'm not sure which if any of those arguments would convince a court though


Regards (3): have not they have a dependency on the implementation? Oracle/Google was about the interface and the design of the API interface not the implementation.


They do, it's not an entirely identical situation, I believe it is analogous though.

The question I'm addressing in 3 is whether or not the source code becomes a derivative work of the dependency (meaning writing it in the first place would be illegal). The only portion of the dependency that the source code copied was the names of a few functions/modules (part of the API). Copying that part of the API into the work seems very analagous to the Oracle/Google case, except even less was copied and it is even less of a market place competitor (but again, I'm not a lawyer).


The license forbids use. The project is (or was) clearly using it. GitHub is irrelevant.


The license has no legal authority to forbid that which is not forbidden by law and/or permitted by other licenses the author has granted. (See other discussions here for arguments as to whether or not it has that legal authority)


github TOS do not grant you use of others code. it grants distribution. those are two very different things.


See this sibling thread: https://news.ycombinator.com/item?id=28265245

I am contending (with citations to the law) that you simply don't need a license to execute other peoples code once you legally have a copy of it.


The core question is whether downloading code from GitHub legally gives you a copy of it.

The answer is likely no (within the U.S. at least), based on conversations I’ve had with lawyers who specialize in intellectual property law.

While arguing on HN is a fun intellectual exercise, I would encourage anyone to talk things over with a lawyer before putting financial resources at risk by intentionally violating the expressed license (or lack thereof) in published software code. Even if it is published on GitHub.


I wonder what happens when I upload to GitHub code that I have permission to distribute, but that I don't own, that GitHub doesn't have permission to distribute and I don't have permission to give others permission to distribute.


Then you cannot grant such right to GitHub, thus, you cannot post to GitHub.


I do wonder about things like the linux kernel being uploaded to github though... it doesn't seem like all the contributors consented to giving GitHub this license.


Those rights are a subset of those granted by the GPL2, aren't they ?


I don't believe so, since the GPL (like most licenses) conditions those rights on things like keeping the license intact. Also the GPL doesn't actually say anything about performance or display (which may or may not matter).


I think GitHub gives you the right to download or fork the repo, but the license explicitly states that you can't use the code. That might mean running it on its own is technically illegal.

The license literally says "you can't use this". How are so many people confused about the license in this thread?


> That might mean running it on its own is technically illegal.

Based on what law/authority?

Copyright law forbids making copies, derivative works, etc. Not using things. You're allowed to read a book without a license.

Moreover copyright law makes an explicit exception for the copies required to run a computer program on a machine that aren't used in other ways (i.e. copying it to ram/registers): https://www.law.cornell.edu/uscode/text/17/117

The author may say "you can't use this", but it is not clear to me that he has any legal authority to do so.


Quite so. As written, it's a null statement. To be enforceable, a license has to be written by one party such that another party may acquire rights in exchange for accepting the terms. This is how licenses become contracts.

Simply reading the words "Don't use it" does not bind you, because there is no grant of use; there is no offer or exchange of value, so no contract has been formed, and the statement is at best advisory. It is equal to writing "All rights reserved", which is to say, you retain whatever rights pre-existed under statutory and common law, such as right of fair use and so forth, and anything due to Github's ToS.

Engineers often fall into the trap of thinking the law is a programming language. It isn't, mercifully.


As pointed out in other comments, music and drama are exceptions to this where their ‘use’ is protected by copyright. You can read a play aloud if you like, but you can’t perform it publicly without permission (or royalties).


That's the typical outcome, but not by exception to this analysis; if a work of music or drama included an equally poorly worded "license", then the rights and obligations of all parties would similarly fall back to the terms of service of the platform through which the work was acquired, with a backstop of the Berne Convention, TRIPS agreement, TPPT, and various EU directives (or rather more specifically, the local implementation of those, assuming your jurisdiction is a signatory to any).


That is not a blanket exemption. It is for "the owner of a copy of a computer program".

If you stole a copy of Microsoft Office on CD from a shop (back when that was a thing) it seems clear that using the software would have been a copyright infringement because you wouldn't have been the owner.

In this case you have the right to download the software (via the github agreement) but how does that relate to ownership and the legal exemption? I've no idea.


I believe "owner" here is just referring to classical property rights, you literally own the magnetized platter which encodes the program, like you literally own the ink and paper that makes up a book. Once you've downloaded the software you have a version of it on your hard disk (or ssd) that you literally "own" (but you don't own the copyright to it).


It's due in part to the absurdity of of publicly sharing something and then declaring "neener neener you can't use this." It's seemingly contradictory to open-source something that you forbid the use of.


This would have been a mostly benign comment had you not thrown in the bad take about Oracle v. Google. There are enough of those on the Internet already.


Care to share your objection to it?


Not particularly. For further inquiries, refer to the about section of my HN profile.

You can also refer to this thread and pay particular attention to toyg's response.

<https://news.ycombinator.com/item?id=27687960>


> Unlikely to respond to replies. (A tip for the intellectually dishonest: you can seize this opportunity to get the last word in.)

Lol (quoting your profile here since I think it's fair to give other people the expectation that you won't engage)

> toyg's response.

I both agree with his reponse and would categorize my use of the case here as within that (the only code copied out of the dependency is API related).

I can't force you to debate this, but I also have to say I don't think casting vague aspirations without an explanation is a useful form of comment.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: