This project violates the MIT license of Gemstash

[indirect]

Hi. It's super cool that you're building a way to host gem servers on google cloud.

You forked this repo from the Gemstash repo at https://github.com/bundler/gemstash. Not only did you not credit the Gemstash project in any way, that repo is licensed MIT. As I'm sure you're aware, the MIT license requires you to preserve copyright information, and does not allow you to change the license.

Instead of following the MIT license, you removed the MIT license from the repo, removed the copyright information, and added the Apache license to every file.

That's not okay.

From a legal standpoint, this repo is not acceptable, and I'm prepared to get my lawyers involved if I don't hear back from you soon.

From an ethical standpoint, this is also super gross: Gemstash is a project created and maintained by the Ruby non-profit that I founded, Ruby Together. GCP has repeatedly declined to support Ruby Together in the work that it does to keep RubyGems.org, Bundler, and RubyGems itself maintained. Stealing software from a non-profit that you refuse to support, even though you depend on the work it does, is extremely not cool.

[jakemalachowski]

Could you explain how you see that Gemstash was forked?

[bhhaskin]

Well this is a bit awkward. It doesn't seem to be a fork at all. or share any code with gemstash...

Do you have any examples of files or commits in question? To me it looks like there are some files that are similar, but not exactly the same and pretty hard to say if its a fork or not.

[apetresc]

@indirect I legitimately fail to see where you got your assertion that he "forked this repo" from Gemstash. While Gemstash is obviously a dependency of this project, he is basically embedding it, I don't think a single Gemstash source file is being reproduced here.

[madnight]

https://softwareengineering.stackexchange.com/questions/105912/can-you-change-code-distributed-under-the-mit-license-and-re-distribute-it-unde

Im not working for google nor defending its move, but isn't it actually legal to reclicense MIT under Apache?

[ghost]

sometimes, we must learn to forgive.

[ghost]

"lawyers" "super gross" That's not how you first approach a problem.

[ghost]

@madnight

Im not working for google nor defending its move, but isn't it actually legal to reclicense MIT under Apache?

From your own link,

if you relicense the code under the GPL, and keep the MIT notice, then you've satisfied the terms of the MIT license and may legally redistribute the code

The author did not keep the MIT notice.

Also, GPL is incompatible with Apache, so I'm not 100% sure whether it is possible to do the same for Apache.

[jacobzlogar]

Google is going down the drain

[apetresc]

@light2yellow No relicensing of any code is occurring here. This repository wraps Gemstash to host it on GCP. It pulls it down as a Gem, the same as any project which depends on another Gem.

[sillsm]

Hi Andre, I'm Max from Google's open source office.

Thanks for bringing this to our attention. We've stared at both repos, and we're having trouble finding any actual copy/pasted code between them.

We don't strip license headers or change code licenses intentionally. We always aim to respect open source licenses. If we made a mistake here, please help us fix it.

It looks like GoogleCloudPlatform/google-cloud-gemserver depends on gemstash existing, but we can't find any copied code. It doesn't appear to be a fork.

We'd really appreciate it if you could give us pointers to the code you think was copied from your project, so we can fix it.

[NinoScript]

Hey @indirect, learn from @sillsm, that's exactly how you should approach a problem.

[herbig]

https://twitter.com/indirect/status/900461424865980416

"at a minimum, the readme is copied and pasted from the gemstash readme, and they don't credit gemstash at all"

what?

[ghost]

@herbig Lol they're not even similar. What are you smoking, @indirect?

[ocdtrekkie]

Layman/visitor query:

Would this actually be like a case of... whitelabeling, more than anything else? This repo sounds like it wraps the functionality of Gemstash and then calls the end result "Google Cloud Gemserver", which one might believe is a wholly separate product. Without it being a "license violation", I could understand why that would be unpleasant, and the documentation does seem to conspicuously not mention Gemstash (though it does link to it), despite it being... effectively a package of the same?

Is this something that would be better named "Gemstash for Google Cloud" or similar?

[enebo]

@ocdtrekkie I would guess I see two issues (although I am not a lawyer or on this team in any way):

1. gemstash may have a trademark
2. perhaps over time they plan on not wrapping gemstash

Just guesses...

[justinbaker999]

Wow. @indirect do research before you make accusations. Seriously?

[amolpatil89]

From an "ethical" standpoint, this is also "super gross"

[Marak]

Congratulations @indirect

You've worked hard and made something useful, accessible, and free enough that Google has decided to depend on your work.

Taking in gemstash as a dependency is perfectly within the legal rights of anyone ( including Google ) to use. If you didn't intend on bundling your code for others to use, you should have not published it with an MIT license to a public package directory.

In regards to a missing MIT license, as soon as someone runs bundle or gem install with google-cloud-gemserver, I believe your license will be downloaded with gemstash to the local machine which installed google-cloud-gemserver.

My personal advice is to stop working for free, or to continue to work for free and not complain when someone actually uses your work. This same thing here has happened to most of us. Consider it a badge of honor.

[ghost]

[zenspider]

Lies, Damned Lies, and André

This is a fraudulent claim that without proof from @indirect is equivalent to a shakedown.

I'm the author of flay (a code similarity analyzer). There is NO duplication across these projects. I've also run more generic text duplication analyzers across the codebases and, again, there is NO duplication across these projects. I went all the way back to the original commit on google-cloud-gemserver to make sure.

The burden of proof lies on the accuser, @indirect. Put up or apologize for your fraudulent claims.

[indirect]

@sillsm sure, I'm happy to talk about this. Could someone from Google please email me at andre@arko.net?

[indirect]

Hi everyone,

After talking to some people from Google and carefully checking over both this repo and the gemstash repo, I've concluded that I was wrong.

There are a lot of similarities in this gem's CLI and the Gemstash CLI, but those similarities are because this gem is a wrapper for Gemstash, not because this repo copied MIT-licensed code or docs from Gemstash.

@arhamahmed, I'm sorry for making these claims before I had time to dig in deeply, and I apologize that this turned into an ordeal for you. I think this project is a great achievement, and I would be happy to work with you to modify Gemstash to directly support this usecase without any monkeypatches. If you're interested, drop me an email at andre@arko.net.

[sillsm]

Thanks Andre. It's OK. These things happen. If you run into any licensing issues in the future, please don't hesitate to contact us.

Best, Max and the Google Open Source team

[vyp]

Also, GPL is incompatible with Apache, so I'm not 100% sure whether it is possible to do the same for Apache.

@light2yellow Note that GPLv3 is compatible with this Apache v2 license though: https://www.gnu.org/licenses/license-list.html#apache2

[ghost]

@indirect This was super gross of you. Maybe invest some of that lawyer money of yours into a reading comprehension course.

[AlekSi]

@sillsm it may be a good idea to lock this issue.

[willnorris]

yeah, good call @AlekSi. The matter is resolved, so I'll go ahead and lock this thread.