So, speaking for Google (for once):
We're on it (and about to post a response), but a number of us have looked at this, and are having trouble finding any actual code in common between the repos at all (let alone any where the license was changed).
I can find parts that depend on the gemstash project being installed, but nothing that appears to actually have been taken from the gemstash project.
If someone here sees some, I'd really appreciate letting us know (here, or email me at dannyb@google) so we can go fix it.
Nothing to find as far as I can see. All that's done is import a gem like anyone would whose project depends on an external gem. Mr. Indirect seems to have had a bad day, take it easy :)
Edit: Seems more just a google criticaster https://indirect.tumblr.com/post/164152747613/so-ive-been-th...
As an update looks like he thinks he was wrong.
As Max said, mistakes happen, and most people are not very willing to publicly admit when they make them, so I'm generally very supportive of anyone who is willing to do that and move on.
From what I see, google-cloud-gemserver uses gemstash[1] but does not include its source. Am I somehow misunderstanding the accusation "You forked this repo from the Gemstash repo"?
I'm on mobile so reading the code is hard, but after digging through much of both repos, this doesn't look like a fork at all. I see some code that looks like it's from gemstash, but that's far different than a fork -- not better, just significantly different, as evidenced by the comments here suggesting malice and license stripping.
Is the allegation that it was forked and then more than half of gemstash deleted? Seriously, read the code, even the gem architecture is different. "I found some gemstash code which btw is MIT and can be embedded all day long" does not deserve lawyer threats, and I say that disliking Google.
More embarrassed for the issue author here, who went straight for an outrage jugular without understanding the entire situation, and probably submitted this thread to HN too.
Hi Andre, I'm Max from Google's open source office.
Thanks for bringing this to our attention. We've stared at both repos, and we're having trouble finding any actual copy/pasted code between them.
We don't strip license headers or change code licenses intentionally. We always aim to respect open source licenses. If we made a mistake here, please help us fix it.
It looks like GoogleCloudPlatform/google-cloud-gemserver depends on gemstash existing, but we can't find any copied code. It doesn't appear to be a fork.
We'd really appreciate it if you could give us pointers to the code you think was copied from your project, so we can fix it.
This is what I'm seeing as well. Seems like the only mistake the author made was forgetting to include the MIT license, which is not as nefarious as scrubbing it.
But there is a distinction between redistributing a work and merely referencing it. It doesn't look like this repository actually copies anything from the other, and just listing the other one as a dependency doesn't require including the license.
It might have not been a mistake at all. The thread shows a comment by a more senior Google employee asking for clarification as there is no infringement he can see.
I may be in the minority that agrees with you here.
Giving constructive feedback / discussion that may lead to GCP supporting the OP's project may be a better way than going directly to "I'm going to get my lawyers involved".
From the current discussion it also looks like some people don't even agree that this repo steals from the OP.
This is a teachable moment for the guy who posted the comment, not the intern, since the repo isn't even a fork of his stuff and he comes off like a petulant asshole that would have been better served trying to solve this issue through some more direct line of communication as a first step. At the very least it would have saved him the embarrassment of being so publicly wrong.
If you look at the repo it's not clear at all if there is an issue. It's certainly not a fork of a repo. It actually includes gemstash as a dependency [1] which is a really weird thing to do if it was actually a copy of gemstash.
Or the original allegation is totally baseless, which appears to be the case. You should have investigated the issue before insinuating the accused is a serial plagiarizer.
Well. When your mistake involves stealing other peoples work (yes, I equate "using without proper attribution" and "changing the license" with stealing), I think a few crosses and nails are in order.
One of the primary beefs from the person filing the issue seems to be that the project in question (google-cloud-gemserver) is not also licensed as MIT:
> As I'm sure you're aware, the MIT license [...] does not allow you to change the license.
This demonstrates a poor understanding of licensing. The MIT license is a permissive license, not a reciprocal ("viral") one. I.e., you're free to incorporate it into other projects even when those projects themselves are not licensed as MIT.
This wouldn't look so silly if it weren't the case that:
1. The MIT license text's brevity is very to-the-point
2. It goes further than similar licenses (e.g., ISC, BSD) and explicitly names sublicensing when enumerating its (inexhaustive) list of permissible uses
3. The other software project in question is licensed under Apache License version 2.0, which is more or less functionally equivalent to MIT, modulo some patent termination stuff.
EDIT to everyone commenting about "relicensed MIT files", and "changing the license": Stop that.
If you mean that it's required to reproduce the text of the license and the copyright notice somewhere in the end result (a la Firefox's about:license), then say that. This conversation would go a lot smoother that way instead of you endlessly repeating about a "license change". Say what you mean.
No, OP is correct here (assuming the project includes source from gemstash, as opposed to merely being something that links gemstash at runtime). You can certainly reuse code under the MIT license in an Apache-licensed project, but the license states clearly:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
That is, you cannot remove the copyright notice nor the text of the MIT license.
I don't know what "MIT [doesn't let] you change the license" is supposed to mean.
The original project is licensed under MIT. The Google project said to incorporate that code is licensed under Apache 2.0. This is permitted by the terms of the MIT license.
If there is any wrongdoing here, it looks like a failure to `git add ./NOTICES.txt`, and that's as simple as the remedy to it would be, too.
> I don't know what "MIT [doesn't let] you change the license" is supposed to mean.
You cannot take code licensed under MIT, delete the MIT license, and supply a different license instead.
> This is permitted by the terms of the MIT license.
It is permitted to include MIT licensed code in a project that also contains Apache licensed code, but it is not permitted to change the MIT licensed code to be Apache licensed.
The result is a project where different code has different licensing.
The problem is not that the project is Apache licensed, it's that (according to TFA anyway) the project relicensed MIT files as Apache 2 and removed attribution, both of which are verboten.
You can have MIT-licensed files in an Apache-licensed project, you can not strip out their original licenses and put yours instead.
Licenses aren't per project, they are for any copyrightable piece of code, you can have multiple even inside a single file. MIT lets you mix with Apache licensed code, but you still have to indicate the original license.
> The MIT license is a permissive license, not a reciprocal ("viral") one. I.e., you're free to incorporate it into other projects even when those projects themselves are not licensed as MIT.
Sure but you are not allowed to relicense it nilly willy, only the copyright holder can do that (which incidentally is part of the reason for the copyright assignment of the FSF of big projects).
The MIT license still requires that the MIT license be distributed in anything using that license. That includes the list of all copyright holders that contributed to the MIT licensed code.
Quoting from the license:
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
So if this was a fork, the MIT license was violated.
> Stealing software from a non-profit that you refuse to support, even though you depend on the work it does, is extremely not cool.
If this truly was an intern who did this, "you refuse to support" and "you depend on the work it does" are kind of stretches.
Obviously stripping the crediting and copyright details is an incredibly poor decision, but not like this intern has any part of Google's decision to support Ruby Together or not.
I am reading "you" as addressed to Google, not to the intern. The project is owned by Google, copyright is held by Google, the GitHub organization is for Google, etc.
Sure, the intern is not personally morally culpable, but they were told what project to work on by a manager, no? And any open-source release was approved by a fairly sizable Google committee that is deeply aware of what open-source projects Google depends on and which ones they choose to support, isn't it?
If this were on the intern's personal GitHub account on their own time (and Google were so kind as to allow the intern to do work on their own time and retain copyright), this would be a totally different matter, yes.
Linking to someone's LinkedIn page is not doxxing. That's information about himself he freely chose to make publicly available. It's linked from his GitHub profile, which is two links away from the GitHub issue that is the subject of this post.
Doxxing would be revealing his home address, phone number, private email, etc.
> Why are you providing a link to this person's LinkedIn? This IS NOT a place to provide material for a witchhunt.
If someone wanted to launch a witch hunt, it wouldn't take long for them to find his linkedin page on their own. The linkedin page is relevant because it provides verification that he is in fact a Google intern.
The author of Gemstash is clearly trying to wring as much outrage from this as he possibly can. This is blatantly NOT a fork, it's a wrapper. On Twitter he's stepped down from the "fork" accusation and downgraded it to "he used our README", but seems to be enjoying the attention too much to amend his original complaint.
A lot of people are talking about this being a teachable moment. I suppose that's true. [EDIT: or is it? This intern probably didn't do anything wrong? Rest of comment relevant to discussion more than the link.]
But I've managed someone who took code from the internet (multiple files, a whole sub-project, really) and tried to pass it off as their own. I pointed out they left the license info at the top of the files, and so it was pretty easy to tell it violated the license terms. I got push-back about it, saying they just wanted to deliver the feature (the code didn't do that, but whatever). I said I was glad the code didn't get deployed, and said we could work on requirements so a clean room implementation could be done. So far, yes, teachable.
Then he committed the same code with the license information removed.
Then I fired him.
There's simply no other way to handle these situations. It's unprofessional in the extreme to plagiarize, and is a lawsuit magnet to boot.
What is up with the tone of that post? It seems that this is his first attempt of contacting them and yet words like "lawyers" and "super gross" are brought up.
Yes, they clearly came with pitchforks ready, probably from feeling burned by GCP ("GCP has repeatedly declined to support Ruby Together in the work [...]").
It also doesn't seem clear that the code was forked at all, making this whole exercise pointless.
I'm getting the feeling that this is more of an attention seeking thing. The way that this seems to be so unnecessarily inflammatory and posted with a throwaway account. I'm sure that some people are going to see this non-profit org and make donations to spite Google.
"Hi Andre, I'm Max from Google's open source office.
Thanks for bringing this to our attention. We've stared at both repos, and we're having trouble finding any actual copy/pasted code between them.
We don't strip license headers or change code licenses intentionally. We always aim to respect open source licenses. If we made a mistake here, please help us fix it.
It looks like GoogleCloudPlatform/google-cloud-gemserver depends on gemstash existing, but we can't find any copied code. It doesn't appear to be a fork.
We'd really appreciate it if you could give us pointers to the code you think was copied from your project, so we can fix it."
Whoever used a throwaway account to get this onto the front page of HN, less than an hour after that issue was posted on GitHub: that was an irresponsible and wrong thing to do.
From what I can tell, it looks like Gemstash was used as a reference to build google-cloud-gemserver. There are certainly pattern similarities, but a lot of the codebase has been rewritten. The foundational structure is definitely very similar, but the code within it is different.
Are there any examples of concrete source code matching exactly?
I'm not familiar with ruby, but what if it's just how ruby projects are set up usually?
The version file content, and the file structure might just be both taken from a tutorial on how to create a basic ruby package?
This happens for other languages, a lot of CMakeLists.txt files look very similar for instance, including the exact location of version files and whatnot if people follow tutorials like [1]
These are all pretty generic Ruby things - the first file is just configuring which components of gemstash to auto load, the other two are most probably auto generated when you make a new gem
Title should be changed, it's unclear if the license was actually violated, all that has happened is that the author of gemstash has claimed that is the case.
I'd be willing to believe that removal of a license file could be accidental. However, what is being discussed here is wholesale replacement of a license notice in multiple files, which is much harder for me to believe is a mistake made out of ignorance or stupidity.
I could easily see someone who hasn't actually read the license and not knowing anything about software licenses other than that he needs Google's doing this.
Don't you have to be pretty ignorant though to strip out the old license and then just replace it with another one? I mean you have to consciously do it.
Then now is his moment to learn about open source licensing. Doesn't mean the infraction does not count or we should let it slide. As any license, even MIT with its few requirements must be enforced to be worth its bytes.
Ignorance would be misunderstanding or even misrepresenting the actual license with the wrong license. I maintain a FLOSS project that ships libraries with various FLOSS licenses, and it's within the realm of possibility that somewhere in there is a README that conflicts with the license at the top of a corresponding C source or header file. (Hypothetical example: README says gplv2 and the c file is 3-clause BSD.)
But removing a copyright where condition #1 is a single sentence that tells you not to remove the copyright? And replacing it with a different license? That certainly isn't ignorance.
Eh, charitably guessing here, I could imagine an intern being told something, "it's okay to use Open Source software, just make sure it's Apache license otherwise we have to get the legal team to review." And then an intern naively treating that as a directive, without the understanding that it was wrong.
Hoping the intern learns lots, and that he isn't raked over the coals.
He didn't delete it or replace it, it was never there. There's no code shared between this project and Gemstash, it simply `require`s Gemstash the way any Ruby project would depend on any other gem.
HN Editors should revise the headline since it seems far from established fact that the intern violated the MIT license.
If it actually turns out that the intern didn't violate the MIT license after all (as some seem to suggest), he should retain an attorney for having his reputation smeared.
Looking at the two repos it's not clear to me whether it's even a fork or not. The issue owner didn't state which files he thinks are forked from the Gemstash repo. Also, MIT license is a permissive license and does allow sub-licensing, so his comment that you cannot change the license is not entirely correct. However the intern should have kept the original MIT license along with the Apache license, adding a note that MIT license only applies to specific portion of the project (that is, if he forked that repository in the first place..)
Undoubtedly a very bad thing to do from the intern, however I feel that if we treated this correctly we could open a debate and encourage GCP to add support. Let's not forget that this can likely ruin someone's career. It's a stupid intern mistake, let's try to get something good out of it.
When I read this issue I think it just reflects poorly on the author of the issue. I see no reason to assume ill will. Notification of violating the license is definitely needed, but the tone of the issue is uncalled for.
What would you call what actually happened here? Whitelabeling? It doesn't appear to be a license violation since no code from the other project is included here, but I presume this repo basically wraps Gemstash's functionality, and doesn't really mention (outside of the code itself) that that is what it is doing.
It may not be a license violation, but "Google Cloud Gemserver", if it is functionally similar to Gemstash's own functionality, sounds like a rebranding, which... feels uncomfortable?
This looks more like a case of Google hate more than a MIT license violation. I've looked at the repos and as others mention, the project is not a fork but a wrapper and they share no code. Others have also mentioned that the author of the issue has made clear his dislike for Google. Combined with the throwaway account posting to HN 30 mins after, this smells fishy.
I bet his manager did not emphasize the importance of licensing external codes, although this kind of licensing issue must have been covered during some orientations at google.
So, it seems there is way more backstory to this than the issue spells out (or only starts to). Can anyone provide a bit more context? Was this done in a backhanded, malicious way? Did Google tell their intern to start this project, or is it his side project? I mean, it's not cool either way, just curious.
> according to the complaint he removed the existing licenses and replaced them with apache. That sounds kinda sneaky
That can't be the whole of it, though, right? Because the MIT license allows relicensing. For example, I can redistribute an MIT-licensed project as part of a GPL-licensed one, although I do still have to include the original MIT license as part of the project, even if the whole project is redistributed under different terms.
It's not really the right way to handle a relicensing, but to be quite honest, it's easy to make minor technical mistakes with free software licensing even if you're acting in good faith and trying to do something that is ultimately permitted by the license
Heck, even the term "MIT license" is technically not recommended by the FSF, as it's ambiguous (they recommend the unambiguous and equivalent term "X11 license")