It's also very possible they had been working on it already and wanted to compare notes, I certainly would if I were working on something internal and found a similar project, but I agree, ask them for a consultation fee. I don't see why they wouldn't pay it.
Both projects also share in license, so I have less of an issue with it personally. They're both MIT licensed.
It seems like a pretty minor violation, to be fair. They do reference the project in the repo.
The real question is why did the author choose MIT if they didn’t want allow mega corps to benefit from their work without contributing back. That’s a feature of the license, not a bug.
It's not a "pretty minor violation", that's the only condition of the MIT license.
Yes, they mentioned Spegel, but only to thank the authors for "generously sharing their insights" -- that's not even close to the required statement that part of the project is owned and copyrighted by the authors of Spegel.
Ok, so MS will see this thread and re-add the missing header to a few files.
You really think the author is going to then feel 100% better about it?
They are just another data point in the long list of authors who chose a permissive license and are then shocked when a billion dollar company takes advantage of it.
I can't speak for the author, but I when I release code as open-source I think carefully about the license that I use (usually either MIT, GPL, or CC0). If I choose MIT, then it's because I'm fine with companies "taking advantage" of my code. I'd probably mainly feel glad that I created something useful to someone.
What I'm not OK with is a company doing that without attribution. If XYZ company's product is built on code I wrote, I want to be credited -- both so that I can show it to potential employers, and so that users of XYZ company's product are aware that some of the code in it is something they can use for free and modify for their own purposes. If the attribution wasn't important to me, I would have chosen CC0 instead of MIT.
So yeah, if I was the author, I'd probably feel a lot better about if MS re-added the correct attribution. I'd probably still feel miffed that they tried to pull one over on me in the first place -- but I wouldn't be offended by the fact that they're using my software.
There's a difference between what the license does/doesn't allow and what is/isn't a dick move.
MIT is commonly used for cases where you don't want to scare away potential corporate USERS by the "virality" of something like the GPL. This does not mean that the authors are completely fine with their work being repackaged and DISTRIBUTED as if the company wrote it themselves.
If I write something useful and convenient for people, something that makes peoples' lives better, it's probably not going to see a lot of use realistically speaking. I'm not out there making a name for myself, I'm just doing some stuff.
If Microsoft takes my code, turns it into a separate project with a separate name, distributes it as part of their own commercial offering, uses it in their marketing... great! It means that my ideas are making people's lives better. Yes, it's enriching a giant soulless megacorp who, at a high-level, does not actually care about how people feel and only cares about making money off my work, but I care about how people feel, and if it means that my work gets to make people's lives better then that's great - I wasn't going to make money off it anyway, so I lose nothing.
Unless they take implicit or explicit credit for what I made. I don't need my name on the marketing or an invitation to a launch party, but at least make a note in the docs somewhere that "this project was forked from ...." so that I can point to it and say hey, look at this cool thing I helped make happen.
I guess what would really irritate me, when it comes down to it, is not that the giant corporation did this, but that the individual developers did this - some dev out there found my project, decided to use my code, and made the conscious decision to strip out my attribution and claim it as their own. That's what would actually hurt.
I mean, the author understands the MIT license, and is upset that the terms of that license aren't being honored. If I were them, I would absolutely feel better getting credit where credit is due.
If they wanted a less permissive license, they could have used one.
That seems to be exactly the thing they are complaining about:
> Spegel was published with an MIT license. Software released under an MIT license allows for forking and modifications, without any requirement to contribute these changes back. I default to using the MIT license as it is simple and permissive. The license does not allow removing the original license and purport that the code was created by someone else. It looks as if large parts of the project were copied directly from Spegel without any mention of the original source.
Can you share what you think the author is really complaining about?
> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that".
Hacker News. Temporarily embarrassed billionaires who want to vouchsafe evil behavior in case their own future offers them an opportunity to steal from the community on a similar scale.
If you lose open source you lose a major resource. You should be looking for ways to protect these authors instead of explaining how "technically it's all actually their fault for being generous in the first place."
Ah yes, “temporarily embarrassed billionaires” — spoken by someone defending billion-dollar companies blowing past the only condition of a permissive license, then getting mad when people point that out.
You don’t get to posture as anti-corporate while handwaving away an actual license violation just because the license was permissive. That’s not protecting the community - that’s making it easier to exploit. You’re not railing against theft, you’re normalizing it.
Either the community’s rights matter, or they don’t. Pick a side.
> It seems like a pretty minor violation, to be fair.
Quite the contrary. The licence does not have many constraints, but this one is important. Volunteer developers let their code being used in closed source commercial programs. Recognition is the only thing they expect and the whole point of the licence.
It is literally the only violation that the license is concerned with therefore it is major!!!
MIT and BSD type licenses say you can do almost anything you want, but just don't plagiarize, because that would be intellectual misconduct.
In addition to not just removing the copyright notice from sources, the MIT license requires the copyright notice to be present in all derived works. It makes no mention that if you compile a program, the binaries don't have to have copyright notices.
People here keep saying that they removed copyright headers. I can't find a single copyright header in the Spegel source files. Can someone help me find which headers Microsoft actually removed?
What I see is that Microsoft added headers to their Peerd files. Now they read "Copyright Microsoft", which is correct because Microsoft owns some copyright over those modified files. If those files had had a "Copyright Spegel project" before, Microsoft should have kept it and added their own. But those files did not contain such a header as far as I can see.
Right. So Microsoft should just have a copy of this LICENSE file somewhere? Can't we just open a PR to add it to the repo? Did the author do that and did Microsoft decline the PR?
Feels like Microsoft was not necessarily trying to steal work (they link the original project in their README).
It needs to be present in the headers of each file that they took from. Attribution matters and in mixed projects you need that clarification at the file level.
Does the MIT licence text say that? I don't understand it like this. I understand that a copy of the licence should be preserved, not that the licence should be copied into source files.
I think the fork needs to preserve the LICENSE file in the repo and in distributed code (e.g. packages), right? But not replicated as a file header in every blessed file in the repo.
The author talks about changing his licensing as the only stone he can throw.
As I understand it, changing the licensing will do nothing to affect the fork Microsoft already made. It might affect the next megacorp from doing the same thing in the future, but Microsoft can keep working on their fork without giving it a second thought.
This is for sure a cautionary tale for every open source contributor. Choose the original open source license very carefully.
Edit: Might I suggest that when picking the original license, you try to imagine how you might feel if the company that you hate the most (could be Microsoft, Google, Amazon, or other) does the most extreme thing allowed by the license.
They might not be able to copy new code, but you can't stop them from fixing bugs that you also fixed, or adding similar new features as you (using code they wrote after carefully examining what you did).
Microsoft got tremendous value for free by forking. Which makes the obligation to deal ethically and honestly very serious.
You don’t get to take something from anyone without meeting the terms they have set for you to take them. That is theft.
(For clarity, I am saying theft of a right. As it does negatively impact the original creator, in terms of competition and lost attribution to the code they wrote, and Microsoft is not paying the “fee” that taking that right depends on.)
And no third person can can ethically speak for the source of the value and state that it’s no big deal for another party to break some part of a contract/license.
How do you know how much this aspect of the license impacted the original creators decision to share their work, their choice of license, or how they feel and and practically impacted about it now!
In this case, we know they clearly feel the violation was harmful to them at some level. They were snubbed, their work left unacknowledged, while Microsoft leached off them, even though doing the right thing would cost Microsoft essentially nothing.
Please don’t socially absolve the powerful from bad behavior toward smaller parties. That’s bad faith, after the fact, and you are not even benefiting from your own disrespect for the license. Always support the (credibly) injured party.
As for offenses against you, you have every right to be generous and overlook those.
(I once took a year sabbatical to work collaboratively on a project, with the presumed (based on what was a clear discussion to me) attributions being a key factor in me deciding it was worth the time and effort, when other factors made that a difficult decision. Only to have my attribution expectations unfulfilled, and no attempt was made by other parties to work things out. The situation was fraught enough that I couldn’t but help feel bitter about it for some time. I am long over it, but I would certainly take the year back if I could.)
The other thing is that Microsoft does not own the copyright for any of the code they used. Facing their work on code they don’t own the copyright to is incredibly messy from an IP point of view.
It’s why con contributor licenses agreements exist in most open source popular projects.
You don't understand my point (probably my mistake).
If the file starts with:
// <MIT header>
// Copyright evantbyrne
Then a fork should read:
// <MIT header>
// Copyright evantbyrne
// Copyright Microsoft
But if you did not add "// Copyright evantbyrne", the MIT license doesn't say that Microsoft should add it. I don't even know if it's legal for Microsoft to do it. You have to add your own copyright to the files where you own a copyright.
Right. So they should just copy this licence somewhere in a subfolder, saying "parts of this project derive from Spegel, with licence: <copy of the licence>"?
They can still do it now, and probably they should (someone can even open a PR?).
They have to say what code where is copied from the other project. It can't just be "parts", because that obscures the authorship.
You can open that PR, if you care to identify which parts were copied and label them all. Really, the people who copied the code in the first place should have done so, and really should have known better, given they work for a massive corporation that claims to love open source and has had a massive interest in copyright over the past three decades. It's not just a "mistake", it's unacceptable for a professional programmer for a corporation to take code from a FOSS project without crediting it. That's a level of incompetence bordering on malpractice for a profession that deals so heavily with copyright on a day to day basis.
edit: According to the MIT license, the notice itself just needs to accompany the code, so I was wrong about the specificity needed. Still, it does mean that any further forks would be unable to remove the license without personally identifying if all the original code was removed. It's always better to identify what code belongs to who.
> It can't just be "parts", because that obscures the authorship.
Wait. When I contribute to an open source project without signing a CLA, I keep the copyright over the lines I contributed. Still, I don't add a comment above every single line saying that it belongs to me. Nobody would accept such a contribution. Even for fairly big patches.
Are you saying that every single open source project that does not make contributors sign a CLA is doing it wrong?
Nope, I made a mistake there. It's good practice, when copying code from software with a different license, to call out what code is copied from where, but such a thing is not mandatory.
I'd say one of the things you have suggested. Copying the license file from spegel into a SPEGEL_LICENSE file in the repository would be sufficient. So would be actually crediting the project properly in the README with something like "portions of this code were taken from the Spegel project, under the MIT license" with a following copy of the MIT license.
You could open the PR and it would also be faster than writing all these comments here about opening a PR.
That's not the point, it is not the author's duty to do that and him pointing out Microsoft's wrongdoing is meaningful at least to me because I will be more cautious if I'm ever being approached in a similar way.
> Microsoft's wrongdoing is meaningful at least to me because I will be more cautious if I'm ever being approached in a similar way.
That's the thing: Microsoft approaching the author has nothing to do with the wrong attribution. And I am not sure if the original author here is frustrated because of the wrong attribution or just because they would have hope money and fame from the fact that Microsoft reused their code.
Because it's not like Spegel lacks visibility (given the numbers they shared in the article), the link on Peerd's README is probably not bad for Spegel, and the attention here is publicity again. Probably infinitely more than if Microsoft had done the attribution correctly.
The MIT license does not seem to dictate the exact ___location of inclusion. Logically, I would think you would want to associate it with the specific parts of code that you are copying. In the past, I've listed licenses together in the root license file for forks, and other times when the included code was a minor part of the overall project placed forked licenses within impacted files.
It may not be perfect for all cases (e.g. if some sort of dependency is linked but not present in the source tree it is naturally not really accounted for by Debian copyright files) but then there is always the options of either adding copyright information to every source code file (I don't like that style for redundancy but it is for sure a very clear way to do it) or to hand-craft a human-readable variant similar to the Debian approach but less formally.
In any case it seems that nothing is new aobut this and developers working with FOSS software should very well be aware of these concepts.
The number one rule about creating clean source (and IP) is not to look at competing implementations / patents. Was drilled in to me by legal over the years to avoid such issues. Really easy to unconsciously incorporate ideas from other projects.
This is not that though. Seems to be exactly what the maintainer is asserting and that's not OK. :/
It's not the money, it's the red tape. Setting up a new vendor, finding the right account, getting the PO approved. Even in a company where that stuff is relatively easy, it's way more friction than a simple meeting where you don't have to ask anyone for permission for anything.
The person that wanted to setup the meeting likely has no budget control. Big corps like to keep the ability to pay for stuff out of the hands of individuals and isolated in bureaucratic nightmares.
You'd be more than reasonable to demand "$1000/hr with 1 hour minimum" for such a consulting and I'd see HR in MS doing an immediate "hell no" to that.
One of the prerequisites for a successful negotiation is the willingness to walk away. This applies to both sides. I did consulting for a few years, years ago, and you'd be surprised what people are willing to pay. You'd also never know that unless you named your rate and were willing to walk away. I'm pretty sure any manager at Microsoft could easily swing a couple K. The main complication would be that this wouldn't be just a "meeting" then, and you'd need to set up a contract etc. Not insurmountable, just onerous and time consuming. So I'd insist on a much larger minimum, and would be willing to trade that for a lower price.
> you'd be surprised what people are willing to pay.
At least in my company, it very much depends on who's initiating the meeting. If one of our VPs did, then easy, any amount could be approved. However, if it's a team lead, we'd be told to pound sand.
I assumed other companies would be pretty similar.
But realize, that from the standpoint of the OP someone who can't swing a couple of K also can't swing a couple hundred thousand K _per year_ to hire more contributors or provide other funding to the project. They are, therefore, completely pointless to talk to - the decision makers won't be in the room.
> Big corps like to keep the ability to pay for stuff out of the hands of individuals and isolated in bureaucratic nightmares
I'd say my experience is exactly the contrary. Middle managers in my experience in mega corps have a lot of expense latitude for these kinds of things, expedited approvals, corporate credit cards. At least in the finance and tech world.
Could very well just be my company that's jaded me a bit about spending along with the work I did at HP. Both have a pretty strong penny-pinching attitude for common employees and lower-level management.
This is not an HR decision. This is a Director or VP decision in the relevant business line... BUT those guys can absolutely be 'canny' enough to suggest trying to get the person to do it for free first.
Their trackrecord is such that if I got a similar call my first question when possible would be how I was being reimbursed. They are welcome to fork anything of mine if they observe the license attached. I will take a look at any PR. I will NOT spend time explaining anything to their engineers unless reimbursed at my regular rates.
Blatantly copying the code without proper attribution is a violation. Regardless, it's not your issue to be OK with it, if the author himself is uncomfortable with it
> Blatantly copying the code without proper attribution is a violation
Except that they did not do that. They forked it (as the MIT licence permits), added an attribution to their README, and added their own header to the files with their own copyright. It's not their fault if the original author did not add a header in the first place...
Or where do you see that they actually removed a copyright header from the author? None of the source files I checked in Spegel have one.
MIT license requires attribution, not "a copyright header". It's not concerned when headers, or with sources being pristine, but with people being credited. If I release my software MIT-licenced, but don't have copyright headers, you are not free to copy files without crediting me.
And no, their note in the readme is not an attribution. It's thanking them for "sharing their insights", which in no way is code attribution.
Microsoft violated copyright here, bar none. There is no other reasonable interpretation.
Maybe they will, maybe they won't. I refuse to believe that Microsoft doesn't understand how attribution, copyright, or open source licenses work, though. I believe this is a mistake, but it's a very egregious one that showcases a lack of respect for the communities that Microsoft is exploiting. This mistake should not be possible from an entity like Microsoft.
Maybe the engineers did not go through a 12 months process with their legal department and did it wrong.
And with the bad publicity coming back to Microsoft, maybe those engineers will now understand that they should just avoid re-using open source projects when possible. And the next HN post will be about "BigTech reinvents the wheel in order to have control".
We're all nitpicking here: they mentioned the original project in the README. Peerd is quite different from Spegel, it's not just a copy with a small patch.
Sure, they should do it right. But really, a polite, small PR fixing that would probably be a good first step.
You don't need a 12 month process with a legal department to not take code without giving credit. This is not untrodden ground.
> they mentioned the original project in the README
They thank them for their "generous insights". That's not the same thing. If I take chapters unmodified from Harry Potter and thank Rowling for her "generous insight", that's still not okay.
> Peerd is quite different from Spegel, it's not just a copy with a small patch.
Nobody said it was. It does, however, copy functions and other entire blocks of code with comments directly from Spegel without giving attribution. That is wrong. That is plagiarism.
> You don't need a 12 month process with a legal department to not take code without giving credit. This is not untrodden ground.
Well, I have been in big companies where it takes a lot of time for the legal department to check those things. Not because it's fundamentally hard, but because the queue of things they have to do is pretty big.
> They thank them for their "generous insights". That's not the same thing.
Sure, it's wrong. But it's not "purposely stealing without giving any credit at all" either. It feels like an engineer did that, tried to give credit and did it wrong. And now we go on and on saying how this engineer is evil.
It's not that an engineer is evil, it's that this mistake should not be happening in a company like Microsoft. It's professionally incompetent at the very best. No trained and professional programmer should be accidentally plagiarizing code.
Your argument is fairly asinine. When you fork an open source project under the MIT license you have an obligation to include the original license in all copies or substantial copies of the code. The author of the fork may also sublicense, which allows them to add new terms to the license, but not remove the original license.
Forking and/or copying files from the Spegel code base into the Peerd code base is permitted, but since the Spegel code base had a single license file covering the entire repo, then the onus is on Microsofts engineers to update the code they copied and include the original license terms, for example, by including something like:
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
// Some code Copyright (c) 2024 The Spegel Authors, under MIT license
If your argument is that they aren't required to do this because the original code didn't have a license header in the file, then it would follow that you are arguing that the MIT license doesn't apply to the code that was copied, in which case Microsoft is using unlicensed code stolen from an open source project.
While I haven't worked at MS specifically, I would assume that like every other tech company I have worked at, they have a team or working group that specializes in adherence to open source licenses specifically to avoid both the legal implications and the bad PR implications of misusing open source software.
The details are less important. The code that is copied needs to be attributed, either with comments, or a license file that states which files came from the project, or something else, but the specific code does need to be recognizable by a reader as coming from that other source. Comments and copyright headers are the easiest way to do this.
Still, to me it's not even clear if "substantial parts of the code" were copied. What the article shows is really small snippets of pretty generic code. Ok, it keeps the original comment and the overall form. But if it's 15 lines, it may even count as "fair use", couldn't it? Remembering how LLMs use the concept of "fair-use" by stealing everything everywhere...
My point is that Peerd seems like it's loosely based on Spegel. Maybe a fork that was heavily modified. Not sure if they should track all the code that looks like it was not modified enough and attribute it everywhere.
Probably they should keep a copy of the original LICENSE file somewhere, sure. And if one asks politely, maybe they will do it.
Again: they did credit the original project. So it feels a bit aggressive to say that they "stole it without giving any credit".
> Still, to me it's not even clear if "substantial parts of the code" were copied. What the article shows is really small snippets of pretty generic code. Ok, it keeps the original comment and the overall form. But if it's 15 lines, it may even count as "fair use", couldn't it? Remembering how LLMs use the concept of "fair-use" by stealing everything everywhere...
Fair use allows for commentary, news reporting, criticism, teaching, research, and scholarship and there are guidelines. Most cases where fair use is sought as a defense requires litigation to clear it up. The other alternative when forking an extremely permissive MIT license is to just follow the license.
> Probably they should keep a copy of the original LICENSE file somewhere, sure. And if one asks politely, maybe they will do it.
They are required to do so by the original license of Spegel. Does Microsoft ask politely when people violate MS licensing by say, pirating their software, or do they work with 3 letter agencies and a massive enforcement team to ensure their licenses are followed?
> My point is that Peerd seems like it's loosely based on Spegel. Maybe a fork that was heavily modified. Not sure if they should track all the code that looks like it was not modified enough and attribute it everywhere.
Yes. Every other tech company I have worked at, including Mozilla, a company that publishes almost everything they do as open source, has had folks dedicated to ensuring license compliance.
> Again: they did credit the original project. So it feels a bit aggressive to say that they "stole it without giving any credit".
They didn't provide credit in the way that the license requires. This isn't a case where a new community member forked or copied code into their first open source project. This is one of the biggest companies in the world with a well-known history of taking and using OSS without proper attribution. I like and use many MS products, but they absolutely do not deserve the benefit of the doubt.
> This isn't a case where a new community member forked or copied code into their first open source project. This is one of the biggest companies in the world with a well-known history of taking and using OSS without proper attribution.
Next time you work in a big company and you feel that the legal department is a PITA and slows you down, remember how people react when they are not, like here :-).
I don't know why you are trying so hard to carry water for a team of engineers at a company that has the history to know better.
The team that built peerd had the good sense to consult with the author of Spegel before moving forward with their project. A simple note to their business line lawyer (or whatever they call them at Microsoft) at work to say "hey, we are going to use some of this code from this open source project, what do we need to do?" would have taken less time and effort than setting up the meeting with the Spegel person/folks. That is assuming there isn't an easy to find page on how to consume open source software on Microsoft intranet. Every major company I have worked for (HSBC, Mozilla, Amazon, Fastly, Cisco, to name some) has had this going back to 2005. This isn't rocket science.
You also don't need to be a legal expert to comply with most open source licenses, and the MIT license in particular is really easy to comply with. Just copy the code, and whatever file you copy the code into gets an attribution comment at the top.
I'm all for going against leadership when they purposely abuse people (like Zuckerberg telling his engineers to torrent copyrighted data for their LLM).
I would be in favour of checking what small companies do with licences. In my experience, the vast majority of startups blatantly abuse open source all the time.
But here it seems like it's all about an engineer who did some kind of attribution, but didn't do it correctly. And people are happy to say that it's all part of a big evil plan by Microsoft to take over the world.
But it doesn't here! You are totally allowed to completely copy an MIT file, modify it and add your copyright to it!
You should just keep the copyright that is already present in the file! But in the case of Spegel, I don't think that the files contain a copyright header in the first place.
Very possible, from the in repo documentation (which credits Spegel yet again) https://github.com/Azure/peerd/blob/main/docs/design.md it seems like there was a particular engineer at Microsoft who was working on Azure Container Registry who found it useful to integrate Azure Container Registry.
If they contributed it upstream, would we be discussing a blog post "how dare evil megacorp submit a PR that only implements their API! embrace extend extinguish!"? Probably.
> If they contributed it upstream, would we be discussing a blog post "how dare evil megacorp submit a PR that only implements their API! embrace extend extinguish!"? Probably.
Considering how often that happens VS how little times stories like that appear on the frontpage of HN, I'd wager a guess that we wouldn't be discussing it like we're discussing the current license violation.
Both projects also share in license, so I have less of an issue with it personally. They're both MIT licensed.