I lead the Microsoft Open Source Programs Office team. I'm sorry this happened.
We have merged a pull request that restored the correct LICENSE file and copyright, and are in touch with the upstream author Leśny Rumcajs who emailed us this morning. We'll look to revert the entire commit that our bot made, too, since it updated the README with a boilerplate getting started guide.
The bug was caused by a bot that was designed to commit template files in new repositories. It's code that I wrote to try to prevent other problems we have had with releasing projects in the past. It's not supposed to run on forks.
I'm going to make sure that we sit down and audit all of our forked repositories and revert similar changes to any other projects.
We have a lot of process around forking, and have had to put controls in place to make sure that people are aware of that guidance. Starting a few years ago, we even "lock" forks to enforce our process. We prefer that people fork projects into their individual GitHub accounts, instead of our organization, to encourage that they participate with the upstream project. In this situation, a team got approval to fork the repository, but hasn't yet gotten started.
To be as open as I can, I'd like to point to the bug:
- The system we have in place even tries to educate our engineers with this log message (https://github.com/microsoft/opensource-management-portal/bl...): "this.log.push({ message: `Repository ${subMessage}, template files will not be committed. Please check the LICENSE and other files to understand existing obligations.` });"
A lot of commenters are sharpening their pitchforks, but this comment, in my opinion, makes it very likely that it was an honest mistake. Amazing what taking personal responsibility and earnestly apologizing can do to restore trust and credibility!
Yeah, I think this is an example of addressing a mistake that other companies should take note of. I don’t trust Microsoft-sized corporations as a matter of principle, and I don’t typically give them the benefit of the doubt, but when one of their own engineers explains in human-readable terms what specifically happened—on a holiday, no less—I’m impressed enough to believe him. Some PR flack showing up with vague boilerplate about how Microsoft values the open-source community and they’ll look into it would only have encouraged more outrage.
I always appreciate communication that acknowledges I’m a person, not a data point or a customer. I wish more companies ditched the greasy PR approach and allowed folks like Jeff to do their talking for them.
I think a key reason that corps do try to avoid admitting fault, is because in a lawsuit that can be used as evidence for a guilty verdict in a civil lawsuit in some of the most slam dunk ways.
If we remove this feature of common law legal systems, I think you will get far more admissions of fault like this one.
If you hurt people, organizations, etc for admitting their mistakes, they're going to stop doing it.
The key take away is that apologizing and admitting fault doesn't absolve one of liability. There are a number of "amnesty" laws on the books where admitting fault can server to limit or reduce your sentence - especially with tax issues. I'm not sure how desirable such a thing would be in civil law among private parties. Especially in cases where a tort is minor to one party but a big deal to the other because of disparate wealth.
E.g. if Microsoft burned your house down would an apology and explanation be enough to settle the matter? How could we encode this principle into law for minor things but not large things?
I don’t think accidentally removing credits from a software license is exactly on the level of burning someone’s house down.
In general, I wouldn’t say that causing someone harm should be dismissible with an apology, but in a situation where the harm seems pretty limited, easily reversible, and unintentional—and the apology seems genuine and even informative—I don’t see a particular benefit to causing hardship to someone who made a mistake. The communal reaction as it is should give Microsoft/Google/etc an idea of what the blowback would be if this sort of thing was a deliberate corporate practice.
The harm is depriving the author of their moral rights, and the name recognition from their work. Depending on how popular the library becomes this could deprive the author of substantial business opportunities.
And if this was a deliberate decision that Microsoft refused to undo, I’d be as outraged as everyone else here would be.
But it wasn’t, and they did undo it, and I found their response impressively civilized and professional. So I’m not really understanding why everyone seems to want to hold this guy accountable for all the shitty stuff Microsoft could have done, didn’t do, and apparently did in the past.
Alright... What is a proper response to an honest mistake in your book? We have links to a bug, explanation of what happened, a clear response (that they will check to see if this happened on other forks), they reversed the change...
Unsure why the bar would need to be higher. This is all reasonable given the circumstances.
Fully agreed. And yeah, when it comes to my expectations as far as how large companies respond to embarrassments, the bar is about as low as it gets. A tone-deaf non-apology that sounds like a robot wrote it is what I expect to hear, and I’m almost invariably right.
And that offends me. The idea that someone thinks I’d be convinced by such a response—that I’d find it persuasive and acceptable—is fucking insulting.
So when the guy who’s actually responsible for the mistake—and not some polished corporate drone—actually shows up in the comments section, explains what happened, and talks to me the way one of my colleagues would: yeah, that is above and beyond by most standards, certainly the ones I have for evil empires like FAAN(M)G companies, and I give major credit for that.
Agreed. It's mostly I think because the press can only really do bikeshedding, and so the form of what people say is all they can comment on and amplify, and so we need professional spokespeople to keep up with the rules of what's okay to say, rather than more people to make better products.
How has Microsoft reformed? Windows 11 is more intrusive than ever, it changes default programms more frequently to their desired programms and it is so annyoing to switch browser. THey still are the same old.
> makes it very likely that it was an honest mistake.
I don’t have any doubt that it was an honest mistake. They also took accountability for the mistake, shared their steps to prevent it from happening again, and they’re in contact with the original repo author directly.
At this point, anyone digging for excuses to further demonize Microsoft isn’t interested in honest discussion about this issue. This is a textbook mistake followed by rapid resolution (on Christmas Day, no less), with great communication on top.
If you read the comments, most people believed it was an honest mistake. What we didn’t agree with was that it was an excusable mistake. Microsoft have since acknowledged it’s not excusable and thus will rectify that error. So as far as I see it, all parties, both for and against MS, should be satisfied with the outcome.
In a way I'm glad that this is not taken lightly. We all need to be informed and calm, but mega-corporations should be held to higher standards. They should feel breath of an angry mob once in a while. I imagine, that if reactions to things like that would be just "meh, it's probably just a mistake" it would not be resolved as quickly or it could just be ignored. But now that it is all cleared up let's go home and Merry Christmas.
Intent is a red herring, especially when the actions of an organization, rather than an individual are being considered. More important are the actions' consequences and the organization's propensity for repeating them.
Web search engines claim fair use for snippets, and MS claims fair use for Copilot. However, a web search engine result page is only an aggregate of the excerpted pages, and it refers back to them; unlike software authored using Copilot, it does not draw those snippets together into a coherent purposeful whole, strip all reference to the original author. and claim complete originality.
That MS went ahead with training Copilot on open source code authored by people who are clearly not OK with it is why they are so short on goodwill.
Why is Copilot any different from a human doing essentially the same thing? Complete originality doesn't exist. I think the people who are complaining about Copilot have likely done the same thing themselves. I can't erase the memory of all the code I have read and written that somebody else 'own' the copyright to, so my brain will subconsciously use copyrighted code when writing software.
Because copilot is not a human and can do things that humans can't. Moreover I encourage you to learn music pieces by listening to them and then selling/giving away snippets. You will have big corporations on your heels fairly quickly even though you are a human.
Could you please stop breaking the site guidelines? You've unfortunately been doing it repeatedly in your HN comments. People are supposed to get the benefit of the doubt here.
What happened here was obviously a mistake. The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.
The thread would have been a lot more fun if we could have spent it talking about what prompted your team to build this thingy, and bounce other people's approaches to the same problem off, and maybe share some war stories about dumb things bots have done on our behalf.
Thanks, regardless, for the information you've provided here. It's interesting.
> The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.
Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.
The issue looked like a mistake from the start to anyone paying attention (committed by a bot, changes were consistent with a boilerplate LICENSE file being checked in).
If someone at Microsoft wanted to steal some code, forking it on Github and then publicly documenting the history of the code in the most visible way possible would truly be the dumbest way to do it.
Especially here, when the smoking gun is a change to an MIT licensed project. One of the torch-holding commenters remarked that developers at Microsoft ought to know enough about how licenses work to know what a big deal this was. Physician, heal thyself.
> Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.
I would go so far as to say almost no group is, they just have different preconceptions that encourage assumptions of malice in different ways and directions.
There is no substitute for more facts about the situation, no matter how much we'd like to assume the details that aren't given.
The obligation you're not living up to is to HN, not to Microsoft. If you want to participate here, the onus is on you not to be knee-jerk; avoiding knee-jerkism is the subtext of like 3/4 of the site guidelines.
This is veering to the meta, however, one of the best things came out of my HN experience is how to converse and discuss better. Actually I strive hard to not to be a knee-jerk person. I always take my time while writing something and try to back-up with actual events and/or facts.
The point I was trying to make that for companies like Microsoft, reaching for the pitchfork is not always a knee-jerk reaction IMHO. For all the things they have done, my initial reaction is always Oof, not again..., which is actually sad for a company of this size.
It's actually unfathomable to me for a company like Microsoft to not test these flows adequately and allowing this to happen.
For a change, I want to see a more open computing platform, a less intrusive Windows version, or a longer maintenance window for CentOS, but we all have is a brawl.
One big clue you have that the reactions here were knee-jerk is that they all turned out to be totally wrong. There's a lot of corncob dot gif happening in the aftermath.
I'm glad that my assumption proven to be wrong, by Microsoft itself, nonetheless. However, is being wrong is always equal to being a knee-jerk? Does the reputation of the company in question doesn't play a role here?
Or, shall we be stateless, and evaluate every events without any prior experience? I don't think that holds a lot of water in real world, either.
Another clue that it's knee-jerkism is that the accusations make no sense. It's hard to see what Microsoft plausibly stood to gain by modifying an MIT license. I suspect a lot of the accusations here are being made by people who simply don't know what an MIT license means. For that matter: even with a restrictive license like the GPL, it's hard to make sense of this as a heist, especially since it's right there in the public git log.
I don't think it's going to be possible to salvage the torch and pitchfork comments on this thread. For lack of a better way to put it: they're pretty dumb.
> It's hard to see what Microsoft plausibly stood to gain by modifying an MIT license.
Actually, not being able to find a plausible gain in five minutes doesn't automatically clear Microsoft (or any company) in my mind. From top of my head, I can list three technologies which I find suspicious in the long run: LSP, WSL, SecureBoot.
All in all, I just don't trust Microsoft, and think about the worst of their actions first. They're the only company (ORACLE being a firm second) which evoke this reaction for me, and this their own making over the years.
Just because I don't trust a company and assume the worst of them, and telling this openly makes me a knee-jerk person, so be it.
As I said, I'm happy to be proven wrong, but I refuse to be stateless, and look every action of this company with completely neutral eyes.
If you don't have anything well-considered to say about an event on HN, the best thing to do is not to say anything at all. Believe it or not, your personal distrust of a giant company isn't all that interesting to the rest of HN.
I think what he has to say is well-considered, and interesting. Meanwhile, the fact that you consider yourself qualified to speak for "the rest of HN" is... deeply fascinating.
I’m sure you meant to qualify that statement to say it is deeply interesting to you, rather than imply that your assessment of the interestingness is somehow objective or represents what other people think.
It doesn't matter how "dumb a heist this would have been". This is Microsoft and their track record with respect to illicit and/or illegitimate behavior needs to be continually scrutinized. They put themselves in this position. They have made plenty of intentionally dishonest "mistakes" over the years.
Track records matter and Microsoft doesn't have a clean one. Scrutiny of companies of their size should be the norm. Maybe they would do more to improve "mistakes" if more people held them accountable in a continuous fashion.
"Scrutiny" doesn't mean making up nonsense issues, which is what this is. There's no amount of weasel words you're going to apply that's going to make changing an MIT license in a public git repository part of a terrifying conspiracy --- or a conspiracy of any sort.
Removing and applying an incorrect license to open source software by a multi-national software giant is a "nonsense issue"?
Hardly "weasel words" when you look at the action that took place. It wouldn't be OK for you to do it and it isn't OK for a bot that Microsoft deployed incorrectly to do either.
"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."
I understand the license. Based on your response and Microsoft's attribution change I don't think you understand the argument. I won't patronize you however based on the non-response.
No, do go ahead, because I don't understand really any of the dudgeon being worked up in this thread, given the original license gave Microsoft the right to do virtually anything it wanted to with the software already. Obviously, Microsoft shouldn't take credit for other people's work; equally obviously, to me at least, that's not what they were trying to do, since all it took was a single Github link to show what had happened.
This is my favorite part of the culture change which is happening at Microsoft.
We are still working on it. And, it will take time.
Jeff's team, my team, the java team whose forked repo this unintentionally highlighted are working with dozens of other teams every week. Satya says we're all in on open source.
Hold Jeff and Me and all the leaders of Microsoft to that vision. Keep us accountable. And, know this takes time. Let's make technology and humanity healthier and more sustainable in 2022.
I realize that Microsoft is composed of many pieces, but that doesnt prevent me from treating it like a single entity. And that entity has IMHO done horrible things to it's own products and customers, so I'd rather they keep theirs hands off FLOSS as much as possible.
But if you treat it like a single entity, that means you also treat all the people working there like that entity. The janitor working at Microsoft doesn't deserve your ire, nor the secretaries, etc. But they work there, and carry around their logos on their backpacks and what not. Those people have feelings, and those feelings feel bad when the entity they work for is lashed out at. It does make one feel bad when one's company is raked over the coals, because it makes one feel responsible, even if one doesn't even know what's going on.
So, for the sake of the feelings of the innocent people who work there, I would ask everyone to please modulate the volume and intensity of ire that they project. Please speak truth to power, but don't be harsher than is needed to get your point across.
But as for some background: I am a PM for Microsoft Build of OpenJDK and from late last year to around May this year I made contributions to the gRPC_bench repo as a Microsoft employee for some experiments we have been working on, to evaluate and improve different ways of implementing gRPC exchange in Java. [1]
This fork was intended for newer experiments, one of them being about coding and running these benchmarks on GitHub Codespaces. For that, I needed the repo on an org where we, as employees, have Codespaces enabled.
The rest is HN history (back to Jeff's reply above [2]).
FYI: when linking to a line of code, simply press Y on your keyboard to have Github switch from the _branchname/path/to/file.xyz_ URL to the _sha1/path/to/file.xyz_ URL. The former can result in your URL pointing to unrelated code if lines are added or removed in future commits on the referenced branch.
Really appreciate the prompt and transparent response, Jeff. Especially at a time when I assume you were not expecting to jump in on duty.
I hope that despite all the harsh words, you can have sympathy with that behind them are legitimate concerns and suspicion stemming from past bad behavior from various part of your organization. Due to this, and Microsoft's position of power, you have a much, much lower budget for these kinds of mistakes compared to the most other orgs.
Even if there was nothing intentionally malicious at play here, it would not be far-fetched for an outsider to interpret as "implicit maliciousness through neglect".
Here's hoping that 2022 will be a year of bridging the divide and sincere alignment.
Yes, it would be far-fetched. The conspiracy theory here is self-evidently implausible. We need to stop pretending that the accusations here were made in good faith, or are anything more than wishcasting. People write about these things because it's a lot more fun for them than to write about what actually might have happened, even if what actually happened is probably a better, more lastingly valuable conversation to have.
So, I'm of the opinion that a collective (for example a company) can exhibit malicious behavior despite no malicious intention of any particular individual in it. It can be emergent, and moreso the larger the organization. Along similar lines of systemic discrimination, there does not need to exist any conscious conspiracy or malintent. For better or worse, the whole is greater than the sum of its parts.
This comment speaks towards that this is the case:
> I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.
(I mostly agree with your sentiment, though. I do get the impression that leadership is sincere in wanting to do right. It's just that it's not that black-and-white or easy. As another MS employee commented, this is something that has to take time and they need to be held accountable along the way. https://news.ycombinator.com/item?id=29684127)
If there was a plausible evil plan behind this licensing silliness, I'd shut up about it. But there isn't. The insinuations being made on this thread (still! continously!) are embarrassing. It's not that I think Microsoft is incapable of putting together a solid heist; it's that observers here have such bad taste in heists.
Agree with you there. I see it as manifestations of fear, tribalism, and short-sighted oversimplification around complex issues. Without wanting to dive deeper into any of those topics, I believe there are similar mechanism at play on a larger scale in COVID-conspiracy theories and the re-emergence of Western xenophobia/nationalism.
It can be hard to assume good faith when your counterpart clearly isn't. But I think it can be at least as important then. We need to come together and find common ground.
I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.
>I certainly understand how scandalous this looks to crowds like Hacker News.
I don't. I'm with the Microsoft employee who was pissed at how people think it's edgy to diss on Microsoft. What were the chances that Microsoft was openly doing that? Some dude who has now deleted his post said Microsoft was trying to "create a monopoly of web IDEs". These are clearly people who barely have a passing knowledge of how Microsoft works these days.
People think critical thinking means complaining endlessly. It doesn't. You can't think critically if you don't think clearly. And you can't think clearly if you're only looking for a reason to lift the pitchforks.
It took significant public outrage and press coverage before either of those were even acknowledged, a long time after.
> What were the chances that Microsoft was openly doing that?
After reading the above, is it really that edgy to be assuming the worst? If it's truly just recurring instances of different rogue employees, doesn't that speak to a systemic and/or cultural issue that needs to be addressed with additional internal safeguards and/or deterrents to prevent it from happening again?
To the credit of the relevant team here, today this was promptly addressed as soon as it got their attention. But it will take more than that to set to rest decades of precedence.
(I did not partake in the flaming and don't find it constructive or beneficial; just saying I have full understanding of the suspicion and understand that MS are still on probation)
To late to edit or delete my comment above but just to set it straight I just learned that the whole lerna debacle linked above was a nothing-burger aka fake news.
Thanks for the response. Mistakes happen, human or computer, not the end of the world, and I get it. I was just more curious to know if there is a manual process for this type of forking that was not being vetted via the bot, and to bring another example to your attention.
If you read the repo history carefully, you'll see a bot was responsible for rewriting the "LICENSE" file from an Apache license to the Microsoft (c) stamped MIT license. This human commit simply copied that same language to the file named "LICENSE.txt". It's unclear why they did that, but that human was not responsible for introducing the license text into the repo.
? Instead of a software bug, it was a human error. Is it really surprising that with a company of Microsoft's size, some employees fuck up? Likely the employee was trying to say that the contributions in this fork that were not present in upstream are covered by the new license, but failed to do so properly (by leaving the original license intact and identifying precisely which files the new license applied to and which it didn't).
Courts will take a far more generous view than you are here. If Microsoft is not profiting from the change, and fixes it promptly when pointed out, the courts will shrug at any case - no harm, no foul. It's not even clear to me that it's illegal to have the wrong license on GitHub, assuming the shipping product does not violate the correct license. As nobody has pointed to any infringing Microsoft product... What are we talking about?
Damn dude. You posted this comment on CHRISTMAS no less. Either your phone exploded or you are a VERY PASSIONATE hacker news fan. Either way ... props to you for trying your best to straighten this out immediately.
This feels like the sort of thing where straightening it out immediately, even on christmas day, was well worthwhile simply because it would let him enjoy his christmas dinner without worrying about an inevitable building dramastorm.
That is not, however, a complaint - being smart enough and giving a damn enough to realise that straightening it out immediately was a really good idea is impressive and laudable in and of itself.
I saw your comment on the cups repo. Please don't feel horrible about it. An honest mistake is an honest mistake, as long as the issues are remediated. Merry Christmas
>SQL Operations Studio was built on the back of many open source projects that all use the MIT License for a reason: it's the right way to keep moving the community forward, empowering your users to do cool stuff and build useful things for the community.
>We're just asking SQL Operations Studio to use the same license that Visual Studio Code does.
Thanks for explaining. Out of curiosity, does Microsoft have any external-facing GPL-licensed projects? Are there any restrictions to using (i.e. open sourcing something developed internally or forking something from outside MS) GPL-licensed projects? Specifically, would teams be able to get approval to fork GPL repos?
Git for Windows comes to mind. Teams can absolutely get approval for any open source license; however, for a GPL project, we'd have their open source legal team work with them to brief them on the license obligations and requirements, such as publishing code to https://3rdpartysource.microsoft.com/.
Interesting, so that's specifically for GPL-licensed projects? Or am I misunderstanding and you would have dev teams work with Legal for any open source licensed project?
Copyleft has more process, since we absolutely need our engineers to understand the obligations we have, and for some of us, it may be the first time we're being introduced to open source communities and licensing, so we have to do more education in the GPL case.
Our process revolves more about _using_ open source than forking specifically.
Whenever a build runs at the company, we have a detection task that identifies the open source that is used, storing an inventory. We evaluate the open source licenses for that inventory, and have automation depending on the license that will help inform a team that has taken a new dependency with specific legal obligations - could be to get business and legal approval for something, to take training and learn about copyleft software and licensing, or that they need to post third-party buildable source. We're also able to use that inventory to help with incident response and blast radius analysis.
To scale, we need to make sure that our guidance and policies are in front of people, but we know that engineers want to get work done (or will find a way around what we have in place), and so need to be efficient and straightforward.
Not all situations will require a business or legal approval. Our motto has been "eliminate, automate, delegate" - eliminate onerous bureaucracy and policies - automate licensing compliance and inventory and approvals - and delegate to business leaders and others when there's a need for humans to be involved.
For those that don't know Polish it means Forest Rumcajs (https://en.wikipedia.org/wiki/Rumcajs), probably a joke of the author that wants to be anonymous.
I figured something like this was the cause. I must say I'm quite disappointed by all of the negative comments before anyone from MS had a chance to explain what happened.
Thank you for the full transparency, sadly we may hear for years of people saying how Microsoft blatantly ripped off someone else's copyright, but that's probably okay, those people probably wouldn't use your projects for whatever reason anyway, when in fact it was a bot meant to keep you guys from releasing code prematurely without a reasonable license to begin with (at least that's what it sounds like?).
Thanks for clarifying. This also highlights the lack of sufficient testing, and subpar processes, eg automation should be tested against critical paths, and changing a license should require human approval.
Agree. The lack of tests has been the biggest regret of mine for this project. It started as a hackathon project a long time ago, and as it grew up, it never got the testing investment it deserved. I imagine the code coverage is about 0.001% and there's no end-to-end tests in place.
Feels like the reverse Streisand effect at play here; a high-profile minor fuckup that helps popularize a positive thing. This was fun to meme on, but I'm glad Microsoft appears to be on an upward slant ethically. It also makes me more comfortable being a Microsoft customer.
And here I was ready to sharpen my pitchfork. Thanks for communicating the error and the correction. I know this time of year can be especially challenging.
So, you are adding licenses automatically? This seems pretty risky. Why not just prevent commits that don't have a license? Shouldn't there be a human somewhere in that loop?
The attitude in these threads always boggles my mind. When YOU, your teammates or someone else you know makes a mistake, then it’s just a mistake. But when someone at Microsoft makes a mistake it’s because Microsoft is evil and by extension so is the person who offended.
“It’s a big company”, you say. They should have a process! And I’m sad to say, they do/will have a process exactly because of this attitude. Then, everyone wonders why it takes forever to fix that bug they’re furious about or why features are slow to come.
Full disclosure: I work for MS, though have nothing to do with this. It’s a huge company. I know hundreds of people and most of them are upstanding and try to do the right thing.
This is a bot that is supposed to configure the right license when employees start a new repo in the Microsoft GitHub org.
It seems the automation is also triggered when Repos are forked into the Microsoft GitHub org which isn't correct behavior.
This isn't a deliberate action. If it were plenty of employees (myself included) would be outraged.
I assume it's a bug in the bot - an edge case that was not considered. It is very rare to fork something into the Microsoft GitHub org after all.
I looked at some of the other forked repos (95 out of 4.5K repos) and all the human commits from MS I saw seem to care about getting the licenses right. So it really is just a broken bot.
I hope the bot can be fixed soon and I'm going to put my figurative pitchfork down now.
He wrote a great response. Not many people I know would stand in front of a online mob and say "It's code that I wrote". And then fix it on Christmas!
While I'm glad this got resolved so quickly, I'm slightly ashamed of myself and the HN community for how we handled this. In hindsight the outrage was wildly out of proportion for a simple bug.
If you look at life as good & evil, you won't solve any conflicts. You should rather focus on "incentives". Correcting bugs and errors take time and other resources, therefore require incentive to prioritize.
If their bots were to stamp Microsoft projects with open source licenses, there would be huge incentive for them to tackle this problem within this sprint, and make sure it never happens again.
This bug profits them, or does not harm them at worst case. Therefore, by drawing attention and applying pressure, we should create the incentive for them to allocate resources to fix it, and make sure it does not repeat.
How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file? A certain degree of malfeasance cannot possibly be explained as incompetence.
Please don't pile on like this. You can make your substantive points without "how can someone be so bad at their job" hyperbole. Any mistake can be made to look terrible if you're uncharitable enough.
> A certain degree of malfeasance cannot possibly be explained as incompetence.
This is a missing conditional check, a mistake that is extremely easy to make and one I’m sure you’ve made at least once if you’ve been a professional programmer for any significant length of time.
or maybe they do not know/they missed that creating a fork from an existing project actually triggers “new repo created” event in the github organization, which has an unintended effect.
I agree with you in principle but "stamp out" and "be better" are phrases that produce the opposite of what you're aiming at. We're trying to avoid the online callout/shaming culture here.
These forks may be done for security purposes for projects that use source-based build systems so that the depending project doesn't have 3rd party repo dependencies.
As someone whose developed similar GH integrations, getting things right with their API is fairly tricky. What would actually be desirable is public-to-private forks so that the fork-dependency pattern is more enterprise friendly and this kind of confusion is mitigated.
Have you considered that the reason for the outrage is because people don't actually trust Microsoft to do the right thing? I can see this is a mistake, but surely the litany of awful business practices by Microsoft in the past precedes it?
Sorry, I didn't mean to imply you were. But no offense, so what if it isn't acceptable to employees? The decisions by Microsoft are made by the management of the company. As an example of another company with severe credibility problems, I'm sure there are plenty of employees at Facebook who don't like working there now, but they are still there. And still implementing the policies and directions of management.
MS dev here. Thanks for calling this out. I contacted the GH@MS admins to look into this and to consider adding some safeguards to the tooling so this doesn't happen in the future.
How is it remotely possible to not understand you cannot automatically overwrite a license file with your own. If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?
A simple solution prior to writing to a file in this case is to check if it already exists. It shouldn’t matter what triggers this bot if it’s programmed safe and idempotent.
Nuking the existing LICENSE file and replacing with the canonical one is a good move when it's your own developers' work. They could easily have picked "a" MIT license or screwed up the copyright string, and getting this normalized from the moment the repository is published is important.
But it's important that this -not- get applied to outside work from forks.
It should raise an exception that causes a person to have to deal with the matter. I should not be surprised if I were to find that this is actually in fact so and the extra step is responding to a prompt which people got used to not reading.
The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.
The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect. For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.
None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
I am not a MS employee but I do work as a software engineer at a small company and make six figures a year. Mistakes like this happen. In fact they happen all the time. There are a lot of people out there writing code on any given day. Some of them may have been staring at the screen for 12 straights hours trying to make a release date. Sure its a lot more visible when someone like MS makes one, but think about the actual issue here. They did not create a feature with the intent to overwrite existing licenses files, they made a feature to ensure the correct licenses were added to new repos. Now they forgot one edge case (out of how many thousands or millions?), took ownership of the mistake, and are taking actions to correct it. Overall to me that seems like a very small bug that they took/are taking steps to fix on Christmas no less.
>>None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
If the rest of the world thought like you we would not have any people left in high paying jobs. Everyone is bound to make mistakes. Owning up and setting things right is what is important in my eyes.
> The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.
Sometimes planes literally fall out of the sky. NASA caused a space shuttle to explode killing the entire crew. It is fundamentally untrue that anywhere in the world we have perfect people or processes.
> The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect.
I expect that occasionally sometimes people will ship bugs and neither they nor the processes in place will catch them. This is a very minor bug. This is not the sort of bug that keeps engineering leaders up at night.
> For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.
It’s really easy to point at others’ errors with the clarity of hindsight. But everything you said here boils down to just predicting the specific broken case, which is useless advice. Even your suggestion to check commit logs is useless unless you know the bug you’re looking for. It’s not as if Git spews errors when a license file is changed and it shouldn’t be. And if they knew what to look for in the logs, they wouldn’t have checked in the bug in the first place.
This team has doubtless shipped thousands of features. It’s unsurprising that they’ve shipped some bugs.
> None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
You’re talking about a bug that caused a license file to be incorrectly changed and the fix is a revert. There is an audit trail of what happened and what repos were affected. It literally had no meaningful negative effect except to Microsoft’s image with the severest of critics, and to Jeff Wilcox’s holiday break. This is not a Therac-25 level incident.
I find it very interesting that none of the hyper-critical people in the comments here have discussed catching any broader class of issues. There are many comments criticizing the author for failing to check for an existing license file. (e.g.” How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file?”) None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.
The ability to criticize an error someone else already found is not valuable or constructive. And if this is the best you can bring, your judgement is certainly no better than the engineer who created the bug in the first place.
Disclosure: I’m a Microsoft employee.
Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.
> Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.
If I worked with you it would be my responsibility to support my coworker and help them improve. As it is neither of us has much of an obligation to the other we are uninvolved third parties giving our unsolicited opinions to one another. It is a privilege as an uninvolved observer to another to analyze it frankly without worrying about hurting someone's ego. It is OK I think to look at some mess or other and the inevitable conciliatory excuses and or hostile push back against criticism and call bullshit.
> None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.
This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.
> This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.
Sure. In retrospect, that seems like a really good idea. But I'm sure you've done an awful lot of stuff that is dumb in retrospect, too.
Legal asks for tooling to ensure that the correct license file ends up on all developer projects. It's known that developers will often Google license agreements, copy them from places that don't belong, end up with the wrong LICENSE from a templating mistake. Someone builds tooling to just smash the correct LICENSE file in as a first commit on any repo that shows up in the Microsoft org: if it's an active developer and this is the rare case where this logic is wrong, surely they'll notice that this has happened, and this will prevent code from being up with an incorrect license.
Then, the use case evolves: people start to fork things into the Microsoft organization, and this code does the wrong thing an appreciable fraction of the time. But no one is scrutinizing commits on forked repos to the same extent and doesn't notice.
Maybe you do much better and have never made a mistake like this. But real people make real mistakes. Yes, when you encounter a mistake, you try to get better for next time! But that doesn't mean that we should expect a 0 mistake rate out of ______ org or not assume good faith with an ordinary rate of bad outcomes until proven otherwise.
Unlike the GP poster, I am not a MSFT employee-- I am often skeptical of MSFT actions but they get a pass here. Obliterating the license file has no advantage for MSFT, and has the risk of legal exposure and this kind of public black eye. Obviously someone screwed up, but screw ups happen. Now that Jeff Wilcox has had to work on Christmas, you can be sure he will be even more attuned to this type of issue in the future.
Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know? Especially if no one noticed these and called them out on it until now.
> Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know?
Is it wrong though? I mean, if Microsoft's reiterated pattern of license switches is automated, wouldn't this also mean that the error would be easily detected based on public feedback alone? And given this was not the first or second or third separate and independent occurrence of this pattern, if this was a honest mistake then wouldn't this already be addressed in any of the multiple past shout-out?
Microsoft, a collective group of people trying to do the right thing, has made many choices over their time. Many of those choices have been in direct violation of things like, but not limited to, the spirit of the Internet, anti-competiton, spying on their customers, and many other negative things. Should we have let those things slide because Microsoft employs others that weren't involved? No. You can say this may have been a mistake but that is a slippery slope. Microsoft deserves negative press on "mistakes" because this acts as a balance to keep the power they wield in check. Beyond that you have a significant bias against biting the hand that feeds.
In my opinion, this gets a strong reaction because:
1. They made similar mistakes in the past.
2. They didn't fix it for half a year.
3. They can expect strong financial benefits from making these mistakes.
4. They've recently burned a lot of goodwill by deliberately infringing licenses on a large scale when they trained Copilot.
5. They could have easily prevented this kind of mistakes.
My summary would be that Microsoft deserves to be punished for making this mistake. If nothing bad happens now, then we'll have the same discussion again in half a year from now.
In some cases, they changed other licenses to MIT. That would then allow them to train their AI models on this source code, or redistribute a closed-source monetized GPL rip-off.
Team A) makes a mistake and changes the license.
Team B) uses the fork under its new license and forgets to check the original branch's license.
Two honest mistakes leading to a de-GPL-ed library.
I was talking not only about this specific instance of it happening, but Microsoft had similar mistakes throughout the past 6 months. Here's the one from CUPS, a Linux printing library:
It used to be Apache License, then it became "MIT License (c) Microsoft Corporation". Thanks to the attention that this thread got, it has now been fixed:
But that source code was online with the wrong license for more than 6 months. Imagine if you had hosted Windows source code with a misattributed MIT license for 6 months... They would also bring out the pitchforks ;) Or even worse: well-paid lawyers.
I asked what Microsoft had to gain from altering an MIT license. You're answering a different question. But, fine, I'll bite: tell me how Microsoft stood to make a nickel by modifying an Apache license.
The MIT license puts essentially no restrictions on them that they would need to relicense out from under. They can't un-MIT it. So I'm still not clear on how you propose for them to make money by doing this. Do you have an answer to my question?
If they can change the copyright ownership from an individual to themselves, then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge, and could prevent anyone from using the software and associated documentation files in an unrestricted form.
> then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge,
You don't need to change the "ownership" to do this. MIT licensed software can be put under more restrictive licenses for subsequent revisions by anyone.
I think the OP is playing 20 questions for their own entertainment. I think what they're not telling you is that there's nothing to prevent someone from making a closed-source product incorporating something which is MIT licensed (but they're still supposed to give credit where due). That's also not the whole story. Squirrel!
If they don't know the answer to the question I actually asked, all they have to do is not answer it. I object to the notion that I'm the one playing games here.
It does seem like you are doing this. I have tried to answer you. Instead of asking questions, just state how you believe I’m wrong. I’m ok with this, if I’ve not understood something or made a mistake, I’m happy to concede.
Asking questions until you get an answer you want worked for Socrates, but for everyone else it is better to just state what is wrong about my and other’s argument and the reason why.
As was pointed out upthread: your theory about what Microsoft stood to gain from this license change was simply incorrect. I'm not sure what we're still discussing at this point.
You said I hadn’t answered your question. What I said was incorrect. Ergo, I answered your question. You told me I hadn’t answered your question, now you say I answered your question but I was wrong. Try to make up your mind.
If you are confused what is being argued about, perhaps stop.
Again, as was pointed out to you upthread, the license terms on that project already allow them to do the thing you claim Microsoft was hoping to do by altering the license. It's a MIT license! It's practically the least you can do beyond writing "these files are placed in the public domain".
I'm sorry to beat up on you. It's not your fault, but someone upthread wrote that Microsoft's developers should have known better than to have this bug, because developers should all understand licensing. That set me off, because in hate-reading this thread (something I should obviously not be doing), it's clear that a lot of Microsoft detractors here simply don't know what the MIT (or Apache) licenses do.
But then, the reason I started hate-reading this thread in the first place was that I clicked on the story link, saw an authorship edit to an MIT-licensed file, and thought to myself "how can so many people here give a shit about this?"
Ah. I see, that’s fair. You aren’t beating up on me, it’s better for me to find out about an error than not at all. Thank you for explaining the problem.
They're asserting ownership. By asserting ownership they're converting good will and assuming the mantle of authority, which will sway plenty of weak-minded people: hey it's Microsoft.
I see how that gets them a C-grade Mastodon lyric, but not how it gets them a nickel. Did I ask this question in a particularly weird way? The responses it's getting are a little confusing.
This isn’t just one person making a silly mistake. This is a catalogue of failings. Where’s the peer review? Are you suggesting that anything published in the main branch on Microsoft’s GH org gets commit without any branch protection? And as pointed out by others, this isn’t even an isolated case.
A healthy org doesn’t blame individuals, it blames failures in process. Thus Microsoft should own this mistake. Stating it’s the fault of an individual sounds more like your team operates a blame culture. Which, frankly, is a major red flag for a failing organisation.
I’m satisfied that the situation has been, or at least will be, resolved.m however there is still the unanswered question of who audits the changes the bot makes.
There is a definitely lesson to be learnt here that bots aren’t infallible themselves and thus need reviewing too. Automation undoubtedly enhances our developer experience but we do need to ensure that automation doesn’t make unchecked changes. This is something a great many engineers can learn from too.
Just pointing out this (reality distortion) is a general phenomenon. Have seen the same in all big companies (& many small). As an employee you want the best for the company and you naturally imbibe the company culture and that is perfectly fine. But there is a line and this is something one has to watch out for as an employee. As an example, seeing any critical comment from outside as an attack on the company.
It is good that an employee explained how this particular event happened and that is to their credit.
I respectfully, and vehemently disagree. Informing someone that they may be drinking too much of their company's Kool-Aid, without knowing what is in it, is a moral obligation.
Despicable that you present this as a bannable offense.
Sorry, but garden-variety internet comments and cheap personal attacks don't rise to the noble level of moral obligation. The comment plainly broke the site rules. That's not allowed here. If people have noble duties to fulfill, they can do that without breaking the rules.
I too don't think there is any "moral obligation" involved but I did feel it was perfectly fine to point out what I did. I quoted their "I work for MS" to provide the context for my comment, nothing more.
Sorry, but that's definitely not accurate. You quoted it as part of a personal attack: implying that someone was lying about making a mistake, imputing sinister motivations to them instead, and adding a name-calling putdown into the mix (accusing them of being inside a "reality distortion field", as if you know more about their world than they do). All that is clearly against the site guidelines: https://news.ycombinator.com/newsguidelines.html.
You are insinuating astroturfing with no evidence other than "I work at Microsoft" and your personal, albeit somewhat justified, belief of "MS bad". It's not a constructive comment.
Ok, but anyone could say that about any comment, so from a moderation perspective that is either an empty point or means that we shouldn't moderate anything at all.
For practical purposes, someone has to make judgment calls about these things. The way we do that is that we have a set of guidelines (https://news.ycombinator.com/newsguidelines.html), and moderators who make calls about which accounts are breaking them. We try to be as even-handed as possible when we do that, but certainly no one is going to agree with every call we make. Nevertheless, someone has to do the job, and that includes banning accounts when people break the rules and aren't interested in modifying their behavior.
Moderation is absolutely necessary. What bothers me is that we are 4 or 5 comments deep, and you still seem to not understand why I spoke up in the first place.
The comment you initially replied to did not come off as a personal attack at all to me, in fact, there was nothing personal about it. They took data that was shared with them and used their experience to spit out their own thoughts on the matter.
So, I am calling you out for being a bit too zealous with the power you wield. What you do with my perspective being shared with you is up to you, but you're doing a lot to not just ask yourself "Was I being too harsh?" ... Here you have a human telling you that yes, that was too harsh.
Calling out the bitter flavor of a corporation's kool-aid is not a personal attack on anyone. Period.
If you (edit: I meant the original commenter) had just said it about the corporation, it would still not have been a high-quality HN comment, but I wouldn't have posted a moderation reply.
Sorry? I did not attack anyone. I am defending a comment by somebody else in which you presume they are personally attacking someone who has openly admitted they work for Microsoft.
You really are lost aren't you? Along with the irony of mentioning "high-quality" comments. Wow. What is the _level of quality_ when the commenter has lost track of the person with whom they are speaking...? In case you missed it, I'm talking about you.
I will re-iterate, because I'm patient. I am telling you that you were overzealous in moderating a harmless comment about Microsoft as a company. There is no personal attack in the comment, no matter how you choose to view it.
Feel free to understand the perspective of others before you blindly share more of yours. What a disgusting interpretation of "moderation." Censorship is a much better word to describe where you're headed.
You're right, of course: the comment I described as containing a personal attack was by bakul (https://news.ycombinator.com/item?id=29684540), not by you. Sorry for mixing that up! I've added edits to the GP to clarify.
> I took the comment to be a refreshing dose of reality.
This is how I meant it but I could have phrased it or presented it differently as this point got lost at least with the moderators and may be many more. Will try to be more careful in the future.
I appreciate your speaking up. And I also appreciate the moderators in trying to keep the discussion standards high. They have a tough job trying to decipher the intent of every commenter.
I don't work at Microsoft but I can confirm. There are so many "suggestions" for Microsoft Teams. I don't know if there exists another company whose employees are more critical of Microsoft Teams than Microsoft.
My personal conspiracy theory is Teams would have died long ago if not for strong support from the top.
Which is odd because Github doesn't use Teams, they're Slack based. As in, if I set up a meeting with my Github counterparts they're late because they had to install Teams.
when $new_repo in $msft_github:
echo $standard_license > LICENSE.md
Could just be normal practices, and doesn’t check if a license already exists because it’s usually handling non-forked OSS repos. What’s the phrase? “Never ascribe to malice that which is adequately explained by incompetence”.
I don’t know why people assume the more money you make the more infallible you are. Trust me that every FAANG engineer has written code with some similar pitfall that seems so obvious from the outside.
Respecting a license is completely orthogonal to the unintended behavior of an automation used on something it wasn’t really meant for (fork rather than a new repo)
This is the peril of the imaginary "corporation" identity. People expect a company to be one coherent and consistent entity, but although a company can be managed well, establish culture and processes, and progress towards cohesion, it can never become as coherent as one person. And a person is not that coherent in the first place.
I am sure I subconsciously make the same mistake when I think about other companies. But I am making conscious effort to get better, take a more forgiving view on the humankind and give people as well as corporations chance to try again and be a better version of themselves, build the mental capability to remember that corporations are comprised of real people, and people make mistakes, and reasonable people who make up the majority of the population are constantly seeking (just struggling) to be better versions of themselves.
Ok. I worked at MS from 2005-2015. As I recall, there was this huge formal legal process and due diligence around including a single line of open source code. Is that not still the case? Am I remembering it wrong?
You have to take "companies doing good" always with a grain of salt. They're profit seeking companies, who act aggressively in their own interests.
It doesn't have to be a debate on "good vs evil" I've always hated those terms applied in these contexts, it's childish and for the naive. Fix the problem and move on.
'Profit-seeking companies' begs a common pejorative that actively reduces the variety in the pool of companies. It may not be descriptive of the companies for which this is not an overarching motivation. Many of them really want to make a happy customer by crafting as good a thing possible for the price they charge, and be well by their employees.
That said, I can relate the the cynicism especially for the giants. But painting them all as 'profit-seeking corporations' may deaden a satisfaction that comes from being a customer for a company you believe is good.
A company is merely a useful legal and organizational fiction. It's all people all the way down and those people don't act in a different moral context when they act on behalf of a company.
Microsoft is a rather special case of a company that has virtually no goodwill in the open source world. These are the dividends that result from statements and actions over decades. So when something like this occurs, the default reaction is often 'of course... it is Microsoft after all'.
Few people are likely to know <insert employee here> but many people are very familiar with decades of bad behavior undertaken by Microsoft not as isolated misdeeds but as a matter of policy. Lacking personal context misdeeds or mistakes are extremely apt to be interpreted in context of literal decades of bad behavior by Microsoft.
I mean come on the seismic change in leadership at Microsoft is just former lower echelon leaders during the time frame that MS was doing wrong now moving up and taking the helm.
We are after all talking about the company that tried to destroy the competition by funneling money into a fraudulent lawsuit/pr campaign that was a front for a pump and dump. The only thing separating MS leadership and felony charges is meeting notes between them and SCO and the fact that important people don't go prison in the US if can at all be avoided. Lest we forget the current CEO was at this time an executive VP as well.
Maybe it boggles your mind merely because you yourself are an ethical person who comports themselves properly professionally and would want people to see your efforts good and bad in context of who you are. This is entirely reasonable but people don't know you personally whereas your company makes headlines for bad behavior.
I am finding it hard to accept that it is an honest mistake.
From my personal experience, every software engineer that works in a company of this scale is obligated to take a training course on software licensing and understand the differences, and the "dos and don'ts".
If Microsoft doesn't have such a program in place then that's a big problem and should expect harsh criticisms when such events take place and if they do then it probably needs to be revised because it doesn't seem adequate.
On the other hand, outside the context of MS, if a software engineer doesn't feel they are doing something dirty as they are replacing the license or the thought of I might get in trouble with legal doing that doesn't cross their mind, then they probably shouldn't be allowed to be at the front line taking actions that represents the company's name.
...Given that several engineers employed at Microsoft have been part of armchairing this along everyone else now, why is not one of y'all (not necessarily you but come on, this is getting absurd, holidays aside) still just busy discussing around it rather than spending the <5 minutes required per repo to start actually fixing the fallout of it?
if I did this to microsoft do you think I’d be granted the same leeway? could I tell them they need to cut me some slack because i’m one person and “there’s a process”?
This isn't true – the only billing system bug I've seen undercharged. Also if it was an overcharge, they would have made customer whole, whereas they wrote off the undercharge.
Microsoft doesn't really gain anything here – there's a clear "forked from" qualifier in the repo, they aren't republishing these packages, etc. The only people who noticed noticed in a negative light.
To reiterate, I'm not saying there's malicious intent in any single bug. Yes, billing errors don't lead to more revenue for the firm. I'm describing rather a systemic bias in incentives for the people doing the work (programmers) and supervising the work (managers).
Approximately. Moral hazard typically refers to sins of commission. Deliberately taking on more risk because you're insured. Here I'm thinking more of sins of omission. You just forgot to do something. You didn't have enough attention to devote to the task, so you rationally apportioned the attention budget to the areas most likely to be checked by others.
I'm just curious, is Microsoft actually in violation of the MIT license here?
All future changes to this repo are copyright Microsoft, so Microsoft's copyright should be in the statement.
Arguably there should be an additional statement indicating that LesnyRumcajs holds copyright to bits of code that Microsoft hasn't changed.
But
(1) exactly which bits have LesnyRumcajs's copyright would have to be verified by examining source control history. Since LesnyRumcajs's copyright statement is visible on any commit where LesnyRumcajs holds copyright, this setup makes actually makes it easy to verify which portions LesnyRumcajs has copyright claims on.
(2) Including LesnyRumcajs's copyright statement in repo history seems to be all that the MIT license requires. The license doesn't forbid there being another more easily accessible copyright notice that doesn't list all copyright holders. It only requires that LesnyRumcajs's statement be included in all copies of the software, which it currently is.
What you're saying doesn't make any sense. If what you're saying was true you could take any MIT repro, fork it and replace the license with a fully proprietary copyright claim or any other license. You absolutely can't take code and just change the license to anything more permissive without the original copyright holders permission.
It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.
The license wasn't changed. But yes, generally you can make changes to MIT code that aren't released under the MIT license.
> It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.
This isn't in the license. Where is this laid out?
MIT license is very permissive but the original author retains copyright and one of the very few restrictions is that you must maintain the original authors copyright notice. So you can use MIT code in a GPL project but you can't remove the original copyright notice and MIT license text.
I don't quite follow your thinking about removing the notice but having it somewhere in history; a given snapshot/ revision will be a distribution where someone can show up and download just the master branch newest state and not the full git history. In which case you surely have distributed a copy of the copyrighted MIT licensed code without complying with the terms of the license, right?
Folks who work at mega corporations with outrageous amounts of power have a correspondingly large responsibility to the communities they interact with. Their mistakes have a much larger impact. Honest mistakes by hugely powerful entities are not mere trivia. They have an effect on the rest of the world commensurate with their power. Thus they should be held to a much higher standard than everyone else.
Everytime I've taken the route that there is some evil, no good as come out of it but when you give a group of people the benifit of the doubt, I would argue the majority of the time it's just a mistake.
I feel like the only people with an attitude against Microsoft these days are teenagers trying to look edgy and critical thinking or pretending they are insiders.
You should see how HN would react if Google has done anything remotely close to it. If it was Google your comment would be downvoted to oblivion instead of being the top comment. Not to mention you'd be disparaged for protecting your employer.
Most processes for that type of thing come about only after someone has made a mistake.
Source: experience in the industry. Including having made a similar mistake myself a couple of years back (and receiving a fair bit of internet hate for it)
Nobody manually changed a license. The commits were made by a bot named "microsoftopensource" that exclusively adds copies of Microsoft's license file, support file, readme file and code of conduct to every new repository under their account.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
For those of us that remember the “old” Microsoft, they are still obviously evil. Nothing they have done will change that view. Incidents like this prove that this zebra cannot change its stripes.
I think your comments does not add anything meaningful to discussion. Yes, Microsoft screwed up. Yes, a Microsoft employee is trying to make excuses for them. This does not mean we couldn't have a civilized discussion, though.
I don't think that just because some "bot" did this Microsoft is to be excused. Someone decided that using a piece of software to automatically alter license files. This is a genuinely stupid idea. And they already fucked up in the same way with the CUPS project. Will they learn without someone taking them to court over this? I don't think so.
I think people should be as forgiving as Microsoft would be if someone “accidentally” changed the licence of Microsoft software and started distributing it.
I don't know what point you're trying to prove here, since I don't think I've ever heard of Microsoft suing individuals for illegal Windows keys and certainly not in the past 10 years. If you start an LLC and attempt to commercialize on piracy then you'll probably get sued, but regardless they are a lot more lax than, say, Oracle on this issue.
FWIW it does look like a bug in a bit and not company policy to me. But having said that the equivalent situation would be some larger than Microsoft copying their work. For example the US Federal government distributing Windows under the MIT license.
The bot's job was to get MS-originated repos onto the correct standard license for MS open source code. That forked repos got their license changed is an unintentional bug, not something anyone "decided" to do.
> Someone decided that using a piece of software to automatically alter license files.
That doesn’t seem to be the purpose of the bot. It’s supposed to add them to new repos, not alter existing. This ensures that all their projects have an explicit license rather than ambiguously public.
This sort of attack will get you banned here, regardless of how right you are or feel you are. If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it. Note this one:
"When disagreeing, please reply to the argument instead of calling names. 'That is idiotic; 1 + 1 is 2, not 3' can be shortened to '1 + 1 is 2, not 3."
and this one:
"Please don't sneer, including at the rest of the community."
People on HN are completly crazy and uneducated... Whenever there is something like this you can be sure you will find hundreds of insulting or mean comments on the commit or PR... It gives a really bad image of the community.
This sort of name-calling breaks the site guidelines badly, regardless of how right you are, or how superior you feel to the rest of the community. If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
It looks like Jeff Wilcox who seems to be in a decision making position about this has addressed this (on Christmas no less), and I think whilst this is bad and definitely violating, I don’t think there was any ill intent, and I hope we can all put the pitchforks down for a while.
I observe some confused comments on this page that seem to argue that the MIT license doesn't come with a requirement to keep the copyright line intact (which is demonstrably false, you don't get two paragraphs into the license without finding the attribution requirement).
The part that caught my interest is: How many people consciously picked the MIT license when they actually meant a non-attribution license?
I think most people explicitly choose MIT for this. It's a very very free license, allowing you to do pretty much anything you want with the code. Among the opensource developers I know the one thing they consistently care about is attribution for the work they've done for free.
If you're attached to your copyright: 0-clause BSD is a thing that exists[0]. Toybox uses it.
If you want to throw your copyright out the window: The commonly accepted solution seems to be CC-0[1], which tries very hard to disclaim rights and limit liability in as many jurisdictions as possible, complete with a fallback license grant for failed public domain dedications. Because CC-0 makes some people uncomfortable despite the lengths it goes to reach its goals, some projects work with dual-licensing to cover the other side, such as Monocypher.
Neither of them address patents. If patents are something you want to/need to address, you could perhaps paste the patent clause from BSD-2-Clause-Patent onto 0-clause BSD.
I wondered why more FOSS projects aren't using CC0 instead of "permissive" licenses like MIT, considering a lot of folks who work in FOSS are against copyright/software patents system in general, and most of them don't really seem to care about attribution.
People who release code under MIT not only won't/can't take legal action but they probably won't even bother writing an email to the person who they believe violated the attribution part.
So sure, this is far from a good look. But the verdict is still out on if it is an unfortunate mistake or malicious.
It's far from the first time I see this kind of reaction and, IMO, rather than everyone spending time on piling on the flamewar, how about opening the door for MS to set this straight and do the right thing? Assume good faith even if you personally don't sincerely believe it? Give them an easy way to save face and present a plausible narrative rather than having everyone dig their trenches deeper? If you'd prefer MS not to screw people over, it helps no one to solidify them in doing just that.
Already so many people shouting "YOU ARE THE DEVIL", not one going "hey, looks like this is a mistake, let's sort it out". IMO the latter is more constructive. It's almost as if people want Microsoft to do bad things. Remember it's a huge organization with all kinds of people and ideologies internally. It's too early to tell which way the individual behind this particular change is leaning.
It took me all of 1-2 minutes to make this PR[0], probably less than any of the meme pictures in that commit thread. Let's see how it goes. Last time it went through[1].
EDIT: ...And, it's merged. I'm assuming the rest of the affected repos will be fixed as well and an apologetic blog post issued by Monday. Anyone who feels that's too long time can always open corresponding PRs instead of wasting their time by replying to this with how that's not our job. Happy holidays.
Another aspect of this: Rejecting such a change, or indefinitely leaving it hanging as open, is a much worse look than simply ignoring all the complaints (which is already bad enough but has more plausible deniability). Providing a ready-to-merge PR is effectively pushing them to take a public stance.
Why the scare quotes around mistake? Are you implying that it's intentional? Or negligence? It seems like nobody noticed the CUPS license change until now, so it's irrelevant, right?
How is it not intentional? To me it seems very clear that someone designed this bot to specifically alter the LICENSE file so that it matches some sort of predefind Microsoft file.
Edit: To give a bit more nuance, I would guess that the actual bot changing the LICENSE files is not a mistake, but working as intended. What could, however, be a mistake is thinking that licenses can be legally overwritten. It wouldn't be a "rogue engineer" kind of mistake. Certainly several people at Microsoft have signed off on this.
I'm sure it could be used, however that would probably be a similar problem. Microsoft has internal libraries with all sorts of licenses. Replacing the actual licenses with a template wouldn't be the correct move there either.
Because it was done intentionally by an employed individual in this case rather than a bot. You cannot in good conscious as an individual make this "mistake" without knowing or acting maliciously unless you are incompetent to begin with. Seems like a growing trend at MS. And I'll remind you that Apple actually uses CUPS for their print backend and funds it directly, they retain the original license and support the project, meanwhile MS takes it, doesn't contribute and acts like it's their own, sick.
MS dev here. I contacted the internal repo owners to bring this to their attention, people may be out for the holidays but I expect it to get fixed up soon.
Seems like a mistake to me. Microsoft recently adopted one of my Open Source projects and part of the agreement was they would keep the original license. This was a request on their part, I had no choice in the matter. They know what they're doing, I don't think they would do this deliberately. (Licence here: https://github.com/microsoft/vscode-gradle/blob/main/LICENSE...)
I would't call a honest mistake some bot that is created to change code to a MS license. First of all, this kind of thing needs to be done after careful review, if they're doing it in an automated fashion there is almost the certainty that they'll take somebody else's work as their own.
Which is fine, and surely an honest mistake. Automation is great, but the way I see it is, how many other projects have been forked and automatically re-licensed, and then profited from without proper attribution? An accident still needs to be flagged, and still needs to be corrected. They also need to be learned from and avoided in the future.
> An accident still needs to be flagged, and still needs to be corrected.
Yes. Additionally, the way such actions are performed is not great because the mechanism used does not provide any way to provide feedback - if the change was done by a user account, then they would have received notifications about the comments posted under the commit, but the ones received by the service account probably go nowhere.
> The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
MS would be in the wrong to redistribute this code without the notice that includes '(c) 2020 LesnyRumcajs' - however, just changing the line doesn't constitute copyright infringement or fraud if MS reverses the change and/or simply appends the original MIT license above their MIT license (since MS does indeed have '5 commits ahead' of the origin repo, all of those changes are copyright MS but still MIT licensed). They could even simply have a file called 'LICENSE2' with the original notice, if they can't easily exclude this repo from the bot.
> MS would be in the wrong to redistribute this code without the notice that includes '(c) 2020 LesnyRumcajs' - however, just changing the line doesn't constitute copyright infringement or fraud
Given that this change was committed to the main branch, if I download the code right now, haven't Microsoft redistributed it?
Things get philosophical rather quickly I'm afraid.
If I misconfigure an FTP server, and you download some MIT code that I stripped the copyrights from, does that count as redistribution?
Those two things are far more similar to each other than to a public repo whose intent is to redistribute. So no, this case is not the same as either a misconfigured FTP server or a misconfigured repo.
No. If you hack into my company and siphon out an EXE for an internal tool that uses GPL licensed code, you are not entitled to the source code of the package because the company did not “distribute” it to you; you took it without any right to have it.
There’s a whole philosophical debate we can have where we quibble over the definitions of words as they deal with technology, but the (US) courts generally don’t care about technicalities. An analogy is stolen property. If you purchase something that is stolen property, you have (almost) no legal right to it; the courts will often order its seizure for return to the original owner. By “hacking” (according to the CFAA), you “stole” the EXE.
Because “Microsoft Bad”. When a company gets big enough, there will always be a portion of the population you can never please, and Microsoft reached that size a long time ago.
From twenty year ago. You say it’s in their DNA, but I’ll bet that the majority of people there now were not there 20 years ago. Old habits die hard, yes, but they do die.
Microsoft has committed to open source. Maybe it’s self fulfilling reasons, but that doesn’t mean we should brush it off. If some higher up decided to go open source for PR reasons, who cares? We should be embracing it. Shunning it will just make other companies think twice about open sourcing.
Also, this was done by a bot. Microsoft is big enough to have their own in-house council, and I can’t imagine them being stupid enough to risk everything over a copyright lawsuit with evidence like this that the whole world can see.
Microsoft might have committed to open source for business reasons, to an extent ( see the recent .NET debacles), but they're still the same monopolist-abusing and anti-competitive company ( see the recent Edge debacles). They're an inherently bad and evil company, and even though they seemed to be improving, they've gone back to old tactics rather quickly.
Because it's a very stupid mistake. I have a hard time believing someone developed a bot to deal with repo normalisation on GitHub that doesn't know how GitHub functions, what forks are, and that you can't just change the LICENSE with a file of your own. I don't necessarily think it was done on purpose to steal copyrighted content ( that'd be too stupid even for Microsoft), but it's a weird mistake to make.
No judgment from me since I suspect it is also an accident and I’ve made enough in my life that I don’t get super judgy in most cases. But what purpose is there for a bot that forks and makes changes like adding template files? Copyright aside, I don’t understand the value of this bot.
If I were to guess, it would be that the action performed here (or the basis of the code implementing this action) was intended to be done on internal Microsoft repositories that should be open-sourced.
This is a clear violation of the MIT License. MSFT can and should get in hot water over this. The copyright doesn’t belong to them, just a license to use the software.
What is the point of using all caps? For me it makes legal texts like these really annoying to read. I'm not a native English speaker, is that really correct English writing? Aren't there clear rules when to use capitalization? Like, at the beginning of sentences. Feels like they are abusing the language.
Can they just lower case the paragraphs, to make things more convenient to read? Or does that change the legal meaning? For me it would feel like they would stop screaming :-)
Apparently it comes from commercial codes from the ‘50s, which says that important text must be conspicuous [1]
Conspicuous could mean all caps, contrasting text, or different colors. My guess is that CAPITALIZATION was used because most typewriters at the time could do caps, whereas doing different font sizes, colors, bold would have required a special expensive machine. When technology evolved, lawyers being process oriented creatures, stuck with all caps because it was the way things were always done, and therefore safe to do.
Disclaimer: I am not a lawyer. The following is not legal advice and, in particular, has not been tested in court to the best of my knowledge.
You can't use a different typeface, font size or color in a plain text document. That does not mean you have no options. The criterion is that it is “written, displayed, or presented that a reasonable person [...] ought to have noticed it.”
Consider the following:
Nihil harum autem impedit commodi ut occaecati. Nihil
quisquam ab molestiae veritatis consectetur. Quis molestias
sunt facere tempore est. Eum quia quisquam veritatis illo
minus sint atque ipsa. Omnis optio ducimus minus nemo non
deleniti voluptas. Blanditiis nisi eum eum beatae fugit
delectus. Optio neque sed nostrum veniam eos. Culpa ut no‐
bis rem est dignissimos est eum sed. Occaecati dignissimos
eveniet odit aut est ipsum minus nisi.
!! IMPORTANT !!
DISCLAIMER OF WARRANTY
The software is provided "as is", without warran‐
ty of any kind, express or implied, including but
not limited to the warranties of merchantability,
fitness for a particular purpose and noninfringe‐
ment. In no event shall the authors or copyright
holders be liable for any claim, damages or other
liability, whether in an action of contract, tort
or otherwise, arising from, out of or in connec‐
tion with the software or the use or other deal‐
ings in the software.
Unde sint ab qui ut. Debitis qui deserunt fugiat aut nihil
impedit vel saepe. Et ad voluptas quia. Omnis libero ni‐
hil perferendis aut ab. Illo et neque voluptatibus. Et
animi consequatur enim eius aut at veritatis. Modi error a
ratione tempore velit inventore. Accusantium accusantium
et quam quis nemo id.
This seems rather noticeable to me, gets to the point, and is considerably more readable.
By using the all-caps sparingly, we've made way to draw attention to the heading, then offset the passage with large amounts of whitespace to draw attention to the passage itself. At the same time, this keeps readability of the actual text that you want people to read.
BUT ALL - CAPS TEXT IS EASIEST AND AT LEAST TO ME SOUND RIGHTEOUS ENOUGH. I THINK THIS IS A CLASSIC CASE OF QUOTE IT AIN'T STUPID IF IT WORKS END QUOTE.
“Easy to read” is not part of the criteria. The definition is explicit.
> "Conspicuous", with reference to a term, means so written, displayed, or presented that a reasonable person against which it is to operate ought to have noticed it. Whether a term is "conspicuous" or not is a decision for the court. Conspicuous terms include the following: (A) a heading in capitals equal to or greater in size than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same or lesser size; and (B) language in the body of a record or display in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from surrounding text of the same size by symbols or other marks that call attention to the language.
There is a rampant practice where companies and organizations flippantly and often fraudulently stamp copyright notices on everything they touch—including public domain materials such as the U.S. Constitution, works of William Shakespeare, prints of the Mona Lisa, copies of the 9/11 Commission Report, and compositions of J.S. Bach. [0]
It seems Microsoft has now automated this practice.
Edit: It's easy to jump the gun and start accusing Microsoft of something nefarious here. To be clear, I'm personally giving Microsoft the benefit of the doubt and assuming that this was an honest mistake, and that the folks at Microsoft who had something to do with setting this up were well-meaning.
My point is that we're living in a culture that, as a standard practice, sprinkles "(c) [year] [company]" on things like salt, that such claims are frequently invalid or misleading, and that this broader issue may be partly to blame for incidents like the one we are discussing today.
I know I can run "Update Copyright" on my projects in JetBrains - could just be an innocent mistake that hit the wrong folder.
I know everyone jumps on the big corp as everything they do is intentional, but it's the holidays, someone was doing a bit of work, maybe not fully concentrating and hit push.
Seeing how quickly this was plastered everywhere, and the responses to it, do you really, like REALLY think that this is a deliberate play?
This is a perfect example of a huge company using the cover of bullshit to do whatever they want.
"Oops. We f*d up? Well, you can't talk with a human unless you pay us lots of money. Oh - you don't have money for a lawyer? Tough. Good luck getting through our layers of trained monkeys."
Reminder: if you want to protect your software or your community from similar issues you can use [A]GPL and let Free Software Conservancy handle any legal battle on your behalf:
What? no, this goes entirely against the idea of laws.
Copyright laws have one major purpose: protect the right holders. It does so by giving them tools to mitigate their loses by deterring people from infringing.
If a right holder has to invest more time in complaining on people about infringement than actually having time to do other stuff, like creating, then we've got it all wrong.
Someone did this at an university. They replaced my name in the MIT license with the name of the institute. After I let them know that this is not OK, they reverted it.
It seems people are outraged because they don't like it, but they don't seem to be talking about whether it's actually legal.
IANAL, but the MIT license specifically does not say you have to redistribute with the same copyright owner notice. It says the copyright notice and terms must remain, and that you can sublicense it. It doesn't say you can't change the copyright notice.
> This repo has been populated by an initial template to help get you started. Please make sure to update the content to build a great experience for community-building.
What's surprising to me about all the negative reactions Microsoft receives, especially on here, is that from my point of view, they are currently the most open out of all the big companies (Google, Facebook, Apple, etc). I cannot remember a time Apple has admitted to anything or made any effort to have anything that could be considered open, but they do no wrong in most people's eyes, where even a simple mistake by Microsoft gets turned into some nefarious narrative.
Please, Google contributes far more to open source than both. Between Chromium (which seemingly most other browsers are based on now as well as things like VSCode) to Android, GSoC, Golang, Dart/Flutter, the Linux kernel and a bunch of other random stuff, Google has probably done as much or more for the open source ecosystem than pretty much anyone.
Pretty much MS' only useful contributions to open source are from MS Research, everything else feels like a Trojan horse, designed to make you like them and then lock you in to something proprietary later.
Lots of plugins don't work on open-source VSCode, they tried a bait and switch with .NET features, Windows 11 has a bunch of anti-patterns, GitHub is being dodgy about how they train Copilot, etc...
Perhaps I'm the one misinterpreting your comment, and the others have it right.
I'm assuming you mean open as in communication. Apple basically is a stone wall, facebook just spouts empty platitudes, google processes are opaque and unyielding (unless you know a someone or raise a massive community response on social media), but Microsoft continues to be staffed by humans.
They aren't a shining pillar of FOSS, but they've taken some good steps in the right direction in the past few years. And of all of them, user feedback, support, and escalation seems to still be handled by people instead of algorithms
You didn't misinterpret and nailed it spot on. I didn't say anything specifically about open source. While that is a significant part and I personally think Microsoft is doing well, I find that Microsoft are the only ones even mildly open about their communication, documentation, and processes and actually seem to respond to negative feedback, at least more than zero like the other companies. Apple is opaque by design, Google is opaque in a sort of emergent way, and Facebook is opaque in a deceptive way, all three on purpose and working as intended. Microsoft is not perfect by any means, but people get riled up at them all the time for the simplest things and often the exact same things that Apple does, for example.
In the particular case of this post, I just can't imagine an Apple employee posting the exact link (on Christmas!) to a bug that they were responsible for to an issue that was posted on a forum. If someone would have simply made an issue on the GitHub repo instead of posting on Hacker News, it probably would have been fixed without fanfare.
Note these are thrown-over-the-wall source dumps, with no valuable VCS history, nothing more recent than at least 2 releases ago, and sending a PR will likely only receive crickets (said as someone who recently found an easily patchable bug in dyld, contemplated the idea of opening a PR and was told by an ex-colleague who now works at Apple that my best shot would be through feedbackassistant.apple.com).
I just got a security bug fixed last month in dyld in one release cycle. Didn't strike me as difficult. I emailed them, and they fixed it. Not much more to add then that. Have you actually tried?
Also dyld isn't just some thrown-over the wall code. It's completely designed and built by Apple and is the cornerstone to making the user-space runtime functional.
All the code designed and built by Apple is thrown-over-the-wall. That's old-version-of-source-available, barely open source.
I tried emailing ld64's author about a bug in the past without success. I don't remember how I found their name/address back then, but I sure can't find any names or contact information for dyld right now...
What on earth are you talking about? ld64 is a completely different beast than dyld in today's world.
Also, I'm not sure looking for individual points of contact in a large org is the best idea. I emailed security@apple.com. Even if it's not a security bug they will help direct you to the right team.
I'm talking about trying to contact people at Apple about bugs in their "open source" code.
Why would I send an email to security@apple.com for something that is not a security issue?
> Again, have you even tried?
Yes, I tried for ld64 in the past, and I tried through what I was told had the best chances to work by an Apple employee this time for dyld. I'm not holding my breath, though.
> ...from my point of view, they are currently the most open out of all the big companies (Google, Facebook, Apple, etc)
I'm curious to know how you're measuring openness. I agree Apple is the least open of the group, but Facebook and Google owe their existence to FLOSS, and were always in harmony with it from their origins.
You may have read something in my comment I didn't (mean to) express - none of thr companies open source their crown jewels (e.g. Windows). I subjectively don't see how Microsoft can be seen as the most open, and I was curious to know how parent came to that conclusion. Microsoft (and perhaps Apple too) are the ones with a history of antagonism with open-source/GPL.
> I cannot remember a time Apple has admitted to anything or made any effort to have anything that could be considered open…
This was a while back, but Tim Cook apologized[0] after a poorly received rollout of Apple Maps. That said, I applaud this response and agree that more like it is needed across the industry.
Although Google was the one which prepared it for production before its releasing, k8s originated from academia (more precisely, University of Massachusetts Amherst).
Ps.: check follow up comments. My comment in here is wrong.
My mistake. One of its founders has a PhD from there (thus my mistake), but k8s was actually created while he was working at Google, after his PhD (which has nothing to do with k8s..).
what surprises me the most about Microsoft related hate is that, despite the fact that they had (still have pretty much) control over the OS market they never locked their system down or charged people in any capacity.
People take it for granted that you can just run what you want on your windows machine but they could have turned it into smartphone style locked down system. Imagine if every app developer in history had to fork 15-30% of their sales over to Microsoft just for building on Windows, they could have made a trillion bucks or something.
While it's not locked, they're certainly pushing you that way. For example the only built-in installer for VS projects right now essentially gives you a choice of either a plain directory of files, or a nice process to release to the windows store. Want a simple MSI/installer - deal with the pain yourself.
Once you do try to distribute your own app, you need to shell out >$200/yr for code signing certificates which pass the smartscreen filter, otherwise your app will be randomly prevented from running.
And other issues... With every version things get just a tiny bit more inconvenient for out-of-store software releases.
They didn't do it because regulators were already on them, hard. They literally funded Apple to try have a competitor so they wouldn't be broken up. A judge did, at one point, rule that they should be broken up anyway.
I listed 5 reasons why we do that here: https://news.ycombinator.com/item?id=27132402. In this case I think it was a combination of (2) it was a step into more generic discussion and (5) the thread was top-heavy and we were trying to prune it.
Yes they are still working on world domination and needs to act kind and responsible, unlike Google and Apple that is ahead of them.
If Microsoft had the most popular search engine and the most popular mobile operating system, they would be gathering all our data and putting ai robots to answer our questions.
These big tech companies do not have the best interest of us in mind. They are a force for centralization of power into the hands of billionaires.
It doesn't have to be this way but it requires users to smell the coffee and want another Internet and another big tech industry.
Saas like Office 365 seems to be Microsoft's current flavor of proprietary, closed software moving forward.
MS has released some quality open source code, there are many organizations running fully open source stacks atop Dotnet Core, in our case atop Debian and Postgres. Microsoft makes no money off use cases like this (beyond hopefully selling Azure VMs)
Correct. You don’t own the code just because you forked it. The original copyright holders retain ownership, and you must abide by their license. You can’t swap out the license unless they explicitly allow you to do so.
That’s not true. You can change the license if the license allows you to. It’s copyright you can’t change unless the author assigns the copyright to you.
This comment highlights the ignorance of a lot of people in this thread jumping to conclusion and view MS instantly as an aggressor and themselves as victims of the obvious and horrible crime of copyright infringement.
A) Do you know it was not an honest mistake?
B) Why a complete understanding of esoteric legal copyright laws created by non-programmers all of a sudden so important to a mainly programmer HN audience?
Are you joking? Programming is all about intellectual property. A complete understanding of copyright laws is important for anyone in the tech industry.
Jurisprudence is a specialty beyond the skill level of an average lawyer. It's like saying to be able to eat you need to have a complete understanding of how to raise a chicken.
One can add their copyrights, relicense in some cases, but absolutely cannot remove existing copyrights. I don't think any FOSS license (save for the "public domain" ones) allow for that.
EDIT: also if there are any forks of your project, you should ask people who forked it to restore the original copyright notice as well. If the original copyright holder sees your name instead of theirs, they'll know who to sue.
You (or possibly your employer) own the copyright to the code you produce. And you are fine to say something like "copyright $me $yearIMadeACommit". What you can't do is claim copyright on work you did not produce or remove existing copyright notices.
Free or open source licenses aren’t a lack of copyright. They are an exercise of copyright. All of that code that you didn’t write is still copyrighted by their original authors. You simply have permission to use it under the criteria outlined in the license.
Sure this might be an innocent mistake, but if you were to infringe a nanometer on Microsoft intellectual property, never in hell would they be like „oh an innocent mistake, we don‘t sue you into oblivion then!“
I was asked to run out Intune on Android [0], which is a Mobile Device Manager from Microsoft, (aka MDM) [1].
We needed an always-on VPN. Intune supports several, but all insist you run some proprietary server software. If you don't understand why that would make someone feel uncomfortable, PulseSecure [2] was one of those options. There is open source GPL software that replaces the proprietary back ends called OpenConnect [3], but that violates their client licensing.
Then I discovered Microsoft has their own VPN called mstunnel. That's when I felt like I had fallen down the rabbit hole. I dismissed mstunnel initially because since it is a Microsoft Product, it would run only on Windows, right? Turns out it only runs on Linux. I thought you installed the mstunnel client on Android, because among other things it existed - but nope it was superceded by this thing called "Defender for EndPoint".
The server came as a Docker install, but we didn't have the required version of Docker so I unpacked it and ran it in a chroot. That all worked in the end, but in the process of unpacking it I discovered what it was under the hood. It had two things - an "agent" written in dotnet whose sole function as far as I could tell was verify with Microsoft's servers you have paid for it and ... a copy of free as in beer OpenConnect.
Nothing wrong with that really. In fact it's the reverse - it being OpenConnect under the hood gave me a lot of confidence I wasn't dealing with another PulseSecure. The only fly in the ointment is OpenConnect is GPL. They are completely free to use it the way they did - in fact I suspect the OpenConnect authors would be very happy to see the project used in that way. But you do have to comply with the licence. There was no attribution whatsoever, let alone instructions on a copy of the source as the licence requires.
I'm sure it's just an oversight, just like the subject of this article. Maybe it's another mess for Jeff to fix. I don't know you from a bar of soap Jeff, but keep up the good work.
[0] Intune provides a uniform MDM like experience across many platforms - including Windows. If you need to control Windows like that you probably don't have much choice, you have to use a Microsoft product. Maybe it works very well on Windows, but it's an ugly, buggy thing on Android, and the UI is a confusing mess. If you only need an MDM for Android I can heartily recommend headwind (https://h-mdm.com/), which we rolled out before Intune because it took literally months to get the licences (in fact, we still don't have them). Headwind is open source, is cheaper than Intune and has free tier, and frankly was a joy to work with - once you discovered their doco was all in the FAQ's.
[1] For the uninitiated, all Android devices (and iOS) allow a company to take control of a device by installing an MDM, something that can happen only immediately after a factory reset. Thereafter Android displays "your company can see everything you do on this device".
That "issue" is unrelated. You've just hijacked the thread to talk about it.
Also the point you're making is controversial, and definitely isn't widely agreed on. As a human, I can read public code on Github, and use my internal neural network (brain) to regurgitate sections of code, and don't need to attribute anyone (who can say which codebase I'm recalling code from? I certainly can't). So a neural network doing the same thing, but external to a human, is certainly questionanble, but it isn't a cut-and-dry case of copying without attribution.
You're making a false equivalence between copilot and a human brain. Neural networks are programs, programs don't have the same rights as humans. Implying the opposite is even more controversial than saying that copilot should respect licenses.
Also, humans sometimes have limitations on what code they should have seen. It's common in the emulator community to forbid anyone that has seen proprietary code from working on black-box implementations to avoid legal issues.
> The larger issue is that anyone using GitHub is donating their work for re-use without attribution through Copilot.
Wrong. Lets say a GPL project is not hosted on GitHub officially. I can easily setup a mirror for it though on GitHub as the GPL doesn't prevent me from doing it...
Point is that anyone can put my work on GitHub, even if I don't want to.Assuming the project is under a free license though.
I wonder what kind of language you would need to add to your license in order to explicitly forbid the ingestion of your code by Copilot and/or like projects.
> I wonder what kind of language you would need to add to your license in order to explicitly forbid the ingestion of your code by Copilot and/or like projects.
If Microsoft's theory is correct, under US law it is impossible to forbid this with a license, because a license is just an offer of additional permissions beyond what is available automatically under law, and Microsoft's theory is that ingesting code into GitHub is fair use and therefore permitted under law as an exception to copyright without any license from the copyright owner.
If Microsoft's theory is not correct, pretty much any license with an attribution requirement (among others, for other reasons) would work.
The idea that a special license is needed or of any use doesn't seem to have any justification, even in theory. (As is the idea that hosting publicly but not on GitHub changes the legal parameters.)
There's a part that I don't understand. If some software is mirrored on github by someone that isn't the copyright owner, it seems like github shouldn't be able to use it. Yet they said nothing about that specifically. In that case, is the only option to put code somewhere else than github under a license that forbids reuploading to github, and issue DMCAs when/if people reupload your code? It also sounds like when code is removed through DMCA, it should be removed from the training set and they should retrain copilot.
> If some software is mirrored on github by someone that isn't the copyright owner, it seems like github shouldn't be able to use it.
If they don't need permission from the copyright owner, either via license of GitHub T&C, because it's fair use, which is their overt legal theory, then why would it matter legally whether the code was posted to GitHub at all, much less by whom? Ingesting only code form GitHub is a practical convenience that has nothing to do with their legal theory of the right to do it.
> Yet they said nothing about that specifically
Their theory of fair use means they have the right to ingest any code, irrespective of who owns it and what conditions (if any) it is licensed under or where (or even if) it is hosted online. They don't need a separate justification for your scenario if the theory they’ve cited is correct.
> In that case, is the only option to put code somewhere else than github under a license that forbids reuploading to github, and issue DMCAs when/if people reupload your code
Nope, that doesn't help at all, legally; it may help practically as long as they are just using GitHub hosted code and not consuming code from other public hosting platforms, but it has no bearing on their legal theory of why they can ingest code without additional permissions.
Thanks for the clarification. So according to their theory, I could train a model on any code, even private Microsoft code, and that would be okay? That sounds surprising to me.
IANAL, but I have written licenses for that purpose. [1] (I'm trying to get them reviewed by a lawyer, but can't afford to; maybe I'll do a GoFundMe.)
What I did is say that if you feed copyrighted software to an algorithm that itself outputs software, then the license applies to the output. This covers the output of compilers and such, but it would also cover Copilot in my opinion. We'll see what a lawyer says.
However, even with a license, I wouldn't doubt that Microsoft would just put it through GitHub anyway because finding them out would be extraordinarily hard.
The “Yzena Copyleft License” states that it's a copyleft license, but it also states that it's not a viral license. According to Wikipedia, a viral license and a copyleft license are the same thing.
There is a difference between "strong" copyleft and "weak" copyleft. An example of "weak" (non-viral) copyleft is the CDDL. In fact, the CDDL's Wikipedia page talks about strong and weak copyleft.
You can read [1] for a breakdown of copyleft by an actual lawyer. Suffice it to say that Wikipedia's Copyleft page is woefully inadequate.
It is wrong as a specific statement about GitHub, because regardless of current practice, the legal theory for Copilot applies to any code anywhere, so anything that is publicly accessible would involve the same risk. It's not dependent on use of GitHub even if Microsoft has initially started their because it's easier for them.
Also, I don’t see how this is true. Code on my website is publicly accessible, but not in the public domain, nor licensed for re-use, unless I say that it is.
Licensing matters for things that would be forbidden without permission by copyright law. Fair use is an exception to copyright law. Microsoft's explicit legal theory around Copilot is that ingesting code for it (and ingesting content to train ML models more generally) is fair use. If there theory is correct, license is irrelevant, there is no legal (at least copyright-based) barrier to them using any source code they can get their hands on to train Copilot.
To be honest, can't humans go through various open source repositories and copy the bits they like?
If you don't like that,don't release your code as open source. I'm not going to host my open source projects on my own website. That's just hard, it's much more difficult to get people to check it out if it's on Broblog.net
I personally don't believe extremely short code snippets, like the ones copilot tends to copy are problematic.
I don't want to live in some dystopia where we have dozens of lawyers deciding who owns that above code snippet. If Amazon wants to use that snippet, fine, you can use it, etc.
All Co Pilot does is optimize taking code snippets from different sources.
If you treat copilot like a human, and you ask it a question ( like "#find median of list") that human either (A) will put together all the things they've learned over thousands of hours of simply looking at code in the programming language and how the syntax works, then provide a new code block, or (B) remember "oh, I remember this extract string of text and what comes after it. Here's the next 10 lines from that snippet". In that B scenario, would the human be infringing on the original's copyright? Arguably yes; but is situation (A) also copyright infringement, or is it like getting code help from a friend?
In these situations, whether it be originating from a human or robot, the knowledge comes from looking at public code on GitHub and it's always been a risk that your public code might not be used with proper attribution at some point. Think about how many OSS projects have core code and algorithms copied daily by companies with no public name and keep all of their source code private - it's surely caused more damage than CoPilot ever will.
As a human, if you memorize a book word-for-word and later reproduce whole passages of the book in your own writing then that is considered plagiarism and copyright infringement. It does not matter that you stored it in your human memory before reproducing it.
The test to use is to imagine you’re writing an essay in college. If your essay contains unattributed passages from another work then the professor will not care that you memorized them rather than just copying and pasting the text. In order to be in the clear you need to properly quote and cite the original author.
GitHub copilot does not provide attribution. All it does is obfuscate the original source to make attribution impossible. Copyright lawyers ought to have a field day with this one.
the following is my personal opinion, unrelated to my work
>In that B scenario, would the human be infringing on the original's copyright? //
Depends on jurisdiction but in general I'd say no as quoting, particularly an insubstantial portion, is allowed (certainly under USA Fair Use, possibly under UK Fair Dealing).
However, and again depends on jurisdiction, copying a whole work to use for AI training or searching can be restricted (though it's on the GitHub license in this case). The snippet might be allowed but copying into a training corpus may be excluded (I think UK have an exception for AI training, but I may have misremembered, it might be a suggestion??).
I think the answer is:
we don't know the copyright consequences of copilot yet. It's certainly a legal gray area, and it has not been challenged in court yet.
There are quite a few companies where copilot and copoilot-like technologies seem radioactive at least for the moment.
> The writing is on the wall. You MUST host your own code on a stand-alone website.
Even if Microsoft currently only uses GitHub-hosted code as an input to Copilot, their theory of the legality does not depend on code being hosted there and applies to any code they can get their hands on. The idea that hosting code publicly at some non-GitHub location is going to keep it out of Copilot is not well justified.
> The writing is on the wall. You MUST host your own code on a stand-alone website.
How would self hosting your code prevent Microsoft/GitHub from using it in the Copilot training dataset? If using content from GitHub irrespective of their license to train Copilot is legal, so is training from code available on your website.
Because it isn’t in compliance with the terms of many popular licenses to create derivative works without attribution. Therefore the only possible claim Microsoft have to do so is via terms and conditions, which would not apply to code hosted on a stand-alone website.
It might be time for popular licenses to update themselves for this new-found threat.
> Therefore the only possible claim Microsoft have to do so is via terms and conditions
No, Microsoft's claim is fair use, not GitHub terms and conditions. You don't have to speculate on what you think their possible claims are, when they've publicly stated their actual claims.
It's a question of handing it over and giving them a ToS shield to hide behind, versus making them work for it and risking license violations "in the wild".
Does their ToS give them additional rights to the code uploaded to GitHub? There are several unofficial copies of projects like glibc [1] uploaded by people who definitely do not have the authority to grant any additional rights to the code.
If it's legally sound to do that, then it's legally sound to scrape code from Stack overflow as well. No special license is granted to GitHub to train CoPilot; the hosting license in the ToS[0] specifically doesn't allow its use outside of GitHub itself[1], so i'd argue that applies to running copilot in VSCode for code not destined for GitHub - and i'm sure MS's lawyers reviewed such a product launch.
> Here is an example. This Go program (a compiler) generates and serves its own website: https://NN-512.com
Not a very good one - clicking the link produces a download dialog on Firefox (I'm guessing because the website neglects to indicate a Content-Type).
Ironically this is an argument against trying to do everything yourself - you might waste time chasing the long tail of thousands of little details that had been solved many times over elsewhere.
Edit: looks like this bug is triggered by the absence of Accept-Encoding in the request. When the server compresses the response, it neglects to include the Content-Type of the compressed content.
> You defend Microsoft, here and in other parts of this thread, as they sell the work of open source authors without attribution and in violation of explicit license statements in the code.
> The larger issue is that anyone using Github is donating their work for re-use without attribution through Copilot.
I think this can only be valid of Github's terms of use clearly specify that or the chosen license allows it.
I actually see copilot benefiting GPL projects: suppose a programmer uses copilot to develop a proprietary software and copilot regurgitates GPL'ed code: now the proprietary software is a derivative work and must be GPL'ed too.
Unless copilot serves as a legally effective "laundering" of gpl code. Which sounds silly, but we're now in a situation where that outcome is super desirable to GitHub/Microsoft.
Another potential outcome is that so many projects could now end up unknowingly using gpl code that enforcement becomes an impractical whack-a-mole, far more so than today. Being told to rework or relicense your project because of copiloted gpl code could easily end up with hobbyists wholesale begrudging the gpl license rather than copilot itself.
> Unless copilot serves as a legally effective "laundering" of gpl code.
It's quite interesting how it seems to have come full circle, at least according to this stackoverflow comment about Stallman releasing a paper in 1992 on how to effectively launder AT&T code via textual changes (I have no idea if he did, I just remembered the comment):
https://unix.stackexchange.com/a/591221
How does your license prevent someone redistributing source code over GitHub? What does copilot claim as far as licensing rights beyond fair use?
You may be practically limiting copilots use of your code but I don't see any licensing difference if Microsoft hosts Copyright code or scrapes copyright code.
I have good memory. I always stood one mile from anything that MS does. The new generation that is easily scammed by flashy stuff like VS code is in for a treat.
Anyone who puts anything on the web is at the same risk. For example, ask Google how old Queen Elizabeth is [1]. Google tells you the answer in a big font at the top of the result page. Google sourced the answer apparently from usnews.com but you didn't even have to click the usnews link. Google "took" the answer from them and deprived that website of a click.
So yeah, you are donating your work to Google when you put it on a publicly accessible web site.
If all of the useful information in a web page is mined and given away by a third party in an automated fashion, such that the copyright holder is deprived of revenue, then that's not the intention of 'right to quote'.
I'm pretty sure Google pays these types of content publishers (like Reuters) very handsomely. In this case, the content distributor (USNews) also went out of their way to SEO their site with microdata[1], so I'm going to guess a lot of their inbound traffic also comes from Google searches.
The following is pure conjecture with zero evidence:
I think that’s on purpose, not to “steal” code from GPL’ed softwares’ authors, but to get GPL’ed code into commercial projects. Then Microsoft can say “oops, we were right all along! The GPL is so dangerously viral that you can’t even host your software on the same server!”
I know that sounds stupid, unless you were there for the Halloween Documents. After all these years, it seems to me that Microsoft hasn’t done the 180 they portray.
You broke the site guidelines so badly and so repeatedly in this thread that I've banned the account. If it were just a question of a single thread, I'd put it down to going on tilt (which happens sometimes), but you've also been breaking the guidelines egregiously in other places too.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
It doesn’t matter that it was an accident; it’s still a serious issue that needs to be corrected and deserves an upvote. It’s also quite curious, and I appreciate hearing about the incident.
Incidents don’t need to be malicious to be newsworthy or intriguing.
> Leave a message when you realize that forking a repo on GitHub is not the same as publishing a copy under your name.
First, you send me a message when you realize you can't just change an MIT License's copyright line as you see fit, then we can discuss the rest.
Also, milking knowledge from someone with an implicit promise of hiring, and re-implementing the software and tossing the original developer aside like an orange pulp is nowhere ethical.
The mistake is not harmless. Corporations don't get to hide behind their bots' mistakes. Microsoft needs to reverse the change, explain why it happened and implement precautions so it doesn't happen again.
Problem is in a world of moderation actions being taken by bots and not humans often the only way to get a human to review its decision is to raise awareness on social media like HN.
How often have we seen closed accounts getting resolved after complaining about it on HN/Twitter/Etc.
I’m not saying tha to how it should be, just what it’s become.
How often did the bot make the same mistake? In how many of those cases does Microsoft now assume they have copyright and make their army of lawyers enforce it? Are you willing to go up against Microsoft in a court, rolling the dice?
It seems to have very plainly been a mistake, and your comment broke the site guidelines. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
I did warn everyone that Microsoft has gotten smarter and is 'using' open-source and Linux for EEE. We know how they embrace and extend.
Extinguish basically now means:
'We fork the best open-source tools and they sit on our cloud and are more secure and scale better than if you self-hosted it, and is completely free to use.'
Paid competitors can't compete or will struggle to compete with free, given that it is open-source and more secure and is sitting on the cloud and scales. Lastly, nobody got fired for buying products with Microsoft® stamps.
The original copyright holder claims on reddit[0] that it was forked, and there doesn't seem to be any implication of buying the rights to the software.
Crikey - surprised by the downvotes. I mentioned “Dismiss” because I remembered it as being a significant part of the process - attempting to “Take the wind out of the sails” of something innovative, to slow market adoption and to buy time to plan the Embrace, and decide how to best Extend to eventually win the competition.
...but aside from Eritrea, Ethiopia, Iran, Iraq, Marshall Islands, Nauru, Palau, Somalia, and South Sudan everyone is part of one or more (usually more) international treaties that cover copyright such as the Berne Convention or TRIPS or UCC, so you should expect in most places that most people on HN are likely to ever deal with have copyright law that isn't too different for the most common situations.
If that function always returned, say, the AACS key then it would likely be violating copyright in the US. Regardless of whether it was the result of a computation or statically defined.
It looks like Microsoft developed this all along. Yes, git keeps history, but it's unethical and ugly to begin with.
Also, I'm not sure you can just change the copyright information, and change the history of the code like that.
However, this is typical of Microsoft. Like DOS, like Windows App Store / Packaging ripoff (they asked the guy some questions, sherlocked his software, even didn't thank him later), etc.
A supercorp will have far more resources to succeed in courts than an individual person, such that the courts are not a fair avenue for resolving disputes. The court of public opinion is, unfortunately, far more accessible to the individual.
That being said, if someone were to sue Microsoft over this (they would have to be the original copyright holder), I think it's more likely Microsoft would try and settle out of court.
We have merged a pull request that restored the correct LICENSE file and copyright, and are in touch with the upstream author Leśny Rumcajs who emailed us this morning. We'll look to revert the entire commit that our bot made, too, since it updated the README with a boilerplate getting started guide.
The bug was caused by a bot that was designed to commit template files in new repositories. It's code that I wrote to try to prevent other problems we have had with releasing projects in the past. It's not supposed to run on forks.
I'm going to make sure that we sit down and audit all of our forked repositories and revert similar changes to any other projects.
We have a lot of process around forking, and have had to put controls in place to make sure that people are aware of that guidance. Starting a few years ago, we even "lock" forks to enforce our process. We prefer that people fork projects into their individual GitHub accounts, instead of our organization, to encourage that they participate with the upstream project. In this situation, a team got approval to fork the repository, but hasn't yet gotten started.
To be as open as I can, I'd like to point to the bug:
- The templates we apply on new repositories live at https://github.com/microsoft/repo-templates
- The bug seems to be at this line of the new repository workflow: https://github.com/microsoft/opensource-management-portal/bl...
- The system we have in place even tries to educate our engineers with this log message (https://github.com/microsoft/opensource-management-portal/bl...): "this.log.push({ message: `Repository ${subMessage}, template files will not be committed. Please check the LICENSE and other files to understand existing obligations.` });"