LWN: Comments on "GitHub announces Open Source Friday"

GitHub announces Open Source Friday

sbaugh — Sun, 02 Jul 2017 15:16:37 +0000

It appears that it just tracks when you submitted patches to a project hosted on Github.

GitHub announces Open Source Friday

andresfreund — Fri, 30 Jun 2017 20:33:41 +0000

Which Joel's article, referenced in the comment you're replying to, explicitly mentions.

GitHub announces Open Source Friday

Cyberax — Fri, 30 Jun 2017 19:40:14 +0000

Lots of companies (e.g. Amazon) have contracts that explicitly state that developers' free time is their own and that the employer doesn't own IP produced during the spare time.

GitHub announces Open Source Friday

dtlin — Fri, 30 Jun 2017 19:03:27 +0000

Developers’ side projects – Joel on Software has more details about IP assignment in US employment contracts and why they work the way they do.

You could argue that the standard employment contract overreaches. I don't think you'll ever find one that underreaches, though. They're written to be maximally advantageous to the employer, as contra proferentem will only take away from them.

GitHub announces Open Source Friday

mirabilos — Fri, 30 Jun 2017 14:41:29 +0000

My employer just uses OSS components from employees under their general OSS licences and honours them.

Shame on GitHub for not doing so, then.

But then, in the USA, they have a strange view at employed people creating works in their spare time, anyway…

GitHub announces Open Source Friday

mirabilos — Fri, 30 Jun 2017 14:39:28 +0000

What’s the website for?

I mean, explaining about it, sure, but what’s the login there for? I literally don’t get it.

GitHub announces Open Source Friday

pizza — Fri, 30 Jun 2017 11:17:44 +0000

> Who's going to get into bigger trouble when a kid breaks in and gets seriously injured or killed - a building contractor who doesn't bother locking his building site, or a building contractor who secures the site with padlocks and barbed wire?

You'd be surprised -- A rural property of mine has a fence along part of its perimeter. This means the land is technically "improved", which means it no longer falls under the general "empty land" clauses of laws shielding me from civil liability should someone tresspass during hunting season, drink the night away with a buddy, and in the process accidentally shoot themselves while cleaning their guns, I, as the landowner, can still be held liable.

Yes, the whole premise is completely insane, but that doesn't make the legal risk any less crippling. Consequently, I carry an insurance policy to protect my posterior from random local rednecks.

</rant>

GitHub announces Open Source Friday

Wol — Fri, 30 Jun 2017 09:51:50 +0000

> The only uncovered case is code brought in that an employee does not own and thus cannot give a license for.

That was why I said the employee indemnifies the company. Okay, as was pointed out, the employee may not be financially able to indemnify the company, but the reality is the employee would probably have done it anyway.

All this does is give the company "plausible deniability" as in "we told our employees to give us a licence to any code from outside that they incorporated 'as if they'd written' it. This employee broke the rules". You can't (easily) stop employees from breaking the rules. All you can do is cover your backside.

If you've got procedures and contracts in place, it makes it easier to place blame, and while it may not help put things right, it should help protect you from the worst of the consequences. Who's going to get into bigger trouble when a kid breaks in and gets seriously injured or killed - a building contractor who doesn't bother locking his building site, or a building contractor who secures the site with padlocks and barbed wire?

Cheers,
Wol

GitHub announces Open Source Friday

paulj — Thu, 29 Jun 2017 11:00:58 +0000

That sounds like a general failing in procedures in reviewing licensing of 3rd party proprietary code. Trying to give one's company over-arching rights to employees prior works does not address that - it will far more often be the case that employees incorporate external code from some 3rd party than their own prior code.

GitHub announces Open Source Friday

MattJD — Wed, 28 Jun 2017 23:17:12 +0000

AFAICT, this is what the contract is trying to do. Code wrriten during company time is the companies, as it is work for hire. Code written outside the company is yours, it's not work for hire. If you bring in your own code that wasn't developed during company time (either before or during empolyment), then the company gets a license for that code. The license is broad to avoid a potential conflict later.

The only uncovered case is code brought in that an employee does not own and thus cannot give a license for. That would probably be handled separately, and is the hard problem (see all the various GPL violations flying around). I'm not sure idemnifying would help here, as an employee could cause more damage then they could ever possible correct for.

I wouldn't want my own code considered work for hire, as that has specific meanings in law. I rather just give a license to the company. If I don't want my code licensed, I won't bring it to work.

GitHub announces Open Source Friday

Wol — Wed, 28 Jun 2017 21:51:04 +0000

Surely they can just put it in the contract that any code written for the company is a "work for hire" - as per the normal state of affairs - and that any code that was not originally written for the company but is incorporated as if written by the employee is licenced to the company for use in any of the company's products as if it were a work for hire. The employee also indemnifies the company if he has no right to include the code.

Cheers,
Wol

GitHub announces Open Source Friday

MattJD — Wed, 28 Jun 2017 15:57:50 +0000

Regarding the risk, I agree companies often try to grab as many rights to "just in case". I've had an IP agreement I signed that claimed all IP I made (including my own time) unless I got specific company permission after the IP was already made (having that happen once was enough to ensure I'd be more careful in the future).

I have a feeling that license is meant more for software directly incorporated into a product, as opposed to a third party library linked to it. If you have a utility class you bring in for use by the company, the company wants to ensure they have a license. That clause gives them that ability. I'm not sure how you could word that differently to ensure they would always have a license without allowing employees to play games with the wording.

GitHub announces Open Source Friday

pboddie — Wed, 28 Jun 2017 15:23:12 +0000

In response to your other reply, I linked to the text in my previous reply to Wol.

As for "companies not wanting to expose themselves to risk", I guess people hear that a lot when confronted with overreaching agreements that some lawyers insist are only written as they are "just to be sure". I would have thought that general licensing policies on code introduced to products would cover this and many other more risky cases, but it sure is easier for a company to just claim as many privileges as they can from an employee instead.

And given that external projects may well have multiple copyright holders, they don't get any protection from such clauses, anyway: the other copyright holders can still insist on the licence being respected. Maybe the ideal kind of "open source" for such employers is "lone coder" kind of stuff that they can assimilate. Otherwise, I imagine that the employee would be required to exert pressure on those other project contributors to grease the wheels of commerce "for the good of the project", but really just to keep their job.

GitHub announces Open Source Friday

MattJD — Wed, 28 Jun 2017 14:42:51 +0000

> And I guess stuff owned by former employers isn't affected. But it hardly respects your own licensing choices when they effectively say "thanks for working for us and giving us privileged access to your stuff". Why can't such an employer just respect the licence?

I think this is a general protection clause, so you can't incorporate your external AGPL licensed project into Github's software, then leave Github and sue them for violating your copyright license. Or worse, claim your (propietary) license to Github expired when Github fired you from your job and they now owe you one billion dollars.

Admittedly, those are probably both rare situations. But companies are not wanting to expose themselves to risk either.

GitHub announces Open Source Friday

MattJD — Wed, 28 Jun 2017 14:37:29 +0000

> I also think that various GitHub terms of service have crept in when it says things like "IP you created prior to working for the Company [is] still yours, of course, but you grant the Company a nonexclusive, irrevocable, fully paid-up, royalty-free, perpetual, sub-licensable, transferable, worldwide license to use it without restriction in any way or implementation, in modified form, or as is, by itself, or incorporated into another product or service".

Where did this quote even come from? I've searched through the history of the document, and I cannot find this quote anywhere. The closest up to date version is:

> Contribution of your IP to Company projects. If you include your own IP – such as IP you created prior to working for the Company – into a Company product or service, it's still yours, of course, but you grant the Company a nonexclusive, irrevocable, fully paid-up, royalty-free, perpetual, sub-licensable, transferable, worldwide license to use it without restriction in any way or implementation, in modified form, or as is, by itself, or incorporated into another product or service ("License"). If you include your name in any project over which the Company would have rights under this Agreement, such as in a copyright notice or a comment in code or documentation, then the License covers the rights associated with that use of your name as well.

Which limits this to only IP you incorporate into the company's projects. You can still disagree with that version, but it doesn't try to imply the company has a license to everything you've made before your employment.

GitHub announces Open Source Friday

pboddie — Wed, 28 Jun 2017 14:23:44 +0000

Sorry, I should have put that in more context, which is to say that this supposedly only occurs "if you include your own IP – such as IP you created prior to working for the Company – into a Company product or service".

So, it supposedly doesn't affect other things you've done and own yourself, at least if you don't include it in your work for the employer, and provided the employer doesn't manage to claim it as being "related to" their portfolio (including random vapourware and things that might have been scrawled on a whiteboard somewhere), anyway.

And I guess stuff owned by former employers isn't affected. But it hardly respects your own licensing choices when they effectively say "thanks for working for us and giving us privileged access to your stuff". Why can't such an employer just respect the licence?

GitHub announces Open Source Friday

Wol — Wed, 28 Jun 2017 12:20:26 +0000

> "IP you created prior to working for the Company [is] still yours, of course, but you grant the Company a nonexclusive, irrevocable, fully paid-up, royalty-free, perpetual, sub-licensable, transferable, worldwide license to use it without restriction in any way or implementation, in modified form, or as is, by itself, or incorporated into another product or service"

Except that that is blatantly not true ...

I've created loads of IP for former employers. If a new employer put that in my employment contract, that would basically claim for said new employer a licence to loads of stuff I have no right to grant a licence for!!!

Yes I know they'll try and weasel out of it by saying it doesn't apply to former "work for hire", but taken at face value it is clearly errant nonsense.

Cheers,
Wol

GitHub announces Open Source Friday

pboddie — Tue, 27 Jun 2017 22:54:46 +0000

It also sounds a bit like "everybody pitch in so that we get more stuff for free", with vague noises about how their employees and those of other high-valuation corporations are potentially investing as much as 5% of their time contributing to "open source". I guess that as long as it happens on GitHub, mission accomplished.

What I did find somewhat interesting was the "balanced employee IP agreement", although I personally don't think it moves any great distance from the current sad state of corporate affairs when it refers to works "related to an existing or prospective Company product or service at the time you developed, invented, or created it", meaning that the employer more or less gets to lay claim to stuff, anyway.

I also think that various GitHub terms of service have crept in when it says things like "IP you created prior to working for the Company [is] still yours, of course, but you grant the Company a nonexclusive, irrevocable, fully paid-up, royalty-free, perpetual, sub-licensable, transferable, worldwide license to use it without restriction in any way or implementation, in modified form, or as is, by itself, or incorporated into another product or service".

So, we have some good intentions on display, if I am to frame this charitably.

GitHub announces Open Source Friday

SEJeff — Tue, 27 Jun 2017 22:04:18 +0000

To be fair, Rails upstream also ignored Eugene's request, which is why he committed to rails/rails:master, to prove the mass assignment vuln was a real thing.

GitHub announces Open Source Friday

flussence — Tue, 27 Jun 2017 21:40:27 +0000

It's a shame GitHub has such a marketing-weasel/programmer imbalance in their own ranks these days they can't even practice what they preach.

2 hours a week of them contributing back would have made Pygments better for everyone and saved years of reinventing a worse wheel. 2 hours a week responding to pull requests that have been sitting in their Linguist repos for months would alienate far fewer people. Maybe they could've set aside 2 hours a week to look into security vulns like the one homakov tried to politely inform them about repeatedly...