I just recevied an DMCA takedown from GitHub because upstream is “unopensourced”
Is this even possible?
The most interesting excerpts:
-------------8<---------
Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.
After DDN’s acquisition of the NexentaEdge source code (as described above), it was renamed “EdgeFS” and was subsequently improperly open sourced under [private] without DDN’s permission.
-------------8<---------
Is the work licensed under an open source license? If so, which open source license? Are the allegedly infringing files being used under the open source license, or are they in violation of the license?
No. EdgeFS was improperly contributed as open source without the authorization of DataDirect Networks, Inc. or its wholly-owned subsidiary, Nexenta by DDN, Inc., the copyright owners.
-------------8<---------
36 comments
[ 4.5 ms ] story [ 76.1 ms ] threadReading the former license would make sense. But I would be very surprised if any mainstream open source license can be revoked.
https://www.apache.org/licenses/LICENSE-2.0 was the license of EdgeFS if I believe in Google's cached result. There is no mention of a time limit or withdrawal possibility.
Some jurisdictions may restrict my conclusion because they don't allow authors to renounce all their rights - to put something in the public domain for example. But giving an open source license is like selling one, you can not just roll back six years later "please give me this back, I don't want this to have happened"
Plus, if EdgeFS has/had external contribution, changing the license of the project without prior allowance from other authors is an infringement of they copyright.
If it was released under an open source license by people who did not legally have permission to change the license, then yes this is possible.
It sucks, and you should likely still challenge it. But they may have the legal high ground.
It's like if a stolen painting is given away or sold. The recipient is may have no knowledge the painting is stolen and acting in good faith. But the original owners before it was stolen are still the legal owners.
This is kind of an interesting question in open-source. Developers tend to just assume that a license is valid, but that's only true if the license issuer had full copyright of the code to begin with (work-product agreements become a possible source of complication here). There is always a chance that someone could come along later and claim copyright over some/all of that code, which could by then be forked and/or incorporated into various projects.
I'm no lawyer, but I would guess that if senior management of a subdivision is doing something it's hard to claim "rouge employee" :)
Otherwise, corporations would break all sorts of contracts claiming they were never valid in the first place.
They also tend to assume that if the license is valid then the code is also not implementing any unlicensed patents.
But it sounds like they are claiming that that happened a year ago... and they just noticed now? I think they would have a difficult time convincing a court that that is actually what happened.
Of course this is only relevant if you're willing to go to court over this, which is probably only the case if (at a minimum) you have a fairly substantial financial investment riding on this - or you have "fuck you money". And if you are willing to go to court over this go find a real lawyer instead of listening to HN.
Let's say I go into a bank. The bank requires an officer to approve all loans. A minimum-wage teller offers me a loan with a 2% interest rate, with absolutely no authority to do so. I don't know that, and I come out thinking I have a 2% loan. The bank is generally still required to honor the terms of that loan.
https://en.wikipedia.org/wiki/Apparent_authority
If forensics here prove that the person who open-sourced did not have the authority to do so (but was affiliated with whoever holds copyright on EdgeFS), and that OP had no reasonable way to know they did not have that authority, the most likely outcome is that:
* Nextenra could not pull back the license.
* Nextenta's recourse would be to go after whatever employee open-sourced it without authority, not OP.
This contrasts with an example where an unaffiliated party posted Nextenta's source under an open source license. If you post the Windows source code under the GPL, and you don't work for Microsoft, and I make use of that source code, that's when I'm also liable.
I'm not a lawyer. This isn't legal advice, which I couldn't give without knowing specifics of what happened when and how. This is merely a correction to the post which says: "If it was released under an open source license by people who did not legally have permission to change the license, then yes this is possible." This was statement is misleading, at least under US law. I'll also mention you can't get reasonable even legal information without posting a lot more background (two short exerts aren't adequate for anyone to have a legal opinion).
There isn't that much more to show but here is the entire DMCA takedown request which I received: https://gist.github.com/siepkes/8e1f51e2ce9e44ba7116ed79e492...
> If forensics here prove that the person who open-sourced did not have the authority to do so
Announcements of the opensourcing were made on various places (like Reddit [1]) by Dmitry Yusupov who is Co-founder and CTO of Nexenta. He also made a lot of commits in the OSS Github repo which was Apache licensed.
[1] https://www.reddit.com/r/edgefs/comments/cf0o2b/edgefs_open_...
Lol. They're clearly bullshitting. I'd believe that excuse if a mere developer had open sourced it, but not someone that high up.
I remain skeptical... but it's important to get the facts right.
FWIW, "co-founder" is not the title that matters. The title with the word "officer" is the operative one. Officer is a word that has a legal meaning and generally means the person can speak on behalf of the company, regardless of what a parent entity may later say. They entrusted him with the title. It's why you often see the elevation of someone to an "officer" position comes with a whole new round of background checks and interviews.
1) Contact the maintainers of the other repositories.
2) Draft a DMCA counter-notice, laying out that:
"The repository was open-sourced by Dmitry Yusupov who is co-founder and CTO of Nexenta. This was publicly advertised on multiple public forums, including [], as well as the github repository itself. As a CTO, he had either authority (or, at least, apparent authority) to open-source this tool. This tool continued to be publicly advertised under a [insert license] license by Nextenta for [insert number] months in Nextenta's official github repository.
I cloned this tool in full compliance with the license under which Nextenta licensed this tool, and continue to comply with this license. Whereas this license has no expiration clause, Nextenta has no legal grounds under which to withdraw the [insert license] license under which it licensed this code to us.
I, and others, have invested significant time, cost, and effort, in reliance on Nextenta's advertising. In addition, Nextenta's business has generated significant value from the goodwill from their announcement of the open-sourcing of EdgeFS. Nextenta has no grounds on which to retroactively withhold continued rights to users who use their code under this license.
Shutting down this repository causes ongoing harm to myself and to [others who have signed on] and continue to rely on this repository for [whatever value you derive].
If Nextenta believes its CTO and employees were not authorized to take this action, Nextenta's recourse is to seek damages from those employees. It has no grounds to retroactively deny rights to [list of people]. If it chooses to do so, [standard language about seeking maximum damages, expressly reserving all rights, etc.]"
Find legal language online in other such filings, and stitch it together. Try to understand what it says and why.
3) Chip in for a 1-hour consultation with a GOOD lawyer (high per-hour costs, likely, but low time commitment). Have them revise this letter. Good lawyers can do this FAST. Note that you want to have EVERYTHING organized and lined up going into this meeting. The more time you spend beforehand, the less you'll need to pay the lawyer. That's the point of the draft.
4) If you have sufficient funds, have them ship this letter off on their letterhead (looks scarier). Lacking funds, do it yourself (still shows you know your rights).
Most companies will back down at this point. However, if they don't, these things can either get super-expensive (if you hire a lawyer) or completely life-consuming (if you decide to handle the legal work yourself). One upside is you do learn /a lot/ in the process either way. Lawyer friends who can help you unofficially are also super-useful.
I'll mention that's what I'd do. Most people would back down and get on with their life.
Another pressure point are an adversary's customers. Those are often awesome. If customers don't believe a company follows contracts, they're f-ed. Often, this just takes communicating what happened, but sometimes it needs to be adapted to customer culture. But you do need to be careful how you pursue this (again, being careful to stay well within the right side of the law).
The article also indicates "The agent must have been held out by someone with actual authority to carry out the transaction and an agent cannot hold himself out as having authority for this purpose." Which makes it seem that EdgeFS would not be bound to any actions taken by someone who they had never presented as having the authority to take those actions.
So, very complex here, and appears that the issue of apparent authority is largely bound to a lot of other factors, not just association or lack thereof.
Given that this was:
(a) In an official github repo from the organization
(b) The announcement was made by the co-founder and CTO
It would need to be a complex set of circumstance for apparent authority to NOT apply. I can come up with such circumstances which might apply, but it would have to be a lot more than just saying they didn't authorize their CTO to do this. If you can't take the statements of a CTO at face-value, the world of business would collapse.
(And to re-emphasize: I am not a lawyer. "In my law class" should not convey I went to law school, and taking a couple of law classes does not a lawyer make).
I had read into "After DDN’s acquisition ... subsequently improperly open sourced ... without DDN’s permission" to mean that the code had been acquired from another entity, but then someone associated with that entity which no longer had any rights to the code released it as open source.
The agency criteria is much narrower and easier to challenge.
As a company, they open sourced it. If they had a rogue employee open sourcing software without, that's their problem.
I'd be a bit more willing to hear them out if they reached out 2-3 days later. But 9 months, and with work having been done based on it, is unacceptable.
Plus, you DO have a licence for this code; that's literally written permission to use this code under those terms. I hope it doesn't say anything about revocation though.
https://web.archive.org/web/20200312165928/https://github.co...
... and probably further back too - here's an HN post referencing the licensing from around Q3 2019:
https://news.ycombinator.com/item?id=20671417
I hadn't heard of DataDirect Networks before; it looks like their acquisition of Nexenta closed in May 2019:
https://www.theregister.co.uk/2019/05/07/ddn_is_buying_nexen...
"Nexenta by DDN will be run as a separate entity, retaining its own sales and engineering teams. The Nexenta sales people now get a wider DDN channel to use and there are cross-selling opportunities for both."
As far as I understand -- I'm not a lawyer -- changing a license requires that existing contributors are notified and agree to the change of licensing.
https://softwareengineering.stackexchange.com/questions/5532...
Not the contributors, but the copyright holders. That's why usually projects require a CLA (Contributor License Agreement) to be signed, so they get the copyrights (or they get the rights to relicense the work).
UPDATE 2: Found possible confirmation unfortunately that EdgeFS was not Open Source before May 2019 (retrieved May 8,2020 [3]):
That said, if Github tells you when you forked, and you can show their license file at the time was an Open Source license, then you should be able to point that out. Where things get murky and you may be SOL are if any of these are the case:* You Open Sourced it yourself rather than forking via Github
* There was no license file
* You worked on the project for them as your employer at any point
* The fork occurred in May 2019 or afterwards
* The project was uploaded to Github, or Open Sourced, in May 2019 or afterwards
Fighting a DMCA is an uphill battle, as there is no risk to Github in enforcing it, but a big risk for them in fighting it. They make their money off of commercial users I suspect, so if commercial users stop believing Github will uphold their IPR, then they'll stop paying.
If any of the above conditions are true I would expect it to be a steep uphill battle. It may be a steep uphill battle requiring lawyers to fight anyway, since it revolves around IP in an acquisition. What it may come down to is that code Open Sourced before May 2019 is ok, code Open Sourced after that might be under a cloud (and basically means you shouldn't use it unless you're willing to fund a long and painful legal battle).
A sad end to one of the flag bearers of the Illumos effort (I believe I remember reading Adam Leventhal of Nexenta on the Developers Council[1]).
[1] https://web.archive.org/web/20160710123826/http://wiki.illum...
[2] https://web.archive.org/web/20200312165928/https://github.co...
[3] https://www.reddit.com/user/dmitry_yus/
If you still have a local check-out of the source repository, do not publish or edit it, but keep a read-only copy of it (including commit history) somewhere safe for evidential purposes if you intend to pursue any legal investigation and recourse.
And find a software & intellectual property lawyer if so, too :)
But then again, maybe the CTO is the rogue employee...
Edit: here is an archive in case it is taken down: http://archive.is/WZYl2
Edit2: here is a tweet from their official handle: https://twitter.com/EdgefsIo/status/1156309079968514048?s=20
It seems to be BS though. Citing from the DMCA:
Both blog posts were tagged as written by Dimitry.
[0] http://archive.is/ms5eu
[1] http://archive.is/XzGLt
[2] http://archive.is/fhXnA
Edit: And this appears to be a copy of a press release put out by DDN's PR agency describing EdgeFS as open core http://archive.vn/eFIls
That line is in the DMCA request.
I'd guess the investors were told they were paying for this IP but didn't take fast enough steps to prevent a legitimate officer of the company from open-sourcing it.
This post make me never use egdefs in any form.
Tweet text : Next week, our CTO and Nexenta Founder @dmitryy will be speaking at #KubeCon 2019 in Shanghai, on NexentaEdge, and the power of open-source projects (@edgeFS and @rook_io !). Get details here: http://ow.ly/SeTD50uJ0yX