christianbundy / octotree


Octotree censorship / AGPL violation #1

Open christianbundy opened 3 years ago

christianbundy commented 3 years ago

Since @buunguyen has decided to suppress this conversation via censorship, I thought I'd move the discussion here.

Thread summary

This thread is long, I've summarized it for folks who are just now tuning in.

EDIT: This thread has devolved into uninformed opinions by drive-by commenters. I've already explained all of the basics multiple times throughout the thread, and honestly don't have the energy to engage with people who can't be bothered to read what others have already written. I have unsubscribed to this thread.

TL;DR

Contributions to the Octotree project were licensed under the AGPL, which requires that all improvements are also published under the AGPL. Octotree is now closed-source, and @buunguyen is claiming that it's a "complete rewrite", but I've looked at the proprietary bundle (octotree.zip) and it doesn't look like a rewrite to me.

Example

AGPL

From src/view.tree.js:

_showHeader(repo) {
  const adapter = this.adapter;

  this.$view
    .find(".octotree-view-header")
    .html(
      `<div class="octotree-header-summary">
        <div class="octotree-header-repo">
        <i class="octotree-icon-repo"></i>
        <a href="/${repo.username}">${repo.username}</a> /
        <a data-pjax href="/${repo.username}/${repo.reponame}">${
        repo.reponame
      }</a>
        </div>
        <div class="octotree-header-branch">
        <i class="octotree-icon-branch"></i>
        ${deXss((repo.displayBranch || repo.branch).toString())}
        </div>
        </div>`
    )
    .on("click", "a[data-pjax]", function (event) {
      event.preventDefault();
      // A.href always return absolute URL, don't want that
      const href = $(this).attr("href");
      const newTab = event.shiftKey || event.ctrlKey || event.metaKey;
      newTab ? adapter.openInNewTab(href) : adapter.selectFile(href);
    });
}

Proprietary "complete rewrite"

From octotree.zip/src/content.js (both formatted with Prettier for easier comparison):

_showHeader() {
  const e = this._adapter,
    t = e.getRepo();
  this.$view
    .find(".octotree-view-header")
    .html(
      `<div class="octotree-header-summary">
        <div class="octotree-header-repo">
        <i class="octotree-icon-repo"></i>
        <a href="/${t.username}">${t.username}</a> /
      <a data-pjax href="/${t.username}/${t.reponame}">${t.reponame}</a>
      </div>
      <div class="octotree-header-branch">
      <i class="octotree-icon-branch"></i>
      ${I((t.displayBranch || t.branch).toString())}
      </div>
      </div>`
    )
    .on("click", "a[data-pjax]", function (t) {
      t.preventDefault();
      const i = $(this).attr("href");
      t.shiftKey || t.ctrlKey || t.metaKey ? L(i) : e.selectFile(i);
    });
}
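
Added example (not part of the original post and not Octotree code): one way to put the comparison above on a measurable footing. Minifiers rename local variables, but property names and string literals normally survive, so the code compares only those. The two inputs are shortened from the snippets quoted above (the `.html(...)` template is omitted), the unrelated snippet is constructed, and `stableTokens`, `lcsLength`, `similarity` and `onlyIn` are hypothetical names.

```javascript
// Shortened from the AGPL snippet quoted above (template body omitted).
const ORIGINAL = `
_showHeader(repo) {
  const adapter = this.adapter;
  this.$view
    .find(".octotree-view-header")
    .on("click", "a[data-pjax]", function (event) {
      event.preventDefault();
      // A.href always return absolute URL, don't want that
      const href = $(this).attr("href");
      const newTab = event.shiftKey || event.ctrlKey || event.metaKey;
      newTab ? adapter.openInNewTab(href) : adapter.selectFile(href);
    });
}`;

// Shortened from the bundled snippet quoted above (template body omitted).
const BUNDLED = `
_showHeader() {
  const e = this._adapter, t = e.getRepo();
  this.$view
    .find(".octotree-view-header")
    .on("click", "a[data-pjax]", function (t) {
      t.preventDefault();
      const i = $(this).attr("href");
      t.shiftKey || t.ctrlKey || t.metaKey ? L(i) : e.selectFile(i);
    });
}`;

// Constructed control sample that shares no ancestry with the two above.
const UNRELATED = `
render(items) {
  const list = document.createElement("ul");
  items.forEach(function (item) {
    const li = document.createElement("li");
    li.textContent = item.name;
    list.appendChild(li);
  });
  return list;
}`;

// Comments, string literals, identifiers, numbers, spread, then any other character.
// Regex literals in the input are not recognised; that is acceptable for a screening pass.
const TOKEN =
  /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|\.{3}|\S/g;

// Keep only what a minifier normally cannot rename: string contents and
// property names that follow a dot. Local variable names are ignored.
function stableTokens(source) {
  const out = [];
  let prev = "";
  for (const [tok] of source.matchAll(TOKEN)) {
    if (tok.startsWith("//") || tok.startsWith("/*")) continue; // stripped from bundles
    if (tok.length >= 2 && /^["'`]/.test(tok)) {
      out.push("str:" + tok.slice(1, -1)); // quote style may change, content does not
    } else if (prev === "." && /^[A-Za-z_$]/.test(tok)) {
      out.push("prop:" + tok);
    }
    prev = tok;
  }
  return out;
}

// Length of the longest common subsequence, so ordering counts as well as membership.
function lcsLength(a, b) {
  let prevRow = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    const row = [0];
    for (let j = 1; j <= b.length; j++) {
      row[j] = a[i - 1] === b[j - 1]
        ? prevRow[j - 1] + 1
        : Math.max(prevRow[j], row[j - 1]);
    }
    prevRow = row;
  }
  return prevRow[b.length];
}

// 0 means no shared structure, 1 means identical stable-token sequences.
function similarity(srcA, srcB) {
  const a = stableTokens(srcA);
  const b = stableTokens(srcB);
  if (a.length + b.length === 0) return 0;
  return (2 * lcsLength(a, b)) / (a.length + b.length);
}

// Stable tokens present in srcA but absent from srcB: the places where the code diverged.
function onlyIn(srcA, srcB) {
  const inB = new Set(stableTokens(srcB));
  return [...new Set(stableTokens(srcA).filter((t) => !inB.has(t)))];
}

console.log("original vs bundled :", similarity(ORIGINAL, BUNDLED).toFixed(2));
console.log("original vs control :", similarity(ORIGINAL, UNRELATED).toFixed(2));
console.log("only in original    :", onlyIn(ORIGINAL, BUNDLED));
console.log("only in bundled     :", onlyIn(BUNDLED, ORIGINAL));
```

A high score flags a function pair for manual side-by-side review; the `onlyIn` output shows where the two versions actually differ.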

buunguyen commented 3 years ago

Once you have linked with AGPL'd code and shipped software with it, you are required to release the source code under the terms of the AGPL. You can't un-ship the software. You are required to release the code.

This is insane. Now you're just making things up.

ddevault commented 3 years ago

This is insane. Now you're just making things up.

You should read the licenses you use.

Section 5:

You may convey a work based on the Program, or the modifications to produce it from the Program [...] provided that you also meet all of these conditions:[...]

  • c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

Section 6:

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source.

zacanger commented 3 years ago

This is insane. Now you're just making things up.

I would recommend you read the license that you chose to use. GitHub sums it up pretty well.

Permissions of this strongest copyleft license are conditioned on making available complete source code of licensed works and modifications, which include larger works using a licensed work, under the same license. Copyright and license notices must be preserved. Contributors provide an express grant of patent rights. When a modified version is used to provide a service over a network, the complete source code of the modified version must be made available.

j1elo commented 3 years ago

@fabianhjr

The complaint was mainly about injury to contributors that didn't consent to their code being relicensed and removing it, rewriting it, or acquiring consent would be enough to address that legal/copyright concern.

Does that work retroactively? I think what @ddevault says is that all users who have received octotree during all this time are actually entitled to access of the source code under AGPL terms. This is after all the whole purpose of GPL licenses being contagious: even if it is 0.1% of code being AGPL, it makes the whole project AGPL. And license can be changed since the point where the copyright is owned, but not retroactively (but IANAL)

buunguyen commented 3 years ago

You should read the licenses you use.

I was talking about your claim that we "linked or shipped with AGPL code". That is not true. My response was here. (Not to mention, I am the copyright holder to said AGPL code, not some random AGPL code. But that is beside the point.)

ddevault commented 3 years ago

If you were the sole copyright holder, then yes, but you aren't. You are, as you said, the owner of "99.9%" (a figure you made up). Several cases where code was included that you do not hold the copyright to were presented, and as such you have created a derivative work of AGPL licensed code and you are obligated to release the source code.

Cut the crap, @buunguyen. You need to release this code and you know it.

Again, anyone who wants to sue this jerk has got my full financial backing to do so.

Lattyware commented 3 years ago

The reality is this comes down to law, and that is never simple. (And I am not a lawyer.)

As I understand it, @ddevault's reading of the license is absolutely correct. You only had a license to use that code under the terms the contributors gave it, which was that you licensed any derivative work under the AGPL.

That said, the reality is one of those contributors would have to take @buunguyen to court over this, and I sincerely doubt a court would actually think that licensing over the whole rewrite would be justified from a very small amount of misused code. The damages simply are not great enough. (But to be clear: who the hell knows? My understanding is that these things essentially always get settled and no one really knows how it would go down in a court. This is my speculation and opinion.)

Agreeing to remove the code they can't re-licence (or get a licensing agreement with the authors) seems like a reasonable way to settle the issue, to me at least, but fundamentally it comes down to the parties who are involved.

I would suggest to @ddevault and others that I do not believe @buunguyen was aiming to profit off other people's work here. The reality is he wrote the vast majority of the program, and while it is true he was in the wrong by using other people's contributions in the way he did, I think it is a little unreasonable to act like he was aiming to profiteer from other's work. I suspect the reality is a poor understanding of the legality of licensing and genuine mistakes. I understand, given the terrible response, why people see him as a bad faith actor, but devolving further into this won't solve the problem.

zacanger commented 3 years ago

I was talking about your claim that we "linked or shipped with AGPL code". That is not true. My response was here. (Not to mention, I am the copyright holder to said AGPL code, not some random AGPL code. But that is beside the point.)

As I understand it, everyone who contributed to the project who didn't expressly give you their copyright is a copyright holder to portions of the AGPL code. Like you've said, you're the author of almost all of it, but not 100%. The fact that you didn't clearly understand how the license works when you chose to use it doesn't change the fact that you used it and people contributed under that license.

ddevault commented 3 years ago

The entire purpose of the AGPL is to prevent this kind of abuse. Sucks that you didn't consider your future change of heart.

kordless commented 3 years ago

Everyone who contributed to the project who didn't expressly give you their copyright is a copyright holder to portions of the AGPL code. Like you've said, you're the author of almost all of it, but not 100%. The fact that you didn't clearly understand how the license works when you chose to use it doesn't change the fact that you used it and people contributed under that license.

And I assume that there is still nobody who meets those conditions having this conversation with the author AND anyone here still yacking at him on this ticket isn't willing to do the discovery work for the project itself.

zacanger commented 3 years ago

And I assume that there is still nobody who meets those conditions having this conversation with the author AND anyone here still yacking at him on this ticket isn't willing to do the discovery work for the project itself.

I meet those conditions, as do a couple other people in this thread. We're not all just here because we're bored :smile:. I already said they can have the rights to the one-line fix I contributed, but that doesn't mean the other contributors made the same agreement. And even if they do, that wouldn't change the fact that not releasing the pro-version code under the same license is a violation of the license.

buunguyen commented 3 years ago

Now that some people start losing their head and resorting to threats and name calling, I will stop engaging with them because we all know how fruitful such conversation would be.

Bottom line is I'll follow up with the remaining action mentioned in this post by reviewing the source to address any piece that is indeed proprietary, i.e. not written by me or my team and not obvious, like adding a string to the whitelist of reserved repositories etc. I don't expect to see many of these, but we'll get to the bottom of it. The AGPL license was added back to the open-source repo, as advised by some of the folks here.

Thanks everyone for your inputs. I really appreciate those who have been constructive and giving me advice, especially the people who actually took the time to view things from my perspectives.

Ever since Octotree had a paid plan, I have stood up to a lot of hateful comments and threats directed at me from people who expected me to continue laboring myself for free, especially after I had done exactly so for over 4 years. I just did a quick search and the phrases "f you" and "ahole" appear in more than a dozen of these comments. This kind of behavior has made me very allergic to people who appear to make demands of me (or open-source maintainers in general). As can be seen in this thread and the linked HN thread, some people were quick in making threats and calling names based on assumptions of bad faith. I sincerely apologize if I appear dismissive in some of the comments, but I do hope people understand why it's hard to keep cool at times.

buunguyen commented 3 years ago

@zacanger can you point me to the commit you made? I'll check to see if it's in the closed source version and resolve it. Thank you.

ddevault commented 3 years ago

Since @buunguyen is deaf to it, I'll just re-iterate that you are entitled to the full source code of the paid version, under the terms of the AGPL, and I will pay the legal fees necessary to get it for any contributor whose code is included in the paid version. You don't have to settle for "we'll refactor your code out". Just send me an email: sir@cmpwn.com.

zacanger commented 3 years ago

@buunguyen I said it before but I'll state it formally:

I (Zac Anger) grant you (Buu Nguyen) copyright to the code I've contributed to the repo https://github.com/ovity/octotree/ (https://github.com/ovity/octotree/commit/5c16b62f6e36fef1b8b249a217d28bc4316f80c6). Meaning you don't need to do anything about that line, it's yours.

But like I said above, that's only good for my commit, I can't speak for other developers. The correct thing to do according to the license you picked would be to release the code of the paid version, and I hope you consider it.

I don't want to be involved in a legal fight over it, but if someone who has contributed more than 11 characters feels that it's necessary they should get in touch with Drew. And in case you're still not really clear on why that would be the right thing to do, Google's policy on AGPL code might help explain it:

The primary risk presented by AGPL is that any product or service that depends on AGPL-licensed code, or includes anything copied or derived from AGPL-licensed code, may be subject to the virality of the AGPL license. This viral effect requires that the complete corresponding source code of the product or service be released to the world under the AGPL license. This is triggered if the product or service can be accessed over a remote network interface, so it does not even require that the product or service is actually distributed.

saagarjha commented 3 years ago

@ddevault Not a lawyer, nor do I have any horses in this race. But I'm pretty sure your (as a copyright owner, not as a random person on the internet) option under (A)GPL is "I think you are not following the terms of this license. Either follow the license or I will sue you and ask you to pay me damages." Demanding source code is not one of your options–the best you can do is sue the person, and the court makes them stop distributing the code and pay damages for the code they took from you. The "third option" where you ask for source code is not really something that you can force, it's mostly an agreement of "if you comply with the license we can forget this whole thing". While this is the ideal and expected goal, it is by no means required by the license–the intention is just that if you are making this request the threat of litigation for the specific things I just mentioned and desire to preserve your public image is enough to get you to publish code. If @buunguyen takes out the AGPL contributions that have not been relicensed (which seems like what is happening here) the most you can do is find one of the contributors and have them sue for some amount of money, not demand that source code is released.

buunguyen commented 3 years ago

@zacanger thanks a bunch. Appreciate that.

BTW, this 1-line change is exactly what I meant when saying this:

reviewing the source to address any piece that is indeed proprietary, i.e. not written by me or my team and not obvious, like adding a string to the whitelist of reserved repositories etc

I wonder what to do if people refuse to grant the permission to changes like this? I mean, I do appreciate people took the time to send a PR instead of just reporting the bug which anyone could fix easily. But I think the idea that we could be potentially held hostage to changes that are obvious, minor and I'm not even sure copyrightable is weird. Again, not to dismiss the effort of Zac Anger or any other contributor, just want to learn something.

jamesluke commented 3 years ago

If someone wanted to provide PRO features not under AGPL I imagine it would have been perfectly legal to create "pro" features which come in the form of javascript "packages/modules" that are written, published, and licensed separate from the "core" work, yes?

Possibly. Though even if two pieces of code are technically separate, they can be linked together or depend on each other in such a way that they effectively form a single piece of software for licensing reasons. AFAIK, putting plug-ins in different modules would certainly be necessary, but not in itself sufficient.

@buunguyen: I know it is a burden, but you may wish to get in contact with a lawyer. (Or if the expense is too great, surely there is a fellow familiar with the (A)GPL who could give you a base of understanding.) I think it is unlikely any copyright holder will actually sue for the source assuming you act in a reasonable way, but it is possible. You and your team are responsible for writing virtually all the code, but legal consequences that hinge on the technical reading of contracts do not always follow from what feels obvious or "right". It would be good to do this now, as future statements on your part may inadvertently harm your legal case. (For example, your comment: "If we didn't rewrite certain lines made by contributors it was because we couldn't think of any other way to do it." could be spun to play terribly in court.)

@ddevault: I love your work and respect you tremendously, but that post is a bit hostile. @buunguyen initially appeared unreasonable and almost paranoid for his tone of persecution, but he has cooled off and is clearly trying to understand. I know that you do not feel he has addressed your argument (and I agree that you may have a strong one), but differences of opinion and legal understanding can be expressed in a more dispassionate way. After all, this is an early stage, and may ultimately be due to nothing more than a misunderstanding which (once identified) can be solved to the complete satisfaction of all parties.

@saagarjha: I believe @ddevault was speaking specifically to those who hold copyright, not to anyone who downloaded the software. (I had to re-read it as it's easy to overlook, but the comment does specify "for any contributor whose code is included".)

morotti commented 3 years ago

I'd say these 22 commits are potentially copyrightable out of the 702 commits.

Plus a lot of changes from Ephemera, too many to list. Guess he/she is part of the project?

Would be nice to know who was part of the development team?

  • christianbundy/octotree@bb77ca4 Steven Noto 31/12/2019
  • christianbundy/octotree@0530bf6 Jacob Dreesen 30/12/2019
  • christianbundy/octotree@15f0adc Samvel Abrahamyan 23/02/2019
  • christianbundy/octotree@445bbd1 GyuYong Jung 16/01/2018
  • christianbundy/octotree@c3ad03d Kevin Conaway 20/10/2017
  • christianbundy/octotree@f9bb5b7 Will Simons 29/08/2017
  • christianbundy/octotree@3b56842 GyuYong Jung 18/07/2017
  • christianbundy/octotree@770e1e1 Xiao Tan 16/05/2017
  • christianbundy/octotree@2b63178 Pia Mancini 15/03/2017
  • christianbundy/octotree@4bc8570 Dima Merkurev 10/03/2017
  • christianbundy/octotree@f2812bf Philipp Meier 07/01/2016
  • christianbundy/octotree@88a3e8a MonwF 22/01/2015
  • christianbundy/octotree@58af96b Zaven Muradyan 04/10/2014
  • christianbundy/octotree@f642811 Jerry Wang 18/05/2014
  • christianbundy/octotree@ad3e344 Le Tung Lam 18/05/2014
  • christianbundy/octotree@d3f59a8 Jerry Wang 17/05/2014
  • christianbundy/octotree@1e8e4ef alexanderbeletsky 16/05/2014
  • christianbundy/octotree@78312e9 Mike Anderson 14/05/2014
  • christianbundy/octotree@248ecdd Luegg 14/05/2014
  • christianbundy/octotree@c2be04b Le Tung Lam 11/05/2014
  • christianbundy/octotree@6914246 Lam Le 10/05/2014
  • christianbundy/octotree@8ead059 Lam Le 10/05/2014

edit: got the links working

randy408 commented 3 years ago

@ddevault Do you know what you're getting into? The third party contributions by lines of code don't even add up to 2%. If Mozilla's lawyers decided control over 95% of the source code is enough for relicensing then there is no case to be made here.

@buunguyen I recommend getting a lawyer to look over this, it appears that no one here is entitled to anything by virtue of being a 0.1% contributor. Also you have to be more careful about the third-party libraries that were previously credited, you have to include their license texts somewhere. It is important to know what rights you have to the code and when to ignore people like @christianbundy who spend all their life on GitHub and try to bait you with legal arguments.

I would also look into what options you have in terms of recouping damages, Hacker News took this guy's premise and ran with it, that thread's a mess and it's gonna be around forever.

ngphi commented 3 years ago

This thread is heartbroken for people who largely contributed the hard-works into this project due to legal bindings.

I’m Phi Nguyen who grants Buu Nguyen copyright to all the code that I contributed into The Octotree repo.

sodatea commented 3 years ago

@morotti the license was changed from MIT to AGPL on March 2, 2016. https://github.com/ovity/octotree/commit/83e3578a9ae9f7d313dfe4c0606c11ab04d50151

I'm not a lawyer, but does this mean commits made before that date are fine to be closed sourced? If so, then only these 10 commits matter:

  • bb77ca4 Steven Noto 31/12/2019
  • 0530bf6 Jacob Dreesen 30/12/2019
  • 15f0adc Samvel Abrahamyan 23/02/2019
  • 445bbd1 GyuYong Jung 16/01/2018
  • c3ad03d Kevin Conaway 20/10/2017
  • f9bb5b7 Will Simons 29/08/2017
  • 3b56842 GyuYong Jung 18/07/2017
  • 770e1e1 Xiao Tan 16/05/2017
  • 2b63178 Pia Mancini 15/03/2017
  • 4bc8570 Dima Merkurev 10/03/2017

endyquang commented 3 years ago

Hi, I'm a member of the Octotree core team here. 2nd biggest LOCs. @sodatea Thank you for filtering out the commits. After going through each of those 10 commits. Let's do another filter based on the number of "violated" LOCs

  • bb77ca4 Steven Noto 31/12/2019
  • 0530bf6 Jacob Dreesen 30/12/2019
  • c3ad03d Kevin Conaway 20/10/2017

  • f9bb5b7 Will Simons 29/08/2017

And there might be a bit more if we keep looking and looking and filtering. In fact we're working on it right now and trying to fix it so this won't happen again. And we appreciate any help in finding these.

endyquang commented 3 years ago

I’m busy now and can’t continue today. So far, I haven’t found any problem in our code. I will continue to check commits to make sure we don’t miss any

christianbundy commented 3 years ago

Hi @endyquang.

  1. Could you explain how you're counting "violated LOCs"? For example, you call https://github.com/christianbundy/octotree/commit/0530bf6 1-5 LOCs but the diff shows 48 additions and 22 deletions across two files. I haven't looked at any of the others you've linked.
  2. In one of the first comments in this thread I pointed out that commit (https://github.com/christianbundy/octotree/issues/1#issuecomment-719980414), but it still hasn't been addressed. Could you confirm that the closed-source product is a derivative of the AGPL-licensed contribution?
  3. This started because @buunguyen claimed to be exempt from the AGPL because the closed-source product was a "complete rewrite", and therefore deleted my comments proving otherwise. Could you confirm that the closed-source product is the result of iterative changes to the AGPL-licensed project (not a clean room design)?

endyquang commented 3 years ago

Hi @christianbundy

  1. I should put 0530bf6 in the second group. As I said earlier, I haven't found any problem.
  2. Isn't it clear that the code is different? What info do you want me to give?
  3. I'm not sure why you asked the question twice but the closed source project is not the same at all. It has completely different architecture and all code was rewritten from ground up plus what we think originated from our team’s work

letunglam commented 3 years ago

@morotti I'm Lam Le (and Le Tung Lam), owner of 4 commits in your list. I don't know how much of my code is still in Octotree because it was a very long time ago, but if there is still any, I grant @buunguyen the permission to do anything he wants with it.

@buunguyen:

On the contrary, during the 4+ years I created and maintained Octotree completely free and open-source, I couldn't recall 3 people who personally thanked me for my work

Thank you for your work. I've been using Octotree almost every day for the last 6 years and I can't appreciate it enough.

christianbundy commented 3 years ago

@endyquang You aren't answering my questions. I'll try asking one question at a time and provide the possible answers.

endyquang commented 3 years ago

@christianbundy is this a job interview 😂? Look, I answered your questions very clearly. You may have a lot of time, I don't have.

ddevault commented 3 years ago

There's evidence to the contrary. Stop lying through your teeth.

bigredwill commented 3 years ago

I would also like to release any claim I have to the contributions I made to this project. Octotree gave me a place to make a first open source contribution and the product itself has made me more productive working on code.

I really appreciate @buunguyen ’s commitment to making this project work. I won’t pretend to understand the licensing issues, but I hope this can be resolved in an easy way. @buunguyen best of luck and thank you for all your work!!

eligrey commented 3 years ago

Buu Nguyen blocked me on GitHub (preventing native forking) last year when I suggested that I would fork Octotree to restore previously-free functionality that he has since started charging for.

It's time to wake up and leave @buunguyen's branch in the dust. We could maintain a new community fork together without his toxicity.

zacanger commented 3 years ago

@eligrey I got one started at https://github.com/zacanger/octotree. So far I got dependencies up to date and cleaned up some code a bit, and my plan is to move it to a GitHub Org (see https://github.com/zacanger/octotree/issues/8).

randy408 commented 3 years ago

  1. This started because @buunguyen claimed to be exempt from the AGPL because the closed-source product was a "complete rewrite", and therefore deleted my comments proving otherwise. Could you confirm that the closed-source product is the result of iterative changes to the AGPL-licensed project (not a clean room design)?

You started a witch hunt on a project you had no stake in, you have no idea what constitutes a significant copyright interest, octotree has less than 5% third-party code, actual contributors are showing up claiming no interest in any of this, making this even less relevant.

There are numerous cases where relicensing happens with 90-95% coverage, it is well known that you don't need 100% of the code approved for a license change.

You and @ddevault are missing the forest for the trees, he has every right to make it proprietary, thus whether it's a rewrite or not is irrelevant and frankly, none of your business.

ddevault commented 3 years ago

He has no such right. It's laid out plain and clear in the goddamn license.

buunguyen commented 3 years ago

@eligrey was blocked because he called us, quote, "greedy rent-seeking maintainers." After he was blocked, he went on Twitter posting a conspiracy about me stalking his GitHub and secretly deleting his fork (don't ask me how 🤷‍♂️). He also hijacked conversations about Octotree on Twitter to post defamation stuff. When some people objected to his tweets, he deleted them, changing his tone to thanking my open-source contribution (!), just to later post more defamations in other conversations. That went on for several days. When I finally had enough and sent him an email questioning the bizarre behaviors, he apologized for "the language" and said he already deleted the "incorrect tweets" (talking about understatement). Hopefully, those tweets still exist in some internet archives (between ~4/13/2019-4/17/2019). I still have the emails though.

Yesterday, I said this:

Ever since Octotree had a paid plan, I have stood up to a lot of hateful comments and threats directed at me from people who expected me to continue laboring myself for free, especially after I had done exactly so for over 4 years. I just did a quick search and the phrases "f you" and "ahole" appear in more than a dozen of these comments. This kind of behavior has made me very allergic to people who appear to make demands of me (or open-source maintainers in general).

I was thinking of people like Eli when posting that comment. I'm not one to publicly shame people and I would have never specifically called out Eli, or anyone who has harassed me, if he didn't show up today, piling on the attack and telling people about my "toxicity". If I have indeed grown to become toxic in dealing with certain behaviors, it was partly because of people like Eli.

ddevault commented 3 years ago

Maybe you shouldn't be a greedy rent-seeker, @buunguyen.

Remember not to be distracted by this nonsense that @buunguyen is posting. You have a right to the source code of the paid version, and @buunguyen is obligated to release it under the AGPL.

Lattyware commented 3 years ago

@ddevault Then take this to a court of law and prove it. Frankly, you are being ridiculous here, and refusing to accept a perfectly reasonable resolution to this problem in order to demand something entirely unreasonable. I am very much a proponent of the rights of those who contributed code under the AGPL, but you are taking this to an extreme.

@buunguyen got this particular part wrong, undoubtedly, but "greedy rent-seeking" is an insane way to characterise making a commercial product largely from code he wrote and previously released for free, and failing to correctly handle a few pieces of contributed code.

ddevault commented 3 years ago

It's entirely reasonable - in fact, it's the whole point of the GPL family of licenses. It's a promise to your contributors and to your users, and a defense against exactly the kind of behavior @buunguyen is pulling.

WE ARE ENTITLED TO THE CODE.

Yes, I will happily prove it in a court of law. I've offered (and will repeat my offer) to pay the legal fees for any contributors who were slighted by @buunguyen's "greedy rent-seeking" bullshit.

Edwingate8 commented 3 years ago

@buunguyen I hope you can secure the other contributor's permission to relicense the code. It doesn't seem like they are the problem. These do-nothing code SJW's who stick their nose in other people's business are. Though it is unfortunate that you didn't put more thought into the license you used.

eligrey commented 3 years ago

@buunguyen You did delete my fork. Read the GitHub policy on blocking users. Blocking a user deletes their forks of your repos.

This anti-open-source 'feature' is a shortcoming on GitHub's part, and I don't blame you for not being aware of it the first time. I do blame you for not educating yourself after this happened.

ddevault commented 3 years ago

"I have received a lot of hate and angry emails"

Clearly it is the haters who are wrong - myself, of course, being above reproach.

max-hk commented 3 years ago

@Lattyware He has a point. According to opensource.guide, which is maintained by GitHub,

Your project’s existing copyright holders. If you’re the sole contributor to your project then either you or your company is the project’s sole copyright holder. You can add or change to whatever license you or your company wants to. Otherwise there may be other copyright holders that you need agreement from in order to change licenses.

https://opensource.guide/legal/#what-if-i-want-to-change-the-license-of-my-project

If @buunguyen redistributes code which is written and copyrighted by other maintainers, then he must license his code under AGPL too, at least for the version he did release to Chrome Web Store.

License agreement's restriction applies to both sides, original author and the public.

Lattyware commented 3 years ago

> @Lattyware He has a point. According to opensource.guide, which is maintained by GitHub,
>
> > Your project’s existing copyright holders. If you’re the sole contributor to your project then either you or your company is the project’s sole copyright holder. You can add or change to whatever license you or your company wants to. Otherwise there may be other copyright holders that you need agreement from in order to change licenses. https://opensource.guide/legal/#what-if-i-want-to-change-the-license-of-my-project
>
> If @buunguyen redistributes code which is written and copyrighted by other maintainers, then he must license his code in AGPL too.
>
> License agreement's restrictions work on both sides, original author and the public.

I'm not sure why you responded to me with that, I have said exactly that above. However, you are missing the important point that he can also obtain licenses from the people who wrote the code, or remove that code—either way, the AGPL is no longer relevant.

While it is true he was in violation by releasing a version containing the AGPL code, the reality is that would have to be enforced, and if you can find precedent for someone being forced to open source a much larger code base for such small violations, then I'd be surprised. These cases are almost always settled, and in this case, no one with standing is even looking to pursue the matter, the few that have shown up have given him a license.

Fundamentally the harmed party is the copyright owner, not the public. You can disagree with it, but that's fundamentally how these licenses legally work.

Personally, while I fully support the AGPL licence and license my own code under it (you can see higher up in this thread that I very much went to bat pursuing this) and believe there is a moral argument as well as a legal argument to be made, I don't believe that the use of the license to try and gotcha large codebases from tiny portions of AGPL code is morally justified, so long as the infringement is dealt with in a reasonable form.

christianbundy commented 3 years ago

Thread summary

christianbundy commented 3 years ago

> so long as the infringement is dealt with in a reasonable form.

@Lattyware Absolutely, but the Octotree team is doing the exact opposite of dealing with the infringement in a reasonable form. All they have to do:

  1. Admit it
  2. Fix it
  3. Move on

They're stuck on step 1, and apparently think that if they say "complete rewrite" enough times that everyone will believe them. It's maddening, and honestly feels like trying to argue with a starfish.

Lattyware commented 3 years ago

> > so long as the infringement is dealt with in a reasonable form.
>
> @Lattyware Absolutely, but the Octotree team is doing the exact opposite of dealing with the infringement in a reasonable form. All they have to do:
>
> 1. Admit it
> 2. Fix it
> 3. Move on
>
> They're stuck on step 1, and apparently think that if they say "complete rewrite" enough times that everyone will believe them. It's maddening, and honestly feels like trying to argue with a starfish.

This is flatly untrue, earlier in this thread they committed to contacting contributors and asking for licensing or removing the offending segments of code, which I think is a very reasonable resolution to the issue given the situation (and, I would note, the only outcome I could imagine being likely from legal action, if—as seems unlikely at this point—anyone actually wanted to pursue that).

I said earlier that I thought your argument was in good faith at the start of this, and I would hope that is true and you just missed this in the admittedly busy thread, but your summary is just misleading and confrontational given the response.

ddevault commented 3 years ago

It would be more accurate to say that they've admitted it (that'll be useful in court, thanks!), but then tried to worm their way out of their legal obligation to release the source code as a consequence.

christianbundy commented 3 years ago

You're right, I didn't realize they admitted that their closed-source fork was a derivative and that their "complete rewrite" thing wasn't true. That's very useful, but I'm still concerned about this:

> Bottom line is I'll follow up with the remaining action mentioned in this post by reviewing the source to address any piece that is indeed proprietary, i.e. not written by me or my team and not obvious, like adding a string to the whitelist of reserved repositories etc.

But if you click the link, you'll see this:

> That said, we'll trace through the code and if there are pieces we believe weren't rewritten, we'll either ask the original author to re-assign the license, remove it, or find a way to rewrite it.

This demonstrates a fundamental misunderstanding of what we're talking about: derivatives.

The closed-source fork of Octotree is not a clean-room implementation, it's a derivative of the open source project, and unless they convince every contributor to give up their rights then they'll need to share the source code of their fork. Instead of trying to comply with the license, the Octotree team is trying to disenfranchise its contributors, but their preferred method doesn't even work. The whole point of the AGPL is that most code is inspired by (and derived from) previous code, and therefore it's intentionally difficult to dissolve the rights of the people who have contributed to your project.

Their options:

Unfortunately "refactor all of the obvious AGPL violations so it's harder to notice" is not an option here.

max-hk commented 3 years ago

@christianbundy I don't think "Perform a clean room implementation of the project with zero shared provenance." is an option. They already have derivative works released to the Chrome Web Store, which, in theory, should fall under AGPL unless they convince all contributors to give up their rights.

Any new versions without AGPL licensed code from outsiders could be proprietary though.