> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.
Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".
If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!
If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.
If you use a permissive licence, then a rug pull is part of the deal.
> my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA.
Just to clarify, this depends upon the exact CLA you sign. Canonical's CLA (CCLA) [1] for example, contains this clause in Section 2.3 Outbound license:
> We may license the Contribution under any licence, including copyleft, permissive, commercial, or proprietary licences. As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the licence or licences which We are using for the Material on the Submission Date.
This means that they promise to release your contribution under the original license as well. Or in other words, they won't relicense the old contributions retroactively. There may be other CLAs that don't make this promise. It's generally a good idea to read and understand what you are signing up for. (Applicable for any agreements, not just CLAs, since your argument is to avoid them.)
Almost all CLAs let the contributor retain the copyright. (If I understand correctly, copyright transfers are involved only in CAAs.) So that option is also available for you to do whatever you want to do with your contributions. In any case, the actual problem is the breach of an unwritten trust you place in the project owners. Since you generously contributed your work to them and everyone else, you'd expect the same favor in return for the contributions by others in the future. But CLAs leave that open and under the sole control of the project owners, primed for a rug-pull. The only way you'll ever get the benefit of those contributions after a rug-pull is if you collaborate directly with the other contributors - a fork in essence.
> If you don't want a rug pull, you should use a copyleft licence and not sign a CLA
There is an odd and particularly hideous combination of those two - AGPL + CLA. I'm generally a proponent of AGPL. However, I believe that this combination is worse than a permissive license + CLA. Copyleft licenses require you to supply the source code (including your custom modifications) upon request to anyone you distributed the application to. In AGPL, the use of an online service also falls under the definition of 'distribution of application'. So you have to distribute the modifications of the server-side code to anyone who uses your service. I see this as a good thing - because someone else with a lot of resources can't just improve and host your service, denying you the benefit of those improvements. However with a CLA, the project owner (perhaps a company) can host a relicensed version with undisclosed improvements, while you will be forced to reveal your improvements if you try to do the same (since you're using AGPLed code). You wouldn't have the same problem if the source was under a permissive license + CLA.
But here is where it gets particularly egregious. The above problem can also affect software under just a permissive license and no CLA. This is what happened to Incus and LXD. LXD was initially under the Apache license and the linux containers community, in collaboration with Canonical. One fine morning, Canonical just decided to take control of the project, prompting the linux containers community to fork it as Incus. For a while after that, both projects used to borrow code from each other since they had the same license. But then Canonical decided to relicense LXD under AGPLv3 + CLA. This means that it was no longer possible for Incus to borrow code from LXD due to license incompatibility, while Canonical continued to do so under a slightly odd arrangement. You can read about it in detail here: [2]
This open source purism is toxic. Projects have to be sustainable.
Hyperscalers have hoovered up the entire Internet and own the entire mobile device category. We're over here bickering about small developers writing source available / OSS-with-CLA.
If the community cares so damned much, they can take the last open version and maintain it themselves.
Please take all of this negative energy and fight for a breakup of big tech instead.
Yes, it's a pretty weird notion. The only "rug pull" is wrt. ongoing maintenance of the project, but any maintainer may end up abandoning their own project for any reason or no reason at all. This is why essentially all FLOSS licenses have long provided for the right to fork the existing codebase under a new maintainership.
Unless you can sustain a fork, it is a rug pull if you’ve incorporated the software in other projects. Imagine if a non-trivial critical project like OpenSSL had this happen.
Shitty behavior like this is more common with software both OSS and commercial than in the past. Treat any meaningful software engagement like a celebrity marriage.
The biggest issue is that companies which depend on something like OpenSSL do not do enough to sustain it, leaving its maintainers working often uncompensated, for the benefit of people making far more money.
Would it be a rug pull if those maintainers simply burned out and decided "I'm moving onto something else," Leaving the project in limbo, with nobody maintaining it?
Or maybe they really do enjoy working on the project, but it doesn't pay the bills, so they have to look for an alternative way to monetize it, and that way can continue working on it.
My opinion is that unless you genuinely just enjoy working on something and sharing it, you are not obliged to do unpaid labour for the benefit of anyone else. Companies depending on FOSS software should be contributing financially to each and every one of them. This is the real shitty behavior - the expectation these companies have of getting bugfixes and improvements for free.
In the Mongo/Elastic and Amazon cases for example, this is far smaller companies being taking advantage of by a giant. IMO they were right to "rug pull" by relicensing under SSPL. Amazon can easily afford to maintain forks for these projects - but it probably would've been cheaper for them to just contribute financially, and they wouldn't have needed to switch from AGPL. Anyone who works on OpenSearch without compensation is a fool - essentially doing unpaid labour for one of the wealthiest companies on the planet.
Though note that redhat is doing this with all GPL software, but without a CLA.
They retaliate against customers that share source code, and claim that this doesn’t fall under the “without further restrictions” clause in the redistribution of source code phrase in the GPL.
Anyway, rug pulls are apparently possible, even with the GPL, at least until this is taken to court and IBM loses.
> Contributors and maintainers often have less power than even the smaller companies, and users have less power yet.
If contributors/maintainers are not happy with what the small company does, they can fork the project (assuming a liberal license) and continue in their own way. Valkey is a good example (with an interesting twist of license dynamics where Redis can use Valkey code now, but not the other way around).
> We have built a world where it is often easiest to just use whatever a cloud provider offers
And, IMHO, this is the major problem in the dev community these days - we've become lazy and focused on nonsense ("pretty"/unusable UIs, web gymnastics, llm, "productivity" etc.). We didn't have problems in the past to fork or reimplement OSes (various BSD instances), compilers (gcc versions), databases (MariaDB), and so on. There are tons of geniuses around hacking on cool stuff, but, sadly, the loudness of various hipsters and evangelists limits their visibility.
> Those providers may not contribute back to the projects they turn into services, though, upsetting the smaller companies that are,
The significant contribution that these providers (AWS, et al.) make to these projects is often overlooked - free advertisement. If I can remember correctly, ElasticSearch got popular when AWS started to offer it as a service. Additionally, cloud providers usually contribute (by employing core developers, shipping patches or testing) to the kernel, gcc or jdk, from which these small companies benefit significantly. In contrast, they themselves could do none of this.
But it is easier to blame "big scary clouds" than to rethink your business model. Be honest, start closed; no one will touch that and no one will be standing in your way.
Building the software you rely on from source by default is one way to reduce the impact these events have on you and shift the power dynamic. If you're installing binaries/images from a vendor (free or otherwise), transitioning to a fork may be an undertaking and a sweaty risk-assessment.
Switching your existing build-infra to sync sources from a new remote should be a snap.
Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.
This is one of the reasons I like Guix so much: its packaging system treats source builds as the normal case, with binary packages available via caching. So if you go to install a package and there's no cached binary, Guix will happily build it for you on the spot, with bitwise reproducibility if it can. You still get the benefits of prebuilt packages, but you always have that escape hatch.
This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).
Debian has been like this in practice for at least 25 years (when I first switched to it).
The builds weren’t reproducible back then, but never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)
Depends on the actual software licence, many commercial vendors do provide source code, however the licence doesn't allow you to do whatever you feel like with code, even if technically it is possible to do so.
This happens a lot in commercial products where scripting languages are used, for example.
Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.
IMO if you're a technical decision maker, you should ignore fair source/business source stuff with extreme prejudice. These are fundamentally incompatible with the goal of having autonomy for your systems.
Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.
This whole discussion is about FLOSS projects where the right to "do whatever you feel like with code" is well established - even literally so, in the case of purely private/internal changes that are not distributed to or publicly performed for any third party.
These days you just blindsight a project's community by instating a process heavy (you want the technical people to self-opt-out) 'board of governance', then put in place a draconian Orwellian regime in the name of 'safety', revoking project access from all that do not support the coup, or worse, still dare to speak out againt you.
Why do we need to maximize profits? With current technology we shouldn't need to work 8 hours per day, maybe 2-3 hours max to maintain quality of living. Instead we should work to make everyone's life easier, including your own life of course.
This is causing management at the current company to run in circles a bit as well. The company has been fairly adamant about having support contracts for systems, and it has encountered a number of these stunts. Opscode with chef a long time ago, CentOS exit, VMWare, Broadcom has a number of more ugly things available in Tanzu.
And we were either paying these companies (looking at VMWare), or looked for quotes and intending to pay these companies. But suddenly, your configuration management is supposed to cost almost 6 digits per year. Very basic services should suddenly cost a mid-6-digit range per year for a basic suport contract. Sorry but what the fuck? And - again, looking at VMWare - even then we can't really rely on it?
I've been recommending to instead sponsor foundations, or straight up paying maintainers and developers of OSS we use regularly. The giggles when suggesting that have been getting quieter. But I'd rather hire a Proxmox/qemu dev than start paying the next VMWare.
I believe there should be a broader family of terms besides rug pull for when the intentions of vendors and developers change over time to become extractive and negative. No, enshittification is not the right word.
It's not ill intent. The CLA clearly states what the intent is. It says "You give the company permission to relicense your work". The intent is there from the beginning - they want to be able to monetize the work. If you dislike such intent, then you wouldn't sign the CLA.
The concern is if they stop dual-licensing, and future releases don't come under a free license, but they only work on their proprietary relicensed version. You have the option to fork, under the same free license that it was originally under - you just won't get further updates from the company involved. I don't see the problem here: You aren't entitled to those updates just because you made some contributions.
I see what you mean. The original developer can engage
in a practice that blocks coopertation.
By contrast, using some other license, such as the ordinary GPL,
would permitt ANY user of the program to engage in that practice.
In a perverse sense that could seem more fair, but I think it
is also more harmful.
On balance, using the AGPL is better.
Oh stop. When someone gives you free stuff and then changes the terms a little that isn’t a “rug pull” and it’s not “feudalism.” If you contributed a little and voluntarily signed a CLA this is also not a “rug pull.”
The whole reason for these “rug pulls” is abuse of the open source ethos by big companies using it as free labor for SaaS and giving nothing back.
SaaS is more like feudalism than any other software model, yet the open source community seems committed to making sure the SaaS industry can continue its free ride.
Part of why I’d hesitate to ever again make free (as in beer) software is this whole toxic shitty mentality. If I give you a ton of work for free, say thank you. If a bunch of investors fund that, say thank you. This entitlement mentality from a bunch of people with careers that mostly put them in or near the global 1% is gross. It’s not like you people need stuff for free. You ain’t poor.
Why are you trying to distract from the content of the article? I don’t know why her hair color is so triggering for you but she has a couple decades working in open source, multiple relevant degrees, is on the CNCF Contributor Strategy TAG, and is talking about some real issues affecting a lot of projects.
If you can’t get over her physical appearance long enough to engage with the topic, it’s healthier to leave the thread and do something else.
I engaged with the article in another comment and did not want to be redundant so I choose a different aspect of the article to discuss which is about why LWN is focusing on "social issues" in open source and how I do not think it is something valuable for LWN to spend time on and lowers their brand.
Why does her hair color matter to you? Why is open source longevity and viability not on-topic for LWN discussion?
Dr Foster holds a PhD, did her dissertation about the Linux kernel, and has had a respectably long career in technology with a focus on open source and governance. The topic is literally straight in her professional wheelhouse.
It signals the group of people she belongs to which allows me to make a good prediction of her world view. Similar to how after seeing "Since the beginning of history, Foster began, those in power have tended to use it against those who were weaker.", I already knew the type of person who was giving the talk and seeing a picture of her did not surprise me in the least.
>holds a PhD, did her dissertation about the Linux kernel
But it's not about Linix's scheduler, nor it's network stack. It's not technical at all. "Understanding Collaboration in Fluid Organizations, a Proximity Approach" is about looking at collaboration for the development of Linux.
>Why is open source longevity and viability not on-topic for LWN discussion?
Because LWN should focus on the Linux kernel and not about "evil companies" running other projects changing their licenses.
It's nice to see an article that is just interesting. Although trying to model an environment of extreme freedom as 'feudal' is one of the big philosophic mistakes in the current discourse. Although it is easy to establish that the majors are very sticky they're only sticky as long as they do a good job. Groups like AWS or Google are actually pretty vulnerable - the US right wing looked like it was about to build a complete alternative internet for a while there until the management in tech relented and allowed them to speak up in public. Places like AWS had to pull their head in and the spin offs from that like Rumble or Truth Social haven't gone away, they just partially marginalised when the censorship backed off. That isn't how feudal revolts work in my understanding; typically peasants just got squished by better armed, armoured and organised soldier classes.
> they're only sticky as long as they do a good job
> Groups like AWS or Google are actually pretty vulnerable (...) build a complete alternative internet for a while there until the management in tech relented and allowed them to speak up in public
The part of AWS or Google infrastructure necessary to "speak up in public", relative to their total infrastructure, is probably close to the tiniest number you can imagine. I can't see how an alternative web forum or short text message service, even if used and supported by many, could make AWS or Google vulnerable. And as a reminder, the public is not a customer for Google nor AWS.
Or maybe by "the US right wing" you meant a handful of billionaires who would fund an alternative to Google and AWS? That still sounds naive to me. The estimated assets of Google or AWS in datacenters only is somewhere in the hundredth of billions, plus a good fraction of that every year for maintenance. Their current valuation is between $2 and $3 trillion.
Having no exeprience about peasants revolts (yet ;)) I only meant to comment on that part of your message.
Exactly; there are many mechanism in-place that allow us (anybody) to create alternatives if the currently dominant players start to misbehave too much; they just have not
And there are mechanism that restrict you. The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.
Otherwise, im am really wishing for alternative payment processors ... could someone proove me wrong here please.
You worldview is incredibly foreign to me, but I'll try to engage fairly with it.
> the US right wing looked like it was about to build a complete alternative internet for a while there
This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?
> they just partially marginalised when the censorship backed off.
Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?
> That isn't how feudal revolts work in my understanding; typically peasants just got squished by better armed, armoured and organised soldier classes.
I think it's interesting that you posit this as a fight between the "peasants" and the "soliders". I'm assuming, to make sense of your analogy, that the "peasants" in this case is the current president of the united states and Elon Musk. the "soliders" would then be "Jeff Bezos" and "Sundar Pichai"
> This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?
No, the left wing wasn't really involved. It looked from the outside like a pocket of authoritarians settled in the US intelligence services. Given the priorities of the Trump establishment on starting Term 2 when they moved very quickly to gut the US propaganda services I think Trump's people came to a similar view. And the relenting came when it was obvious that the companies involved were going to start suffering commercial consequences. Or, in cases like Twitter, got bought out by prominent right-wing figures.
> Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?
Yeah. It isn't really operating on the same scale as Twitter and it only exists because Twitter felt the obvious way to construe "To all of those who have asked, I will not be going to the Inauguration on January 20th." was as glorification of violence [0]. It's commercial wisdom is unclear.
> I think it's interesting that you posit this as a fight between the "peasants" and the "soliders".
I'm almost positing the opposite, NOT(it is a fight between peasants and soldiers). That is why I think the feudal meme is a mistake - this isn't a situation where the powers that be in the tech world can actually bring consequences down on a class of people. The people have freedom.
[0] It was bizarre. I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.
The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.
Feudalism is formed by birth right privileges, excluding peasants or merit. With a look to present wealth distribution mechanisms (inheritance), its is no far fetch to apply that polarization effect to software infrastructure too, because software isnt really that immaterial.
> Feudalism is formed by birth right privileges, excluding peasants or merit
Lots of systems have that property, including many democracies (the UK political system, for example, is quite democratic yet embraces birthright privilege excluding peasants). It doesn't characterise or get to the important parts of feudalism.
unless you make that privilege about a universal resource like money, which can be translated to political power. You are right, many societies have that feudalism-like problem (social mobility), when you look at it that way, even without a royal family.
I have 0 trouble understanding why Twitter didn't want to be whipping up fury against democracy using their power to do so. Six days before that ban Trump had definitively crossed the line over to full-blown treason with the Reffensperger call. Two days before the ban he sat quietly, waiting and hoping a mob of his supporters whipped up by his verbal diarrhea would sieze power for him, ending democracy. Make no mistake, Twitter did exactly what they had every legal and moral obligation to do.
I’ll just add that the quote in the comment you replied to was one of the least offensive things Trump said during that incident (if he even tweeted that).
The news ran a video of him inciting a riot, etc, etc.
That's fair. You didn't mention the left wing at any point, and I made an assumption.
This is veering quite quickly into unsubstantiated claims of collusion and conspiracy. You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace. It's honestly pretty close to QAnon, which is a huge red flag for me. I can't follow you there, and therefore can't make any substantial arguments for you.
What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces. He tried to get out of the deal, but the establishment forced him to see it through.
> I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.
The announcement twitter made mentions that you have to take those tweets in context of the whole Jan 6. insurrection event. When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump? or do you believe that it was but that the further tweets weren't a further escalation of that conflict?
> The people have freedom.
I understand your argument for that then. I would caution that by saying that your conclusion hinges heavily on whether you believe Donald Trump is actually a popular reformist, or if you believe he is an elitist authoritarian. Your argument is quite close to "This can't be feudalism, the lords wants what's best for us", which is a quite unconvincing argument.
> You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace.
I'm really not, I just read political news from time to time. The Twitter files [0] were front page material for a few weeks, there isn't really any argument about whether the big social media companies are coordinating with US intelligence. They have regular meetings and there is some cross-pollination of employees.
It's hardly traceless, and it is good stuff to keep abreast of.
> What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces.
Again, you seem to be reading more than I'm writing with this one. You asked when the relenting happened, I picked a rough date on the timeline. I don't think it is remotely controversial to say that he's made Twitter more accommodating for voices from the US right wing.
> When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump?
I mean, if we're talking about the ~100 people who turned up armed [1] then I think it would have been easier for Trump to maintain the element of surprise and just hire some goons rather than making whiny statements on Twitter that require a Doctorate of Crazy to detect violent intent. Maybe even arm them all with guns. He is said to be quite wealthy.
It is an interesting open question of how many of those hundred people decided to come armed because he wasn't going to attend the inauguration. Although I have always applauded Trump's ingenious follow-up of not attending said inauguration to make it look like he was serious rather than the modern Machiavellian puppetmaster he actually is.
> The Twitter files [0] were front page material for a few weeks
You're again making vague gesturing towards "coordination" and "regular meetings" in service of justifying claims of "a pocket of authoritarians settled in the US intelligence services". You must know that "regular meetings" don't signal "packet of authoritarians" to anybody but the most diehard conspiracy theorists. Who were these authoritarians? what were they doing? and how were they doing it? The "Twitter Files" holds none of these answers, having been widely reported (according to the Wikipedia page you linked) as being a misrepresentation of normal communication between governmental entities and private companies.
> Again, you seem to be reading more than I'm writing with this one.
I disagree that I'm making any assumption outside of what you've written there, but I'll leave it there.
> I mean, if we're talking about the ~100 people who turned up armed
You're not answering the question. From your tone I can tell your answer is most likely that you don't consider the armed insurrection of the US capitol building connected to Donald Trump. What caused it then? Does Trump have any culpability for letting armed people take part of his march?
>This would seem to imply that the established internet, what we had before this relenting, was somehow left wing.
I would omit the left-wing characterization as a debatable generalization. Perhaps it would be better described as the specificplatforms being opposition partisans, rather than the Internet itself.
> Perhaps it would be better described as the specific platforms being opposition partisans
I'm sympathetic to such an argument, but it does beg the question: Which platforms? The original comments choices of singling out Rumble and Truth Social, would imply that YouTube and Twitter would at least be _among_ those "specific platforms" but neither of those platforms are, at least according to the left, particularly left wing. Both platform have repeatedly been criticized for creating and propagating structures that lead people down what was called "the alt-right pipeline" and has, historically, hosted some of the most active alt-right figureheads.
That's not to say either platform is or was right-wing either. I'm not the one making an argument. Though I'm not convinced they were particularly left-wing or partisan before the creation of Rumble and Truth Social.
Just to be clear, I never said anything about the left wing. I don't think they were involved in that one. Suppressing speech is generally opposed by the leftists.
Just compare X and Blue Sky. There may be some principled leftists who oppose suppressing speech, but in recent times, it has been the left that has been censoring/blocking peoples speech. Another comparison is what is actually censored. Of course there is a certain amount that would be censored by both sides - criticism of power.
It's not possible to rug pull an open-source project by just switching new work to a different license. The real issue with open-source is that we don't live in a utopia where you can publish all of your work for free and still live a quality of life comparable to working at an average developer job. Maintainers come and go. Without sponsorship, the half life on maintainers is going to be relatively short, and more developers are going to be pushed to publishing less permissively.
> Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.
Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".
If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!
If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.
If you use a permissive licence, then a rug pull is part of the deal.
But what about GNU their projects require signing a CLA and I don't think they will do a rug pull
There's also Eclipse Project's CLA and DCO. They are going for 20+ years.
> my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA.
Just to clarify, this depends upon the exact CLA you sign. Canonical's CLA (CCLA) [1] for example, contains this clause in Section 2.3 Outbound license:
> We may license the Contribution under any licence, including copyleft, permissive, commercial, or proprietary licences. As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the licence or licences which We are using for the Material on the Submission Date.
This means that they promise to release your contribution under the original license as well. Or in other words, they won't relicense the old contributions retroactively. There may be other CLAs that don't make this promise. It's generally a good idea to read and understand what you are signing up for. (Applicable for any agreements, not just CLAs, since your argument is to avoid them.)
Almost all CLAs let the contributor retain the copyright. (If I understand correctly, copyright transfers are involved only in CAAs.) So that option is also available for you to do whatever you want to do with your contributions. In any case, the actual problem is the breach of an unwritten trust you place in the project owners. Since you generously contributed your work to them and everyone else, you'd expect the same favor in return for the contributions by others in the future. But CLAs leave that open and under the sole control of the project owners, primed for a rug-pull. The only way you'll ever get the benefit of those contributions after a rug-pull is if you collaborate directly with the other contributors - a fork in essence.
> If you don't want a rug pull, you should use a copyleft licence and not sign a CLA
There is an odd and particularly hideous combination of those two - AGPL + CLA. I'm generally a proponent of AGPL. However, I believe that this combination is worse than a permissive license + CLA. Copyleft licenses require you to supply the source code (including your custom modifications) upon request to anyone you distributed the application to. In AGPL, the use of an online service also falls under the definition of 'distribution of application'. So you have to distribute the modifications of the server-side code to anyone who uses your service. I see this as a good thing - because someone else with a lot of resources can't just improve and host your service, denying you the benefit of those improvements. However with a CLA, the project owner (perhaps a company) can host a relicensed version with undisclosed improvements, while you will be forced to reveal your improvements if you try to do the same (since you're using AGPLed code). You wouldn't have the same problem if the source was under a permissive license + CLA.
But here is where it gets particularly egregious. The above problem can also affect software under just a permissive license and no CLA. This is what happened to Incus and LXD. LXD was initially under the Apache license and the linux containers community, in collaboration with Canonical. One fine morning, Canonical just decided to take control of the project, prompting the linux containers community to fork it as Incus. For a while after that, both projects used to borrow code from each other since they had the same license. But then Canonical decided to relicense LXD under AGPLv3 + CLA. This means that it was no longer possible for Incus to borrow code from LXD due to license incompatibility, while Canonical continued to do so under a slightly odd arrangement. You can read about it in detail here: [2]
[1] https://canonical.com/legal/contributors/agreement?type=indi...
[2] https://stgraber.org/2023/12/12/lxd-now-re-licensed-and-unde...
> If you use a permissive licence, then a rug pull is part of the deal.
True. Yet CLAs do not always give away all rights.
> commonly are subject to rug pulls
This open source purism is toxic. Projects have to be sustainable.
Hyperscalers have hoovered up the entire Internet and own the entire mobile device category. We're over here bickering about small developers writing source available / OSS-with-CLA.
If the community cares so damned much, they can take the last open version and maintain it themselves.
Please take all of this negative energy and fight for a breakup of big tech instead.
And this has always depended on hardware and never really software.
There is no such thing as a rug pull in regards to open source. A GPL copy of your code will exist forever.
Yes, it's a pretty weird notion. The only "rug pull" is wrt. ongoing maintenance of the project, but any maintainer may end up abandoning their own project for any reason or no reason at all. This is why essentially all FLOSS licenses have long provided for the right to fork the existing codebase under a new maintainership.
Unless you can sustain a fork, it is a rug pull if you’ve incorporated the software in other projects. Imagine if a non-trivial critical project like OpenSSL had this happen.
Shitty behavior like this is more common with software both OSS and commercial than in the past. Treat any meaningful software engagement like a celebrity marriage.
The biggest issue is that companies which depend on something like OpenSSL do not do enough to sustain it, leaving its maintainers working often uncompensated, for the benefit of people making far more money.
Would it be a rug pull if those maintainers simply burned out and decided "I'm moving onto something else," Leaving the project in limbo, with nobody maintaining it?
Or maybe they really do enjoy working on the project, but it doesn't pay the bills, so they have to look for an alternative way to monetize it, and that way can continue working on it.
My opinion is that unless you genuinely just enjoy working on something and sharing it, you are not obliged to do unpaid labour for the benefit of anyone else. Companies depending on FOSS software should be contributing financially to each and every one of them. This is the real shitty behavior - the expectation these companies have of getting bugfixes and improvements for free.
In the Mongo/Elastic and Amazon cases for example, this is far smaller companies being taking advantage of by a giant. IMO they were right to "rug pull" by relicensing under SSPL. Amazon can easily afford to maintain forks for these projects - but it probably would've been cheaper for them to just contribute financially, and they wouldn't have needed to switch from AGPL. Anyone who works on OpenSearch without compensation is a fool - essentially doing unpaid labour for one of the wealthiest companies on the planet.
The pull is that a CLA allows someone to circumvent the GPL at some point in the future at their leisure
It's open-washing
Though note that redhat is doing this with all GPL software, but without a CLA.
They retaliate against customers that share source code, and claim that this doesn’t fall under the “without further restrictions” clause in the redistribution of source code phrase in the GPL.
Anyway, rug pulls are apparently possible, even with the GPL, at least until this is taken to court and IBM loses.
How does Rocky Linux continue to get timely updates from upstream?
Do they have to use shells or other subterfuge?
> Contributors and maintainers often have less power than even the smaller companies, and users have less power yet.
If contributors/maintainers are not happy with what the small company does, they can fork the project (assuming a liberal license) and continue in their own way. Valkey is a good example (with an interesting twist of license dynamics where Redis can use Valkey code now, but not the other way around).
> We have built a world where it is often easiest to just use whatever a cloud provider offers
And, IMHO, this is the major problem in the dev community these days - we've become lazy and focused on nonsense ("pretty"/unusable UIs, web gymnastics, llm, "productivity" etc.). We didn't have problems in the past to fork or reimplement OSes (various BSD instances), compilers (gcc versions), databases (MariaDB), and so on. There are tons of geniuses around hacking on cool stuff, but, sadly, the loudness of various hipsters and evangelists limits their visibility.
> Those providers may not contribute back to the projects they turn into services, though, upsetting the smaller companies that are,
The significant contribution that these providers (AWS, et al.) make to these projects is often overlooked - free advertisement. If I can remember correctly, ElasticSearch got popular when AWS started to offer it as a service. Additionally, cloud providers usually contribute (by employing core developers, shipping patches or testing) to the kernel, gcc or jdk, from which these small companies benefit significantly. In contrast, they themselves could do none of this.
But it is easier to blame "big scary clouds" than to rethink your business model. Be honest, start closed; no one will touch that and no one will be standing in your way.
Building the software you rely on from source by default is one way to reduce the impact these events have on you and shift the power dynamic. If you're installing binaries/images from a vendor (free or otherwise), transitioning to a fork may be an undertaking and a sweaty risk-assessment.
Switching your existing build-infra to sync sources from a new remote should be a snap.
Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.
This is one of the reasons I like Guix so much: its packaging system treats source builds as the normal case, with binary packages available via caching. So if you go to install a package and there's no cached binary, Guix will happily build it for you on the spot, with bitwise reproducibility if it can. You still get the benefits of prebuilt packages, but you always have that escape hatch.
This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).
Debian has been like this in practice for at least 25 years (when I first switched to it).
The builds weren’t reproducible back then, but never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)
Not sure why this is getting down votes but I agree. Also building from source doesn't have to be hard (see sqlite).
> Not sure why this is getting down votes
Guessing unrelated to the comment itself, prolly got a minor downvote army on my back after a different recent comment on Gaza matters.
Downvotes are just a noisy signal in general and I wouldn't read that much into a few here and there, it comes with the territory.
Oh and yeah, this meta makes for tedious threads so site guidelines and all that.
Depends on the actual software licence, many commercial vendors do provide source code, however the licence doesn't allow you to do whatever you feel like with code, even if technically it is possible to do so.
This happens a lot in commercial products where scripting languages are used, for example.
Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.
IMO if you're a technical decision maker, you should ignore fair source/business source stuff with extreme prejudice. These are fundamentally incompatible with the goal of having autonomy for your systems.
Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.
This whole discussion is about FLOSS projects where the right to "do whatever you feel like with code" is well established - even literally so, in the case of purely private/internal changes that are not distributed to or publicly performed for any third party.
It's hard to feel any sympathy for people who spend money and still bend over.
For most people it is only business, there is zero FOSS ideology.
A hard lesson many have come to learn when there are bills to pay, and coffee priced donations hardly make it.
These days you just blindsight a project's community by instating a process heavy (you want the technical people to self-opt-out) 'board of governance', then put in place a draconian Orwellian regime in the name of 'safety', revoking project access from all that do not support the coup, or worse, still dare to speak out againt you.
Why do we need to maximize profits? With current technology we shouldn't need to work 8 hours per day, maybe 2-3 hours max to maintain quality of living. Instead we should work to make everyone's life easier, including your own life of course.
There's a need to make money faster than the government & central bank dilute it.
Need to fix the money before everything else can be fixed.
This is causing management at the current company to run in circles a bit as well. The company has been fairly adamant about having support contracts for systems, and it has encountered a number of these stunts. Opscode with chef a long time ago, CentOS exit, VMWare, Broadcom has a number of more ugly things available in Tanzu.
And we were either paying these companies (looking at VMWare), or looked for quotes and intending to pay these companies. But suddenly, your configuration management is supposed to cost almost 6 digits per year. Very basic services should suddenly cost a mid-6-digit range per year for a basic suport contract. Sorry but what the fuck? And - again, looking at VMWare - even then we can't really rely on it?
I've been recommending to instead sponsor foundations, or straight up paying maintainers and developers of OSS we use regularly. The giggles when suggesting that have been getting quieter. But I'd rather hire a Proxmox/qemu dev than start paying the next VMWare.
Isn't it paradoxal, that those mentioned companies had set up an OSPO (to do OSS the right/community way... with the right/community minded people)
I believe this kind of schizophrenia is the price to pay of (too) big organizations.
> There is typically a spike in these clones after a relicensing event, suggesting that people are considering creating a hard fork of the project
That, or maybe people make a "snapshot" just in case. I don't believe many people seriously consider leading the effort of maintaining a fork...
I believe there should be a broader family of terms besides rug pull for when the intentions of vendors and developers change over time to become extractive and negative. No, enshittification is not the right word.
"bait and switch"
The FOSS license is the bait, and the CLA is evidence that they had ill intent from the start
It's not ill intent. The CLA clearly states what the intent is. It says "You give the company permission to relicense your work". The intent is there from the beginning - they want to be able to monetize the work. If you dislike such intent, then you wouldn't sign the CLA.
The concern is if they stop dual-licensing, and future releases don't come under a free license, but they only work on their proprietary relicensed version. You have the option to fork, under the same free license that it was originally under - you just won't get further updates from the company involved. I don't see the problem here: You aren't entitled to those updates just because you made some contributions.
I emailed Stallman about the ethics of using AGPLv3 with a CLA to allow selling exceptions. Here's his reply:
https://news.ycombinator.com/item?id=42601846
Checks notes,
RIP VibeVoice Large 7B
https://arxiv.org/pdf/2508.19205
https://github.com/microsoft/VibeVoice
Nice to have forks & downloadable models now 'innit
Oh stop. When someone gives you free stuff and then changes the terms a little that isn’t a “rug pull” and it’s not “feudalism.” If you contributed a little and voluntarily signed a CLA this is also not a “rug pull.”
The whole reason for these “rug pulls” is abuse of the open source ethos by big companies using it as free labor for SaaS and giving nothing back.
SaaS is more like feudalism than any other software model, yet the open source community seems committed to making sure the SaaS industry can continue its free ride.
Part of why I’d hesitate to ever again make free (as in beer) software is this whole toxic shitty mentality. If I give you a ton of work for free, say thank you. If a bunch of investors fund that, say thank you. This entitlement mentality from a bunch of people with careers that mostly put them in or near the global 1% is gross. It’s not like you people need stuff for free. You ain’t poor.
[flagged]
Why are you trying to distract from the content of the article? I don’t know why her hair color is so triggering for you but she has a couple decades working in open source, multiple relevant degrees, is on the CNCF Contributor Strategy TAG, and is talking about some real issues affecting a lot of projects.
If you can’t get over her physical appearance long enough to engage with the topic, it’s healthier to leave the thread and do something else.
> I don’t know why her hair color is so triggering for you
It isn't hard to guess.
I engaged with the article in another comment and did not want to be redundant so I choose a different aspect of the article to discuss which is about why LWN is focusing on "social issues" in open source and how I do not think it is something valuable for LWN to spend time on and lowers their brand.
It's literally impossible for open source development to be an asocial or apolitical endeavor.
Why does her hair color matter to you? Why is open source longevity and viability not on-topic for LWN discussion?
Dr Foster holds a PhD, did her dissertation about the Linux kernel, and has had a respectably long career in technology with a focus on open source and governance. The topic is literally straight in her professional wheelhouse.
>Why does her hair color matter to you?
It signals the group of people she belongs to which allows me to make a good prediction of her world view. Similar to how after seeing "Since the beginning of history, Foster began, those in power have tended to use it against those who were weaker.", I already knew the type of person who was giving the talk and seeing a picture of her did not surprise me in the least.
>holds a PhD, did her dissertation about the Linux kernel
But it's not about Linix's scheduler, nor it's network stack. It's not technical at all. "Understanding Collaboration in Fluid Organizations, a Proximity Approach" is about looking at collaboration for the development of Linux.
>Why is open source longevity and viability not on-topic for LWN discussion?
Because LWN should focus on the Linux kernel and not about "evil companies" running other projects changing their licenses.
"LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities."
FOSS beyond Linux itself is still explicitly on-topic by the site's own self-description.
But we all know what this was about anyway. Good luck to you out there.
[flagged]
[dead]
A lot of words without any mention of copyleft, protective licenses, GPL. Difficult to take the article seriously.
It's nice to see an article that is just interesting. Although trying to model an environment of extreme freedom as 'feudal' is one of the big philosophic mistakes in the current discourse. Although it is easy to establish that the majors are very sticky they're only sticky as long as they do a good job. Groups like AWS or Google are actually pretty vulnerable - the US right wing looked like it was about to build a complete alternative internet for a while there until the management in tech relented and allowed them to speak up in public. Places like AWS had to pull their head in and the spin offs from that like Rumble or Truth Social haven't gone away, they just partially marginalised when the censorship backed off. That isn't how feudal revolts work in my understanding; typically peasants just got squished by better armed, armoured and organised soldier classes.
> they're only sticky as long as they do a good job
> Groups like AWS or Google are actually pretty vulnerable (...) build a complete alternative internet for a while there until the management in tech relented and allowed them to speak up in public
The part of AWS or Google infrastructure necessary to "speak up in public", relative to their total infrastructure, is probably close to the tiniest number you can imagine. I can't see how an alternative web forum or short text message service, even if used and supported by many, could make AWS or Google vulnerable. And as a reminder, the public is not a customer for Google nor AWS.
Or maybe by "the US right wing" you meant a handful of billionaires who would fund an alternative to Google and AWS? That still sounds naive to me. The estimated assets of Google or AWS in datacenters only is somewhere in the hundredth of billions, plus a good fraction of that every year for maintenance. Their current valuation is between $2 and $3 trillion.
Having no exeprience about peasants revolts (yet ;)) I only meant to comment on that part of your message.
Exactly; there are many mechanism in-place that allow us (anybody) to create alternatives if the currently dominant players start to misbehave too much; they just have not
And there are mechanism that restrict you. The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.
Otherwise, im am really wishing for alternative payment processors ... could someone proove me wrong here please.
BTC ecosystem is growing strong :) Especially the Lightning Network
You worldview is incredibly foreign to me, but I'll try to engage fairly with it.
> the US right wing looked like it was about to build a complete alternative internet for a while there
This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?
> they just partially marginalised when the censorship backed off.
Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?
> That isn't how feudal revolts work in my understanding; typically peasants just got squished by better armed, armoured and organised soldier classes.
I think it's interesting that you posit this as a fight between the "peasants" and the "soliders". I'm assuming, to make sense of your analogy, that the "peasants" in this case is the current president of the united states and Elon Musk. the "soliders" would then be "Jeff Bezos" and "Sundar Pichai"
> This would seem to imply that the established internet, what we had before this relenting, was somehow left wing. Is that an accurate description of your view? When did this relenting take place?
No, the left wing wasn't really involved. It looked from the outside like a pocket of authoritarians settled in the US intelligence services. Given the priorities of the Trump establishment on starting Term 2 when they moved very quickly to gut the US propaganda services I think Trump's people came to a similar view. And the relenting came when it was obvious that the companies involved were going to start suffering commercial consequences. Or, in cases like Twitter, got bought out by prominent right-wing figures.
> Is it your position that Truth Social (the social network started by the current president of the united states) is currently a marginalized space?
Yeah. It isn't really operating on the same scale as Twitter and it only exists because Twitter felt the obvious way to construe "To all of those who have asked, I will not be going to the Inauguration on January 20th." was as glorification of violence [0]. It's commercial wisdom is unclear.
> I think it's interesting that you posit this as a fight between the "peasants" and the "soliders".
I'm almost positing the opposite, NOT(it is a fight between peasants and soldiers). That is why I think the feudal meme is a mistake - this isn't a situation where the powers that be in the tech world can actually bring consequences down on a class of people. The people have freedom.
[0] It was bizarre. I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.
> The people have freedom.
I repeat my other reply:
The article states it too: There is a resource (for software, id add knowhow) asymmetry and market innertia at play here.
Feudalism is formed by birth right privileges, excluding peasants or merit. With a look to present wealth distribution mechanisms (inheritance), its is no far fetch to apply that polarization effect to software infrastructure too, because software isnt really that immaterial.
> Feudalism is formed by birth right privileges, excluding peasants or merit
Lots of systems have that property, including many democracies (the UK political system, for example, is quite democratic yet embraces birthright privilege excluding peasants). It doesn't characterise or get to the important parts of feudalism.
unless you make that privilege about a universal resource like money, which can be translated to political power. You are right, many societies have that feudalism-like problem (social mobility), when you look at it that way, even without a royal family.
https://www.wired.com/story/yanis-varoufakis-technofeudalism...
I have 0 trouble understanding why Twitter didn't want to be whipping up fury against democracy using their power to do so. Six days before that ban Trump had definitively crossed the line over to full-blown treason with the Reffensperger call. Two days before the ban he sat quietly, waiting and hoping a mob of his supporters whipped up by his verbal diarrhea would sieze power for him, ending democracy. Make no mistake, Twitter did exactly what they had every legal and moral obligation to do.
I’ll just add that the quote in the comment you replied to was one of the least offensive things Trump said during that incident (if he even tweeted that).
The news ran a video of him inciting a riot, etc, etc.
> No, the left wing wasn't really involved.
That's fair. You didn't mention the left wing at any point, and I made an assumption.
This is veering quite quickly into unsubstantiated claims of collusion and conspiracy. You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace. It's honestly pretty close to QAnon, which is a huge red flag for me. I can't follow you there, and therefore can't make any substantial arguments for you.
What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces. He tried to get out of the deal, but the establishment forced him to see it through.
> I've kept a copy of Titter's announcement saved to disk as a reminder of how crazy groupthink can get. Anyone willing to state such a stupid theory in public has to believe it.
The announcement twitter made mentions that you have to take those tweets in context of the whole Jan 6. insurrection event. When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump? or do you believe that it was but that the further tweets weren't a further escalation of that conflict?
> The people have freedom.
I understand your argument for that then. I would caution that by saying that your conclusion hinges heavily on whether you believe Donald Trump is actually a popular reformist, or if you believe he is an elitist authoritarian. Your argument is quite close to "This can't be feudalism, the lords wants what's best for us", which is a quite unconvincing argument.
> You're weaving a network of secret deep state authoritarians secretly colluding with tech CEOs, and leaving no trace.
I'm really not, I just read political news from time to time. The Twitter files [0] were front page material for a few weeks, there isn't really any argument about whether the big social media companies are coordinating with US intelligence. They have regular meetings and there is some cross-pollination of employees.
It's hardly traceless, and it is good stuff to keep abreast of.
> What I would like to point out is the historical revisionism of Elon Musk buying twitter to weed out the subversive forces.
Again, you seem to be reading more than I'm writing with this one. You asked when the relenting happened, I picked a rough date on the timeline. I don't think it is remotely controversial to say that he's made Twitter more accommodating for voices from the US right wing.
> When you say that it's not incitement of violence, should I take that to mean you believe that the armed insurrection was not connected to Donald Trump?
I mean, if we're talking about the ~100 people who turned up armed [1] then I think it would have been easier for Trump to maintain the element of surprise and just hire some goons rather than making whiny statements on Twitter that require a Doctorate of Crazy to detect violent intent. Maybe even arm them all with guns. He is said to be quite wealthy.
It is an interesting open question of how many of those hundred people decided to come armed because he wasn't going to attend the inauguration. Although I have always applauded Trump's ingenious follow-up of not attending said inauguration to make it look like he was serious rather than the modern Machiavellian puppetmaster he actually is.
[0] https://en.wikipedia.org/wiki/Twitter_Files
[1] https://en.wikipedia.org/wiki/January_6_United_States_Capito...
> The Twitter files [0] were front page material for a few weeks
You're again making vague gesturing towards "coordination" and "regular meetings" in service of justifying claims of "a pocket of authoritarians settled in the US intelligence services". You must know that "regular meetings" don't signal "packet of authoritarians" to anybody but the most diehard conspiracy theorists. Who were these authoritarians? what were they doing? and how were they doing it? The "Twitter Files" holds none of these answers, having been widely reported (according to the Wikipedia page you linked) as being a misrepresentation of normal communication between governmental entities and private companies.
> Again, you seem to be reading more than I'm writing with this one.
I disagree that I'm making any assumption outside of what you've written there, but I'll leave it there.
> I mean, if we're talking about the ~100 people who turned up armed
You're not answering the question. From your tone I can tell your answer is most likely that you don't consider the armed insurrection of the US capitol building connected to Donald Trump. What caused it then? Does Trump have any culpability for letting armed people take part of his march?
>This would seem to imply that the established internet, what we had before this relenting, was somehow left wing.
I would omit the left-wing characterization as a debatable generalization. Perhaps it would be better described as the specific platforms being opposition partisans, rather than the Internet itself.
> Perhaps it would be better described as the specific platforms being opposition partisans
I'm sympathetic to such an argument, but it does beg the question: Which platforms? The original comments choices of singling out Rumble and Truth Social, would imply that YouTube and Twitter would at least be _among_ those "specific platforms" but neither of those platforms are, at least according to the left, particularly left wing. Both platform have repeatedly been criticized for creating and propagating structures that lead people down what was called "the alt-right pipeline" and has, historically, hosted some of the most active alt-right figureheads.
That's not to say either platform is or was right-wing either. I'm not the one making an argument. Though I'm not convinced they were particularly left-wing or partisan before the creation of Rumble and Truth Social.
Just to be clear, I never said anything about the left wing. I don't think they were involved in that one. Suppressing speech is generally opposed by the leftists.
Just compare X and Blue Sky. There may be some principled leftists who oppose suppressing speech, but in recent times, it has been the left that has been censoring/blocking peoples speech. Another comparison is what is actually censored. Of course there is a certain amount that would be censored by both sides - criticism of power.
It's not possible to rug pull an open-source project by just switching new work to a different license. The real issue with open-source is that we don't live in a utopia where you can publish all of your work for free and still live a quality of life comparable to working at an average developer job. Maintainers come and go. Without sponsorship, the half life on maintainers is going to be relatively short, and more developers are going to be pushed to publishing less permissively.