I lead the Microsoft Open Source Programs Office team. I'm sorry this happened.
We have merged a pull request that restored the correct LICENSE file and copyright, and are in touch with the upstream author Leśny Rumcajs who emailed us this morning. We'll look to revert the entire commit that our bot made, too, since it updated the README with a boilerplate getting started guide.
The bug was caused by a bot that was designed to commit template files in new repositories. It's code that I wrote to try to prevent other problems we have had with releasing projects in the past. It's not supposed to run on forks.
I'm going to make sure that we sit down and audit all of our forked repositories and revert similar changes to any other projects.
We have a lot of process around forking, and have had to put controls in place to make sure that people are aware of that guidance. Starting a few years ago, we even "lock" forks to enforce our process. We prefer that people fork projects into their individual GitHub accounts, instead of our organization, to encourage that they participate with the upstream project. In this situation, a team got approval to fork the repository, but hasn't yet gotten started.
To be as open as I can, I'd like to point to the bug:
- The system we have in place even tries to educate our engineers with this log message (https://github.com/microsoft/opensource-management-portal/bl...): "this.log.push({ message: `Repository ${subMessage}, template files will not be committed. Please check the LICENSE and other files to understand existing obligations.` });"
A lot of commenters are sharpening their pitchforks, but this comment, in my opinion, makes it very likely that it was an honest mistake. Amazing what taking personal responsibility and earnestly apologizing can do to restore trust and credibility!
Yeah, I think this is an example of addressing a mistake that other companies should take note of. I don’t trust Microsoft-sized corporations as a matter of principle, and I don’t typically give them the benefit of the doubt, but when one of their own engineers explains in human-readable terms what specifically happened—on a holiday, no less—I’m impressed enough to believe him. Some PR flack showing up with vague boilerplate about how Microsoft values the open-source community and they’ll look into it would only have encouraged more outrage.
I always appreciate communication that acknowledges I’m a person, not a data point or a customer. I wish more companies ditched the greasy PR approach and allowed folks like Jeff to do their talking for them.
I think a key reason that corps do try to avoid admitting fault, is because in a lawsuit that can be used as evidence for a guilty verdict in a civil lawsuit in some of the most slam dunk ways.
If we remove this feature of common law legal systems, I think you will get far more admissions of fault like this one.
If you hurt people, organizations, etc for admitting their mistakes, they're going to stop doing it.
The key take away is that apologizing and admitting fault doesn't absolve one of liability. There are a number of "amnesty" laws on the books where admitting fault can server to limit or reduce your sentence - especially with tax issues. I'm not sure how desirable such a thing would be in civil law among private parties. Especially in cases where a tort is minor to one party but a big deal to the other because of disparate wealth.
E.g. if Microsoft burned your house down would an apology and explanation be enough to settle the matter? How could we encode this principle into law for minor things but not large things?
I don’t think accidentally removing credits from a software license is exactly on the level of burning someone’s house down.
In general, I wouldn’t say that causing someone harm should be dismissible with an apology, but in a situation where the harm seems pretty limited, easily reversible, and unintentional—and the apology seems genuine and even informative—I don’t see a particular benefit to causing hardship to someone who made a mistake. The communal reaction as it is should give Microsoft/Google/etc an idea of what the blowback would be if this sort of thing was a deliberate corporate practice.
The harm is depriving the author of their moral rights, and the name recognition from their work. Depending on how popular the library becomes this could deprive the author of substantial business opportunities.
And if this was a deliberate decision that Microsoft refused to undo, I’d be as outraged as everyone else here would be.
But it wasn’t, and they did undo it, and I found their response impressively civilized and professional. So I’m not really understanding why everyone seems to want to hold this guy accountable for all the shitty stuff Microsoft could have done, didn’t do, and apparently did in the past.
> makes it very likely that it was an honest mistake.
I don’t have any doubt that it was an honest mistake. They also took accountability for the mistake, shared their steps to prevent it from happening again, and they’re in contact with the original repo author directly.
At this point, anyone digging for excuses to further demonize Microsoft isn’t interested in honest discussion about this issue. This is a textbook mistake followed by rapid resolution (on Christmas Day, no less), with great communication on top.
If you read the comments, most people believed it was an honest mistake. What we didn’t agree with was that it was an excusable mistake. Microsoft have since acknowledged it’s not excusable and thus will rectify that error. So as far as I see it, all parties, both for and against MS, should be satisfied with the outcome.
In a way I'm glad that this is not taken lightly. We all need to be informed and calm, but mega-corporations should be held to higher standards. They should feel breath of an angry mob once in a while. I imagine, that if reactions to things like that would be just "meh, it's probably just a mistake" it would not be resolved as quickly or it could just be ignored. But now that it is all cleared up let's go home and Merry Christmas.
Intent is a red herring, especially when the actions of an organization, rather than an individual are being considered. More important are the actions' consequences and the organization's propensity for repeating them.
What happened here was obviously a mistake. The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.
The thread would have been a lot more fun if we could have spent it talking about what prompted your team to build this thingy, and bounce other people's approaches to the same problem off, and maybe share some war stories about dumb things bots have done on our behalf.
Thanks, regardless, for the information you've provided here. It's interesting.
> The thread is full of lurid accusations, because those are fun to write and talk about, but it shouldn't take even a minute's thought to see how dumb a heist this would have been.
Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.
The issue looked like a mistake from the start to anyone paying attention (committed by a bot, changes were consistent with a boilerplate LICENSE file being checked in).
If someone at Microsoft wanted to steal some code, forking it on Github and then publicly documenting the history of the code in the most visible way possible would truly be the dumbest way to do it.
Especially here, when the smoking gun is a change to an MIT licensed project. One of the torch-holding commenters remarked that developers at Microsoft ought to know enough about how licenses work to know what a big deal this was. Physician, heal thyself.
> Another good reminder that Hacker News is not above assuming the worst and gathering pitchfork mobs like any other social media.
I would go so far as to say almost no group is, they just have different preconceptions that encourage assumptions of malice in different ways and directions.
There is no substitute for more facts about the situation, no matter how much we'd like to assume the details that aren't given.
It doesn't matter how "dumb a heist this would have been". This is Microsoft and their track record with respect to illicit and/or illegitimate behavior needs to be continually scrutinized. They put themselves in this position. They have made plenty of intentionally dishonest "mistakes" over the years.
Track records matter and Microsoft doesn't have a clean one. Scrutiny of companies of their size should be the norm. Maybe they would do more to improve "mistakes" if more people held them accountable in a continuous fashion.
"Scrutiny" doesn't mean making up nonsense issues, which is what this is. There's no amount of weasel words you're going to apply that's going to make changing an MIT license in a public git repository part of a terrifying conspiracy --- or a conspiracy of any sort.
Removing and applying an incorrect license to open source software by a multi-national software giant is a "nonsense issue"?
Hardly "weasel words" when you look at the action that took place. It wouldn't be OK for you to do it and it isn't OK for a bot that Microsoft deployed incorrectly to do either.
"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."
I understand the license. Based on your response and Microsoft's attribution change I don't think you understand the argument. I won't patronize you however based on the non-response.
No, do go ahead, because I don't understand really any of the dudgeon being worked up in this thread, given the original license gave Microsoft the right to do virtually anything it wanted to with the software already. Obviously, Microsoft shouldn't take credit for other people's work; equally obviously, to me at least, that's not what they were trying to do, since all it took was a single Github link to show what had happened.
This is my favorite part of the culture change which is happening at Microsoft.
We are still working on it. And, it will take time.
Jeff's team, my team, the java team whose forked repo this unintentionally highlighted are working with dozens of other teams every week. Satya says we're all in on open source.
Hold Jeff and Me and all the leaders of Microsoft to that vision. Keep us accountable. And, know this takes time. Let's make technology and humanity healthier and more sustainable in 2022.
I realize that Microsoft is composed of many pieces, but that doesnt prevent me from treating it like a single entity. And that entity has IMHO done horrible things to it's own products and customers, so I'd rather they keep theirs hands off FLOSS as much as possible.
But if you treat it like a single entity, that means you also treat all the people working there like that entity. The janitor working at Microsoft doesn't deserve your ire, nor the secretaries, etc. But they work there, and carry around their logos on their backpacks and what not. Those people have feelings, and those feelings feel bad when the entity they work for is lashed out at. It does make one feel bad when one's company is raked over the coals, because it makes one feel responsible, even if one doesn't even know what's going on.
So, for the sake of the feelings of the innocent people who work there, I would ask everyone to please modulate the volume and intensity of ire that they project. Please speak truth to power, but don't be harsher than is needed to get your point across.
But as for some background: I am a PM for Microsoft Build of OpenJDK and from late last year to around May this year I made contributions to the gRPC_bench repo as a Microsoft employee for some experiments we have been working on, to evaluate and improve different ways of implementing gRPC exchange in Java. [1]
This fork was intended for newer experiments, one of them being about coding and running these benchmarks on GitHub Codespaces. For that, I needed the repo on an org where we, as employees, have Codespaces enabled.
The rest is HN history (back to Jeff's reply above [2]).
FYI: when linking to a line of code, simply press Y on your keyboard to have Github switch from the _branchname/path/to/file.xyz_ URL to the _sha1/path/to/file.xyz_ URL. The former can result in your URL pointing to unrelated code if lines are added or removed in future commits on the referenced branch.
Really appreciate the prompt and transparent response, Jeff. Especially at a time when I assume you were not expecting to jump in on duty.
I hope that despite all the harsh words, you can have sympathy with that behind them are legitimate concerns and suspicion stemming from past bad behavior from various part of your organization. Due to this, and Microsoft's position of power, you have a much, much lower budget for these kinds of mistakes compared to the most other orgs.
Even if there was nothing intentionally malicious at play here, it would not be far-fetched for an outsider to interpret as "implicit maliciousness through neglect".
Here's hoping that 2022 will be a year of bridging the divide and sincere alignment.
Yes, it would be far-fetched. The conspiracy theory here is self-evidently implausible. We need to stop pretending that the accusations here were made in good faith, or are anything more than wishcasting. People write about these things because it's a lot more fun for them than to write about what actually might have happened, even if what actually happened is probably a better, more lastingly valuable conversation to have.
So, I'm of the opinion that a collective (for example a company) can exhibit malicious behavior despite no malicious intention of any particular individual in it. It can be emergent, and moreso the larger the organization. Along similar lines of systemic discrimination, there does not need to exist any conscious conspiracy or malintent. For better or worse, the whole is greater than the sum of its parts.
This comment speaks towards that this is the case:
> I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.
(I mostly agree with your sentiment, though. I do get the impression that leadership is sincere in wanting to do right. It's just that it's not that black-and-white or easy. As another MS employee commented, this is something that has to take time and they need to be held accountable along the way. https://news.ycombinator.com/item?id=29684127)
If there was a plausible evil plan behind this licensing silliness, I'd shut up about it. But there isn't. The insinuations being made on this thread (still! continously!) are embarrassing. It's not that I think Microsoft is incapable of putting together a solid heist; it's that observers here have such bad taste in heists.
Agree with you there. I see it as manifestations of fear, tribalism, and short-sighted oversimplification around complex issues. Without wanting to dive deeper into any of those topics, I believe there are similar mechanism at play on a larger scale in COVID-conspiracy theories and the re-emergence of Western xenophobia/nationalism.
It can be hard to assume good faith when your counterpart clearly isn't. But I think it can be at least as important then. We need to come together and find common ground.
I know Jeff personally and he's great. This happens all the time at Microsoft though. Teams try to do OSS themselves, haven't a clue how GitHub or licensing works (e.g. they think the CLA transfers copyright), and after a slap aside the head, I send them to Jeff for guidance and all is well.
>I certainly understand how scandalous this looks to crowds like Hacker News.
I don't. I'm with the Microsoft employee who was pissed at how people think it's edgy to diss on Microsoft. What were the chances that Microsoft was openly doing that? Some dude who has now deleted his post said Microsoft was trying to "create a monopoly of web IDEs". These are clearly people who barely have a passing knowledge of how Microsoft works these days.
People think critical thinking means complaining endlessly. It doesn't. You can't think critically if you don't think clearly. And you can't think clearly if you're only looking for a reason to lift the pitchforks.
It took significant public outrage and press coverage before either of those were even acknowledged, a long time after.
> What were the chances that Microsoft was openly doing that?
After reading the above, is it really that edgy to be assuming the worst? If it's truly just recurring instances of different rogue employees, doesn't that speak to a systemic and/or cultural issue that needs to be addressed with additional internal safeguards and/or deterrents to prevent it from happening again?
To the credit of the relevant team here, today this was promptly addressed as soon as it got their attention. But it will take more than that to set to rest decades of precedence.
(I did not partake in the flaming and don't find it constructive or beneficial; just saying I have full understanding of the suspicion and understand that MS are still on probation)
To late to edit or delete my comment above but just to set it straight I just learned that the whole lerna debacle linked above was a nothing-burger aka fake news.
Thanks for the response. Mistakes happen, human or computer, not the end of the world, and I get it. I was just more curious to know if there is a manual process for this type of forking that was not being vetted via the bot, and to bring another example to your attention.
If you read the repo history carefully, you'll see a bot was responsible for rewriting the "LICENSE" file from an Apache license to the Microsoft (c) stamped MIT license. This human commit simply copied that same language to the file named "LICENSE.txt". It's unclear why they did that, but that human was not responsible for introducing the license text into the repo.
? Instead of a software bug, it was a human error. Is it really surprising that with a company of Microsoft's size, some employees fuck up? Likely the employee was trying to say that the contributions in this fork that were not present in upstream are covered by the new license, but failed to do so properly (by leaving the original license intact and identifying precisely which files the new license applied to and which it didn't).
Courts will take a far more generous view than you are here. If Microsoft is not profiting from the change, and fixes it promptly when pointed out, the courts will shrug at any case - no harm, no foul. It's not even clear to me that it's illegal to have the wrong license on GitHub, assuming the shipping product does not violate the correct license. As nobody has pointed to any infringing Microsoft product... What are we talking about?
Damn dude. You posted this comment on CHRISTMAS no less. Either your phone exploded or you are a VERY PASSIONATE hacker news fan. Either way ... props to you for trying your best to straighten this out immediately.
This feels like the sort of thing where straightening it out immediately, even on christmas day, was well worthwhile simply because it would let him enjoy his christmas dinner without worrying about an inevitable building dramastorm.
That is not, however, a complaint - being smart enough and giving a damn enough to realise that straightening it out immediately was a really good idea is impressive and laudable in and of itself.
I saw your comment on the cups repo. Please don't feel horrible about it. An honest mistake is an honest mistake, as long as the issues are remediated. Merry Christmas
>SQL Operations Studio was built on the back of many open source projects that all use the MIT License for a reason: it's the right way to keep moving the community forward, empowering your users to do cool stuff and build useful things for the community.
>We're just asking SQL Operations Studio to use the same license that Visual Studio Code does.
Thanks for explaining. Out of curiosity, does Microsoft have any external-facing GPL-licensed projects? Are there any restrictions to using (i.e. open sourcing something developed internally or forking something from outside MS) GPL-licensed projects? Specifically, would teams be able to get approval to fork GPL repos?
Git for Windows comes to mind. Teams can absolutely get approval for any open source license; however, for a GPL project, we'd have their open source legal team work with them to brief them on the license obligations and requirements, such as publishing code to https://3rdpartysource.microsoft.com/.
Interesting, so that's specifically for GPL-licensed projects? Or am I misunderstanding and you would have dev teams work with Legal for any open source licensed project?
Copyleft has more process, since we absolutely need our engineers to understand the obligations we have, and for some of us, it may be the first time we're being introduced to open source communities and licensing, so we have to do more education in the GPL case.
Our process revolves more about _using_ open source than forking specifically.
Whenever a build runs at the company, we have a detection task that identifies the open source that is used, storing an inventory. We evaluate the open source licenses for that inventory, and have automation depending on the license that will help inform a team that has taken a new dependency with specific legal obligations - could be to get business and legal approval for something, to take training and learn about copyleft software and licensing, or that they need to post third-party buildable source. We're also able to use that inventory to help with incident response and blast radius analysis.
To scale, we need to make sure that our guidance and policies are in front of people, but we know that engineers want to get work done (or will find a way around what we have in place), and so need to be efficient and straightforward.
Not all situations will require a business or legal approval. Our motto has been "eliminate, automate, delegate" - eliminate onerous bureaucracy and policies - automate licensing compliance and inventory and approvals - and delegate to business leaders and others when there's a need for humans to be involved.
For those that don't know Polish it means Forest Rumcajs (https://en.wikipedia.org/wiki/Rumcajs), probably a joke of the author that wants to be anonymous.
I figured something like this was the cause. I must say I'm quite disappointed by all of the negative comments before anyone from MS had a chance to explain what happened.
Thank you for the full transparency, sadly we may hear for years of people saying how Microsoft blatantly ripped off someone else's copyright, but that's probably okay, those people probably wouldn't use your projects for whatever reason anyway, when in fact it was a bot meant to keep you guys from releasing code prematurely without a reasonable license to begin with (at least that's what it sounds like?).
Thanks for clarifying. This also highlights the lack of sufficient testing, and subpar processes, eg automation should be tested against critical paths, and changing a license should require human approval.
Agree. The lack of tests has been the biggest regret of mine for this project. It started as a hackathon project a long time ago, and as it grew up, it never got the testing investment it deserved. I imagine the code coverage is about 0.001% and there's no end-to-end tests in place.
Feels like the reverse Streisand effect at play here; a high-profile minor fuckup that helps popularize a positive thing. This was fun to meme on, but I'm glad Microsoft appears to be on an upward slant ethically. It also makes me more comfortable being a Microsoft customer.
And here I was ready to sharpen my pitchfork. Thanks for communicating the error and the correction. I know this time of year can be especially challenging.
So, you are adding licenses automatically? This seems pretty risky. Why not just prevent commits that don't have a license? Shouldn't there be a human somewhere in that loop?
The attitude in these threads always boggles my mind. When YOU, your teammates or someone else you know makes a mistake, then it’s just a mistake. But when someone at Microsoft makes a mistake it’s because Microsoft is evil and by extension so is the person who offended.
“It’s a big company”, you say. They should have a process! And I’m sad to say, they do/will have a process exactly because of this attitude. Then, everyone wonders why it takes forever to fix that bug they’re furious about or why features are slow to come.
Full disclosure: I work for MS, though have nothing to do with this. It’s a huge company. I know hundreds of people and most of them are upstanding and try to do the right thing.
This is a bot that is supposed to configure the right license when employees start a new repo in the Microsoft GitHub org.
It seems the automation is also triggered when Repos are forked into the Microsoft GitHub org which isn't correct behavior.
This isn't a deliberate action. If it were plenty of employees (myself included) would be outraged.
I assume it's a bug in the bot - an edge case that was not considered. It is very rare to fork something into the Microsoft GitHub org after all.
I looked at some of the other forked repos (95 out of 4.5K repos) and all the human commits from MS I saw seem to care about getting the licenses right. So it really is just a broken bot.
I hope the bot can be fixed soon and I'm going to put my figurative pitchfork down now.
He wrote a great response. Not many people I know would stand in front of a online mob and say "It's code that I wrote". And then fix it on Christmas!
While I'm glad this got resolved so quickly, I'm slightly ashamed of myself and the HN community for how we handled this. In hindsight the outrage was wildly out of proportion for a simple bug.
If you look at life as good & evil, you won't solve any conflicts. You should rather focus on "incentives". Correcting bugs and errors take time and other resources, therefore require incentive to prioritize.
If their bots were to stamp Microsoft projects with open source licenses, there would be huge incentive for them to tackle this problem within this sprint, and make sure it never happens again.
This bug profits them, or does not harm them at worst case. Therefore, by drawing attention and applying pressure, we should create the incentive for them to allocate resources to fix it, and make sure it does not repeat.
How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file? A certain degree of malfeasance cannot possibly be explained as incompetence.
Please don't pile on like this. You can make your substantive points without "how can someone be so bad at their job" hyperbole. Any mistake can be made to look terrible if you're uncharitable enough.
> A certain degree of malfeasance cannot possibly be explained as incompetence.
This is a missing conditional check, a mistake that is extremely easy to make and one I’m sure you’ve made at least once if you’ve been a professional programmer for any significant length of time.
or maybe they do not know/they missed that creating a fork from an existing project actually triggers “new repo created” event in the github organization, which has an unintended effect.
I agree with you in principle but "stamp out" and "be better" are phrases that produce the opposite of what you're aiming at. We're trying to avoid the online callout/shaming culture here.
These forks may be done for security purposes for projects that use source-based build systems so that the depending project doesn't have 3rd party repo dependencies.
As someone whose developed similar GH integrations, getting things right with their API is fairly tricky. What would actually be desirable is public-to-private forks so that the fork-dependency pattern is more enterprise friendly and this kind of confusion is mitigated.
Have you considered that the reason for the outrage is because people don't actually trust Microsoft to do the right thing? I can see this is a mistake, but surely the litany of awful business practices by Microsoft in the past precedes it?
Sorry, I didn't mean to imply you were. But no offense, so what if it isn't acceptable to employees? The decisions by Microsoft are made by the management of the company. As an example of another company with severe credibility problems, I'm sure there are plenty of employees at Facebook who don't like working there now, but they are still there. And still implementing the policies and directions of management.
MS dev here. Thanks for calling this out. I contacted the GH@MS admins to look into this and to consider adding some safeguards to the tooling so this doesn't happen in the future.
How is it remotely possible to not understand you cannot automatically overwrite a license file with your own. If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?
A simple solution prior to writing to a file in this case is to check if it already exists. It shouldn’t matter what triggers this bot if it’s programmed safe and idempotent.
Nuking the existing LICENSE file and replacing with the canonical one is a good move when it's your own developers' work. They could easily have picked "a" MIT license or screwed up the copyright string, and getting this normalized from the moment the repository is published is important.
But it's important that this -not- get applied to outside work from forks.
It should raise an exception that causes a person to have to deal with the matter. I should not be surprised if I were to find that this is actually in fact so and the extra step is responding to a prompt which people got used to not reading.
The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.
The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect. For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.
None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
I am not a MS employee but I do work as a software engineer at a small company and make six figures a year. Mistakes like this happen. In fact they happen all the time. There are a lot of people out there writing code on any given day. Some of them may have been staring at the screen for 12 straights hours trying to make a release date. Sure its a lot more visible when someone like MS makes one, but think about the actual issue here. They did not create a feature with the intent to overwrite existing licenses files, they made a feature to ensure the correct licenses were added to new repos. Now they forgot one edge case (out of how many thousands or millions?), took ownership of the mistake, and are taking actions to correct it. Overall to me that seems like a very small bug that they took/are taking steps to fix on Christmas no less.
>>None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
If the rest of the world thought like you we would not have any people left in high paying jobs. Everyone is bound to make mistakes. Owning up and setting things right is what is important in my eyes.
> The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.
Sometimes planes literally fall out of the sky. NASA caused a space shuttle to explode killing the entire crew. It is fundamentally untrue that anywhere in the world we have perfect people or processes.
> The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect.
I expect that occasionally sometimes people will ship bugs and neither they nor the processes in place will catch them. This is a very minor bug. This is not the sort of bug that keeps engineering leaders up at night.
> For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.
It’s really easy to point at others’ errors with the clarity of hindsight. But everything you said here boils down to just predicting the specific broken case, which is useless advice. Even your suggestion to check commit logs is useless unless you know the bug you’re looking for. It’s not as if Git spews errors when a license file is changed and it shouldn’t be. And if they knew what to look for in the logs, they wouldn’t have checked in the bug in the first place.
This team has doubtless shipped thousands of features. It’s unsurprising that they’ve shipped some bugs.
> None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.
You’re talking about a bug that caused a license file to be incorrectly changed and the fix is a revert. There is an audit trail of what happened and what repos were affected. It literally had no meaningful negative effect except to Microsoft’s image with the severest of critics, and to Jeff Wilcox’s holiday break. This is not a Therac-25 level incident.
I find it very interesting that none of the hyper-critical people in the comments here have discussed catching any broader class of issues. There are many comments criticizing the author for failing to check for an existing license file. (e.g.” How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file?”) None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.
The ability to criticize an error someone else already found is not valuable or constructive. And if this is the best you can bring, your judgement is certainly no better than the engineer who created the bug in the first place.
Disclosure: I’m a Microsoft employee.
Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.
> Further disclosure: If someone showed up to a postmortem for my team with this level of condescension and no useful advice, I’d tell them to be quiet or leave.
If I worked with you it would be my responsibility to support my coworker and help them improve. As it is neither of us has much of an obligation to the other we are uninvolved third parties giving our unsolicited opinions to one another. It is a privilege as an uninvolved observer to another to analyze it frankly without worrying about hurting someone's ego. It is OK I think to look at some mess or other and the inevitable conciliatory excuses and or hostile push back against criticism and call bullshit.
> None of those comments that I’ve seen addresses the fact that adding a license file during a fork at all is probably an error. No, just criticism about this one case because someone told them about the exact observed bug so now it’s obvious.
This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.
> This is an excellent point insofar as explaining why the bug might have happened. I disagree however that it is sufficient explanation. Such code should still check for the presence of an existing license file for another license and raise an error that requires human intervention to override. That is constructive and actionable.
Sure. In retrospect, that seems like a really good idea. But I'm sure you've done an awful lot of stuff that is dumb in retrospect, too.
Legal asks for tooling to ensure that the correct license file ends up on all developer projects. It's known that developers will often Google license agreements, copy them from places that don't belong, end up with the wrong LICENSE from a templating mistake. Someone builds tooling to just smash the correct LICENSE file in as a first commit on any repo that shows up in the Microsoft org: if it's an active developer and this is the rare case where this logic is wrong, surely they'll notice that this has happened, and this will prevent code from being up with an incorrect license.
Then, the use case evolves: people start to fork things into the Microsoft organization, and this code does the wrong thing an appreciable fraction of the time. But no one is scrutinizing commits on forked repos to the same extent and doesn't notice.
Maybe you do much better and have never made a mistake like this. But real people make real mistakes. Yes, when you encounter a mistake, you try to get better for next time! But that doesn't mean that we should expect a 0 mistake rate out of ______ org or not assume good faith with an ordinary rate of bad outcomes until proven otherwise.
Unlike the GP poster, I am not a MSFT employee-- I am often skeptical of MSFT actions but they get a pass here. Obliterating the license file has no advantage for MSFT, and has the risk of legal exposure and this kind of public black eye. Obviously someone screwed up, but screw ups happen. Now that Jeff Wilcox has had to work on Christmas, you can be sure he will be even more attuned to this type of issue in the future.
Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know? Especially if no one noticed these and called them out on it until now.
> Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know?
Is it wrong though? I mean, if Microsoft's reiterated pattern of license switches is automated, wouldn't this also mean that the error would be easily detected based on public feedback alone? And given this was not the first or second or third separate and independent occurrence of this pattern, if this was a honest mistake then wouldn't this already be addressed in any of the multiple past shout-out?
Microsoft, a collective group of people trying to do the right thing, has made many choices over their time. Many of those choices have been in direct violation of things like, but not limited to, the spirit of the Internet, anti-competiton, spying on their customers, and many other negative things. Should we have let those things slide because Microsoft employs others that weren't involved? No. You can say this may have been a mistake but that is a slippery slope. Microsoft deserves negative press on "mistakes" because this acts as a balance to keep the power they wield in check. Beyond that you have a significant bias against biting the hand that feeds.
In my opinion, this gets a strong reaction because:
1. They made similar mistakes in the past.
2. They didn't fix it for half a year.
3. They can expect strong financial benefits from making these mistakes.
4. They've recently burned a lot of goodwill by deliberately infringing licenses on a large scale when they trained Copilot.
5. They could have easily prevented this kind of mistakes.
My summary would be that Microsoft deserves to be punished for making this mistake. If nothing bad happens now, then we'll have the same discussion again in half a year from now.
In some cases, they changed other licenses to MIT. That would then allow them to train their AI models on this source code, or redistribute a closed-source monetized GPL rip-off.
Team A) makes a mistake and changes the license.
Team B) uses the fork under its new license and forgets to check the original branch's license.
Two honest mistakes leading to a de-GPL-ed library.
I was talking not only about this specific instance of it happening, but Microsoft had similar mistakes throughout the past 6 months. Here's the one from CUPS, a Linux printing library:
It used to be Apache License, then it became "MIT License (c) Microsoft Corporation". Thanks to the attention that this thread got, it has now been fixed:
But that source code was online with the wrong license for more than 6 months. Imagine if you had hosted Windows source code with a misattributed MIT license for 6 months... They would also bring out the pitchforks ;) Or even worse: well-paid lawyers.
I asked what Microsoft had to gain from altering an MIT license. You're answering a different question. But, fine, I'll bite: tell me how Microsoft stood to make a nickel by modifying an Apache license.
The MIT license puts essentially no restrictions on them that they would need to relicense out from under. They can't un-MIT it. So I'm still not clear on how you propose for them to make money by doing this. Do you have an answer to my question?
If they can change the copyright ownership from an individual to themselves, then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge, and could prevent anyone from using the software and associated documentation files in an unrestricted form.
> then they could (however unlikely) change the license on subsequent revisions to no longer provide the software free of charge,
You don't need to change the "ownership" to do this. MIT licensed software can be put under more restrictive licenses for subsequent revisions by anyone.
I think the OP is playing 20 questions for their own entertainment. I think what they're not telling you is that there's nothing to prevent someone from making a closed-source product incorporating something which is MIT licensed (but they're still supposed to give credit where due). That's also not the whole story. Squirrel!
If they don't know the answer to the question I actually asked, all they have to do is not answer it. I object to the notion that I'm the one playing games here.
It does seem like you are doing this. I have tried to answer you. Instead of asking questions, just state how you believe I’m wrong. I’m ok with this, if I’ve not understood something or made a mistake, I’m happy to concede.
Asking questions until you get an answer you want worked for Socrates, but for everyone else it is better to just state what is wrong about my and other’s argument and the reason why.
As was pointed out upthread: your theory about what Microsoft stood to gain from this license change was simply incorrect. I'm not sure what we're still discussing at this point.
You said I hadn’t answered your question. What I said was incorrect. Ergo, I answered your question. You told me I hadn’t answered your question, now you say I answered your question but I was wrong. Try to make up your mind.
If you are confused what is being argued about, perhaps stop.
Again, as was pointed out to you upthread, the license terms on that project already allow them to do the thing you claim Microsoft was hoping to do by altering the license. It's a MIT license! It's practically the least you can do beyond writing "these files are placed in the public domain".
I'm sorry to beat up on you. It's not your fault, but someone upthread wrote that Microsoft's developers should have known better than to have this bug, because developers should all understand licensing. That set me off, because in hate-reading this thread (something I should obviously not be doing), it's clear that a lot of Microsoft detractors here simply don't know what the MIT (or Apache) licenses do.
But then, the reason I started hate-reading this thread in the first place was that I clicked on the story link, saw an authorship edit to an MIT-licensed file, and thought to myself "how can so many people here give a shit about this?"
Ah. I see, that’s fair. You aren’t beating up on me, it’s better for me to find out about an error than not at all. Thank you for explaining the problem.
They're asserting ownership. By asserting ownership they're converting good will and assuming the mantle of authority, which will sway plenty of weak-minded people: hey it's Microsoft.
I see how that gets them a C-grade Mastodon lyric, but not how it gets them a nickel. Did I ask this question in a particularly weird way? The responses it's getting are a little confusing.
This isn’t just one person making a silly mistake. This is a catalogue of failings. Where’s the peer review? Are you suggesting that anything published in the main branch on Microsoft’s GH org gets commit without any branch protection? And as pointed out by others, this isn’t even an isolated case.
A healthy org doesn’t blame individuals, it blames failures in process. Thus Microsoft should own this mistake. Stating it’s the fault of an individual sounds more like your team operates a blame culture. Which, frankly, is a major red flag for a failing organisation.
I’m satisfied that the situation has been, or at least will be, resolved.m however there is still the unanswered question of who audits the changes the bot makes.
There is a definitely lesson to be learnt here that bots aren’t infallible themselves and thus need reviewing too. Automation undoubtedly enhances our developer experience but we do need to ensure that automation doesn’t make unchecked changes. This is something a great many engineers can learn from too.
Just pointing out this (reality distortion) is a general phenomenon. Have seen the same in all big companies (& many small). As an employee you want the best for the company and you naturally imbibe the company culture and that is perfectly fine. But there is a line and this is something one has to watch out for as an employee. As an example, seeing any critical comment from outside as an attack on the company.
It is good that an employee explained how this particular event happened and that is to their credit.
I respectfully, and vehemently disagree. Informing someone that they may be drinking too much of their company's Kool-Aid, without knowing what is in it, is a moral obligation.
Despicable that you present this as a bannable offense.
Sorry, but garden-variety internet comments and cheap personal attacks don't rise to the noble level of moral obligation. The comment plainly broke the site guidelines. That's not allowed here. If people have noble moral duties to fulfill, they can fulfill them without breaking the rules.
I too don't think there is any "moral obligation" involved but I did feel it was perfectly fine to point out what I did. I quoted their "I work for MS" to provide the context for my comment, nothing more.
Sorry, but that's definitely not accurate. You quoted it as part of a personal attack: implying that someone was lying about making a mistake, imputing sinister motivations to them instead, and adding a name-calling putdown into the mix (accusing them of being inside a "reality distortion field", as if you know more about their world than they do). All that is clearly against the site guidelines: https://news.ycombinator.com/newsguidelines.html.
You are insinuating astroturfing with no evidence other than "I work at Microsoft" and your personal, albeit somewhat justified, belief of "MS bad". It's not a constructive comment.
Ok, but anyone could say that about any comment, so from a moderation perspective that is either an empty point or means that we shouldn't moderate anything at all.
For practical purposes, someone has to make judgment calls about these things. The way we do that is that we have a set of guidelines (https://news.ycombinator.com/newsguidelines.html), and moderators who make calls about which accounts are breaking them. We try to be as even-handed as possible when we do that, but certainly no one is going to agree with every call we make. Nevertheless, someone has to do the job, and that includes banning accounts when people break the rules and aren't interested in modifying their behavior.
Moderation is absolutely necessary. What bothers me is that we are 4 or 5 comments deep, and you still seem to not understand why I spoke up in the first place.
The comment you initially replied to did not come off as a personal attack at all to me, in fact, there was nothing personal about it. They took data that was shared with them and used their experience to spit out their own thoughts on the matter.
So, I am calling you out for being a bit too zealous with the power you wield. What you do with my perspective being shared with you is up to you, but you're doing a lot to not just ask yourself "Was I being too harsh?" ... Here you have a human telling you that yes, that was too harsh.
Calling out the bitter flavor of a corporation's kool-aid is not a personal attack on anyone. Period.
If you (edit: I meant the original commenter) had just said it about the corporation, it would still not have been a high-quality HN comment, but I wouldn't have posted a moderation reply.
Sorry? I did not attack anyone. I am defending a comment by somebody else in which you presume they are personally attacking someone who has openly admitted they work for Microsoft.
You really are lost aren't you? Along with the irony of mentioning "high-quality" comments. Wow. What is the _level of quality_ when the commenter has lost track of the person with whom they are speaking...? In case you missed it, I'm talking about you.
I will re-iterate, because I'm patient. I am telling you that you were overzealous in moderating a harmless comment about Microsoft as a company. There is no personal attack in the comment, no matter how you choose to view it.
Feel free to understand the perspective of others before you blindly share more of yours. What a disgusting interpretation of "moderation." Censorship is a much better word to describe where you're headed.
You're right, of course: the comment I described as containing a personal attack was by bakul (https://news.ycombinator.com/item?id=29684540), not by you. Sorry for mixing that up! I've added edits to the GP to clarify.
> I took the comment to be a refreshing dose of reality.
This is how I meant it but I could have phrased it or presented it differently as this point got lost at least with the moderators and may be many more. Will try to be more careful in the future.
I appreciate your speaking up. And I also appreciate the moderators in trying to keep the discussion standards high. They have a tough job trying to decipher the intent of every commenter.
I don't work at Microsoft but I can confirm. There are so many "suggestions" for Microsoft Teams. I don't know if there exists another company whose employees are more critical of Microsoft Teams than Microsoft.
My personal conspiracy theory is Teams would have died long ago if not for strong support from the top.
Which is odd because Github doesn't use Teams, they're Slack based. As in, if I set up a meeting with my Github counterparts they're late because they had to install Teams.
when $new_repo in $msft_github:
echo $standard_license > LICENSE.md
Could just be normal practices, and doesn’t check if a license already exists because it’s usually handling non-forked OSS repos. What’s the phrase? “Never ascribe to malice that which is adequately explained by incompetence”.
Respecting a license is completely orthogonal to the unintended behavior of an automation used on something it wasn’t really meant for (fork rather than a new repo)
This is the peril of the imaginary "corporation" identity. People expect a company to be one coherent and consistent entity, but although a company can be managed well, establish culture and processes, and progress towards cohesion, it can never become as coherent as one person. And a person is not that coherent in the first place.
I am sure I subconsciously make the same mistake when I think about other companies. But I am making conscious effort to get better, take a more forgiving view on the humankind and give people as well as corporations chance to try again and be a better version of themselves, build the mental capability to remember that corporations are comprised of real people, and people make mistakes, and reasonable people who make up the majority of the population are constantly seeking (just struggling) to be better versions of themselves.
Ok. I worked at MS from 2005-2015. As I recall, there was this huge formal legal process and due diligence around including a single line of open source code. Is that not still the case? Am I remembering it wrong?
You have to take "companies doing good" always with a grain of salt. They're profit seeking companies, who act aggressively in their own interests.
It doesn't have to be a debate on "good vs evil" I've always hated those terms applied in these contexts, it's childish and for the naive. Fix the problem and move on.
'Profit-seeking companies' begs a common pejorative that actively reduces the variety in the pool of companies. It may not be descriptive of the companies for which this is not an overarching motivation. Many of them really want to make a happy customer by crafting as good a thing possible for the price they charge, and be well by their employees.
That said, I can relate the the cynicism especially for the giants. But painting them all as 'profit-seeking corporations' may deaden a satisfaction that comes from being a customer for a company you believe is good.
A company is merely a useful legal and organizational fiction. It's all people all the way down and those people don't act in a different moral context when they act on behalf of a company.
Microsoft is a rather special case of a company that has virtually no goodwill in the open source world. These are the dividends that result from statements and actions over decades. So when something like this occurs, the default reaction is often 'of course... it is Microsoft after all'.
Few people are likely to know <insert employee here> but many people are very familiar with decades of bad behavior undertaken by Microsoft not as isolated misdeeds but as a matter of policy. Lacking personal context misdeeds or mistakes are extremely apt to be interpreted in context of literal decades of bad behavior by Microsoft.
I mean come on the seismic change in leadership at Microsoft is just former lower echelon leaders during the time frame that MS was doing wrong now moving up and taking the helm.
We are after all talking about the company that tried to destroy the competition by funneling money into a fraudulent lawsuit/pr campaign that was a front for a pump and dump. The only thing separating MS leadership and felony charges is meeting notes between them and SCO and the fact that important people don't go prison in the US if can at all be avoided. Lest we forget the current CEO was at this time an executive VP as well.
Maybe it boggles your mind merely because you yourself are an ethical person who comports themselves properly professionally and would want people to see your efforts good and bad in context of who you are. This is entirely reasonable but people don't know you personally whereas your company makes headlines for bad behavior.
I am finding it hard to accept that it is an honest mistake.
From my personal experience, every software engineer that works in a company of this scale is obligated to take a training course on software licensing and understand the differences, and the "dos and don'ts".
If Microsoft doesn't have such a program in place then that's a big problem and should expect harsh criticisms when such events take place and if they do then it probably needs to be revised because it doesn't seem adequate.
On the other hand, outside the context of MS, if a software engineer doesn't feel they are doing something dirty as they are replacing the license or the thought of I might get in trouble with legal doing that doesn't cross their mind, then they probably shouldn't be allowed to be at the front line taking actions that represents the company's name.
...Given that several engineers employed at Microsoft have been part of armchairing this along everyone else now, why is not one of y'all (not necessarily you but come on, this is getting absurd, holidays aside) still just busy discussing around it rather than spending the <5 minutes required per repo to start actually fixing the fallout of it?
if I did this to microsoft do you think I’d be granted the same leeway? could I tell them they need to cut me some slack because i’m one person and “there’s a process”?
This isn't true – the only billing system bug I've seen undercharged. Also if it was an overcharge, they would have made customer whole, whereas they wrote off the undercharge.
Microsoft doesn't really gain anything here – there's a clear "forked from" qualifier in the repo, they aren't republishing these packages, etc. The only people who noticed noticed in a negative light.
To reiterate, I'm not saying there's malicious intent in any single bug. Yes, billing errors don't lead to more revenue for the firm. I'm describing rather a systemic bias in incentives for the people doing the work (programmers) and supervising the work (managers).
Approximately. Moral hazard typically refers to sins of commission. Deliberately taking on more risk because you're insured. Here I'm thinking more of sins of omission. You just forgot to do something. You didn't have enough attention to devote to the task, so you rationally apportioned the attention budget to the areas most likely to be checked by others.
I'm just curious, is Microsoft actually in violation of the MIT license here?
All future changes to this repo are copyright Microsoft, so Microsoft's copyright should be in the statement.
Arguably there should be an additional statement indicating that LesnyRumcajs holds copyright to bits of code that Microsoft hasn't changed.
But
(1) exactly which bits have LesnyRumcajs's copyright would have to be verified by examining source control history. Since LesnyRumcajs's copyright statement is visible on any commit where LesnyRumcajs holds copyright, this setup makes actually makes it easy to verify which portions LesnyRumcajs has copyright claims on.
(2) Including LesnyRumcajs's copyright statement in repo history seems to be all that the MIT license requires. The license doesn't forbid there being another more easily accessible copyright notice that doesn't list all copyright holders. It only requires that LesnyRumcajs's statement be included in all copies of the software, which it currently is.
What you're saying doesn't make any sense. If what you're saying was true you could take any MIT repro, fork it and replace the license with a fully proprietary copyright claim or any other license. You absolutely can't take code and just change the license to anything more permissive without the original copyright holders permission.
It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.
The license wasn't changed. But yes, generally you can make changes to MIT code that aren't released under the MIT license.
> It's definitely the case that at a given snapshot of the repository which has copyrighted code owned by someone else the copyright notice has to be there at that same revision.
This isn't in the license. Where is this laid out?
MIT license is very permissive but the original author retains copyright and one of the very few restrictions is that you must maintain the original authors copyright notice. So you can use MIT code in a GPL project but you can't remove the original copyright notice and MIT license text.
I don't quite follow your thinking about removing the notice but having it somewhere in history; a given snapshot/ revision will be a distribution where someone can show up and download just the master branch newest state and not the full git history. In which case you surely have distributed a copy of the copyrighted MIT licensed code without complying with the terms of the license, right?
Folks who work at mega corporations with outrageous amounts of power have a correspondingly large responsibility to the communities they interact with. Their mistakes have a much larger impact. Honest mistakes by hugely powerful entities are not mere trivia. They have an effect on the rest of the world commensurate with their power. Thus they should be held to a much higher standard than everyone else.
Everytime I've taken the route that there is some evil, no good as come out of it but when you give a group of people the benifit of the doubt, I would argue the majority of the time it's just a mistake.
I feel like the only people with an attitude against Microsoft these days are teenagers trying to look edgy and critical thinking or pretending they are insiders.
You should see how HN would react if Google has done anything remotely close to it. If it was Google your comment would be downvoted to oblivion instead of being the top comment. Not to mention you'd be disparaged for protecting your employer.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
For those of us that remember the “old” Microsoft, they are still obviously evil. Nothing they have done will change that view. Incidents like this prove that this zebra cannot change its stripes.
I think your comments does not add anything meaningful to discussion. Yes, Microsoft screwed up. Yes, a Microsoft employee is trying to make excuses for them. This does not mean we couldn't have a civilized discussion, though.
We have merged a pull request that restored the correct LICENSE file and copyright, and are in touch with the upstream author Leśny Rumcajs who emailed us this morning. We'll look to revert the entire commit that our bot made, too, since it updated the README with a boilerplate getting started guide.
The bug was caused by a bot that was designed to commit template files in new repositories. It's code that I wrote to try to prevent other problems we have had with releasing projects in the past. It's not supposed to run on forks.
I'm going to make sure that we sit down and audit all of our forked repositories and revert similar changes to any other projects.
We have a lot of process around forking, and have had to put controls in place to make sure that people are aware of that guidance. Starting a few years ago, we even "lock" forks to enforce our process. We prefer that people fork projects into their individual GitHub accounts, instead of our organization, to encourage that they participate with the upstream project. In this situation, a team got approval to fork the repository, but hasn't yet gotten started.
To be as open as I can, I'd like to point to the bug:
- The templates we apply on new repositories live at https://github.com/microsoft/repo-templates
- The bug seems to be at this line of the new repository workflow: https://github.com/microsoft/opensource-management-portal/bl...
- The system we have in place even tries to educate our engineers with this log message (https://github.com/microsoft/opensource-management-portal/bl...): "this.log.push({ message: `Repository ${subMessage}, template files will not be committed. Please check the LICENSE and other files to understand existing obligations.` });"