Hacker News new | past | comments | ask | show | jobs | submit login
Microsoft forked MIT licensed repo and changed the copyright [fixed] (github.com/microsoft)
1326 points by mkdirp on Dec 25, 2021 | hide | past | favorite | 538 comments

I lead the Microsoft Open Source Programs Office team. I'm sorry this happened.

We have merged a pull request that restored the correct LICENSE file and copyright, and are in touch with the upstream author Leśny Rumcajs who emailed us this morning. We'll look to revert the entire commit that our bot made, too, since it updated the README with a boilerplate getting started guide.

The bug was caused by a bot that was designed to commit template files in new repositories. It's code that I wrote to try to prevent other problems we have had with releasing projects in the past. It's not supposed to run on forks.

I'm going to make sure that we sit down and audit all of our forked repositories and revert similar changes to any other projects.

We have a lot of process around forking, and have had to put controls in place to make sure that people are aware of that guidance. Starting a few years ago, we even "lock" forks to enforce our process. We prefer that people fork projects into their individual GitHub accounts, instead of our organization, to encourage that they participate with the upstream project. In this situation, a team got approval to fork the repository, but hasn't yet gotten started.

To be as open as I can, I'd like to point to the bug:

- The templates we apply on new repositories live at https://github.com/microsoft/repo-templates

- The bug seems to be at this line of the new repository workflow: https://github.com/microsoft/opensource-management-portal/bl...

- The system we have in place even tries to educate our engineers with this log message (https://github.com/microsoft/opensource-management-portal/bl...): "this.log.push({ message: `Repository ${subMessage}, template files will not be committed. Please check the LICENSE and other files to understand existing obligations.` });"

A lot of commenters are sharpening their pitchforks, but this comment, in my opinion, makes it very likely that it was an honest mistake. Amazing what taking personal responsibility and earnestly apologizing can do to restore trust and credibility!

Yeah, I think this is an example of addressing a mistake that other companies should take note of. I don’t trust Microsoft-sized corporations as a matter of principle, and I don’t typically give them the benefit of the doubt, but when one of their own engineers explains in human-readable terms what specifically happened—on a holiday, no less—I’m impressed enough to believe him. Some PR flack showing up with vague boilerplate about how Microsoft values the open-source community and they’ll look into it would only have encouraged more outrage.

I always appreciate communication that acknowledges I’m a person, not a data point or a customer. I wish more companies ditched the greasy PR approach and allowed folks like Jeff to do their talking for them.

I think a key reason that corps do try to avoid admitting fault, is because in a lawsuit that can be used as evidence for a guilty verdict in a civil lawsuit in some of the most slam dunk ways.

If we remove this feature of common law legal systems, I think you will get far more admissions of fault like this one.

If you hurt people, organizations, etc for admitting their mistakes, they're going to stop doing it.

The key take away is that apologizing and admitting fault doesn't absolve one of liability. There are a number of "amnesty" laws on the books where admitting fault can server to limit or reduce your sentence - especially with tax issues. I'm not sure how desirable such a thing would be in civil law among private parties. Especially in cases where a tort is minor to one party but a big deal to the other because of disparate wealth.

E.g. if Microsoft burned your house down would an apology and explanation be enough to settle the matter? How could we encode this principle into law for minor things but not large things?

I don’t think accidentally removing credits from a software license is exactly on the level of burning someone’s house down.

In general, I wouldn’t say that causing someone harm should be dismissible with an apology, but in a situation where the harm seems pretty limited, easily reversible, and unintentional—and the apology seems genuine and even informative—I don’t see a particular benefit to causing hardship to someone who made a mistake. The communal reaction as it is should give Microsoft/Google/etc an idea of what the blowback would be if this sort of thing was a deliberate corporate practice.

The harm is depriving the author of their moral rights, and the name recognition from their work. Depending on how popular the library becomes this could deprive the author of substantial business opportunities.

And if this was a deliberate decision that Microsoft refused to undo, I’d be as outraged as everyone else here would be.

But it wasn’t, and they did undo it, and I found their response impressively civilized and professional. So I’m not really understanding why everyone seems to want to hold this guy accountable for all the shitty stuff Microsoft could have done, didn’t do, and apparently did in the past.


Alright... What is a proper response to an honest mistake in your book? We have links to a bug, explanation of what happened, a clear response (that they will check to see if this happened on other forks), they reversed the change...

Unsure why the bar would need to be higher. This is all reasonable given the circumstances.

An engineer who can write straightforwardly is worth 100 PR people in situations like this.

They're not paid like that, but they are worth that.

Fully agreed. And yeah, when it comes to my expectations as far as how large companies respond to embarrassments, the bar is about as low as it gets. A tone-deaf non-apology that sounds like a robot wrote it is what I expect to hear, and I’m almost invariably right.

And that offends me. The idea that someone thinks I’d be convinced by such a response—that I’d find it persuasive and acceptable—is fucking insulting.

So when the guy who’s actually responsible for the mistake—and not some polished corporate drone—actually shows up in the comments section, explains what happened, and talks to me the way one of my colleagues would: yeah, that is above and beyond by most standards, certainly the ones I have for evil empires like FAAN(M)G companies, and I give major credit for that.

Agreed. It's mostly I think because the press can only really do bikeshedding, and so the form of what people say is all they can comment on and amplify, and so we need professional spokespeople to keep up with the rules of what's okay to say, rather than more people to make better products.


How has Microsoft reformed? Windows 11 is more intrusive than ever, it changes default programms more frequently to their desired programms and it is so annyoing to switch browser. THey still are the same old.

> makes it very likely that it was an honest mistake.

I don’t have any doubt that it was an honest mistake. They also took accountability for the mistake, shared their steps to prevent it from happening again, and they’re in contact with the original repo author directly.

At this point, anyone digging for excuses to further demonize Microsoft isn’t interested in honest discussion about this issue. This is a textbook mistake followed by rapid resolution (on Christmas Day, no less), with great communication on top.

Here in "honest mistake" they try to patent somebody's method: https://www.theregister.com/2021/03/13/microsoft_ans_patent/

It was obviously a mistake. Still nice to have someone involved give the backstory.

Yes, very nice writeup from Microsoft.

Had a similar experience with AzureCli v2.30, where the environment variable to ignore certificate errors suddenly did not work anymore.

It turned out it was removed but there was no mention of it in the release notes.

On the GitHub page quick response was provided by Microsoft.

If you read the comments, most people believed it was an honest mistake. What we didn’t agree with was that it was an excusable mistake. Microsoft have since acknowledged it’s not excusable and thus will rectify that error. So as far as I see it, all parties, both for and against MS, should be satisfied with the outcome.

In a way I'm glad that this is not taken lightly. We all need to be informed and calm, but mega-corporations should be held to higher standards. They should feel breath of an angry mob once in a while. I imagine, that if reactions to things like that would be just "meh, it's probably just a mistake" it would not be resolved as quickly or it could just be ignored. But now that it is all cleared up let's go home and Merry Christmas.

A phrase I've come to appreciate:

> Prescribe not to malice that which may well be a buggy edge case.

Intent is a red herring, especially when the actions of an organization, rather than an individual are being considered. More important are the actions' consequences and the organization's propensity for repeating them.

Honestly, doing this all on Christmas nonetheless. This sort of thing is why I never want to be in leadership roles.


I’d rather we all ceased the collective regressive delusion that is copyright.

There are other ways to make sure artists and inventors can eat than by using the threat of violence to make the unscarce scarce.

Lets also get rid of web search engines while we are at it, or transparent caching CDNs /s

Web search engines claim fair use for snippets, and MS claims fair use for Copilot. However, a web search engine result page is only an aggregate of the excerpted pages, and it refers back to them; unlike software authored using Copilot, it does not draw those snippets together into a coherent purposeful whole, strip all reference to the original author. and claim complete originality.

That MS went ahead with training Copilot on open source code authored by people who are clearly not OK with it is why they are so short on goodwill.

Why is Copilot any different from a human doing essentially the same thing? Complete originality doesn't exist. I think the people who are complaining about Copilot have likely done the same thing themselves. I can't erase the memory of all the code I have read and written that somebody else 'own' the copyright to, so my brain will subconsciously use copyrighted code when writing software.

Because copilot is not a human and can do things that humans can't. Moreover I encourage you to learn music pieces by listening to them and then selling/giving away snippets. You will have big corporations on your heels fairly quickly even though you are a human.


Could you please stop breaking the site guidelines? You've unfortunately been doing it repeatedly in your HN comments. People are supposed to get the benefit of the doubt here.


What happened here was obviously a mistake. The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.

The thread would have been a lot more fun if we could have spent it talking about what prompted your team to build this thingy, and bounce other people's approaches to the same problem off, and maybe share some war stories about dumb things bots have done on our behalf.

Thanks, regardless, for the information you've provided here. It's interesting.

> The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.

Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.

The issue looked like a mistake from the start to anyone paying attention (committed by a bot, changes were consistent with a boilerplate LICENSE file being checked in).

If someone at Microsoft wanted to steal some code, forking it on Github and then publicly documenting the history of the code in the most visible way possible would truly be the dumbest way to do it.

Especially here, when the smoking gun is a change to an MIT licensed project. One of the torch-holding commenters remarked that developers at Microsoft ought to know enough about how licenses work to know what a big deal this was. Physician, heal thyself.

> Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.

I would go so far as to say almost no group is, they just have different preconceptions that encourage assumptions of malice in different ways and directions.

There is no substitute for more facts about the situation, no matter how much we'd like to assume the details that aren't given.

How is this commit in May related to the current thread? Your post doesn't contain enough information for me to understand your meaning.

Apparently that's a commit made by a human re-assigning copyright of a forked FOSS project [0] to MSFT, presumably without attribution [1]

[0] https://openprinting.github.io/cups

[1] MSFT moved attribution to NOTICE file, which is cleaner, but trips people who aren't paying attention: https://github.com/microsoft/cups/blob/main/NOTICE


The obligation you're not living up to is to HN, not to Microsoft. If you want to participate here, the onus is on you not to be knee-jerk; avoiding knee-jerkism is the subtext of like 3/4 of the site guidelines.

This is veering to the meta, however, one of the best things came out of my HN experience is how to converse and discuss better. Actually I strive hard to not to be a knee-jerk person. I always take my time while writing something and try to back-up with actual events and/or facts.

The point I was trying to make that for companies like Microsoft, reaching for the pitchfork is not always a knee-jerk reaction IMHO. For all the things they have done, my initial reaction is always Oof, not again..., which is actually sad for a company of this size.

It's actually unfathomable to me for a company like Microsoft to not test these flows adequately and allowing this to happen.

For a change, I want to see a more open computing platform, a less intrusive Windows version, or a longer maintenance window for CentOS, but we all have is a brawl.

One big clue you have that the reactions here were knee-jerk is that they all turned out to be totally wrong. There's a lot of corncob dot gif happening in the aftermath.

I'm glad that my assumption proven to be wrong, by Microsoft itself, nonetheless. However, is being wrong is always equal to being a knee-jerk? Does the reputation of the company in question doesn't play a role here?

Or, shall we be stateless, and evaluate every events without any prior experience? I don't think that holds a lot of water in real world, either.

Another clue that it's knee-jerkism is that the accusations make no sense. It's hard to see what Microsoft plausibly stood to gain by modifying an MIT license. I suspect a lot of the accusations here are being made by people who simply don't know what an MIT license means. For that matter: even with a restrictive license like the GPL, it's hard to make sense of this as a heist, especially since it's right there in the public git log.

I don't think it's going to be possible to salvage the torch and pitchfork comments on this thread. For lack of a better way to put it: they're pretty dumb.

> It's hard to see what Microsoft plausibly stood to gain by modifying an MIT license.

Actually, not being able to find a plausible gain in five minutes doesn't automatically clear Microsoft (or any company) in my mind. From top of my head, I can list three technologies which I find suspicious in the long run: LSP, WSL, SecureBoot.

All in all, I just don't trust Microsoft, and think about the worst of their actions first. They're the only company (ORACLE being a firm second) which evoke this reaction for me, and this their own making over the years.

Just because I don't trust a company and assume the worst of them, and telling this openly makes me a knee-jerk person, so be it.

As I said, I'm happy to be proven wrong, but I refuse to be stateless, and look every action of this company with completely neutral eyes.

If you don't have anything well-considered to say about an event on HN, the best thing to do is not to say anything at all. Believe it or not, your personal distrust of a giant company isn't all that interesting to the rest of HN.

I think what he has to say is well-considered, and interesting. Meanwhile, the fact that you consider yourself qualified to speak for "the rest of HN" is... deeply fascinating.

I’m sure you meant to qualify that statement to say it is deeply interesting to you, rather than imply that your assessment of the interestingness is somehow objective or represents what other people think.

It doesn't matter how "dumb a heist this would have been". This is Microsoft and their track record with respect to illicit and/or illegitimate behavior needs to be continually scrutinized. They put themselves in this position. They have made plenty of intentionally dishonest "mistakes" over the years.

Track records matter and Microsoft doesn't have a clean one. Scrutiny of companies of their size should be the norm. Maybe they would do more to improve "mistakes" if more people held them accountable in a continuous fashion.

"Scrutiny" doesn't mean making up nonsense issues, which is what this is. There's no amount of weasel words you're going to apply that's going to make changing an MIT license in a public git repository part of a terrifying conspiracy --- or a conspiracy of any sort.

Removing and applying an incorrect license to open source software by a multi-national software giant is a "nonsense issue"?

Hardly "weasel words" when you look at the action that took place. It wouldn't be OK for you to do it and it isn't OK for a bot that Microsoft deployed incorrectly to do either.

How much of the operation of the MIT license do you want explained to you? I’m happy to do it but don’t want to patronize you either.

"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

I understand the license. Based on your response and Microsoft's attribution change I don't think you understand the argument. I won't patronize you however based on the non-response.

No, do go ahead, because I don't understand really any of the dudgeon being worked up in this thread, given the original license gave Microsoft the right to do virtually anything it wanted to with the software already. Obviously, Microsoft shouldn't take credit for other people's work; equally obviously, to me at least, that's not what they were trying to do, since all it took was a single Github link to show what had happened.

So, yes, nonsense issue. What am I missing?

> The thread would have been a lot more fun

The Microsoft STL issues are usually quite fun and entertaining, at least if you don't have to use it: https://github.com/microsoft/STL/issues/1603


Are you still trying to make this a thing? I'm pretty sure it's over.

ad hominem

This is my favorite part of the culture change which is happening at Microsoft.

We are still working on it. And, it will take time.

Jeff's team, my team, the java team whose forked repo this unintentionally highlighted are working with dozens of other teams every week. Satya says we're all in on open source.

Hold Jeff and Me and all the leaders of Microsoft to that vision. Keep us accountable. And, know this takes time. Let's make technology and humanity healthier and more sustainable in 2022.

Unlike the sibling to my comment, I appreciate both this and the GP.

I was all in on MS as a kid/young teen.

Eventually I started looking at the actions of Microsoft, and as stupid as it is, felt betrayed.

I still don't trust MS, and still hate the direction Windows is heading, I will probably never daily drive it again.

However, comments like these give me hope that MS can turn itself around. Maybe some day MS will be the company I thought it was!

Tl;dr: Thanks for making changes!

> Satya says we're all in on open source.

You're not, just as your competitors aren't.

None of the secret sauces are Open Source: Windows, Office, Visual Studio, SQL Server, the Azure control stuff, and I don't expect them to be.

You're half in, at best, only Red Hat was all in. And they were bought out by IBM, so here we are.

Edit: I guess the truth hurts :-)

I realize that Microsoft is composed of many pieces, but that doesnt prevent me from treating it like a single entity. And that entity has IMHO done horrible things to it's own products and customers, so I'd rather they keep theirs hands off FLOSS as much as possible.

But if you treat it like a single entity, that means you also treat all the people working there like that entity. The janitor working at Microsoft doesn't deserve your ire, nor the secretaries, etc. But they work there, and carry around their logos on their backpacks and what not. Those people have feelings, and those feelings feel bad when the entity they work for is lashed out at. It does make one feel bad when one's company is raked over the coals, because it makes one feel responsible, even if one doesn't even know what's going on.

So, for the sake of the feelings of the innocent people who work there, I would ask everyone to please modulate the volume and intensity of ire that they project. Please speak truth to power, but don't be harsher than is needed to get your point across.


We've banned this account. Nobody gets to attack others like that here.


Jeff's reply needs no addendum.

But as for some background: I am a PM for Microsoft Build of OpenJDK and from late last year to around May this year I made contributions to the gRPC_bench repo as a Microsoft employee for some experiments we have been working on, to evaluate and improve different ways of implementing gRPC exchange in Java. [1]

This fork was intended for newer experiments, one of them being about coding and running these benchmarks on GitHub Codespaces. For that, I needed the repo on an org where we, as employees, have Codespaces enabled.

The rest is HN history (back to Jeff's reply above [2]).

Merry Christmas all!

[1] https://github.com/LesnyRumcajs/grpc_bench/commits?author=br...

[2] https://news.ycombinator.com/item?id=29685628

FYI: when linking to a line of code, simply press Y on your keyboard to have Github switch from the _branchname/path/to/file.xyz_ URL to the _sha1/path/to/file.xyz_ URL. The former can result in your URL pointing to unrelated code if lines are added or removed in future commits on the referenced branch.


TIL. Thanks!

Amusingly, this works on gitlab too. I was surprised that the shortcut was "so good that competitors had to implement it."

It's like Super+E: You never know you need it until you try it, and it doesn't work on your DE :-(

Really appreciate the prompt and transparent response, Jeff. Especially at a time when I assume you were not expecting to jump in on duty.

I hope that despite all the harsh words, you can have sympathy with that behind them are legitimate concerns and suspicion stemming from past bad behavior from various part of your organization. Due to this, and Microsoft's position of power, you have a much, much lower budget for these kinds of mistakes compared to the most other orgs.

Even if there was nothing intentionally malicious at play here, it would not be far-fetched for an outsider to interpret as "implicit maliciousness through neglect".

Here's hoping that 2022 will be a year of bridging the divide and sincere alignment.

Yes, it would be far-fetched. The conspiracy theory here is self-evidently implausible. We need to stop pretending that the accusations here were made in good faith, or are anything more than wishcasting. People write about these things because it's a lot more fun for them than to write about what actually might have happened, even if what actually happened is probably a better, more lastingly valuable conversation to have.

So, I'm of the opinion that a collective (for example a company) can exhibit malicious behavior despite no malicious intention of any particular individual in it. It can be emergent, and moreso the larger the organization. Along similar lines of systemic discrimination, there does not need to exist any conscious conspiracy or malintent. For better or worse, the whole is greater than the sum of its parts.

This comment speaks towards that this is the case:


> I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.

(I mostly agree with your sentiment, though. I do get the impression that leadership is sincere in wanting to do right. It's just that it's not that black-and-white or easy. As another MS employee commented, this is something that has to take time and they need to be held accountable along the way. https://news.ycombinator.com/item?id=29684127)

If there was a plausible evil plan behind this licensing silliness, I'd shut up about it. But there isn't. The insinuations being made on this thread (still! continously!) are embarrassing. It's not that I think Microsoft is incapable of putting together a solid heist; it's that observers here have such bad taste in heists.

Agree with you there. I see it as manifestations of fear, tribalism, and short-sighted oversimplification around complex issues. Without wanting to dive deeper into any of those topics, I believe there are similar mechanism at play on a larger scale in COVID-conspiracy theories and the re-emergence of Western xenophobia/nationalism.

It can be hard to assume good faith when your counterpart clearly isn't. But I think it can be at least as important then. We need to come together and find common ground.

I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.

I'm really sorry you had to deal with this during the festive period.

I certainly understand how scandalous this looks to crowds like Hacker News.

But this seems a little bit blown out of proportion, as if Microsoft just forked the kernel or something and put their name on the license.

>I certainly understand how scandalous this looks to crowds like Hacker News.

I don't. I'm with the Microsoft employee who was pissed at how people think it's edgy to diss on Microsoft. What were the chances that Microsoft was openly doing that? Some dude who has now deleted his post said Microsoft was trying to "create a monopoly of web IDEs". These are clearly people who barely have a passing knowledge of how Microsoft works these days.

People think critical thinking means complaining endlessly. It doesn't. You can't think critically if you don't think clearly. And you can't think clearly if you're only looking for a reason to lift the pitchforks.

I don't know if you're aware of other not-that-ancient incidents like these?



It took significant public outrage and press coverage before either of those were even acknowledged, a long time after.

> What were the chances that Microsoft was openly doing that?

After reading the above, is it really that edgy to be assuming the worst? If it's truly just recurring instances of different rogue employees, doesn't that speak to a systemic and/or cultural issue that needs to be addressed with additional internal safeguards and/or deterrents to prevent it from happening again?

To the credit of the relevant team here, today this was promptly addressed as soon as it got their attention. But it will take more than that to set to rest decades of precedence.

(I did not partake in the flaming and don't find it constructive or beneficial; just saying I have full understanding of the suspicion and understand that MS are still on probation)

> After reading the above, is it really that edgy to be assuming the worst?

Yes. Neither of this are particularly damning.

> doesn't that speak to a systemic and/or cultural issue

No, not particularly. I think it says more about the person jumping to such conclusions considering the evidence.

To late to edit or delete my comment above but just to set it straight I just learned that the whole lerna debacle linked above was a nothing-burger aka fake news.


Sorry for using it without fact-checking it properly, I guess.

Do you mind addressing the reason why an employee did exactly what you are claiming the bot did in error?


Again, this is a person, not a robot. How does this play into a "software bug"?

Honestly, I'm not sure what happened here.

My guess is that they were going through a checklist of what to do when releasing open source changes, and didn't understand what they were doing.

A lot of why we've had to put some guardrails in our system has been to point people to guidance and training on open source.

I've sent the team that works on this repository an e-mail, but I don't expect to get a response on the holiday.

Thanks for the response. Mistakes happen, human or computer, not the end of the world, and I get it. I was just more curious to know if there is a manual process for this type of forking that was not being vetted via the bot, and to bring another example to your attention.

Just don't shoot down the poor schmuck, mistakes happen.

The pitchforks will come down, anyway :-)

If you read the repo history carefully, you'll see a bot was responsible for rewriting the "LICENSE" file from an Apache license to the Microsoft (c) stamped MIT license. This human commit simply copied that same language to the file named "LICENSE.txt". It's unclear why they did that, but that human was not responsible for introducing the license text into the repo.

? Instead of a software bug, it was a human error. Is it really surprising that with a company of Microsoft's size, some employees fuck up? Likely the employee was trying to say that the contributions in this fork that were not present in upstream are covered by the new license, but failed to do so properly (by leaving the original license intact and identifying precisely which files the new license applied to and which it didn't).

Courts will take a far more generous view than you are here. If Microsoft is not profiting from the change, and fixes it promptly when pointed out, the courts will shrug at any case - no harm, no foul. It's not even clear to me that it's illegal to have the wrong license on GitHub, assuming the shipping product does not violate the correct license. As nobody has pointed to any infringing Microsoft product... What are we talking about?

Damn dude. You posted this comment on CHRISTMAS no less. Either your phone exploded or you are a VERY PASSIONATE hacker news fan. Either way ... props to you for trying your best to straighten this out immediately.

This feels like the sort of thing where straightening it out immediately, even on christmas day, was well worthwhile simply because it would let him enjoy his christmas dinner without worrying about an inevitable building dramastorm.

That is not, however, a complaint - being smart enough and giving a damn enough to realise that straightening it out immediately was a really good idea is impressive and laudable in and of itself.

I saw your comment on the cups repo. Please don't feel horrible about it. An honest mistake is an honest mistake, as long as the issues are remediated. Merry Christmas

Please consider https://github.com/microsoft/azuredatastudio/issues/102#issu...

>SQL Operations Studio was built on the back of many open source projects that all use the MIT License for a reason: it's the right way to keep moving the community forward, empowering your users to do cool stuff and build useful things for the community.

>We're just asking SQL Operations Studio to use the same license that Visual Studio Code does.

Thanks for explaining. Out of curiosity, does Microsoft have any external-facing GPL-licensed projects? Are there any restrictions to using (i.e. open sourcing something developed internally or forking something from outside MS) GPL-licensed projects? Specifically, would teams be able to get approval to fork GPL repos?

Git for Windows comes to mind. Teams can absolutely get approval for any open source license; however, for a GPL project, we'd have their open source legal team work with them to brief them on the license obligations and requirements, such as publishing code to https://3rdpartysource.microsoft.com/.

Interesting, so that's specifically for GPL-licensed projects? Or am I misunderstanding and you would have dev teams work with Legal for any open source licensed project?

Copyleft has more process, since we absolutely need our engineers to understand the obligations we have, and for some of us, it may be the first time we're being introduced to open source communities and licensing, so we have to do more education in the GPL case.

Our process revolves more about _using_ open source than forking specifically.

Whenever a build runs at the company, we have a detection task that identifies the open source that is used, storing an inventory. We evaluate the open source licenses for that inventory, and have automation depending on the license that will help inform a team that has taken a new dependency with specific legal obligations - could be to get business and legal approval for something, to take training and learn about copyleft software and licensing, or that they need to post third-party buildable source. We're also able to use that inventory to help with incident response and blast radius analysis.

To scale, we need to make sure that our guidance and policies are in front of people, but we know that engineers want to get work done (or will find a way around what we have in place), and so need to be efficient and straightforward.

Not all situations will require a business or legal approval. Our motto has been "eliminate, automate, delegate" - eliminate onerous bureaucracy and policies - automate licensing compliance and inventory and approvals - and delegate to business leaders and others when there's a need for humans to be involved.

Sorry for the long answer.

Thank you–very informative answer.

Leśny Rumcajs? :)

For those that don't know Polish it means Forest Rumcajs (https://en.wikipedia.org/wiki/Rumcajs), probably a joke of the author that wants to be anonymous.

Thanks, this is the correct sort of response to this problem. It wasn't clear by the title this was an automated change, hence the pitchforks.

I figured something like this was the cause. I must say I'm quite disappointed by all of the negative comments before anyone from MS had a chance to explain what happened.

Hugs Jeff, keep up the good work and hopefully the rest of your holidays are a lot more cheerful

Thank you for the full transparency, sadly we may hear for years of people saying how Microsoft blatantly ripped off someone else's copyright, but that's probably okay, those people probably wouldn't use your projects for whatever reason anyway, when in fact it was a bot meant to keep you guys from releasing code prematurely without a reasonable license to begin with (at least that's what it sounds like?).

Thank you for being transparent about this and dealing with it appropriately, even on Christmas. I think that goes a long way.

Thanks for clarifying. This also highlights the lack of sufficient testing, and subpar processes, eg automation should be tested against critical paths, and changing a license should require human approval.

Agree. The lack of tests has been the biggest regret of mine for this project. It started as a hackathon project a long time ago, and as it grew up, it never got the testing investment it deserved. I imagine the code coverage is about 0.001% and there's no end-to-end tests in place.

My local tooling doesn't fail as visibly as this but it certain fails just as catastrophically leaving me feeling excessively silly.

So, yeah, hugops, mate.

Thank you for taking responsibility for this and for the transparency.

It is good to be reminded that care and integrity can exist, even in large corporations.

Feels like the reverse Streisand effect at play here; a high-profile minor fuckup that helps popularize a positive thing. This was fun to meme on, but I'm glad Microsoft appears to be on an upward slant ethically. It also makes me more comfortable being a Microsoft customer.

> It's code that I wrote to try to prevent other problems [...]

Don't worry, man, nobody expects people from Microsoft to write code that behaves as intended. Merry Christmas.

And here I was ready to sharpen my pitchfork. Thanks for communicating the error and the correction. I know this time of year can be especially challenging.

I have enormous respect for your response here.

It was immediately obvious that it was a script gone awry. Sorry your team had to spend your holiday on something so trivial.

Thank you for showing up on Christmas to address this. Have a great holiday!

Good job owning the mistake and planning to prevent it in the future.

Very nice to see someone take ownership of a problem. Thanks Jeff :)

Thanks for jumping in and trying to explain what actually happened.

Very well handled, kudos

So, you are adding licenses automatically? This seems pretty risky. Why not just prevent commits that don't have a license? Shouldn't there be a human somewhere in that loop?

Hanlon's razor to the rescue!

The attitude in these threads always boggles my mind. When YOU, your teammates or someone else you know makes a mistake, then it’s just a mistake. But when someone at Microsoft makes a mistake it’s because Microsoft is evil and by extension so is the person who offended.

“It’s a big company”, you say. They should have a process! And I’m sad to say, they do/will have a process exactly because of this attitude. Then, everyone wonders why it takes forever to fix that bug they’re furious about or why features are slow to come.

Full disclosure: I work for MS, though have nothing to do with this. It’s a huge company. I know hundreds of people and most of them are upstanding and try to do the right thing.

This is their process. Very hard to argue these are all mistakes:

ippsample (Apache -> MIT) https://github.com/microsoft/ippsample/commit/938bff17c72868...

huggingface-transformers (Apache -> MIT): https://github.com/microsoft/huggingface-transformers/commit...

health-cards-tests (MIT changed) https://github.com/microsoft/health-cards-tests/commit/5649b...

CUPS (Apache -> MIT) https://github.com/microsoft/cups/commit/ad69bcc78bdea3fea3f...

Credit to this reddit comment: https://www.reddit.com/r/opensource/comments/roa9xz/comment/...

This is a bot that is supposed to configure the right license when employees start a new repo in the Microsoft GitHub org.

It seems the automation is also triggered when Repos are forked into the Microsoft GitHub org which isn't correct behavior.

This isn't a deliberate action. If it were plenty of employees (myself included) would be outraged. I assume it's a bug in the bot - an edge case that was not considered. It is very rare to fork something into the Microsoft GitHub org after all.

I'll pass it along to some people I know.

Thank you. So these are in fact all mistakes.

I looked at some of the other forked repos (95 out of 4.5K repos) and all the human commits from MS I saw seem to care about getting the licenses right. So it really is just a broken bot.

I hope the bot can be fixed soon and I'm going to put my figurative pitchfork down now.

I reached out to Jeff Wilcox who runs the Open Source Programs Office now earlier (see Tweet https://twitter.com/berndverst/status/1474789173882089472?s=...).

He since commented on this post with a lot more detail.

He wrote a great response. Not many people I know would stand in front of a online mob and say "It's code that I wrote". And then fix it on Christmas!

While I'm glad this got resolved so quickly, I'm slightly ashamed of myself and the HN community for how we handled this. In hindsight the outrage was wildly out of proportion for a simple bug.

I'll make a mental note to do better in 2022.

Thanks for saying this.

I'll consider it an unusual bug report.

Hopefully the bot can be fixed soon and the affected licenses changed back.

Realistically I'm not sure folks are working over the holidays, so give it a bit of time :)

As noted elsewhere in this thread this one looks like human misunderstanding and has already been raised internally for fixage.

Shame it slipped through the cracks, but at scale eventually something's going to no matter how hard you try.

Are they deliberately getting their modifications under an pseudo-incompatible* license? This is the only reasonable explanation I can think of.

* IANAL. Although Apache 2.0 and MIT are compatible, using a different license makes it awkward for changes to be merged upstream.

The biggest change between Apache 2.0 and MIT are related to patents. INAL but the Apache 2.0 is a lot more safe in this aspect.

Things break all the time, so errors will happen.

If you look at life as good & evil, you won't solve any conflicts. You should rather focus on "incentives". Correcting bugs and errors take time and other resources, therefore require incentive to prioritize. If their bots were to stamp Microsoft projects with open source licenses, there would be huge incentive for them to tackle this problem within this sprint, and make sure it never happens again.

This bug profits them, or does not harm them at worst case. Therefore, by drawing attention and applying pressure, we should create the incentive for them to allocate resources to fix it, and make sure it does not repeat.

How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file? A certain degree of malfeasance cannot possibly be explained as incompetence.

Please don't pile on like this. You can make your substantive points without "how can someone be so bad at their job" hyperbole. Any mistake can be made to look terrible if you're uncharitable enough.


> A certain degree of malfeasance cannot possibly be explained as incompetence.

This is a missing conditional check, a mistake that is extremely easy to make and one I’m sure you’ve made at least once if you’ve been a professional programmer for any significant length of time.

or maybe they do not know/they missed that creating a fork from an existing project actually triggers “new repo created” event in the github organization, which has an unintended effect.

This is the type of online rage that we as a community need to stamp out.

Be better.

I agree with you in principle but "stamp out" and "be better" are phrases that produce the opposite of what you're aiming at. We're trying to avoid the online callout/shaming culture here.


These forks may be done for security purposes for projects that use source-based build systems so that the depending project doesn't have 3rd party repo dependencies.

As someone whose developed similar GH integrations, getting things right with their API is fairly tricky. What would actually be desirable is public-to-private forks so that the fork-dependency pattern is more enterprise friendly and this kind of confusion is mitigated.

Why would anyone write that so it changes the license to the right one instead of just flagging it as incorrect for review?

Have you considered that the reason for the outrage is because people don't actually trust Microsoft to do the right thing? I can see this is a mistake, but surely the litany of awful business practices by Microsoft in the past precedes it?

I didn't say anything about the outrage of others. I said a deliberate license change would be unacceptable to employees.

I'm no official representative of Microsoft...

Sorry, I didn't mean to imply you were. But no offense, so what if it isn't acceptable to employees? The decisions by Microsoft are made by the management of the company. As an example of another company with severe credibility problems, I'm sure there are plenty of employees at Facebook who don't like working there now, but they are still there. And still implementing the policies and directions of management.

MS dev here. Thanks for calling this out. I contacted the GH@MS admins to look into this and to consider adding some safeguards to the tooling so this doesn't happen in the future.

How is it remotely possible to not understand you cannot automatically overwrite a license file with your own. If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?

If you think of the use case of forks, sure.

If you think of employees creating new repos in the org--- smash the correct LICENSE in there ASAP.

The problem is that forking a different repo into the org triggers the logic of a "new repository".

A simple solution prior to writing to a file in this case is to check if it already exists. It shouldn’t matter what triggers this bot if it’s programmed safe and idempotent.

Nuking the existing LICENSE file and replacing with the canonical one is a good move when it's your own developers' work. They could easily have picked "a" MIT license or screwed up the copyright string, and getting this normalized from the moment the repository is published is important.

But it's important that this -not- get applied to outside work from forks.

It should raise an exception that causes a person to have to deal with the matter. I should not be surprised if I were to find that this is actually in fact so and the extra step is responding to a prompt which people got used to not reading.

So your simple solution is to not have the bug. Wish I’d thought of this for all the bugs I’ve ever shipped.

Disclosure: Microsoft employee who sometimes writes bugs.

The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.

The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect. For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.

None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.

I am not a MS employee but I do work as a software engineer at a small company and make six figures a year. Mistakes like this happen. In fact they happen all the time. There are a lot of people out there writing code on any given day. Some of them may have been staring at the screen for 12 straights hours trying to make a release date. Sure its a lot more visible when someone like MS makes one, but think about the actual issue here. They did not create a feature with the intent to overwrite existing licenses files, they made a feature to ensure the correct licenses were added to new repos. Now they forgot one edge case (out of how many thousands or millions?), took ownership of the mistake, and are taking actions to correct it. Overall to me that seems like a very small bug that they took/are taking steps to fix on Christmas no less.

>>None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.

If the rest of the world thought like you we would not have any people left in high paying jobs. Everyone is bound to make mistakes. Owning up and setting things right is what is important in my eyes.

edit: missed a couple words

> The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.

Sometimes planes literally fall out of the sky. NASA caused a space shuttle to explode killing the entire crew. It is fundamentally untrue that anywhere in the world we have perfect people or processes.

> The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect.

I expect that occasionally sometimes people will ship bugs and neither they nor the processes in place will catch them. This is a very minor bug. This is not the sort of bug that keeps engineering leaders up at night.

> For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.

It’s really easy to point at others’ errors with the clarity of hindsight. But everything you said here boils down to just predicting the specific broken case, which is useless advice. Even your suggestion to check commit logs is useless unless you know the bug you’re looking for. It’s not as if Git spews errors when a license file is changed and it shouldn’t be. And if they knew what to look for in the logs, they wouldn’t have checked in the bug in the first place.

This team has doubtless shipped thousands of features. It’s unsurprising that they’ve shipped some bugs.

> None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.

You’re talking about a bug that caused a license file to be incorrectly changed and the fix is a revert. There is an audit trail of what happened and what repos were affected. It literally had no meaningful negative effect except to Microsoft’s image with the severest of critics, and to Jeff Wilcox’s holiday break. This is not a Therac-25 level incident.

I find it very interesting that none of the hyper-critical people in the comments here have discussed catching any broader class of issues. There are many comments criticizing the author for failing to check for an existing license file. (e.g.” How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file?”) None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.

The ability to criticize an error someone else already found is not valuable or constructive. And if this is the best you can bring, your judgement is certainly no better than the engineer who created the bug in the first place.

Disclosure: I’m a Microsoft employee.

Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.

> Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.

If I worked with you it would be my responsibility to support my coworker and help them improve. As it is neither of us has much of an obligation to the other we are uninvolved third parties giving our unsolicited opinions to one another. It is a privilege as an uninvolved observer to another to analyze it frankly without worrying about hurting someone's ego. It is OK I think to look at some mess or other and the inevitable conciliatory excuses and or hostile push back against criticism and call bullshit.

> None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.

This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.

> This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.

Sure. In retrospect, that seems like a really good idea. But I'm sure you've done an awful lot of stuff that is dumb in retrospect, too.

Legal asks for tooling to ensure that the correct license file ends up on all developer projects. It's known that developers will often Google license agreements, copy them from places that don't belong, end up with the wrong LICENSE from a templating mistake. Someone builds tooling to just smash the correct LICENSE file in as a first commit on any repo that shows up in the Microsoft org: if it's an active developer and this is the rare case where this logic is wrong, surely they'll notice that this has happened, and this will prevent code from being up with an incorrect license.

Then, the use case evolves: people start to fork things into the Microsoft organization, and this code does the wrong thing an appreciable fraction of the time. But no one is scrutinizing commits on forked repos to the same extent and doesn't notice.

Maybe you do much better and have never made a mistake like this. But real people make real mistakes. Yes, when you encounter a mistake, you try to get better for next time! But that doesn't mean that we should expect a 0 mistake rate out of ______ org or not assume good faith with an ordinary rate of bad outcomes until proven otherwise.

Unlike the GP poster, I am not a MSFT employee-- I am often skeptical of MSFT actions but they get a pass here. Obliterating the license file has no advantage for MSFT, and has the risk of legal exposure and this kind of public black eye. Obviously someone screwed up, but screw ups happen. Now that Jeff Wilcox has had to work on Christmas, you can be sure he will be even more attuned to this type of issue in the future.

Do you never write code with bugs or do your employers just judge you much less harshly than you judge others?

> If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?

Probably not, because it sounds like this was not intended to ever run on forked repos at all.

And so ther revert the ones done in the past I hope...

Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know? Especially if no one noticed these and called them out on it until now.

> Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know?

Is it wrong though? I mean, if Microsoft's reiterated pattern of license switches is automated, wouldn't this also mean that the error would be easily detected based on public feedback alone? And given this was not the first or second or third separate and independent occurrence of this pattern, if this was a honest mistake then wouldn't this already be addressed in any of the multiple past shout-out?

> wouldn't this also mean that the error would be easily detected based on public feedback alone

Please see the entire public feedback you’re a part of right now.

Thanks for the call out. Here's a helpful link to the announcement.



MS acquired that extension, Don works at MS now.

You're right. Saw the reviewer on that PR but you were too quick and I couldn't delete my comment anymore.

Microsoft, a collective group of people trying to do the right thing, has made many choices over their time. Many of those choices have been in direct violation of things like, but not limited to, the spirit of the Internet, anti-competiton, spying on their customers, and many other negative things. Should we have let those things slide because Microsoft employs others that weren't involved? No. You can say this may have been a mistake but that is a slippery slope. Microsoft deserves negative press on "mistakes" because this acts as a balance to keep the power they wield in check. Beyond that you have a significant bias against biting the hand that feeds.

In my opinion, this gets a strong reaction because:

1. They made similar mistakes in the past.

2. They didn't fix it for half a year.

3. They can expect strong financial benefits from making these mistakes.

4. They've recently burned a lot of goodwill by deliberately infringing licenses on a large scale when they trained Copilot.

5. They could have easily prevented this kind of mistakes.

My summary would be that Microsoft deserves to be punished for making this mistake. If nothing bad happens now, then we'll have the same discussion again in half a year from now.

What financial benefits do they stand to gain by changing the name on an MIT license?

In some cases, they changed other licenses to MIT. That would then allow them to train their AI models on this source code, or redistribute a closed-source monetized GPL rip-off.

Team A) makes a mistake and changes the license. Team B) uses the fork under its new license and forgets to check the original branch's license.

Two honest mistakes leading to a de-GPL-ed library.

Here, they're changed the name on an MIT license. What financial benefit do they stand to accrue from doing so? That's the question I'm asking.

I was talking not only about this specific instance of it happening, but Microsoft had similar mistakes throughout the past 6 months. Here's the one from CUPS, a Linux printing library:


It used to be Apache License, then it became "MIT License (c) Microsoft Corporation". Thanks to the attention that this thread got, it has now been fixed:


But that source code was online with the wrong license for more than 6 months. Imagine if you had hosted Windows source code with a misattributed MIT license for 6 months... They would also bring out the pitchforks ;) Or even worse: well-paid lawyers.

I asked what Microsoft had to gain from altering an MIT license. You're answering a different question. But, fine, I'll bite: tell me how Microsoft stood to make a nickel by modifying an Apache license.

Um, it changes the ownership? If they wanted to relicense it, then they could say "well, hey, it's our license!".

The MIT license puts essentially no restrictions on them that they would need to relicense out from under. They can't un-MIT it. So I'm still not clear on how you propose for them to make money by doing this. Do you have an answer to my question?

If they can change the copyright ownership from an individual to themselves, then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge, and could prevent anyone from using the software and associated documentation files in an unrestricted form.

> then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge,

You don't need to change the "ownership" to do this. MIT licensed software can be put under more restrictive licenses for subsequent revisions by anyone.

I think the OP is playing 20 questions for their own entertainment. I think what they're not telling you is that there's nothing to prevent someone from making a closed-source product incorporating something which is MIT licensed (but they're still supposed to give credit where due). That's also not the whole story. Squirrel!

If they don't know the answer to the question I actually asked, all they have to do is not answer it. I object to the notion that I'm the one playing games here.

It does seem like you are doing this. I have tried to answer you. Instead of asking questions, just state how you believe I’m wrong. I’m ok with this, if I’ve not understood something or made a mistake, I’m happy to concede.

Asking questions until you get an answer you want worked for Socrates, but for everyone else it is better to just state what is wrong about my and other’s argument and the reason why.

As was pointed out upthread: your theory about what Microsoft stood to gain from this license change was simply incorrect. I'm not sure what we're still discussing at this point.

You said I hadn’t answered your question. What I said was incorrect. Ergo, I answered your question. You told me I hadn’t answered your question, now you say I answered your question but I was wrong. Try to make up your mind.

If you are confused what is being argued about, perhaps stop.

Putting the wrong info in a file doesn't change the copyright ownership.

And thus the flaw in my argument. I concede the point. Thank you.

The copyright ownership isn't the real flaw in your argument!

What is the flaw? Perhaps you should actually say what it is.

Again, as was pointed out to you upthread, the license terms on that project already allow them to do the thing you claim Microsoft was hoping to do by altering the license. It's a MIT license! It's practically the least you can do beyond writing "these files are placed in the public domain".

I'm sorry to beat up on you. It's not your fault, but someone upthread wrote that Microsoft's developers should have known better than to have this bug, because developers should all understand licensing. That set me off, because in hate-reading this thread (something I should obviously not be doing), it's clear that a lot of Microsoft detractors here simply don't know what the MIT (or Apache) licenses do.

But then, the reason I started hate-reading this thread in the first place was that I clicked on the story link, saw an authorship edit to an MIT-licensed file, and thought to myself "how can so many people here give a shit about this?"

Ah. I see, that’s fair. You aren’t beating up on me, it’s better for me to find out about an error than not at all. Thank you for explaining the problem.

They're asserting ownership. By asserting ownership they're converting good will and assuming the mantle of authority, which will sway plenty of weak-minded people: hey it's Microsoft.

I see how that gets them a C-grade Mastodon lyric, but not how it gets them a nickel. Did I ask this question in a particularly weird way? The responses it's getting are a little confusing.

This isn’t just one person making a silly mistake. This is a catalogue of failings. Where’s the peer review? Are you suggesting that anything published in the main branch on Microsoft’s GH org gets commit without any branch protection? And as pointed out by others, this isn’t even an isolated case.

A healthy org doesn’t blame individuals, it blames failures in process. Thus Microsoft should own this mistake. Stating it’s the fault of an individual sounds more like your team operates a blame culture. Which, frankly, is a major red flag for a failing organisation.

It's an automated bot, and it's an edge case that wasn't considered and is going to get fixed soon.

I’m satisfied that the situation has been, or at least will be, resolved.m however there is still the unanswered question of who audits the changes the bot makes.

There is a definitely lesson to be learnt here that bots aren’t infallible themselves and thus need reviewing too. Automation undoubtedly enhances our developer experience but we do need to ensure that automation doesn’t make unchecked changes. This is something a great many engineers can learn from too.

Is forking on Github edge case?

Apparently forking a 3rd party repo INTO the Microsoft github org is, yes.

There are genuine mistakes, and there are some due to incompetency. Both can be somewhat execused.

However, if you look at the changelog, I don't know how you are gonna say with a straight face that it's a "mistake".

How is running a bot to change copyright notices a /mistake/?

> Full disclosure: I work for MS

It is difficult to see the reality distortion field you are in from the inside.

This breaks several of the HN guidelines and crosses into personal attack. We ban accounts that post like that, so please don't.


Just pointing out this (reality distortion) is a general phenomenon. Have seen the same in all big companies (& many small). As an employee you want the best for the company and you naturally imbibe the company culture and that is perfectly fine. But there is a line and this is something one has to watch out for as an employee. As an example, seeing any critical comment from outside as an attack on the company.

It is good that an employee explained how this particular event happened and that is to their credit.

I respectfully, and vehemently disagree. Informing someone that they may be drinking too much of their company's Kool-Aid, without knowing what is in it, is a moral obligation.

Despicable that you present this as a bannable offense.

Sorry, but garden-variety internet comments and cheap personal attacks don't rise to the noble level of moral obligation. The comment plainly broke the site guidelines. That's not allowed here. If people have noble moral duties to fulfill, they can fulfill them without breaking the rules.


I too don't think there is any "moral obligation" involved but I did feel it was perfectly fine to point out what I did. I quoted their "I work for MS" to provide the context for my comment, nothing more.

Sorry, but that's definitely not accurate. You quoted it as part of a personal attack: implying that someone was lying about making a mistake, imputing sinister motivations to them instead, and adding a name-calling putdown into the mix (accusing them of being inside a "reality distortion field", as if you know more about their world than they do). All that is clearly against the site guidelines: https://news.ycombinator.com/newsguidelines.html.

I'm sure you didn't intend it that way, but we have to go by effects, not intent (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...). Intent doesn't communicate itself, so the burden is on the commenter to disambiguate (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...).

You are insinuating astroturfing with no evidence other than "I work at Microsoft" and your personal, albeit somewhat justified, belief of "MS bad". It's not a constructive comment.

> garden-variety internet comments and cheap personal attacks

That is how you took the comment.

I took the comment to be a refreshing dose of reality.

Perspective matters a lot.

Ok, but anyone could say that about any comment, so from a moderation perspective that is either an empty point or means that we shouldn't moderate anything at all.

For practical purposes, someone has to make judgment calls about these things. The way we do that is that we have a set of guidelines (https://news.ycombinator.com/newsguidelines.html), and moderators who make calls about which accounts are breaking them. We try to be as even-handed as possible when we do that, but certainly no one is going to agree with every call we make. Nevertheless, someone has to do the job, and that includes banning accounts when people break the rules and aren't interested in modifying their behavior.

> we shouldn't moderate anything at all

Moderation is absolutely necessary. What bothers me is that we are 4 or 5 comments deep, and you still seem to not understand why I spoke up in the first place.

The comment you initially replied to did not come off as a personal attack at all to me, in fact, there was nothing personal about it. They took data that was shared with them and used their experience to spit out their own thoughts on the matter.

So, I am calling you out for being a bit too zealous with the power you wield. What you do with my perspective being shared with you is up to you, but you're doing a lot to not just ask yourself "Was I being too harsh?" ... Here you have a human telling you that yes, that was too harsh.

Calling out the bitter flavor of a corporation's kool-aid is not a personal attack on anyone. Period.

You (edit: I meant the original commenter) very much attacked the person ("you"). I'm sorry, but this was not a particularly borderline call. See https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor... for past similar examples.

If you (edit: I meant the original commenter) had just said it about the corporation, it would still not have been a high-quality HN comment, but I wouldn't have posted a moderation reply.

> You very much attacked the person

Sorry? I did not attack anyone. I am defending a comment by somebody else in which you presume they are personally attacking someone who has openly admitted they work for Microsoft.

You really are lost aren't you? Along with the irony of mentioning "high-quality" comments. Wow. What is the _level of quality_ when the commenter has lost track of the person with whom they are speaking...? In case you missed it, I'm talking about you.

I will re-iterate, because I'm patient. I am telling you that you were overzealous in moderating a harmless comment about Microsoft as a company. There is no personal attack in the comment, no matter how you choose to view it.

Feel free to understand the perspective of others before you blindly share more of yours. What a disgusting interpretation of "moderation." Censorship is a much better word to describe where you're headed.

You're right, of course: the comment I described as containing a personal attack was by bakul (https://news.ycombinator.com/item?id=29684540), not by you. Sorry for mixing that up! I've added edits to the GP to clarify.

The core moderation point there is unchanged.

> I took the comment to be a refreshing dose of reality.

This is how I meant it but I could have phrased it or presented it differently as this point got lost at least with the moderators and may be many more. Will try to be more careful in the future.

I appreciate your speaking up. And I also appreciate the moderators in trying to keep the discussion standards high. They have a tough job trying to decipher the intent of every commenter.

I used to work for MS and... it's still easy to see it from the inside lol

I don't work at Microsoft but I can confirm. There are so many "suggestions" for Microsoft Teams. I don't know if there exists another company whose employees are more critical of Microsoft Teams than Microsoft.

My personal conspiracy theory is Teams would have died long ago if not for strong support from the top.

Teams is garbage, every time I use it I loathe computing in general.

teams seems important strategically for microsoft however, if it truly wants to remain as the standard 'operating system' for enterprises.

but yeah, friends of mine who work at github say the worst thing about the acquisition was Teams

Which is odd because Github doesn't use Teams, they're Slack based. As in, if I set up a meeting with my Github counterparts they're late because they had to install Teams.

How is this inconsistent with “Teams is awful, and we avoid it as much as possible”?

when $new_repo in $msft_github: echo $standard_license > LICENSE.md

Could just be normal practices, and doesn’t check if a license already exists because it’s usually handling non-forked OSS repos. What’s the phrase? “Never ascribe to malice that which is adequately explained by incompetence”.


They forgot that a bot may overwrite the license when they fork a repo. That's different from forgetting to check if a license exists.

I don’t know why people assume the more money you make the more infallible you are. Trust me that every FAANG engineer has written code with some similar pitfall that seems so obvious from the outside.

The difference is, most engineers I know respect and understand licenses. If you work at Microsoft - a software company - you should too.

Respecting a license is completely orthogonal to the unintended behavior of an automation used on something it wasn’t really meant for (fork rather than a new repo)


This is the peril of the imaginary "corporation" identity. People expect a company to be one coherent and consistent entity, but although a company can be managed well, establish culture and processes, and progress towards cohesion, it can never become as coherent as one person. And a person is not that coherent in the first place.

I am sure I subconsciously make the same mistake when I think about other companies. But I am making conscious effort to get better, take a more forgiving view on the humankind and give people as well as corporations chance to try again and be a better version of themselves, build the mental capability to remember that corporations are comprised of real people, and people make mistakes, and reasonable people who make up the majority of the population are constantly seeking (just struggling) to be better versions of themselves.

Ok. I worked at MS from 2005-2015. As I recall, there was this huge formal legal process and due diligence around including a single line of open source code. Is that not still the case? Am I remembering it wrong?

Github changed everything. All sorts of automation and open source involvement happened, with new bots and systems.

Y'know, it actually slipped my mind that Microsoft transformed into a much more open-source friendly company. That makes some sense now.

You have to take "companies doing good" always with a grain of salt. They're profit seeking companies, who act aggressively in their own interests.

It doesn't have to be a debate on "good vs evil" I've always hated those terms applied in these contexts, it's childish and for the naive. Fix the problem and move on.

'Profit-seeking companies' begs a common pejorative that actively reduces the variety in the pool of companies. It may not be descriptive of the companies for which this is not an overarching motivation. Many of them really want to make a happy customer by crafting as good a thing possible for the price they charge, and be well by their employees.

That said, I can relate the the cynicism especially for the giants. But painting them all as 'profit-seeking corporations' may deaden a satisfaction that comes from being a customer for a company you believe is good.

A company is merely a useful legal and organizational fiction. It's all people all the way down and those people don't act in a different moral context when they act on behalf of a company.

Microsoft is a rather special case of a company that has virtually no goodwill in the open source world. These are the dividends that result from statements and actions over decades. So when something like this occurs, the default reaction is often 'of course... it is Microsoft after all'.

Few people are likely to know <insert employee here> but many people are very familiar with decades of bad behavior undertaken by Microsoft not as isolated misdeeds but as a matter of policy. Lacking personal context misdeeds or mistakes are extremely apt to be interpreted in context of literal decades of bad behavior by Microsoft.

I mean come on the seismic change in leadership at Microsoft is just former lower echelon leaders during the time frame that MS was doing wrong now moving up and taking the helm.

We are after all talking about the company that tried to destroy the competition by funneling money into a fraudulent lawsuit/pr campaign that was a front for a pump and dump. The only thing separating MS leadership and felony charges is meeting notes between them and SCO and the fact that important people don't go prison in the US if can at all be avoided. Lest we forget the current CEO was at this time an executive VP as well.

Maybe it boggles your mind merely because you yourself are an ethical person who comports themselves properly professionally and would want people to see your efforts good and bad in context of who you are. This is entirely reasonable but people don't know you personally whereas your company makes headlines for bad behavior.

If you had a history of behaving as badly as Microsoft, I'd be as harsh on you as I am on Microsoft.

But when someone at Microsoft makes a mistake…

For many it’s not just Microsoft. Many assume negative intent from others most of the time. It much be such a frustrating, draining way to live.

I am finding it hard to accept that it is an honest mistake.

From my personal experience, every software engineer that works in a company of this scale is obligated to take a training course on software licensing and understand the differences, and the "dos and don'ts".

If Microsoft doesn't have such a program in place then that's a big problem and should expect harsh criticisms when such events take place and if they do then it probably needs to be revised because it doesn't seem adequate.

On the other hand, outside the context of MS, if a software engineer doesn't feel they are doing something dirty as they are replacing the license or the thought of I might get in trouble with legal doing that doesn't cross their mind, then they probably shouldn't be allowed to be at the front line taking actions that represents the company's name.

It was a bug in a bot, not someone deliberately changing the license.

Along similar lines as my comment here: https://news.ycombinator.com/item?id=29684127

...Given that several engineers employed at Microsoft have been part of armchairing this along everyone else now, why is not one of y'all (not necessarily you but come on, this is getting absurd, holidays aside) still just busy discussing around it rather than spending the <5 minutes required per repo to start actually fixing the fallout of it?

if I did this to microsoft do you think I’d be granted the same leeway? could I tell them they need to cut me some slack because i’m one person and “there’s a process”?

It's a bug, but it's also an example of what I think of as differential accountability:

* Bugs in the bot inevitably assign ownership to the writer rather than from the writer.

* Bugs in the billing system invariably overcharge customers

* Bugs in the image recognition system invariably select white people.

Well-meaning people still follow their incentives. Corners have to get cut somewhere.

I totally agree this isn't specific to MS. We have seen the enemy, and it is us.

This isn't true – the only billing system bug I've seen undercharged. Also if it was an overcharge, they would have made customer whole, whereas they wrote off the undercharge.

Microsoft doesn't really gain anything here – there's a clear "forked from" qualifier in the repo, they aren't republishing these packages, etc. The only people who noticed noticed in a negative light.

To reiterate, I'm not saying there's malicious intent in any single bug. Yes, billing errors don't lead to more revenue for the firm. I'm describing rather a systemic bias in incentives for the people doing the work (programmers) and supervising the work (managers).

I believe "moral hazard" is the term of art for what you describe.

Approximately. Moral hazard typically refers to sins of commission. Deliberately taking on more risk because you're insured. Here I'm thinking more of sins of omission. You just forgot to do something. You didn't have enough attention to devote to the task, so you rationally apportioned the attention budget to the areas most likely to be checked by others.

I'm just curious, is Microsoft actually in violation of the MIT license here?

All future changes to this repo are copyright Microsoft, so Microsoft's copyright should be in the statement.

Arguably there should be an additional statement indicating that LesnyRumcajs holds copyright to bits of code that Microsoft hasn't changed.


(1) exactly which bits have LesnyRumcajs's copyright would have to be verified by examining source control history. Since LesnyRumcajs's copyright statement is visible on any commit where LesnyRumcajs holds copyright, this setup makes actually makes it easy to verify which portions LesnyRumcajs has copyright claims on.

(2) Including LesnyRumcajs's copyright statement in repo history seems to be all that the MIT license requires. The license doesn't forbid there being another more easily accessible copyright notice that doesn't list all copyright holders. It only requires that LesnyRumcajs's statement be included in all copies of the software, which it currently is.

What you're saying doesn't make any sense. If what you're saying was true you could take any MIT repro, fork it and replace the license with a fully proprietary copyright claim or any other license. You absolutely can't take code and just change the license to anything more permissive without the original copyright holders permission.

It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.

The license wasn't changed. But yes, generally you can make changes to MIT code that aren't released under the MIT license.

> It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.

This isn't in the license. Where is this laid out?

MIT license is very permissive but the original author retains copyright and one of the very few restrictions is that you must maintain the original authors copyright notice. So you can use MIT code in a GPL project but you can't remove the original copyright notice and MIT license text.

I don't quite follow your thinking about removing the notice but having it somewhere in history; a given snapshot/ revision will be a distribution where someone can show up and download just the master branch newest state and not the full git history. In which case you surely have distributed a copy of the copyrighted MIT licensed code without complying with the terms of the license, right?

Microsoft has lawyers and more layers of management than grandma's lasagna.

MS and other bigcos have a history of being evil. It’s the correct assumption.

> I know hundreds of people and most of them are upstanding and try to do the right thing.

How can you work for Microsoft AND do the "right" thing? I guess it depends on your role, but still...

Folks who work at mega corporations with outrageous amounts of power have a correspondingly large responsibility to the communities they interact with. Their mistakes have a much larger impact. Honest mistakes by hugely powerful entities are not mere trivia. They have an effect on the rest of the world commensurate with their power. Thus they should be held to a much higher standard than everyone else.

It is reasonable to have different expectations from large corporations with enormous resources than you would have for an independent developer.

The road to hell is paved with good intentions.

I highly agree with this.

Everytime I've taken the route that there is some evil, no good as come out of it but when you give a group of people the benifit of the doubt, I would argue the majority of the time it's just a mistake.

I feel like the only people with an attitude against Microsoft these days are teenagers trying to look edgy and critical thinking or pretending they are insiders.

I don't work for Microsoft.

There is not an attitude for the whole thread. Understandably you feel defensive but there is no need to.

If you care about this issue, try to get it fixed within your company and move on.

You can't ascribe one attitude to a thread of hundreds of commenters and then shame us for ascribing an attitude to a company.

A third way: individual people can make an honest mistake and Microsoft is still evil.

You should see how HN would react if Google has done anything remotely close to it. If it was Google your comment would be downvoted to oblivion instead of being the top comment. Not to mention you'd be disparaged for protecting your employer.


Most processes for that type of thing come about only after someone has made a mistake.

Source: experience in the industry. Including having made a similar mistake myself a couple of years back (and receiving a fair bit of internet hate for it)

Processes are built ahead of time if people take a risk seriously.

This is also true and is not mutually exclusive. People and organizations are fallible - much process is developed from learning.


FS I’m not sure about. Office goes into massive nag mode.

What’s your point?


Nobody manually changed a license. The commits were made by a bot named "microsoftopensource" that exclusively adds copies of Microsoft's license file, support file, readme file and code of conduct to every new repository under their account.

Y’all are not entitled to the benefit of the doubt any more than obviously-evil companies like Facebook are.

We've banned this account for repeatedly breaking the site guidelines and ignoring our requests to stop (most recently https://news.ycombinator.com/item?id=29501677).

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.

We particularly don't want the online callout/shaming culture here. nhttps://hn.algolia.com/?sort=byDate&type=comment&dateRange=a...

For those of us that remember the “old” Microsoft, they are still obviously evil. Nothing they have done will change that view. Incidents like this prove that this zebra cannot change its stripes.

Never. Trust. Microsoft.

> Never. Trust. Microsoft.

Good advice.

> Incidents like this prove that this zebra cannot change its stripes.

Nope! This was a simple mistake that would have gained them nothing.

I mean yeah. But for a few years there, they were at least not as obviously horrible as they used to be, or as some other companies were.

Yeah, get that promotion! Developers, developers, developers!

I think your comments does not add anything meaningful to discussion. Yes, Microsoft screwed up. Yes, a Microsoft employee is trying to make excuses for them. This does not mean we couldn't have a civilized discussion, though.

All discussions are civilized until you start throwing stones at each other.

Posting like this will get you banned here, so please don't. It's not what this site is for, and it destroys what it is for.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact