natf17 / shopify-embedded-app

Enables any web app using Spring Security to operate as a Shopify embedded app.

Contact Information for Notice of License Issue #14

Open cynthiaio opened 9 months ago

cynthiaio commented 9 months ago

Hello,

We apologize for contacting you here, however, we are unable to find author contact.

Our company was delivered your code by a vendor who plagiarized it.

Please contact us at your earliest convenience.

cynthia@cynthia.io

Thank you.

cynthiaio commented 8 months ago

Hello @natf17,

We trust you're well. We wanted to shed light on a rather concerning matter.

Our company Cynthia.io Inc. had engaged Overdose Digital for the development of a specific software project. During this engagement, it came to our attention that significant portions of the code delivered to us had been directly lifted from your repository here on GitHub, without adherence to the licensing terms, and more importantly, without any proper attribution.

We were deeply dismayed to discover this, especially given the fact that Overdose Digital subsequently charged us for what they claimed was original work. When we confronted them about this and asked for clarifications, the narrative provided was less than satisfactory. This entire episode has raised serious questions about ethics and professionalism, and we felt it necessary to reach out and inform you, given it's your intellectual property in question.

The specific commit we're talking about is hash 8bd800dd2d5cb54880b12a9f42443ee06f7953e8. It appears to have copied content verbatim from the security folder of this repository.

While we understand and respect the open-source nature of the Apache license under which you've released your code, it is evident that Overdose Digital did not adhere to the stipulations of that license, especially when it comes to appropriate attribution and ensuring derivative works also honor the same license.

You might want to be aware of such misuses of your work, especially if others in the industry are also using your repository as a 'shortcut' while bypassing the ethical and legal obligations of open-source contributions.

We value and deeply respect the open-source community's efforts, and we believe in giving credit where credit is due. We apologize for the inadvertent involvement in this unfortunate incident and want to assure you that we are taking steps to address this from our end.

Thank you for your understanding, and we'd appreciate any insights or thoughts you might have on this matter.

commit 8bd800dd2d5cb54880b12a9f42443ee06f7953e8
Author: Overdose Digital (PII redacted)
Date: Wed Jun 28 23:32:44 2023 -0300

SHOP-103 working on implement oauth flow using Spring Security

pom.xml
src/main/java/io/cynthia/shopify/connector/Main.java
src/main/java/io/cynthia/shopify/connector/controllers/InstallController.java
src/main/java/io/cynthia/shopify/connector/security/authentication/CipherPassword.java
src/main/java/io/cynthia/shopify/connector/security/authentication/ShopifyInstallAuthenticationStrategy.java
src/main/java/io/cynthia/shopify/connector/security/authentication/ShopifyOriginToken.java
src/main/java/io/cynthia/shopify/connector/security/configuration/JdbcConfig.java
src/main/java/io/cynthia/shopify/connector/security/configuration/SecurityBeansConfig.java
src/main/java/io/cynthia/shopify/connector/security/configuration/ShopifyPaths.java
src/main/java/io/cynthia/shopify/connector/security/configuration/ShopifySecurityConfiguration.java
src/main/java/io/cynthia/shopify/connector/security/configurer/ShopifySecurityConfigurer.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/HttpSecurityBuilderConfigurerDelegate.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/ShopifyChannelSecurity.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/ShopifyCsrf.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/ShopifyHeaders.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/ShopifyLogout.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/ShopifyOAuth2.java
src/main/java/io/cynthia/shopify/connector/security/configurer/delegates/package-info.java
src/main/java/io/cynthia/shopify/connector/security/converter/ShopifyOAuth2AccessTokenResponseConverter.java
src/main/java/io/cynthia/shopify/connector/security/filters/DefaultAuthenticationFailureFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/DefaultAuthorizationRedirectPathFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/DefaultInstallFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/DefaultLoginEndpointFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/DefaultUserInfoFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/ShopifyExistingTokenFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/ShopifyOriginFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/UninstallFilter.java
src/main/java/io/cynthia/shopify/connector/security/filters/package-info.java
src/main/java/io/cynthia/shopify/connector/security/repository/PersistedStoreUtility.java
src/main/java/io/cynthia/shopify/connector/security/repository/ShopifyStoreRepository.java
src/main/java/io/cynthia/shopify/connector/security/repository/Store.java
src/main/java/io/cynthia/shopify/connector/security/repository/StoreRepository.java
src/main/java/io/cynthia/shopify/connector/security/service/DecryptedTokenAndSalt.java
src/main/java/io/cynthia/shopify/connector/security/service/DefaultShopifyUserService.java
src/main/java/io/cynthia/shopify/connector/security/service/EncryptedTokenAndSalt.java
src/main/java/io/cynthia/shopify/connector/security/service/ShopifyBeansUtils.java
src/main/java/io/cynthia/shopify/connector/security/service/ShopifyOAuth2AuthorizedClientService.java
src/main/java/io/cynthia/shopify/connector/security/service/ShopifyStore.java
src/main/java/io/cynthia/shopify/connector/security/service/TokenService.java
src/main/java/io/cynthia/shopify/connector/security/service/package-info.java
src/main/java/io/cynthia/shopify/connector/security/web/AuthorizationSuccessPageStrategy.java
src/main/java/io/cynthia/shopify/connector/security/web/ForwardAuthorizationSuccessPageStrategy.java
src/main/java/io/cynthia/shopify/connector/security/web/GenerateDefaultAuthorizationPageStrategy.java
src/main/java/io/cynthia/shopify/connector/security/web/NoRedirectSuccessHandler.java
src/main/java/io/cynthia/shopify/connector/security/web/ShopifyAuthorizationCodeTokenResponseClient.java
src/main/java/io/cynthia/shopify/connector/security/web/ShopifyHttpSessionOAuth2AuthorizationRequestRepository.java
src/main/java/io/cynthia/shopify/connector/security/web/ShopifyOAuth2AuthorizationRequestResolver.java
src/main/java/io/cynthia/shopify/connector/security/web/ShopifyRedirectStrategy.java

cynthiaio commented 8 months ago

Dear Nathanael,

What has been particularly alarming and is a clear indication of malevolent intent is the approach adopted by Overdose Digital in their handling of your code. Rather than following standard industry practices of merely importing the library, they chose to copy all of it into our repository.

[Screenshot 2023-10-11 at 1:16:15 PM]

This move is not just an oversight but a deliberate action. This choice—instead of a straightforward library import, which would realistically account for perhaps $10 worth of time—resulted in us being billed a staggering $100,000. This act is not only a blatant disregard for coding ethics but also hints at a more profound level of financial deception and exploitation based on someone else's hard work.

We truly value and respect the effort of developers like you in the open-source community, and it's deeply unsettling to witness such misuse of genuine contributions.

cynthiaio commented 7 months ago

Hello Nat17,

I hope this message finds you well. Since we have not received a response from you regarding our previous communication, we wanted to update you on the progression of our case.

We are proceeding with our complaint against Overdose Americas, Inc., which is being filed in the Superior Court of California, Santa Clara, Civil Division. I thought it pertinent to inform you that our complaint extensively references this repository, given its central role in the matter.

Should you have any interest in reviewing our complaint or if you require further information, please do not hesitate to contact us. We are more than willing to provide you with the necessary details.

Furthermore, to assist you and any interested parties in understanding the discovery process we undertook, we have included a screenshot of the directory diff, as viewed in IntelliJ WebStorm. For your convenience, instructions on how to use this feature can be found here: https://www.jetbrains.com/help/webstorm/comparing-files-and-folders.html.

[Image IMG_1812: screenshot of the directory diff]

We appreciate your time and attention to this matter and wish you all the best.

cynthiaio commented 7 months ago

Hello Everyone,

I wanted to reach out to inform you all that we will be closing this issue as we prepare for the upcoming litigation. This step is being taken to streamline our focus and resources towards the legal proceedings.

We understand that this discussion has been an important platform for engagement and information sharing. However, the shift to a legal framework necessitates this closure to ensure proper handling of the case.

For those who have been actively participating or following this issue, please know that your contributions and insights have been invaluable. Should there be any significant updates or outcomes from the litigation that are relevant to this issue, we will endeavor to communicate them appropriately.

Thank you all for your understanding and engagement thus far.

cynthiaio commented 6 months ago

Dear Nat17 and all those following this pivotal development,

I wanted to take a moment to extend my respect and appreciation for the open-source community and its contributors like Nat17, who are often the unsung heroes of the digital world. At Cynthia Systems, we have recently taken a significant step to protect the integrity of this community by initiating legal action against Overdose Americas for their unethical practices, including the plagiarism of open-source code and deceptive billing.

This lawsuit is not just about one instance of infringement but a broader stand against the misuse of open-source material and the importance of upholding ethical standards in the tech industry. The situation we've uncovered, detailed in our latest blog post, highlights a troubling trend where the efforts of genuine creators are overshadowed by those who seek shortcuts at the expense of others' hard work and dedication.

I encourage you, Nat17, and all interested parties to read our blog post, which sheds light on these issues and underscores our commitment to defending the principles of fair use and recognition in software development. Your work and contributions to the open-source community are invaluable, and it's crucial that we collectively ensure such efforts are respected and protected.

For a detailed insight into our stance and the actions we are undertaking, please visit:

https://www.linkedin.com/feed/update/urn:li:activity:7146254211528204288

Thank you for your dedication to the open-source community, and let's continue to support and protect the integrity of our digital ecosystems.

Best regards

natf17 commented 6 months ago

Good evening,

I apologize for being "off the grid". I will look into this matter this week.

Thank you,

Nathan Farciert

On Thu, Dec 28, 2023 at 5:55 PM cynthiaio @.***> wrote:

Reopened #14 https://github.com/natf17/shopify-embedded-app/issues/14.

cynthiaio commented 6 months ago

Dear Nathan Farciert,

Thank you for your response and welcome back to the grid, so to speak. We understand and respect the need to occasionally disconnect, and we appreciate your willingness to engage with us upon your return.

We wanted to inform you that we have made a Google Drive publicly available, which contains pertinent documents regarding our ongoing legal case. This includes our Complaint and Supplemental Declaration. We invite you to peruse these documents at your convenience. Please be assured that there is no pressure or rush, and no immediate action is required on your part.

If you have any feedback, questions, or need further clarification, please feel free to reach out to us here or directly to the founder and plaintiff, whose contact details can be found within the Complaint.

For your information, our case has been filed and is set for a hearing in the Superior Court of California, Santa Clara, Civil Division, presided over by the Honorable Judge Amber S. Rosen. We extend an open invitation for you to attend the hearing, should you wish to do so. The hearing details, including the stamped information, can be accessed via the following link:

https://drive.google.com/drive/folders/1ZH3vFS-WYkL-yS9Q_loRXSTw9Q-hQNha?usp=sharing

We want to emphasize that our stance in this legal matter is not only to address the damages we have suffered at the hands of Overdose Americas, but also to champion and defend the integrity of your work and your commendable decision to open-source it under the Apache License 2.0. Your approach to open-sourcing has been admirable, and it has inspired our own choices in software development, leading us to adopt Spring controllers over servlet filters after our experience.

Thank you once again for your time and consideration. We look forward to any input you might have and remain committed to upholding the values of open-source development and fair practice.

Warm regards

cynthiaio commented 6 months ago

Dear Nat17,

I hope this message finds you well. We have made available the evidence related to our ongoing litigation in a Google Drive folder for ease of access and transparency. Here is the direct link to the evidence file:

EVIDENCE.tar.gz

The MD5 hash for this file is: 11dbd60caa632c8f919a928457469a23

Should you wish to confirm the authenticity of this evidence, you can verify it using the provided MD5 hash. In particular, we draw your attention to EXHIBIT I, starting on page 117 of the Complaint, which details the precise removal of your authorship information. Your optional confirmation of this evidence would be greatly appreciated, though there is no obligation to do so.

We appreciate your attention to this matter and look forward to any feedback or questions you may have.

Best regards.