Open Source and copyright infringement
Yesterday Till Klampaeckel proposed an S3 stream handler for PEAR. A great idea, as this should make integrating PHP and S3 very easy.
However, it didn't take long for Cesar Rodas to respond to the proposal, claiming he was the original author of the code. Till first denied the allegations, but after Gregory Beaver presented the undeniable proof, Till claimed he got the code from an intern at the company he worked with, who apparently lied about where he got the code from and stripped out the original copyrights, violating the BSD license.
Cesar will now be credited for his code, so the issue seems somewhat resolved. This does however show a bigger problem.
If the code had made it through PEAR and been put to use in commercial applications, Cesar would have been able to claim his copyrighted code and, for example, sue the PHP Group or companies making use of the code. This is also exactly why any contributions to the Zend Framework requires a CLA to be signed, which effectively makes the coder responsible for only submitting code he or she owns. If a mistake such as this one would have been made, the original contributor would be liable for the legal violations, and not Zend or the entity using the code.
So the lesson of the day is: if you're going to contribute to any open source project, make absolutely sure you own the code or got explicit permission from the original author. If you don't, you can put both the open source project and the people who use your code in danger. Additionally, giving credit where it's due is the decent thing to do (and so is apologizing in case you did make a mistake).
Chuck Burgess • The tone of your description of the situation here is disappointing. If your intention really is "won't make any unverified claims", then less inflammatory phrases than "denied the allegations" and "claimed" would have been better... as written, this has a "Till is a liar, but you didn't hear it from me (wink wink)" edge to it.
Pierre • Not only are the tone and the post itself ridiculous, but to read again such nonsense about how safe the Zend Framework is regarding IP is even worse.
No CLA can protect it against such cases. As a developer using code violating copyright, you will be in trouble as soon as you get a lawyer on your back. No matter if it is Zend with a clean IP, PEAR, cakephp or symfony.
Now, talking about code theft, I can't remember how many copy/pastes from PEAR packages I found without any notice or copyright. Not to mention a light refactoring to make it look different.
About giving credit where it's due: it is not a decent thing, you have to do it. And not only for the beauty of the gesture.
Chuck Burgess • This whole situation makes me wonder if I need to videotape myself during all my coding sessions, to _prove_ that I started all development work from an empty screen.
Hey, maybe we can all start uploading video files along with all our code patches...
Chris Shiflett • The criticism regarding tone is valid, but I don't think Evert is claiming that a CLA would prevent this scenario. What he said was that a CLA would place the legal burden on the contributor:
"This is also exactly why any contributions to the Zend Framework requires a CLA to be signed, which effectively makes the coder responsible for only submitting code he or she owns. If a mistake such as this one would have been made, the original contributor would be liable for the legal violations, and not Zend or the entity using the code."
Evert • Hi Guys,
Maybe I should have reworded some of the things I said here. I do try to stay objective and keep my opinion out of my posts.
I simply disliked the fact that his first response was 'I deny all allegations', to be followed with admitting that he didn't know where the code was coming from and that it did in fact look like a straight copy.
If all this was followed with an apology my tone would have been 180 degrees different. I don't think Till is a liar, and if I came across that way I'd like to apologize for that. I'll take the second paragraph out of the article.
(The paragraph said: "Whether Till actually did steal the code, or if he was misled is unclear to me, and I won't make any unverified claims."; I'd also not want to lose journalistic integrity.)
Cesar D. Rodas • Copying one or two functions and a few lines is one thing, or fixing bugs.
But COPYING the whole project, including examples, English mistakes in comments :), and everything, just changing the name of the author and a few variable names, that is not good...
What would you think if someone were trying to get benefits from your code, doing nothing to make it better?
till • For transparency and to hopefully explain myself and the situation I posted on my own blog as well and also referenced the mailing list to hopefully show no bias, etc.
Also, I know this may come across grumpy but I explained myself on pear-dev, I talked to Cesar on the chat directly and flaming me on blog posts again and again - well, whatever.
I also talked to the company I contracted at the same and if you or anyone else believes it or not, they *thought* they owned all IP of the code. Which is the only reason why I released this to begin with because they said it was theirs and obviously got f'ed over as well.
Anyway, I am repeating myself - I have a blog post up, we also removed the proposal and will redo it ground up.
Pierre • "Copy one or two functions, and a few of lines is something, or fix bugs. But COPY all the project, "
There is absolutely no difference. Let's say you copy a function from my code, you will have to duplicate the license header and copyright for this code portion. A licence covers all the code where it is included, even if only part of it has been used.
Ted • As I understand the copy was crude and made no real attempt to obfuscate. Unless the guy is foolish, he probably just made a sloppy mistake in tracing the genus of the code, which we all do at times. Not necessarily a legal defence but a moral one imho.