How do people find out or know whether your repo which is having MIT or apache or AGPL license is being used by a corpo and profiting from it and not making the code open source or paying license fees?

  • Knossos@lemmy.world
    link
    fedilink
    arrow-up
    70
    ·
    5 months ago

    You don’t.

    Unless it is publicised or an obvious bug exists in your code and you see the consequences of it in their system.

  • Perhyte@lemmy.world
    link
    fedilink
    English
    arrow-up
    48
    ·
    5 months ago

    For MIT, why do you care? That’s perfectly fine and explicitly allowed by the license. Same for Apache, but with a few extra requirements (like keeping a list of changes in the source code and preserving licensing information etc.).

    As for how I know big corporations are using my code: the fact that a prominent project (publicly used by several tech giants) took a dependency on one of my tiny (permissively licensed) library packages is probably a clue.

    • 555@lemmy.world
      link
      fedilink
      arrow-up
      11
      ·
      5 months ago

      So what you’re saying is you could take down an entire company by introducing a bug?

      • Perhyte@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        I don’t think so, no.

        Leaving aside the fact that I don’t want to do that:

        They’ve quite sensibly vendored my library, so I’d have to hope they pull in updates without checking the code changes: since it’s such a tiny library (excluding tests but including fairly extensive comments, it’s less than 100 lines of quite readable code) I don’t think it’d be easy to get it past their code review system if I tried to sneak in enough code to take down entire companies.

        Also, my GitHub account is tied to my real-world identity, so I’d probably be in a lot of trouble if I somehow succeeded.

        • 555@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          If it’s less than 100 lines, why on earth don’t they just put that in their own code?

        • AnarchistArtificer@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          “vendored my library”

          I’m unfamiliar with this phrase, are you able to explain what it means (or point me towards an explanation)? Is it relating to forking?

          • maynarkh@feddit.nl
            link
            fedilink
            arrow-up
            3
            ·
            5 months ago

            It means, at least in the golang world, that they keep a copy of your source for themselves and use it for builds. They don’t pull from the public repo every time they build their stuff, so malicious code could only get in with new versions, but they check for that.

          • Perhyte@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            They’ve checked in my code in their own repository, using an automated tool that keeps track of its origin so they can still check for updates. (The build tool knows to check this directory before trying to pull in dependencies from elsewhere)

            One benefit to them is that their build won’t break if I decide to delete that specific repository (see also: the left-pad incident) or do silly things with version tags (deleting versions, or re-tagging a different commit with the same version number, that sort of thing).

            But more relevantly for this thread, it also means that if I release a new version and they upgrade to it, the PR on their repository won’t just be incrementing a version number in go.mod and adding an unreadable hash to go.sum: the diff will show all the changes I’ve made since the version they previously used.

    • Ogeon@programming.dev
      link
      fedilink
      arrow-up
      11
      ·
      5 months ago

      That’s definitely part of “the deal” with MIT and Apache. The other end of it is that they shouldn’t really expect to get anything more than what the authors are willing to give.

      • Perhyte@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        5 months ago

        I may have slightly misremembered the license text (subsection 4c):

        You must cause any modified files to carry prominent notices stating that You changed the files;

        So I guess technically you only need to indicate that you have changed the files, not what you’ve changed in them. I suppose that’s less burdensome because it only needs to be done once per file at most.

  • catch22@programming.dev
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    5 months ago

    For MIT/Apache it doesn’t matter. That’s always a problem with those free to use licenses you have a “good idea” who’s using it, but you never really can tell. It also creates a shit load of wasted improvements every time a company uses it, moth balls the project, but never pushes code upstream because why do that? \s So you sit back and hope that someone in the company feels a big enough moral drive or obligation to contribute their improvements up stream. But, how can you tell definitively? You can sometimes see it in the job descriptions they are hiring for, also I have had companies reach out out me personally for help. Many open source projects also will reach out and ask, and if they get the ok, will put it in the project description in order to encourage others companies to do the same. So why to companies bother? The funny thing about open source is that it lets people who like solving tough problems (the best type of engineers) know where the tough problems are being definitively solved, because here’s the code, and here’s the author from xyz company contributing and showing the rest of the world how it’s done. Often this will bring in engineers who are at the top of their game to these companies.