Honestly that’s why part of the reason why I posted this here. If this made HN Frontend page I feel like they’re gonna notice and have to respond, a lot of potential customers reside on this forum
would it be possible to require a session token or some other secret in order for images from fakercloud.com to resolve? I know of a few services that do this for map tiles to prevent scraping or hot linking.
It is MIT licensed so theres nothing wrong them reselling faker but the stuff theyre doing here looks quite dodgy.
I am a user of retool but for companies with access to your data you expect a bit of integrity. Would be really interested to know what retools response is.
You should follow up a couple of weeks from now on HN if nothing happens.
I think the main problem is Retool is using the faker cloud api directly behind the scene (?) and the generated data is hosted on the faker cloud CDN (?).
It's MIT licensed. If they're actually reselling the API (and not hosting their own instance) then it could potentially be in violation of the terms of service, but that's it.
Using images from Faker's CDN is scummy and potentially illegal, but fairly minor overall.
If you are using images that someone else createdbwithout permission or license that is copyright infringement. If you are also using data created from a service and use it in your product again without permission or license this is also copyright infringement.
All of these stories in the last few months about big tech companies "abusing" open source software is straight out of /r/leopardsatemyface. "I want to build an open source project with a license that lets anyone use it any way they want for free! No, don't use it like that!"
faker.js - the MIT licensed free software - generates links to fakercloud.com. The error is in faker.js creating links to a paid-service CDN, not in how Retool is using the MIT licensed software.
I have been seeing a lot of Retool lately on my Facebook News feed.
What's amazing to me is that they're using his CDN. Does this company have such terrible code review that they forgot to use their own CDN? Definitely makes me think twice about the quality of Retool's software.
Have you considered just turning it off? Or adding a requirement for API keys and disabling any that they hand out to their customers. It would be pretty embarrassing for a large company that had a service go down because they refused to pay for it.
Yeah, I mean this story sucks, I feel for the creator. But my gut is telling me this is a perfect example we all shouldn’t just default to MIT license out of the ‘goodness of our hearts’.
I mean, actually using Goatse here would probably be a bad idea, but what I really meant by my comment is "maybe you ought to treat this like any other hotlinking abuse situation, for which there are many commonly employed mitigations."
Serving shock images or other rude content is just the particular mitigation that makes me giggle.
I think the “professional” way to handle this is to implement API keys and rate limit requests without API keys heavily. (Possibly putting a link to your pricing page in the “too many requests” header.)
No, it is not. That being said, I certainly would move to another service if they don’t make it right. However, I also run a business and don’t make knee-jerk reactions to cancel support services on a Saturday evening without giving any sort of time for the provider to respond.
Always amazes me how intent people are at trying to frame comments in the least charitable way possible. We all support this person getting paid for their work. End of story.
Ditto. I was eager to set up a manufacturing sector client with Retool this coming week, but holy shit, assholes acting with impunity like this is infuriating, and I'm putting in extra time to try to find an alternative. Open to suggestions
If the code is already fairly mature then the big companies using it can just fork it (and make their new fork entirely closed if they feel like it) and the creator of the original code won't be able to do a thing about it.
You can change your license, but it's not retroactive, the code released so far keeps the old license (and can be forked from there). Note that it would be unsustainable otherwise, e.g. release as free, force people to pay later
If they use AGPL, how would they get companies to actually use the software before extorti^w shaming them into paying some money for a product they are licensed to use for free?
Developers: think long and hard about the license that's right for your project before you push out to the world. I can't help but feel that free/open source software has become a lot less altruistic in the era of Github. We gained quantity and quality, but lost something else that's difficult to express: innocence? Not every project needs to be a job/startup/foundation (cue Left-Pad LLC). I daresay, not all projects ought to be monetized, period.
no need to shame everyone, of course if the license is AGPL you won't be asking small users to get a license right away, but it gives you leverage with large companies to justify them doing business with you. I don't think a large company would want a core component to die just because it's no longer mantained, nor they want to dedicate the resources to mantain a fork.
I was being snarky - MIT-/BSD-style licenses are licenses and they grant companies license to use your software, without having to "do business" with author (but companies can be publicly pressured to do so (see the fine article), once they start using said software). The snark is rooted on the fact that large companies avoid AGPL software like a leper - they won't even install it, let alone do business with the author. So anyone hoping to do a long-con is better off avoiding AGPL.
Looks like this hasn't happened to him for the first time either. First page results for faker.js show how he has been ripped off before too(1). Really sad how big companies abuse OSS.
He needs to figure out if he wants to be paid or not. Offering a free product and support and then complaining people don’t pay you is honestly fucking weird.
You’re assuming things he didn’t say. He didn’t investigate that in depth. All we saw is the hosted images. Which is wrong, but most likely a mistake done by the devs charged with copying him.
And you’re being incredibly charitable to Retool, who haven’t even said their side of the story.
Those URLs don’t create themselves. It looks to be using a hash of some sort, which means it needs to be something generating them, it’s not just them appending a hash to https://fakercloud.com. And even if it were, why use fakercloud, a paid service that you don’t subscribe to, and not your own?
In either case, your original complaint is that the author can’t decide between working for free or paid. It’s clear that isn’t the case considering, as I pointed out, they have a cloud service that’s paid. They clearly have figured out some way to be paid for their work.
And I’m not charitable to retool. They’re opportunists. But they were provided with a screaming opportunity here.
It’s like getting naked, rubbing some condiments on yourself, going to the woods and screaming EAT ME. Eventually something will start chewing on you, and then you start whining about how unfair life is? Please.
Retool operates within their own budget, not with the budget of the US tech world.
How many other OSS libraries are they using? If Retool should get 10x that amount, how much should they be paying out to every other library author that published an open source/free-as-in-freedom library?
I'm sure Retool can afford to pay for their use of Faker, but this divide between "the poor individual" and "the rich with infinite money" that has become culturally accepted in society is pulling us farther and farther away from truth.
Can't blame Retool for deciding $500 is adequate, when the author's advertised price for Faker is $0.
It's like something out of Curb Your Enthusiasm: "I don't want money" means "I want money". And "anything helps" means "actually anything below UNSPECIFIED AMOUNT is insulting". Like, how the F do you deal with such people? It's just bait and switch blackmail.
He should have licensed it under AGPL, or chosen a non-free license. His problem was wanting the benefits of open-sourcing his code without wanting the detriments. That said, Retool using images hosted from his own site is pretty scummy.
For when Retool’s team inevitably reads through this: compensate for, and fix this. Until I can see genuine efforts made to repair this situation, I’ve cancelled my account. Shame.
I may have missed it but I didn't see anywhere that Retool is paying for a subscription. Even if they are, I'm not sure that entitles them to free use of the Fakercloud CDN.
I hate to be that guy, but idealism in software needs to die.
Don't use a license that's more permissive than you're willing to tolerate.
It's absurd to me for a project to publish something with a 100% open source license and then complain when somebody tries to profit off of it.
Doesn't really matter how egregious or large the perpetrator is. If you want exceptions, write it into the license. People want the goodwill that comes with open source, without accepting the consequences.
That being said, I do empathize with the plight of the author. Perhaps they were naive to this possibility.
The U.S. legislature hasn’t touched computer laws in forever, so an armchair guess is hard, but chances are that causing an extreme financial burden by hotlinking someone else’s images is illegal - although maybe the fact that fakercloud could just block hotlinking based on the referrer header means it’s not as open-and-shut of a case.
In my view, if your web server responds to an arbitrary HTTP GET with the asset and 200 error code, then your intention is that the asset is public and any browser can request it. If you don’t like a particular request, return 403 and get on with your life.
I am sure that they can change that if marek requests it. But he doesn’t instead he wants a two year consulting contract where he continues to work on his own project.
But, in the long run, doesn't this turn us into proverbial paperclip collecting AIs? The mode of sharing and using shared software is also a matter of social responsibility.
E.g., if the author is obviously asking for sponsorship to maintain the project, as a major user/customer, you should consider a donation. Otherwise, you should be stripped of the benefit of the doubt, regarding the question, whether you are a civil person or not. Likewise, you shouldn't engage in actions, which are prone to doom (economically or otherwise) the project you're profiting from.
It's not fatalism. I don't want to live in a world where a guy says I can do something with his software, and then gets upset and tries to rally people against me when I do. I've had girlfriends like that.
If you don't want people to make money off your software, or use it a certain way, don't put it under a license that says it's fine to do so.
To be clear they’re violating the terms of service of fakercloud.com is the implication I took from this
Not so much an issue with them using faker.JS, though honestly companies should do more to pay for development of these kinds of libraries that they depend on, it isn’t the core issue here
Which by the way is a great service if you are in the market and would fully managed fake data api
I think they should make that clearer in the blog post because it really wasn’t clear to me. So they’re paying for fakercloud and providing that data to their customers? It seems like this would then be a TOS issue as you mentioned.
If faker.js, an open source library, creates links to fakercloud.com - a for-profit offering, then someone who is merely using faker.js isn't falling afoul of the fakercloud.com TOS since they were never even presented with it in the first place.
To me, that is the idealistic stance. If there’s a world in which an indie developer can muster up the legal guns to win an IP battle against a VC-funded behemoth, it ain’t this one.
Writing restrictions into the license makes sense in theory. Actually enforcing that license against an uncooperative company will take far more time, money and effort than most people are willing to spend.
Large companies won't violate terms of a license knowingly.
Certainly an individual dev could pull in a library with a non permissive license without the broader business being aware. Or, I do agree, there may be particularly corrupt companies that knowingly violate terms of a license... But that's going to be less common than not.
Having worked for big tech, I can assure you they are very strict with licensing.
In this case it's a fast and loose startup, so I agree that it may have happened regardless. But at a certain scale these kind of things will be caught.
But you're not going to get AWS cloning your project if your license doesn't permit it.
I can imagine that big Western or multinational companies won't knowingly violate a FOSS license.
That being said, AFAIU violating the GPL of the Linux kernel is very common in the embedded world. A lot of that is made in places largely out of reach of Western IP laws, and by the time anybody gets around to do something, the fly by night company responsible has ceased existing, replaced by a new company currently working on a device five generations ahead, again committing GPL violations.
which means either the market they serve don't care, or don't have enforcement within reach of the western courts. But then, them "stealing" GPL nor not won't really affect the owner of the GPL software, since the world would've been the same to them whether the fly-by-night company violated them, or did not exist in the first place.
For me the perfect license would be something that allows using the code freely in any project or company that makes no money or is smaller than X people.
If you are using my code and you have a lot of cash from investments or revenue - it would only be fair if you pay for the license.
> Don't use a license that's more permissive than you're willing to tolerate.
From tfa:
Most Fortune 500s are using Faker in some capacity. The scope of the Faker project is not small... Who pays for Faker development? No one... Most of these donations are from fellow developers, and not enterprises or corporations.
I don't think there's a single OSS license that'd force corps to pony up. Too restrictive terms and they'll simply go looking elsewhere.
Google does OSS right. Open source to commoditize your competitor's advantages, not to strengthen your own.
> I don't think there's a single OSS license that'd force corps to pony up. Too restrictive terms and they'll simply go looking elsewhere.
There is no such license, and there can't be. Just as a license that prohibits use by the military can't be open source, neither can a license that prohibits use by, or requires payment from, corporations.
Dual licensing under GPL (or AGPL) and a commercial license is the closest you'll get, and it relies on the aversion many corporations have to the GPL, rather than adding restrictions per-se.
Mongo did just that (AGPL or custom license), but they moved to create SSPL; for some reason it didn't work out for them?
Redis and Elastic tried something Frankenstein by mixing Apache and custom license code in the same repo, which spooked them and the community for good measure, with Elastic, later, notoriously doubling-down on "open" with SSPL.
Of all the source-available licenses, I like BSL by MariaDB, better.
The reasons for using GPL and AGPL is that it advertises 'other licences are available - for a cost - but this is the only one you get for free'.
The cost of using GPL licences is that any changes you make to it everybody gets to have and anything you create with it has to be licensed under that licence. It was designed to create a viral effect so that free software remained free and that people could make money from those who didn't like free.
The MIT licence says "I have tenure in some organisation that is getting its money from something else and which can pay me to spend time on this".
> people could make money from those who didn't like free.
Does GPL ever work this way? In practice, GPL discourages corporate (=widespread) adoption, driving down the quality of open-source software, and creating the market for paid closed-source software (which is often worse than open-source software, but packaged better). I'd love to see cases where a GPL-dev successfully negotiates a reasonable "cost-plus" arrangement with a company for a non-free license.
and i believe this is because most GPL software doesn't provide enough value over the cost. But for MIT style licenses, there is zero cost, and thus, adoption must be high by the laws of supply/demand!
In other words, the excess value provided by the software under an MIT license is extracted and kept by the corporations using it. GPL licenses forces some sort of non-monetary compensation in the form of contributions, and thus, the corp cannot extract and retain the full value of the software (and hence, they correctly decide to make a cost/benefit analysis, and choose the most profitable decision).
> GPL licenses forces some sort of non-monetary compensation in the form of contributions, and thus, the corp cannot extract and retain the full value of the software
No, this is false.
- You can use a GPL library without making changes and contributing anything upstream
- You can use a GPL library internally and make changes without contributing anything upstream
- You can use a GPL library, make changes and distribute it to 3rd parties and, only in that case, you simply have to share the changes with the 3rd parties. [Not with upstream]
> You can use a GPL library without making changes and contributing anything upstream
which is fine - your usage of GPL software doesn't affect anyone else. If you decide to charge for it, that's OK too - since if the market exists for such software, the price would equalize to the break-even point of the cost of production.
> You can use a GPL library internally and make changes without contributing anything upstream
If it's "internal", aka, not visible to the outside world, then that's fine too. There's no effect from anyone else's perspective.
> You can use a GPL library, make changes ... share the changes with the 3rd parties
This is the point i was trying to make - in this case, where you make changes, you have to share it. Even tho it's just the 3rd party, this 3rd party has the right to distribute these changes. And anyone that has access to the software is also the 3r party.
So, in other words, if you have visible effects to the outside world with your (changed) GPL software, you are effectively bound to contribute those changes for free, or relicense with the owner to hide those changes.
I have never worked at an organization that does not use GPL software in some way. It discourages shipping GPL components/dependencies in binaries which is the whole point of the license.
My org is currently evaluating several PDF generation (as well as general BI reporting software) solutions. Several of the options we're considering offer a free AGPL version and a paid commercial version. AGPL is a deal breaker for several members of my team (though not for me) so they would prefer the paid versions of the AGPL software.
So at least in my experience, yes dual-licensing can work
> In practice, GPL discourages corporate (=widespread) adoption, driving down the quality of open-source software
On the contrary, GPL tends to be associated with software from the era that predates the new "social coding" phenomenon. The tendency of folks whose first contact with OSS was GitHub and who are most likely to choose the MIT License usually give us brittle, highly niche devops boondoggle that is the byproduct of their responsibilities at their dayjob and that gets abandoned a couple years after being pushed out to GitHub (when the creator realizes the futility of trying to convince other programmers churning out corporate boondoggle that they or their company should pay the creator for their contribution to the mudpie).
As someone who has fallen into the idealism trap, I couldn't agree more.
Here's another opinion I've been mulling - the emphasis on FOSS is actively damaging to our community and we need to take steps to end it. We're highly trained professionals who often sacraficed a lot to get to where we are. Having this culture of giving away our professional work for free - often to people and organizations who can readily afford to pay for it - borders on masochism.
Instead of constantly singing the praises of open source, we should be encouraging a deep level of self-esteem in younger engineers by encouraging them to "know their worth".
There are of course clear and obvious benefits to FOSS - like no licensing friction and better security - but we have to find a sustainable way to reward the developers. Little donations here and there aren't going to do it either.
> Instead of constantly singing the praises of open source
i would differ in my opinion, because it's not the 'singing praises' that's the root cause, but that the creator of said FOSS library expecting money in some form for having provided value up front (either contributions or donations etc).
That's an expectation that will never live up to reality.
> we have to find a sustainable way to reward the developers
this exists already - charging for the software you develop. Or, develop a business model around the software - aka, the software is free, but is just the bait for consulting business.
My argument was not about one person being disappointed by expecting value and getting none - it was a broader point about the cultural encouragement - prevalent in engineering circles - of working for free.
To be specific - I think a good argument could be made for free development in the service of the underprivileged or other altruistic causes. However, a large portion or most development ends up benefitting large public corporations who make large profits. But because, as a culture, we encourage this work, we have basically set ourselves up to be exploited.
I recognize that this is an unpopular opinion and is difficult to make well, in a thread, without being downvoted. But I think there is always value at questioning our underlying cultural assumptions.
You have to use a permissive license, otherwise your software will be ignored by all distributions. Which means it won't be available even for non-profit users.
There should be a non-profit-software Linux distribution that is only for non-leeches. But as it is, the OSS landscape favors corporations.
I'm beginning to wonder how much that software-needs-to-be-free propaganda has been spread in the 90s and early 00s by the beneficiaries (corporations and foundations).
I think Retool is in the wrong, though I also think your emails were quite indirect.
Better to be direct. I think it's very possible the CEO did not fully internalize what you were implying by stating they're using your CDN, etc, and instead it just seemed like a sales email.
Hi all! I'm David, CEO @ Retool. I'm looking in to this right now and will update my comment here with a response in the next two hours.
Edit: just did a bit of digging.
It looks like we have a Retool template that has some fake data in it (https://retool.com/api-generator/). This is an app built in Retool, and has a few thousand rows of hard-coded data.
I just spoke to the engineers who worked on this project, and we are sorry for including links to fakercloud. This wasn’t intentional, and we just pushed a commit removing all avatars from the template. This is already deployed. I hope you all can understand why we trusted the data generated by the MIT licensed project, and didn’t think it would link to anything proprietary.
I myself am an engineer (and avid HN reader, as evinced by how I found this while reading HN on a Sat night), understand Marak’s frustration, and agree that monetizing OSS is hard. While we’ve already contributed around $10k to various libraries we use (https://opencollective.com/retool), including faker.js, Babel, ESLint, and JSON Schema, I’m going to see if there is more we can do. We’ll be writing a blog post about it this week and I will follow up with more next steps. I wonder whether there is a better way of sponsoring OSS, other than just donating dollars every month? (Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily?) In the meantime, we'll certainly continue sponsoring all the libraries we’re sponsoring already, including faker.js.
If it’s rectified upon the CEO finding out about it and he makes a true apology, and implements policy to prevent it from happening again, that’s better than just not saying anything and not doing anything to rectify the situation; however, most people here would agree that doing so doesn’t excuse the fact that he let it happen in the first place.
When Marak sent me the email, I read it as a "Hi, I built Faker, might you be interested in acquiring it?". I responded with a "yes, that could be interesting, give me a day to work on this". In the end, we decided that acquiring Faker didn't make sense, and I'm sorry to Marak for not sending a follow-up email telling him we weren't interested. In this case, the content is different (i.e. we are potentially abusing OSS), which is why I’m responding to this.
(FWIW, I typically receive 50 - 100 sales emails every day. I do try and reply to the ones that look interesting, but I do forget to follow-up sometimes if we're not interested! This does not excuse my behavior in this particular case, and I’m sorry to Marak for not following up.)
I wasn't convinced by this reply either, then I went back and read the actual email. It doesn't mention the problem at all, it's a straightforward sales pitch. Even I ignore tons of those regularly, it's kind of dishonest on the part of the developer to say "oh they caused me a problem, I emailed them and they didn't reply" without mentioning that he didn't mention the problem in the email at all!
Frankly the author of Faker seems like he went into this project with the clear intention of profit, but by releasing it for free, and then pressuring people into giving him money. It's almost predatory.
Especially since Faker.js doesn't do anything that much useful which can't be replicated in trivial time. You use it because it's available, like we all do with MIT licensed libraries.
He promised to look into the possibility of buying faker. The initial email said nothing about the gripes in this article. In fact, the author of the article did absolutely nothing to resolve this problem before writing the article itself.
David you're probably just getting nonstop flak for this and as the CEO of the "big bad" here just let me say that I feel genuinely bad for you. Whatever conversation you have to have behind the scenes is a truly stupid thing to have to do in this situation. The CDN thing is dumb and maybe arguably not how this should have been done but your team and their work doesn't deserve to be villified for doing basically nothing wrong other than a very simple email miscommunication.
Put another way, he forgot to get back to the guy whose project/hosting space his company was using, for a whole month, and he came back with a classy response and decent amount of detail. Everybody wins. Except the people who think there's a court in session here and are worried us plebians are putting _CEOs of companies_ on trial
Atleast put some effort into reading all the material if you want to shame somebody.
1) Initial email was sales pitch that did not touch the problem at all. Which retool responded to by the way.
2) CDN is hardcoded into the JS library. Why would you even do that and then shame people? If it’s against the ToS then you need people point to the ToS first. It’s the author’s fault here.
3) MIT license. How many times do we have to go through this. Retool could just fuck off but even before this witch hunt began, they were already donating.
4) Some human communication explaining the problem wouldn’t hurt. Personally I’m more likely to turn down using faker.js now.
This is a very good overview of the situation. It's sad how Retool's name was dragged through the mud for daring to use an MIT licensed open source project.
They still need to be dragged a bit for copying someone's project. There is nothing against it in the license, but it is still pretty crappy to copy someone's offering and offer it up for free. Especially when you built your free offering on the back of the product you are killing.
I disagree. If you don't want anyone just come by, copy your product and offer it for free, don't release it under MIT. There is no "bro code" when it comes to software licenses.
It's generally considered bad form to privatize OSS for your own gain, whether there's a price tag on it on day 1 or not. Ex. VLCs issues over the years
By its very nature, the "bro code" refers to a "code" that doesn't actually exist, which makes your comment quite ironic. On measures of aptness, that makes it a comparison that's not apposite at all, but instead opposite.
> CDN is hardcoded into the JS library. Why would you even do that and then shame people?
It’s worth noting that before the fakercloud.com URLs were hard-coded into the library, the library was hard-coding a different service’s S3 URLs (uifaces.co) and only stopped when they became inaccessible:
So it seems a little unfair to complain that Retool are embedding URLs to your CDN when this library was doing the same thing to UI Faces a few months ago.
Is there some reason that, at least 13 hours later, the blog post hasn’t been replaced with a mea culpa for accusing these folks of something that ended up being a problem in your own library?
My understanding is they used faker.js to generate urls, and those urls referenced fakercloud. So the open source project faker.js ends up pointing you at fakercloud without realizing it.
Oh, damn. I thought I’d read further down the thread that they were one and the same but I see he specifically says otherwise. I guess it’s me that owes the mea culpa.
I don't think your company did anything wrong. The CDN is hard codes into the library as far as I can tell.
Ultimately there are two separate issues.
1. The CDN thing, of course.
2. The open source monetization never ending problem.
The first can be fixed with a simple change to the library. The second your company is already trying to help in part. Ultimately open source is not easily monetizable...
They voluntarily donated $2000 to faker.js as I can see from opencollective link. It definitely looks like they love supporting open-source and not trying to rip-off small devs.
It's a bit odd that if they hadn't done that, faker.js wouldn't have found out that they were using it that much, and couldn't have sent them the sales pitch in the first place.
In an a bit odd way, this time, donating to OSS, resulted in "bad press" at least for a while.
I hope things will end in a good way, somehow, for everyone
Hey David, I really feel for you. These PR-esque situations are never fun, but I think you’ve done an excellent job of handling this.
I believe there is a bias people have of viewing (somewhat ironically) things in terms of a “David vs. Goliath” lens. Everyone loves rooting for the little guy, even when the little guy is objectively incorrect.
Hope your weekend goes better than it has been so far! Retool is an excellent product by the way :)
“Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily”
This could be more disruptive than helpful as very few engineers would contribute much one day a month. Would you hire a developer for 1 day per month? They would more likely burden the experienced developers with questions and poor code submissions that need to be reviewed and then forget what they learned a month before.
Time to go back to Stallmanism and license with GPL or AGPL. Besides using your own cloud service (obviously terrible) there’s no theft of “Intellectual Property” when someone takes your MIT licensed code and sells it under their own name.
One of the things I liked about this submission was its tone: the lack of vindictiveness.
We are quickly made aware that we are reading an article made by the author of faker.js. The facts are laid out, mostly without embellishment. Though we understand the author is biased, they leave it to the reader to form their own conclusion. Overall, I appreciated how I was treated as a reader while reading this piece.
As for the matter at hand: despite the MIT license's permissive attitude in this case, it just speaks to the company being complicit somehow in... I don't know what to call it? Shady-ness? I hope you find a worthwhile resolution.
I see clear vindictiveness laid out in the facts, or at least passive aggressiveness stemming from fear of conflict.
Note that in the initial email spurned on by the actions of the company, the concern with them using the paid service to generate a free service is not mentioned at all. Just a sales pitch for a product. He is lucky he even got a response.
A proper email would have directly addressed the concern the author actually had. But he didn't do that. He didn't say "you guys are using my service to provide it to others for free" he said "hey I see you guys use my product, want to buy it?" And then when they didn't he wrote an article about how they're basically stealing from him.
1. If you wanted Retool to stop using your service, you should have said it up front instead of beating around the bush. From what I can gather from your emails, you sent their CEO a random sales pitch and he ignored it. Hard to fault him for that.
2. I love faker.js. I have used it in the past, and I'm sure several teams in my company use it today. I would, however, never ever pay for your cloud service, simply because taking a dependency on a third party hosted website to run unit tests is madness. The old school corporate software licensing model might be losing favor, but that does not mean it isn't apt for any use case. If faker.js was still downloadable but needed a license key to run I'm sure people would pay for it. It would probably be the easiest thing in the world to bypass, but the same Fortune 500 companies you mention would gladly break our their checkbooks rather than risk getting sued.
Exactly: Most modern browsers respect CORS. If you send response header "Access-Control-Allow-Origin: *", you're saying any origin can load the response. Clearly, the owner of cdn.fakercloud.com didn't want that behavior.
The server can inspect the Origin header, and if the maintainer doesn't want to support the domain, then don't send the CORS Access-Control-Allow-Origin response header.
No... it was pretty hard to know what Marak wanted just by that email. Knowing the backstory, yes, you could see that. Just reading that email alone, no way would someone understand that "you're using my product in a way I'm not happy about" was the intent.
233 comments
[ 3.0 ms ] story [ 267 ms ] threadI am a user of retool but for companies with access to your data you expect a bit of integrity. Would be really interested to know what retools response is.
You should follow up a couple of weeks from now on HN if nothing happens.
Using images from Faker's CDN is scummy and potentially illegal, but fairly minor overall.
But everything else is.
You don’t want startups using your IP? Don’t license it to them for free with no restrictions. Duh.
1) Write open source code
2) ???
3) Profit
https://github.com/Marak/faker.js/blob/c9764abd20a198e318367...
1. Have paid service.
2. Have free MIT software that violates the TOS of your own paid service.
3. Comes along a company, uses your MIT software as is.
4. Whine for money, because your TOS is violated.
What's amazing to me is that they're using his CDN. Does this company have such terrible code review that they forgot to use their own CDN? Definitely makes me think twice about the quality of Retool's software.
https://github.com/Marak/faker.js/blob/c9764abd20a198e318367...
Still something Retool should have caught, but a poor choice on Marak's end too
Would it be a good option to relicense the project under the AGPL/SSPL or whatever licenses (how MongoDB/Elastic/Anaconda have done) to get credit?
Serving shock images or other rude content is just the particular mitigation that makes me giggle.
If Retool sees that their customers don't care enough to leave because of this, then why would they bother making things right?
Always amazes me how intent people are at trying to frame comments in the least charitable way possible. We all support this person getting paid for their work. End of story.
This needs attention though that's for sure. I'm sure at least one of the Retool engineers read Hacker News so hopefully that will help get traction.
Developers: think long and hard about the license that's right for your project before you push out to the world. I can't help but feel that free/open source software has become a lot less altruistic in the era of Github. We gained quantity and quality, but lost something else that's difficult to express: innocence? Not every project needs to be a job/startup/foundation (cue Left-Pad LLC). I daresay, not all projects ought to be monetized, period.
Unless you are super rich, you can't afford to do open source.
Also I noticed that the tool[0] that is referenced in the blog post no longer contains the "Avatar" field.
0. https://retool.com/api-generator
(1) https://www.reddit.com/r/javascript/comments/jquo97/fakerjs_...
And I’m not charitable to retool. They’re opportunists. But they were provided with a screaming opportunity here.
It’s like getting naked, rubbing some condiments on yourself, going to the woods and screaming EAT ME. Eventually something will start chewing on you, and then you start whining about how unfair life is? Please.
How many other OSS libraries are they using? If Retool should get 10x that amount, how much should they be paying out to every other library author that published an open source/free-as-in-freedom library?
Can't blame Retool for deciding $500 is adequate, when the author's advertised price for Faker is $0.
It's like something out of Curb Your Enthusiasm: "I don't want money" means "I want money". And "anything helps" means "actually anything below UNSPECIFIED AMOUNT is insulting". Like, how the F do you deal with such people? It's just bait and switch blackmail.
This is probably retool using faker assets for testing and forgetting this in production.
Retool is paying a fakercloud subscription and using it to power their product which does not sounds like an issue at all?
Actually it sounds like you gave them permission, then regretted it.
If so, do your TOS prohibit reselling?
If so, call a lawyer. If not, rewrite your TOS, then call a lawyer.
Don't use a license that's more permissive than you're willing to tolerate.
It's absurd to me for a project to publish something with a 100% open source license and then complain when somebody tries to profit off of it.
Doesn't really matter how egregious or large the perpetrator is. If you want exceptions, write it into the license. People want the goodwill that comes with open source, without accepting the consequences.
That being said, I do empathize with the plight of the author. Perhaps they were naive to this possibility.
"If you can't see the image, Retool's new service is using images hosted from fakercloud.com"
There's a difference between using someone's software and using someone's servers.
But it seems very similar in concept to automated web scraping, which has been deemed legal in the US.
Please nobody hear listen to this guy. I don't want to live in that world.
There are simply those who choose to accept it and those who don't!
Recognizing this fact and operating with that as an assumption is important.
E.g., if the author is obviously asking for sponsorship to maintain the project, as a major user/customer, you should consider a donation. Otherwise, you should be stripped of the benefit of the doubt, regarding the question, whether you are a civil person or not. Likewise, you shouldn't engage in actions, which are prone to doom (economically or otherwise) the project you're profiting from.
If you don't want people to make money off your software, or use it a certain way, don't put it under a license that says it's fine to do so.
Not so much an issue with them using faker.JS, though honestly companies should do more to pay for development of these kinds of libraries that they depend on, it isn’t the core issue here
Which by the way is a great service if you are in the market and would fully managed fake data api
But if so, then definitely a problem. They would then have a valid legal case against the company, I assume.
If faker.js, an open source library, creates links to fakercloud.com - a for-profit offering, then someone who is merely using faker.js isn't falling afoul of the fakercloud.com TOS since they were never even presented with it in the first place.
https://github.com/Marak/faker.js/blob/c9764abd20a198e318367...
Writing restrictions into the license makes sense in theory. Actually enforcing that license against an uncooperative company will take far more time, money and effort than most people are willing to spend.
Certainly an individual dev could pull in a library with a non permissive license without the broader business being aware. Or, I do agree, there may be particularly corrupt companies that knowingly violate terms of a license... But that's going to be less common than not.
Having worked for big tech, I can assure you they are very strict with licensing.
In this case it's a fast and loose startup, so I agree that it may have happened regardless. But at a certain scale these kind of things will be caught.
But you're not going to get AWS cloning your project if your license doesn't permit it.
That being said, AFAIU violating the GPL of the Linux kernel is very common in the embedded world. A lot of that is made in places largely out of reach of Western IP laws, and by the time anybody gets around to do something, the fly by night company responsible has ceased existing, replaced by a new company currently working on a device five generations ahead, again committing GPL violations.
which means either the market they serve don't care, or don't have enforcement within reach of the western courts. But then, them "stealing" GPL nor not won't really affect the owner of the GPL software, since the world would've been the same to them whether the fly-by-night company violated them, or did not exist in the first place.
I'm not aware of widely used templates for this kind of license, but definitely needs to become more common.
We need something like this in spirit but which uses a legal mechanism thats more reliable.
From tfa:
Most Fortune 500s are using Faker in some capacity. The scope of the Faker project is not small... Who pays for Faker development? No one... Most of these donations are from fellow developers, and not enterprises or corporations.
I don't think there's a single OSS license that'd force corps to pony up. Too restrictive terms and they'll simply go looking elsewhere.
Google does OSS right. Open source to commoditize your competitor's advantages, not to strengthen your own.
I guess the lesson is don't be that guy whose business plan is
1. Write FOSS 2. ... 3. Profit!
There is no such license, and there can't be. Just as a license that prohibits use by the military can't be open source, neither can a license that prohibits use by, or requires payment from, corporations.
Dual licensing under GPL (or AGPL) and a commercial license is the closest you'll get, and it relies on the aversion many corporations have to the GPL, rather than adding restrictions per-se.
Redis and Elastic tried something Frankenstein by mixing Apache and custom license code in the same repo, which spooked them and the community for good measure, with Elastic, later, notoriously doubling-down on "open" with SSPL.
Of all the source-available licenses, I like BSL by MariaDB, better.
https://qbix.com/QBUX/whitepaper.html#Monetizing-Open-Source
The cost of using GPL licences is that any changes you make to it everybody gets to have and anything you create with it has to be licensed under that licence. It was designed to create a viral effect so that free software remained free and that people could make money from those who didn't like free.
The MIT licence says "I have tenure in some organisation that is getting its money from something else and which can pay me to spend time on this".
Does GPL ever work this way? In practice, GPL discourages corporate (=widespread) adoption, driving down the quality of open-source software, and creating the market for paid closed-source software (which is often worse than open-source software, but packaged better). I'd love to see cases where a GPL-dev successfully negotiates a reasonable "cost-plus" arrangement with a company for a non-free license.
Your analysis of the MIT license is spot-on, btw.
isn't that a contradiction? How can it be worse, but packaged better, if the packaging is what people are paying for?
> GPL discourages corporate (=widespread) adoption
and i believe this is because most GPL software doesn't provide enough value over the cost. But for MIT style licenses, there is zero cost, and thus, adoption must be high by the laws of supply/demand!
In other words, the excess value provided by the software under an MIT license is extracted and kept by the corporations using it. GPL licenses forces some sort of non-monetary compensation in the form of contributions, and thus, the corp cannot extract and retain the full value of the software (and hence, they correctly decide to make a cost/benefit analysis, and choose the most profitable decision).
No, this is false.
- You can use a GPL library without making changes and contributing anything upstream
- You can use a GPL library internally and make changes without contributing anything upstream
- You can use a GPL library, make changes and distribute it to 3rd parties and, only in that case, you simply have to share the changes with the 3rd parties. [Not with upstream]
which is fine - your usage of GPL software doesn't affect anyone else. If you decide to charge for it, that's OK too - since if the market exists for such software, the price would equalize to the break-even point of the cost of production.
> You can use a GPL library internally and make changes without contributing anything upstream
If it's "internal", aka, not visible to the outside world, then that's fine too. There's no effect from anyone else's perspective.
> You can use a GPL library, make changes ... share the changes with the 3rd parties
This is the point i was trying to make - in this case, where you make changes, you have to share it. Even tho it's just the 3rd party, this 3rd party has the right to distribute these changes. And anyone that has access to the software is also the 3r party.
So, in other words, if you have visible effects to the outside world with your (changed) GPL software, you are effectively bound to contribute those changes for free, or relicense with the owner to hide those changes.
I have never worked at an organization that does not use GPL software in some way. It discourages shipping GPL components/dependencies in binaries which is the whole point of the license.
it works very well for Qt
So at least in my experience, yes dual-licensing can work
On the contrary, GPL tends to be associated with software from the era that predates the new "social coding" phenomenon. The tendency of folks whose first contact with OSS was GitHub and who are most likely to choose the MIT License usually give us brittle, highly niche devops boondoggle that is the byproduct of their responsibilities at their dayjob and that gets abandoned a couple years after being pushed out to GitHub (when the creator realizes the futility of trying to convince other programmers churning out corporate boondoggle that they or their company should pay the creator for their contribution to the mudpie).
Here's another opinion I've been mulling - the emphasis on FOSS is actively damaging to our community and we need to take steps to end it. We're highly trained professionals who often sacraficed a lot to get to where we are. Having this culture of giving away our professional work for free - often to people and organizations who can readily afford to pay for it - borders on masochism.
Instead of constantly singing the praises of open source, we should be encouraging a deep level of self-esteem in younger engineers by encouraging them to "know their worth".
There are of course clear and obvious benefits to FOSS - like no licensing friction and better security - but we have to find a sustainable way to reward the developers. Little donations here and there aren't going to do it either.
i would differ in my opinion, because it's not the 'singing praises' that's the root cause, but that the creator of said FOSS library expecting money in some form for having provided value up front (either contributions or donations etc).
That's an expectation that will never live up to reality.
> we have to find a sustainable way to reward the developers
this exists already - charging for the software you develop. Or, develop a business model around the software - aka, the software is free, but is just the bait for consulting business.
To be specific - I think a good argument could be made for free development in the service of the underprivileged or other altruistic causes. However, a large portion or most development ends up benefitting large public corporations who make large profits. But because, as a culture, we encourage this work, we have basically set ourselves up to be exploited.
I recognize that this is an unpopular opinion and is difficult to make well, in a thread, without being downvoted. But I think there is always value at questioning our underlying cultural assumptions.
All this "it's not real OSS" bullshit needs to end. People who make libraries like this gotta eat.
There should be a non-profit-software Linux distribution that is only for non-leeches. But as it is, the OSS landscape favors corporations.
I'm beginning to wonder how much that software-needs-to-be-free propaganda has been spread in the 90s and early 00s by the beneficiaries (corporations and foundations).
Better to be direct. I think it's very possible the CEO did not fully internalize what you were implying by stating they're using your CDN, etc, and instead it just seemed like a sales email.
Edit: just did a bit of digging.
It looks like we have a Retool template that has some fake data in it (https://retool.com/api-generator/). This is an app built in Retool, and has a few thousand rows of hard-coded data.
Most of this fake data is self-generated, but we used the faker.js library (https://github.com/marak/Faker.js/) to generate three datatypes: IP address, avatar, and industry. This MIT licensed library, when used, creates data that links directly to fakercloud (https://cdn.fakercloud.com/avatars/). Here is the code itself: https://github.com/Marak/faker.js/blob/master/lib/internet.j..., and here is a demo that shows the library generating those links: https://rawgit.com/Marak/faker.js/master/examples/browser/in....
I just spoke to the engineers who worked on this project, and we are sorry for including links to fakercloud. This wasn’t intentional, and we just pushed a commit removing all avatars from the template. This is already deployed. I hope you all can understand why we trusted the data generated by the MIT licensed project, and didn’t think it would link to anything proprietary.
I myself am an engineer (and avid HN reader, as evinced by how I found this while reading HN on a Sat night), understand Marak’s frustration, and agree that monetizing OSS is hard. While we’ve already contributed around $10k to various libraries we use (https://opencollective.com/retool), including faker.js, Babel, ESLint, and JSON Schema, I’m going to see if there is more we can do. We’ll be writing a blog post about it this week and I will follow up with more next steps. I wonder whether there is a better way of sponsoring OSS, other than just donating dollars every month? (Maybe we could commit one engineering-day per month for contributing back to OSS libraries we use heavily?) In the meantime, we'll certainly continue sponsoring all the libraries we’re sponsoring already, including faker.js.
(Also: I’m sorry to Marak for not responding to his email re. acquiring Faker. More in this child thread: https://news.ycombinator.com/item?id=27252420)
You promised this last time. Why is a post on Hacker News any different than a private email?
(FWIW, I typically receive 50 - 100 sales emails every day. I do try and reply to the ones that look interesting, but I do forget to follow-up sometimes if we're not interested! This does not excuse my behavior in this particular case, and I’m sorry to Marak for not following up.)
> I do try and reply to the ones that look interesting, but I do forget to follow-up sometimes if we're not interested!
Especially since Faker.js doesn't do anything that much useful which can't be replicated in trivial time. You use it because it's available, like we all do with MIT licensed libraries.
Good luck with this all.
1) Initial email was sales pitch that did not touch the problem at all. Which retool responded to by the way.
2) CDN is hardcoded into the JS library. Why would you even do that and then shame people? If it’s against the ToS then you need people point to the ToS first. It’s the author’s fault here.
3) MIT license. How many times do we have to go through this. Retool could just fuck off but even before this witch hunt began, they were already donating.
4) Some human communication explaining the problem wouldn’t hurt. Personally I’m more likely to turn down using faker.js now.
people way overreact online
It’s worth noting that before the fakercloud.com URLs were hard-coded into the library, the library was hard-coding a different service’s S3 URLs (uifaces.co) and only stopped when they became inaccessible:
https://github.com/Marak/faker.js/commit/e45648439ff5dd9adbe...
https://github.com/Marak/faker.js/issues/1055
So it seems a little unfair to complain that Retool are embedding URLs to your CDN when this library was doing the same thing to UI Faces a few months ago.
I don't think your company did anything wrong. The CDN is hard codes into the library as far as I can tell.
Ultimately there are two separate issues.
1. The CDN thing, of course.
2. The open source monetization never ending problem.
The first can be fixed with a simple change to the library. The second your company is already trying to help in part. Ultimately open source is not easily monetizable...
In an a bit odd way, this time, donating to OSS, resulted in "bad press" at least for a while.
I hope things will end in a good way, somehow, for everyone
I believe there is a bias people have of viewing (somewhat ironically) things in terms of a “David vs. Goliath” lens. Everyone loves rooting for the little guy, even when the little guy is objectively incorrect.
Hope your weekend goes better than it has been so far! Retool is an excellent product by the way :)
This could be more disruptive than helpful as very few engineers would contribute much one day a month. Would you hire a developer for 1 day per month? They would more likely burden the experienced developers with questions and poor code submissions that need to be reviewed and then forget what they learned a month before.
We are quickly made aware that we are reading an article made by the author of faker.js. The facts are laid out, mostly without embellishment. Though we understand the author is biased, they leave it to the reader to form their own conclusion. Overall, I appreciated how I was treated as a reader while reading this piece.
As for the matter at hand: despite the MIT license's permissive attitude in this case, it just speaks to the company being complicit somehow in... I don't know what to call it? Shady-ness? I hope you find a worthwhile resolution.
Note that in the initial email spurned on by the actions of the company, the concern with them using the paid service to generate a free service is not mentioned at all. Just a sales pitch for a product. He is lucky he even got a response.
A proper email would have directly addressed the concern the author actually had. But he didn't do that. He didn't say "you guys are using my service to provide it to others for free" he said "hey I see you guys use my product, want to buy it?" And then when they didn't he wrote an article about how they're basically stealing from him.
1. If you wanted Retool to stop using your service, you should have said it up front instead of beating around the bush. From what I can gather from your emails, you sent their CEO a random sales pitch and he ignored it. Hard to fault him for that.
2. I love faker.js. I have used it in the past, and I'm sure several teams in my company use it today. I would, however, never ever pay for your cloud service, simply because taking a dependency on a third party hosted website to run unit tests is madness. The old school corporate software licensing model might be losing favor, but that does not mean it isn't apt for any use case. If faker.js was still downloadable but needed a license key to run I'm sure people would pay for it. It would probably be the easiest thing in the world to bypass, but the same Fortune 500 companies you mention would gladly break our their checkbooks rather than risk getting sued.
A limited defense. I've only ever seen browsers respect CORS.
The server can inspect the Origin header, and if the maintainer doesn't want to support the domain, then don't send the CORS Access-Control-Allow-Origin response header.
I.e. not first finding out if it's something people want to pay for, before building the SaaS.
A mistake that's easy to do
http://momtestbook.com
https://www.youtube.com/watch?v=FG1Fa-t4AEQ
It isn't hard to figure out what he really wanted: Some compensation for a product that has been used in a parasitical (but legal) manner.