Misrepresenting Open Source for Business Benefit
Important Note: This post is written without legal knowledge or expert understanding of open-source licenses, and is my own interpretation/speculation of scenarios and licenses. I mean no ill intent to any companies or people written about in this article. These are likely scenarios of misunderstandings or personal interpretations.
As I've spent more time working on, and looking at, open source projects and communities, I've started to notice cases where open source appears to be treated as a marketing strategy rather than with an appreciation of what open source actually means. With the seemingly growing number of mixed-license repos and the growing use of source-available/fair-use licenses, as projects attempt to protect their SaaS offerings, the landscape is getting harder to navigate and there's added confusion in this space. A prominent example is n8n, who described themselves as an Open Source project until called out by Drew DeVault. Yet there remain many references to n8n being open source, and subsequently many people who believe it is.
For this post I want to dive a little into three different scenarios I've come across in the last year where licenses have potentially been misinterpreted, or misrepresented, in ways that could appear to serve their parent business's goals.
AGPLv3 means no private repos
This started from a Reddit post in which the user announced they were "making their latest project open-source". I noticed the repo stated the following:
This repository is licensed under AGPLv3. To comply with AGPLv3, if cloning into a private repository, please acquire a commercial license
I provided some feedback, including a query about this, and they noted they were using the license structure of the cal.com project as guidance.
Looking into the cal.com repo, I first noticed there's a closed-source portion, requiring a paid commercial license for "production" use, mixed in to support their enterprise offerings. That seems fair enough, especially as the closed license covering that portion does not seem to "trap" people by being breached simply upon cloning or downloading. Then, looking in the readme, I see this in the development setup instructions:
- Clone the repo into a public GitHub repository (to comply with AGPLv3. To clone in a private repository, acquire a commercial license)
Ah, so that seems to be where the original repo got this idea. I am definitely no legal expert but, as far as I can tell, the AGPLv3 would in no way limit someone from cloning to a private repository. What is even meant by "private repository"? To me that could mean a clone to my PC, or a fork to a private GitHub account.
I jumped into the cal.com Slack chat and questioned this in their development channel, and promptly started a discussion with a project co-founder. The full discussion can be seen here. From the conversation I gathered their understanding to be that a fork/clone to a private GitHub repo would be prevented by the (AGPLv3) license, but a clone to a private folder is fine, and also that I cannot distribute in private.
This surprised me, since this is the product of a company that has recently raised $25M of funding and, if my understanding of AGPLv3 is correct (again, not a lawyer), then they have quite a distorted idea of the licensing for their product.
LGPLv2.1 so advertise our company like this
Now for a more nuanced scenario. This is in reference to the TinyMCE project, a project I use and love and have much respect for in regards to the efforts involved. In addition, they've since changed to the MIT license and made their licensing requirements clearer.
So TinyMCE was licensed under the LGPLv2.1. No issues with that; it was amazing that the code was open, but the wording around branding was something I found a bit confusing. They have a page for the attribution requirements, which can be seen in its June 2021 state here. The bit I found confusing was as follows:
As per clause 6 of the LGPL 2.1, users using TinyMCE under the LGPL are required to give prominent notice that TinyMCE is in use. We recommend including attribution as described below.
To me this is a little cheeky: quoting the LGPL section directly, then providing their own interpretation. Clause 6 of the LGPLv2.1 is quite long, but the sentence I believe most closely matches this requirement is as follows:
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License.
Without being a lawyer, at least, that could be interpreted quite differently from their suggestion of "prominent notice that TinyMCE is in use" with an example of an always-visible website link. My original interpretation was that "notice" refers to distribution and source code, so I ensured the full license was included in the sources. I later looked to further respect the intent of the license by including full license details within the web interface, where the library was used, although I did not implement this as an always-visible website link in the interface as their wording suggested.
I don't think I was the only one finding this hard to understand, as this StackExchange post shows. One post there states that, after contacting TinyMCE for clarification, they responded: "It is mandatory to show the branding when using the open source version of Tiny and would require a commercial contract to remove it."
MIT but not any more, so pay me
For this one I'm not going to name the project or author, since I want to focus on the scenario, not the people, and I only have a single-sided, second-hand account. This, once again, started from a Reddit post. It was a long account posted by a developer, but a heavily summarised version of the scenario is as follows:
- {Developer} forks an MIT-licensed repo from {Project} to learn from.
- {Developer} later updates their fork but finds it gets overwritten, because the original {Project} repo has since been updated (via force push) to contain only some doc files.
- This was because {Project} has since been made into a proprietary/paid-for/closed-source project.
- {Developer} finds an alternative (non-destroyed) fork and updates their copy from that.
- {Project Maintainer} contacts {Developer} on Twitter and asks if they are interested in purchasing a subscription for the paid product. {Developer} responds no.
- Thus starts a long conversation of {Project Maintainer} pressuring {Developer} to pay for their work, apparently saying things like "This is not a sales pitch, it's you undermining me. How many hours do you think I spent on R&D and testing on that version and this version of {Project}?"
- {Project Maintainer} also reportedly states: "{Project} had been deliberately revoked, as my intellectual property, I'm at liberty to do that. I wasn't aware that you found a way to circumvent and deliberately undermine the actions taken to remove the deprecated version of {Project} from the internet."
- The conversation ended with {Project Maintainer} pressuring {Developer} to delete the code, which {Developer} did.
The Reddit post was detailed, with the names and project redacted, but they were discoverable with some GitHub snooping. I responded that it was fair if the maintainer wants to move to a paid-for model, but they can't revoke previously published MIT code in this way. Soon the Reddit post was deleted though, so I contacted the {Developer} directly. It appeared that {Project Maintainer} had been made aware of the post and had further threatened {Developer}, demanding they take down the post because it published the chat. The {Developer} genuinely seemed scared about the whole thing.
We found the latest intact version of the MIT-licensed repo, and I created a local copy and a detached copy on GitHub for them to use as required.
Again, I only have the {Developer}'s account of this, but actions taken by the {Project} and other tweets observed at the time gave me additional confidence in the story. I really hate this kind of thing; this is essentially bullying by {Project Maintainer} over their own choices and misconceptions. This one plays in my head a lot, since I often see {Project Maintainer} held up as an ambassador of Open Source.
This post was discussed on Hacker News here and Reddit here.