the security industry is a machine that turns
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND

into
YOU ARE PART OF A SUPPLY CHAIN ATTACK, SHAME ON YOU

@alexia It's probably time to reconsider the whole throw code into the world and assume zero responsibility thing. I get why it was important to have that for free software to be protected and take off, but as a general attitude it's become problematic.

@alexia while providing no assistance to said supply chain.

@axx @alexia No. Publishing your source code should not become a liability just because you decided to do it. Just like with writing, art, etc, so long as you're not outright spreading violent/dangerous ideas.

Imagine you set up a public bookcase somewhere; if someone comes across your bookcase and decides to build a for-profit book empire out of it and other ones around only to find yourself blamed for lack of profitability, you'd obviously and rightfully tell them to fuck off. No different here.

@alexia they want to change the DO WHAT THE F YOU WANT TO PUBLIC LICENSE

into

YOU DO WHAT THE F WE WANT, TO KEEP OUR SYSTEMS SECURE AND OPERATIONAL, AND YOU BETTER DO IT ON YOUR OWN FREE TIME KIDDO PUBLIC LICENSE

@axx @alexia counterpoint: anybody who wants guarantees from me gets to pay me

@axx @alexia The way it's solved in the UK for the most part with digital works and the sale of goods rules is that liability attaches to whoever sells, leases, or a catchall for other sneaky ways of trying to dodge it, carries the liability and cannot escape it.

That's a reasonable model for software - you sell or lease it as a product, you own the consequences - and it avoids problems with things like user groups and communities around software being commercial, if they are not the sellers.

@axx @alexia The other issue is negligence - that's kind of baked into law already and you can certainly be sued in a lot of countries if your drone software, say, causes a drone to crash and injure someone.

Remarkably many big companies have a totally different process for software that can do this. One that looks like what they should but don't do for the rest of it.

It's not even hard to write software properly - in fact there are arguments it's ultimately cheaper too.

@axx @alexia You have thrown words out into the world and taken zero responsibility for them. Somebody told you why you're wrong 2 hours ago and you still haven't applied a patch!

Oh and by the way, I need you to provide me with a Toot Bill of Materials by Friday at the latest. New EU regulations, you see. Thanks!

@axx @alexia if I want to code for fun and show it to my friends, who are you to prevent me? If a big ass company wants to use my side project, they are on their own.

@axx

@alexia the problem is picking code found in the code-dumpster (the internet) and assuming that it comes with warranties

@axx @alexia
i mean, it's probably time to reconsider building elaborate sandcastles of bullshit that doesn't fucking do anything useful in the first place

@etchedpixels @axx @alexia

Yea and the security industry knows this. Hence why they opt for guilt tripping instead...

@alexia
Just waiting for a project to respond to this by adding the stated vulnerability as a feature and archiving the project...

@Umbreon @alexia

And deny any involvement or fault of their own.

@charlotte @axx @alexia LLM scraping is the same pattern writ larger with even less oversight, so I wouldn't say I'm hopeful for the direction of the trend here

more OSS needs "no commercial use" clauses. does that make it non-free? yes. but I think we have ample evidence that letting commercial users lift community work is a net negative

@axx @alexia If a downstream user wants any kind of guarantee I’d be happy to negotiate an hourly rate.

@LionsPhil @charlotte @axx @alexia

You cannot have "more OSS" be non-commercial, exactly because it makes it non-free. Want to advocate for NC software? Fine, but don't call it OSS.

@axx @alexia "free software" should be the "general attitude"

…ngl I don’t like the social expectations that come from offering something to the world

the problem is that they’re reasonable, because you expect responsibility and accountability by default

@xerz they are not reasonable tho

if you want guarantees and accountability, hire the person and pay them

otherwise - I mean it’s like picking a tv from a dumpster and then coming with a warranty paper to whoever threw it away when it breaks

@alexia Also

"we have money to pay people to find vulnerability."

"please fix it for free and quick, or we'll shame you. Sorry we have no money for that."

@marado you didn't read the following sentence, did you. plonk.

@LionsPhil
@axx @alexia LLM scrapers at least don't expect extra free unpaid labor on my end

@alexia I saw some discussion somewhere else on fedi about how the MIT license allows people to walk all over OSS developers. I'm starting to think that people should use "MIT except if you're a commercial user you have to pay $10/mo" or something like that. Personally I like GPL licensing my stuff, but if you want something more permissive, that might work better.

@cwg1231

at this point I’m considering licensing all my personal projects under the OQL because screw companies

LP🔸Just Another Winter's Tail

@developing_agent@mastodon.social I literally have no idea which word you think is a slur there, but you're welcome to join them in the block list with that attitude. Have fun.

@alexia Thanks for showing me this, I might put it on my projects from now on. :) I really like the "fuck around and find out" license linked to as inspiration by the OQL.

Sven Slootweg, low-spoons mode ("still kinky and horny anyway")

@axx @alexia This seems like misallocating the responsibility. It wasn't the people publishing the code who decided to integrate it into major commercial systems without acquiring any sort of guarantee for its functioning

@alexia @cwg1231 Please don’t use a proprietary software license. Entities that ignore human rights law are likely to also ignore copyright law, restrictions on use in copyright licenses simply should not exist (I think the FSF article explains this well), and if everyone puts different use restrictions we’re going to end up with thousands of slightly different possibly-incompatible licenses.

Also, that specific license doesn’t seem to have been reviewed by a lawyer. I noticed several problems (I am not a lawyer):

  • It appears to be written in such a way that would prohibit even distributing the software on a physical medium (like a CD) for the cost of the physical medium.
  • “No entity that commits such abuses or materially supports entities that do may use the Work for any reason.” seems overly broad and like it would prevent anyone who pays taxes (to a government which commits human rights abuses) from using the Work.

If you want to scare off companies, just use the AGPL. It’s a free software license and companies seem to be scared of it (Google doesn’t allow use of any AGPL software apparently)

@whitequark
along the same line: anyone who wants timely patches from my little hobby project can open a PR and provide them

@axx @alexia

@wren6991 @alexia Looks like it got an update since the Sam Hocevar version...

@wren6991 @alexia I'd probably add a third point as well: "If you distribute any modifications, don't claim we made them"

@wren6991 @alexia Wait LICENSE, not LICENCE, or is the distinction a US/UK thing?

@wren6991 @alexia So you're responsible when it fucking works ? Brave.

@revk @wren6991 @alexia UK spelling uses "licence" for the noun, "license" for the verb. US uses "license" for both.

@revk US/UK difference. US generally uses "License" as both noun and verb AFAIK.

@revk I thought “licence” was the noun, and “license” the verb (like advice/advise)

@dakkar @revk in the UK, yes. Not for those heathens on the other side of the pond :)

@noisytoot @cwg1231

what use is there in (L/A)GPL if your first paragraph is about ignoring law

in a world like that, the GPL having been reviewed by a lawyer also doesn't make a difference

@alexia

YOU ARE PART OF A SUPPLY CHAIN ATTACK... SHAME ON YOU!

SENDING THIS SUPPLY CHAIN ATTACK WAS IMPORTANT TO US. WE CONSIDERED OURSELVES AS HAVING A ROBUST SUPPLY CHAIN.

OUR THEFT OF LABOR WAS NOT AN HONORABLE ACTION... NO HIGHLY ESTEEMED IDEOLOGY IS COMMEMORATED HERE... NOTHING VALUED IS HERE.

@alexia @cwg1231 Because not everyone is going to ignore the law, but anyone who's already ignoring the law (by violating human rights) is probably fine with ignoring copyright law too.

The GPL is useful despite the existence of some companies (like Allwinner) that continue to violate it, and it being reviewed by a lawyer is important because an overly broad clause could make everyone accidentally violate the license (which would make the license meaningless and equivalent to all-rights-reserved).

I think the clause of the OQL prohibiting materially supporting violators of human rights could plausibly be interpreted as prohibiting anyone who pays taxes from using the software, and this makes using any OQL-licensed software risky since the copyright holder could arbitrarily decide to sue you/tell you to stop using the software for this.

Another thing you could do to scare off companies from using your software without actually making it non-free is to require some sort of manifesto (similar to the GPL's preamble, or the Invariant Sections in various GNU manuals) to be distributed verbatim along with your software. Make it something that no company would want to distribute.

@noisytoot @alexia I really do appreciate your perspective on this, but I think the FSF's position on this comes from a rather privileged place that doesn't acknowledge the number of OSS devs struggling to make a living under capitalism. I think nonfree licenses, especially those that discourage commercial exploitation of OSS software without compensating the developers, are fine, and even necessary until we implement UBI or something similar to guarantee that open source developers can put food on the table for their OSS work, not by holding down another job at the same time.

I agree with the ideals of the FSF, but I don't think achieving them under the current state of capitalism is realistic. That's not to say I think they can't be achieved, but I think acting as if they are achievable now will not produce productive discussion.

I'll put in a PR to make some of the changes you suggested, and ask a lawyer I know to review the OQL.

@alexia *slaps top of software* This baby can fit so few warranties of any kind

@cwg1231 @alexia I assume you're suggesting using OQL + selling exceptions to it to companies in order to earn money? Since just using OQL and not doing that isn't going to help to earn any money.

Many people use the AGPL and sell exceptions, it's not necessary to use a non-free license for this. I don't particularly like this practice and would avoid contributing to such software because it requires a CLA of some sort which gives the maintainer more rights over the code than anyone else, which are often abused to go completely proprietary (most recently: minio), but it's better than proprietary software.

@alexia and companies are going to put some blame on their workers, making them responsible if they don't comply with installing privacy-problematic tools that can spy on all the things they are doing on their machine. Welcome to dystopia. No collective funding, no collective training and empowerment, just police and surveillance tactics. This supply chain problem seemed an interesting one to solve; it's becoming a shit show.

@noisytoot @alexia Yes, I'm suggesting selling exceptions. It seems like you're missing my entire previous point, which is that open source developers need to make a living under capitalism. Using the GPL would still allow massive for-profit companies to use the software without compensating developers at all. I think putting food on the table for open source developers is more important than use of completely free licenses.

About the section that says "No entity that commits such abuses or materially supports entities that do may use the Work for any reason," that section was actually not there when I made the original post. That section is in the new OQL v1.3, from two weeks ago, whereas v1.2 was current at the time of the original post. I will suggest a change to the language anyway.

Finally, I don't understand your argument about minio. Minio itself is licensed under AGPL, the very license you suggest would solve these problems. Its contributing page doesn't list any sort of contributor licensing agreement (which is what I assume you mean by CLA). I'm completely at a loss as to how the AGPL was supposed to prevent this, since in this case it clearly did not.

@cwg1231 @alexia Open source developers need to make a living under capitalism, but if they do so by writing proprietary software then they’re not open source developers because their software isn’t open source (ignoring the fact that they could be developing other open source software, but the point is that non-commercial licenses are neither free nor open source, which is in fact explicitly stated on the OQL’s website). I’m not missing the point, I’m suggesting AGPL as a compromise that doesn’t make the software non-free but still puts off companies enough that they might buy a license.

The Minio thing is referring to the fact that it was recently put into maintenance only mode in favour of a proprietary fork called “Minio AIStor”. Minio apparently had a requirement that contributions be licensed under Apache-2.0 to project maintainers only, which is essentially equivalent to a CLA (it gives unequal rights to project maintainers and allows them to make a proprietary fork, as they did). AGPL would’ve prevented this if it wasn’t for that.

Personally, I have no idea what I will do to make a living when I finish full-time education. I don’t want to write proprietary software. My plan is to get elected as a politician, introduce UBI (and generally attempt to improve society), then when I’m done resign and write free software. This does seem quite difficult and likely to fail though.

@noisytoot @alexia
The minio thing is shitty, but also not at all the same as what the OQL is suggesting. Also, the AGPL seems like it forbids selling license exceptions. See section 12:

"If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program."

(from https://www.gnu.org/licenses/agpl-3.0.en.html)

The above section seems wholly incompatible with what I'm suggesting. The point isn't scaring off companies, I want my software to be used, but only to better the world. The point is that under the current state of capitalism, incorporating OSS into your supply chain should require compensating developers commensurate to the responsibility you're placing on them.

If you're seriously suggesting that you're not missing the point immediately after no-true-scotsmaning open source development, I suspect there's little productive discussion we can have. Despite the fact that we have pretty similar goals (UBI, propagation of free software), I'm getting the distinct impression that you don't understand the concept of coalition building, which you will need to go into politics. Please go volunteer at a soup kitchen before proselytizing further about a license that won't put food on my table or those of my struggling queer friends who work in tech.

@cwg1231 @alexia

The minio thing is shitty, but also not at all the same as what the OQL is suggesting. Also, the AGPL seems like it forbids selling license exceptions.

Correct. In order to sell exceptions you need to use a separate license for that. It’s kind of like dual-licensing, except instead of the alternative terms being available to anyone, they’re only available to those who buy them. The FSF wrote an article about this. I am using the terms “selling exceptions” and “selling an alternative license” interchangeably.

If you are the only copyright holder you can easily do that (no license can forbid the copyright holder from also releasing their code under another license), but if there are any other copyright holders then they must agree too, or you need some sort of CLA which gives the maintainer extra rights.

It’s exactly the same if you use the OQL instead of the AGPL. If you release your software under any license and accept contributions without some sort of copyright assignment or CLA (meaning you are not the sole copyright holder and have equal rights to the code as any other user), you cannot sell exceptions to that license.

That’s the relevance of the minio thing - I wasn’t saying it was similar to the OQL, I was saying that it’s a danger of using a CLA, which is necessary in order to sell license exceptions (whether to the OQL or the AGPL, or any other license) unless you are the only copyright holder. I’m not sure if there’s a way to mitigate this with a more restricted CLA.

The point isn’t scaring off companies, I want my software to be used, but only to better the world. The point is that under the current state of capitalism, incorporating OSS into your supply chain should require compensating developers commensurate to the responsibility you’re placing on them.

If I understand your point correctly, what you want is for companies that use your software to pay you. There are two ways to achieve this:

  • Explicitly forbid them from using your software (using the OQL), and sell an alternative license.
  • Scare them off from using your software without explicitly forbidding them (using the AGPL), and sell an alternative license.

They both achieve the same goal (companies will pay you for the alternative license), but the latter does so without making your software non-free. Perhaps the OQL is more effective at getting companies to pay (I’m not sure by how much), because some companies are fine with the AGPL, but using the AGPL and selling exceptions is a business model that people have successfully used.
