Octotree censorship / AGPL violation

[christianbundy]

Since @buunguyen has decided to suppress this conversation via censorship, I thought I'd move the discussion here.

• Previous discussion -- https://github.com/ovity/octotree/issues/1040
• Archive (with deleted evidence) -- https://web.archive.org/web/20201031182128/https://github.com/ovity/octotree/issues/1040

Thread summary

This thread is long, I've summarized it for folks who are just now tuning in.

EDIT: This thread has devolved into uninformed opinions by drive-by commenters. I've already explained all of the basics multiple times throughout the thread, and honestly don't have the energy to engage with people who can't be bothered to read what others have already written. I have unsubscribed to this thread.

TL;DR

Contributions to the Octotree project were licensed under the AGPL, which requires that all improvements are also published under the AGPL. Octotree is now closed-source, and @buunguyen is claiming that it's a "complete rewrite", but I've looked at the proprietary bundle (octotree.zip`) and it doesn't look like a rewrite to me.

Example

AGPL

From src/view.tree.js:

_showHeader(repo) {
  const adapter = this.adapter;

  this.$view
    .find(".octotree-view-header")
    .html(
      `<div class="octotree-header-summary">
        <div class="octotree-header-repo">
        <i class="octotree-icon-repo"></i>
        <a href="/${repo.username}">${repo.username}</a> /
        <a data-pjax href="/${repo.username}/${repo.reponame}">${
        repo.reponame
      }</a>
        </div>
        <div class="octotree-header-branch">
        <i class="octotree-icon-branch"></i>
        ${deXss((repo.displayBranch || repo.branch).toString())}
        </div>
        </div>`
    )
    .on("click", "a[data-pjax]", function (event) {
      event.preventDefault();
      // A.href always return absolute URL, don't want that
      const href = $(this).attr("href");
      const newTab = event.shiftKey || event.ctrlKey || event.metaKey;
      newTab ? adapter.openInNewTab(href) : adapter.selectFile(href);
    });
}

Proprietary "complete rewrite"

From octotree.zip/src/content.js (both formatted with Prettier for easier comparison):

_showHeader() {
  const e = this._adapter,
    t = e.getRepo();
  this.$view
    .find(".octotree-view-header")
    .html(
      `<div class="octotree-header-summary">
        <div class="octotree-header-repo">
        <i class="octotree-icon-repo"></i>
        <a href="/${t.username}">${t.username}</a> /
      <a data-pjax href="/${t.username}/${t.reponame}">${t.reponame}</a>
      </div>
      <div class="octotree-header-branch">
      <i class="octotree-icon-branch"></i>
      ${I((t.displayBranch || t.branch).toString())}
      </div>
      </div>`
    )
    .on("click", "a[data-pjax]", function (t) {
      t.preventDefault();
      const i = $(this).attr("href");
      t.shiftKey || t.ctrlKey || t.metaKey ? L(i) : e.selectFile(i);
    });
}

[quannt]

Not a lawyer, but isn't the source code of the Pro version already provided to the end-user publicly. That's sort of how Javascript works, you guys know it, right? When you download the browser extension, you download the source code too, it's right here.

This whole drama started because @christianbundy was able to look at the source code of the Pro version, inspected it, and saw some similarities in the _showHeader. If the Pro version is really closed source, there would be no case. It's right here in his issue

Octotree is now closed-source, and @buunguyen is claiming that it's a "complete rewrite", but I've looked at the proprietary bundle (octotree.zip`) and it doesn't look like a rewrite to me.

Imagine how this would go in a court

• They must release the source of the Pro version because there are similarities between the Pro version and the free one.
• How do you know there are similarities between them?
• Because I was able to look at the Pro source code and the free source code to inspect and ...
• Then what are you suing them for

[judge2020]

Then what are you suing them for

Given that some code currently in the distributed closed-source version was indeed contributed by someone not working for them and thus hasn't re-licensed it (or assigned it) to a different license, the agpl applies.

From the AGPL:

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section > 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

Given that there isn't notice about AGPL code being in the release, and no copy of the AGPL, it is in violation of the licenses of other contributors' code.

[reanimus]

Not a lawyer, but isn't the source code of the Pro version already provided to the end-user publicly. That's sort of how Javascript works, you guys know it, right? When you download the browser extension, you download the source code too, it's right here.

Unless they're shipping unminified, I don't think you can call the shipped JS "the source".

[quannt]

@reanimus That's very much debatable and up to the court to decide, no? To me, it is the source code, unminified or not. Are we really starting a witchhunt because a guy ships his JS code minified? Doesn't it seem ridiculous to you?

The fact that @christianbundy was able to point out the similarities between the two versions of the method _showHeader clearly shows that the minified version of the source code is in fact the source code.

[reanimus]

@reanimus That's very much debatable and up to the court to decide, no? To me, it is the source code, unminified or not. Are we really starting a witchhunt because a guy ships his JS code minified? Doesn't it seem ridiculous to you?

The fact that @christianbundy was able to point out the similarities between the two versions of the method _showHeader clearly shows that the minified version of the source code is in fact the source code.

It's not debatable, it's pretty well established. You're obligated to distribute the source you edit.

https://softwareengineering.stackexchange.com/questions/62885/must-source-code-released-under-gpl-be-human-readable

Directly from the AGPL:

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

[quannt]

@reanimus Again, "the preferred form of the work for making modifications" is subjective, what's "preferred form" anyway, preferred by whom?

And then the story becomes

Are we really starting a witchhunt because a guy ships his JS code minified? Doesn't it seem ridiculous to you?

I'm all for open-sourcing and free software, but this is getting blown way out of proportion.

[reanimus]

@reanimus Again, "the preferred form of the work for making modifications" is subjective, what's "preferred form" anyway, preferred by whom?

And then the story becomes

Are we really starting a witchhunt because a guy ships his JS code minified? Doesn't it seem ridiculous to you?

I'm all for open-sourcing and free software, but this is getting blown way out of proportion.

With AGPLv1 you (might) have an argument, but not v3 (which is based on GPLv3).

From https://copyleft.org/guide/monolithic/

First, GPLv3 §1 retains GPLv2’s definition of “source code” and adds an explicit definition of “object code” as “any non-source version of a work”. Object code is not restricted to a narrow technical meaning and is understood broadly to include any form of the work other than the preferred form for making modifications to it. Object code therefore includes any kind of transformed version of source code, such as bytecode or minified Javascript. The definition of object code also ensures that licensees cannot escape their obligations under the GPL by resorting to shrouded source or obfuscated programming.

[hyiltiz]

I am astonished to see so many developers out there who just sticks a license file into their source directory without either reading the full license body (GPL is pretty readable and not one of those legalese) or even some dummy summary of the license somewhere (e.g. Github shows some bullet points).

For anyone who'd like to make up for this missing homework, at least read up parts of AGPL that mentions obfuscated, derivative and release.

[christianbundy]

For anyone who'd like to make up for this missing homework, at least read up parts of AGPL that mentions 'obfuscated', 'derivative' and 'release'.

Small nit-pick: I couldn't find any of those words in the AGPL 3.0. These are the closest definitions that I could find:

• Obfuscated → Object code
• Derivative → Modified version
• Release → Propagate

---

EDIT: Oh, maybe you meant https://copyleft.org/guide/monolithic/?

[buunguyen]

Hi, everyone. Thanks for voicing your opinions. I've just posted this in the Octotree forum to clear up some misunderstandings and have a dialog with Octotree contributors. Octotree contributors and I will discuss to address any concern and see how we can keep Octotree continue being a useful tool.

[hyiltiz]

Cannot seem to be able to participate in that discussion in any way, because while you closed this issue [0], you also blocked me from your "organization". I am sure many others here also were "not invited to the party".

[0] https://github.com/ovity/octotree/issues/1041

[crashbell]

@hyiltiz I think he made it clear:

Octotree contributors and I will discuss to address any concern and see how we can keep Octotree continue being a useful tool."

"blocked" seems to be a misleading word in this context. That thread would be a discussion between contributors and @buunguyen

[christianbundy]

@crashbell:

To be clear, I (and others who have tried asking questions) are blocked from Octotree repository and Ovity organization. That issue might be contributor-specific, but that doesn't mean that @buunguyen hasn't blocked us and deleted our comments.

---

@buunguyen:

I will spare you from most of the details but the last few days have been some of the worst days of my life.

It shouldn't have to be said, I'd like to condemn any harassment you've experienced. You should be obligated to fulfill the terms of your license agreement and face the consequences of censorship/etc, but that doesn't require name-calling or harassment.

I hope you can take some time to prioritize yourself and your family, and then I'd ask you to reconsider your stance on this issue. I think the right thing to do is follow the agreement and publish your closed-source fork under the AGPL.

When we wanted to reuse some legacy code, we reused those we believed were ours (or under MIT license) and rewrote others. It's worth noting that current and former Octotree team members (Buu Nguyen, NDQ/endyquang, Phi/nphi, Fahme, An/crashbell, Danh, duylam) own the vast majority of code in the open-source version. Coupled with the rewrite, it's unlikely AGPL code from non-team members exists without having been rewritten.

Again, I want to highlight that the "rewritten" code is still licensed under the AGPL if it was ever mixed with or derived from AGPL'd code. If your "rewrite" has any shared history with non-trivial AGPL code, it's a derivative. The point of the AGPL is to prevent closed-sourced forks like yours, and I'm disappointed that you're still trying to avoid the terms of the agreement that you have with contributors.

Copyleft is a viral, so any changes that touch AGPL code are bound under the AGPL themselves. Any changes to that code is bound under the AGPL, and so on. Unless you've been very careful to avoid touching any AGPL code anywhere, I'd imagine that most of your codebase has been 'contaminated' by the APGL -- which is exactly what the license is designed to do.

Again, I'd highlight that the best option is to share the source of your paid product under the AGPL, at least with people who download it (your don't have to put it on GitHub). This solves the problem, highlights that Octotree is committed to the principles of open source software, and [most importantly] is the right thing to do.

[haiphucnguyen]

@christianbundy

If your "rewrite" has any shared history with non-trivial AGPL code, it's a derivative

If you have time, please read the copyleft https://copyleft.org/guide/monolithic/#x1-300004 especially sections 6 and 7. I do think you misunderstand what is the derivative means. I can extract the source from the above link that does matter

• Likewise, the similarity between the organizational charts of the two programs was not substantial enough to support a finding of infringement because they were too simple and obvious to contain any original expression.

To answer the problem if you replace a simple method add(int a, int b) with another method sum(int x, int y) does not support this case. I will claim @buunguyen violates the license if he just decorates his code for an advanced algorithm from a source code of the AGPL license.

@buunguyen also tried to solve any issue with the contributors of the project, which the license requires he needs to get the grant permission from contributors. Let them solve by themselves. From the license terms from the above official document, the claim of derivative for your sample is not convincible.

For your reference, you can read these threads and also read my above link

• https://softwareengineering.stackexchange.com/questions/148317/what-do-i-need-to-do-to-not-steal-hello-world-code-with-a-gpl-license

• https://opensource.stackexchange.com/questions/1421/how-is-oracle-suing-google-for-copyright-infringement-when-java-is-open-source

I'd like to say instead of claiming, and act as a magistrate. Let @buunguyen and his contributors do their jobs, and let them keep maintain and improve that good software to the community. Is that your main purpose?

[christianbundy]

Likewise, the similarity between the organizational charts of the two programs was not substantial enough to support a finding of infringement because they were too simple and obvious to contain any original expression.

What does this mean? Org charts? You're writing as if your opinion was backed by a court or something. I'm confused at both your tone and the content of your message.

@buunguyen also tried to solve any issue with the contributors of the project

No, they tried to claim that they weren't infringing and censored any discussion that provided contradicting evidence. They're now trying to avoid complying with the license agreement by asking for consent from contributors, but that's because they want to circumvent the agreement rather than follow it.

For your reference, you can read these threads and also read my above link

Did you read your links? It literally says "first, Google never 'forked Java' for Android", which is exactly what we're talking about here. @buunguyen forked a project that was published under the AGPL and is now refusing to comply with the terms of the AGPL because they think their derivative has enough changes that it's a "complete rewrite". That's not how derivatives work. Every time you make a change, your change is covered under the AGPL. If they want to have a closed-source project then they need to do what Google did: create a clean-room implementation with similar behavior and zero shared provenance.

[haiphucnguyen]

They're now trying to avoid complying with the license agreement by asking for consent from contributors

Huh? Where do they say that in their post? Show me.

No, they tried to claim that they weren't infringing and censored any discussion that provided contradicting evidence.

Their post explains the reason your comments were deleted. And infringement how? Did you read the part they said they did rewrite and willing to let Octotree contributors look at their code to prove it? Did we read the same post or what? I talk about this post

I see a pattern here @christianbundy, you make some guess then talk about it like it is fact. You are like that from the beginning when you insisted they use code on master with little changes and now you insisted they avoid complying, they infringe, they try to get around compliance, must do clean room blah blah.

Someone here said earlier you didn't act in good faith. I now see that is exactly true. You posted here, you posted on hacker news, you tagged a lot of people, keep add flame to the thread, ignore constructive comments from other people. Why are you working so hard to cancel this guy? Because he hurt your feeling by deleting your comments? Because you didn't get the source code you wanted?

[christianbundy]

Please answer my questions before throwing a barrage of questions at me. I'm trying to be polite so I'll answer, but I'm really not interested in hashing this out repeatedly with drive-by commenters.

Huh? Where do they say that in their post? Show me.

Please read the thread. Remember to click 'show 55 hidden comments' because GitHub truncates long discussions. I've repeatedly clarified that claiming "rewrite" doesn't solve the problem, so they want to ask contributors to give up their rights and re-assign the license: https://github.com/christianbundy/octotree/issues/1#issuecomment-720002568

Their post explains the reason your comments were deleted.

Yes, exactly: "Had I responded to that instead of throwing a tantrum, this whole ordeal probably wouldn't have happened."

And infringement how?

Read the AGPL.

Did you read the part they said they did rewrite and willing to let Octotree contributors look at their code to prove it?

Yes, I've taken the liberty to read the subject we're discussing. I would respectfully request that you do the same. I've already proven that there's AGPL code in their fork, which they've admitted to, and an offer to see more infringement after signing an NDA really doesn't contradict that evidence.

My best guess is that they're usually nice people who actually just misunderstand how the AGPL works. They probably think that their fork is fine because they've made lots of improvements to the point that it's hard to recognize the infringement. The problem is that the point of the AGPL is to capture these types of improvements and prevent a closed-source fork. I've tried to talk this over with them repeatedly, but when you bring up the facts they delete your comments and accuse you of spam or trolling.

You are like that from the beginning when you insisted they use code on master with little changes and now you insisted they avoid complying, they infringe, they try to get around compliance, must do clean room blah blah.

Yes, this is called "staying on-topic". It's not as fun as the alternative, but it's generally preferred when facts and evidence are on your side.

If you'd like to contribute something useful to this thread, feel free, but I won't be replying to any more drive-by comments from folks who can't be bothered to read the discussion they're commenting on.

[haiphucnguyen]

Updated: another thing @christianbundy, stop making the demand. Let the actual contributors speak their own mind [1][2][3]

1: https://github.com/ovity/octotree/issues/1046 2: https://github.com/christianbundy/octotree/issues/1#issuecomment-720122388 3: https://github.com/christianbundy/octotree/issues/1#issuecomment-720096191

[christianbundy]

@haiphucnguyen

I asked you to please actually read the thread and your response is now "shut up". Cool.

Look, if you don't want to hear what I have to say I'd recommend spending more time in the Octotree repo, where I'm banned. It's unbelievably silly to join a conversation that I started and then complain that I'm part of the discussion. Also, you're doing the exact thing that you're arguing against: advocating for other people. It's just that we're advocating for different people for different reasons:

• Me -- Octotree should not violate the rights of its contributors, because they agreed to the AGPL.
• You -- Nobody should talk about the rights of contributors or how Octotree is violating them, because ???.

It's clear that you only want a one-way conversation where you can avoid reading or addressing the points that other people make. I'd like to respectfully challenge you to do better in conversations with other people, but my personal budget for this kind of behavior is spent. I won't be replying to any similar comments. Cheers.

[haiphucnguyen]

@christianbundy

Me -- Octotree should not violate the rights of its contributors, because they agreed to the AGPL. You -- Nobody should talk about the rights of contributors or how Octotree is violating them, because ???.

This is an example of a one-way conversation when you assume my reasons without reading carefully my point. I don't want to waste my energy to argue because every new conversation, you lead people to go in a new direction. I sympathize with @buunguyen because just like him I have my own paid job, and working on open source is a hobby. I iterate my points from the first post.

You claim @buunguyen to violate the AGPL rule here, and according to me, it is not convinced if you read this post about the copyleft. I read your comments about the derivative but please interpret the derivative from the legal terms not the word of mouth or you assume that it is. If you can find another example that @buunguyen and his team get from the AGPL code a complex function or a complex algorithm (like I stated clearly in my post) then I am at your side.

The similar of such a simple API (and I don't spend time to verify whether @buunguyen get from AGPL code), and I give you a discussion of other voices when we talk about the derivative. So I don't think your example convince me @buunguyen violates the AGPL terms. I respect you have different ideas, but I hope you get my points precisely. It is Octotree does not violate the rights of its contributors

You or anyone have the right to talk to the rights of contributors, and I also have that right. @buunguyen stated that contributors can review his commercial code, and clarify whether he gets their codes. Octotree product belongs to the right of its contributors, who wrote the codes and they know the Octotree architect, codebase so if they assess whether @buunguyen do the derivative works make more sense to me. I did write a project that lasts 6-7 years with a very long history, I am going to look into the real code, review the code carefully to detect any infringement, not only a simple API. From my perspective, the contributors have more knowledge about the Octotree to give their assessment rather than give an output of simple API and claim the entire product. Does it make sense?

You can fight the right to contributors and the open-source community if you think so, but I do believe in who understands the Octotree architect, API, and worked with @buunguyen and evaluate whether @buunguyen steal their works. If you have the skills to review the code that you are not familiar with, then you can review the code because they are javascript and prove whether they use the same architect just changes a little bit from API, naming conventions, etc then again I am on your side. What you claim them about derivative or clean-room does not make sense to me, and I wonder who agree with you about the AGPL actually read the AGPL terms, or know the difference between the MIT, BSD, and Apache v2, that means some of the open-source licenses without searching Google. If @buunguyen has the intention to make a commercial in Octotree, the license he should choose is Apache v2 (not MIT originally then AGPL). So when I read the Octotree license history, I sympathize with him and I do believe he just had a plan to commercialize the product recently to keep the product alive because he is busy with his current job.

I am using the Octotree free edition, and I don't have a plan to pay their team. I don't think they can earn money more than their time and effort. When they don't violate the AGPL (until you give more convincible evidence), let encourage and help them if you think they make mistake (per your opinion). That toxic action just kills the emotion of people when they want to contribute to the open-source community.

I will be back if you give clearer evidence of how @buunguyen got the AGPL code, with the arguments against the terms here https://copyleft.org/guide/monolithic/#x1-300004. I will be on your side if you do so. Otherwise, I mute from now because I don't want to talk to the wall if we don't have the same page on legal terms, an open and constructive mindset. Thanks and bye-bye.

[haiphucnguyen]

@christianbundy

I give you some more examples. Regarding the derivative or claiming, @buunguyen got the AGPL code, and you didn't understand my original point well:

• I write a simple Hello world program, and I license my code is AGPL (I am the first people to grant a hello world program the GPL license). You click and view my program, so from now on please not write any Hello world program because you get my idea. Does it make sense?

• If you want to replace a simple method sum(a,b) because it belongs to the GPL code, then do you rewrite this method to

  public int sumTwoNumbers(int a, int b) {
  int c = a - b;
  int d = c + b;
  return d + b; // to return the a + b
  }

  Do you think people claim this code is appropriate?

• If you found me to get the algorithm to encode the video in h264 format from ffmpeg (which has GPL license), even I change the number of parameters but the ideas of the encoding byte stream the same as the original code. If I am an experienced engineer then I can do so, so do I violate the GPL license?

According to me, in example 3 I violate the GPL license, and experience expert engineers can assess that I violate the GPL license. Hope that helps

[13rac1]

Trying to avoid wading into the rest of this as I am not a Octotree contributor, but care deeply about licensing and the GPL. I write libraries and applications with GPL, AGPL, MIT, or Apache licensing depending on use case. I hope to clarify the licensing questions.

I wonder who agree with you about the AGPL actually read the AGPL terms, or know the difference between the MIT, BSD, and Apache v2, that means some of the open-source licenses without searching Google

I have read these licenses. I know the differences without a Google search. You violate the AGPL/GPL license if you copy a single line of code into a closed source or MIT/BSD/Apache licensed application. It is best to not look at GPL/AGPL/LGPL code if you are writing a closed source application.

I write a simple Hello world program, and I license my code is AGPL (I am the first people to grant a hello world program the GPL license). You click and view my program, so from now on please not write any Hello world program because you get my idea. Does it make sense?

Only the code is covered under the GPL/AGPL. It is only a license violation if I copy the code. Your license does not cover every application which outputs the text Hello World.

If you want to replace a simple method sum(a,b) because it belongs to the GPL code, then do you rewrite this method to [code] Do you think people claim this code is appropriate?

It is already too late if you are in this situation. Do not look at the GPL code. See https://en.wikipedia.org/wiki/Clean_room_design

If you found me to get the algorithm to encode the video in h264 format from ffmpeg (which has GPL license), even I change the number of parameters but the ideas of the encoding byte stream the same as the original code. If I am an experienced engineer then I can do so, so do I violate the GPL license?

Yes, it is a GPL violation. Don't do it.

[hyiltiz]

For anyone interested, here is a AGPL compliant fork: https://github.com/treepanel/treepanel