GitHub Copilot for Business is now available (opens in new tab)

Where's the part of the Copilot EULA that indemifies users against copyright infringement for the generated code?

If the model was trained entirely using code that Microsoft has copyright over (for example: the MS Windows codebase, the MS Office codebase, etc.) then they could offer legal assurances that they have usage rights to the generated code as derivative works.

Without such assurances, how do you know that the generated code is not subject to copyright and what license the generated code is under?

Are you comfortable risking your company's IP by unknowingly using AGPLv3-licensed code [1] that Copilot "generated" in your company's products?

[1] https://en.wikipedia.org/wiki/GNU_Affero_General_Public_Lice...

It's an unpopular opinion which is why I'll cowardly write it under a throwaway account. Josh, I have a ton of respect for your work just btw. I can't help but see a headline like this and think "Okay the license argument has to be the top comment already".

To me this whole thing is like pandora's box and it will not in any way be put back into the box. In the long run isn't arguing about the code it generates and how it generates it mostly tilting at windmills? I've already met new / junior programmers that have used copilot and chatgpt to help them see how to approach certain problems or try to get better framing for what they couldn't quite get into the most accurate words to google.

I too would prefer these tools embody the ideal: no license violation, perfect citation of where the archetypes of the code came from. I've commented here today (amongst some great FOSS software engineers) to see if a genuine respectful conversation can be had about how just like torrents this one isn't going to be put back in the box no matter how many legal precedents attempt (or succeed) in cutting off heads of the hydra. It's utility seems like it will steamroll any attempts to stop or slow it down.

Am I wrong? Is it a fools errand to ask?

Yeah we were told not to use it by the lawyers at work and have an official policy against using it. Not having that would open us up for liability if we’re sued as there’s no defence that what we did was clean room if we admitted using it.

We’ll hang back until other companies have litigated their way to some legislation around it.

I don't understand why they aren't tagging data with license information and allowing users to use models that don't include certain licenses - seems like it would be the middle ground given the stance they've taken; like, "we don't think it's a problem, but if this makes you feel better you can use these other models that specifically don't train on gpl code, or whatever"

I would prefer to see full license attributions included in generated responses, though. Something that then also wouldn't be that difficult to generate a licenses file from?

Amazon's CodeWhisperer has a "reference tracker" that tells you the license of training data code if the generated response is within some similarity threshold, but that's still not good enough imo.

You make it sound like Copilot is just copy-pasting something from a single repo. The code Copilot generates for me is extremely specific to my application. It understands the context, my code style and what I'm trying to do.

The result looks like my own code and is utilizing the already existing parts of my application. The code it writes for me solves problems that you cannot find a standard solution for anywhere and is definitely not something that could be attributed.

How Copilot is trained is an issue but answering the question "where did this code come from and what license is it under" would be impossible.

I open source my code specifically so that it can be re-used, ideally even for cases like this. To me, software freedom is the ability for it to be used for effectively any useful purpose, so that others don't have to do the same work again.

I understand that some folks don't believe the same thing, and use copyleft licenses so that their code can't be re-used in a closed way, and that's fair. Github shouldn't be training their product on copyleft licenses.

It's fair to call out its misuse of certain licenses, but "the equivalent of money laundering for violation of Open Source licenses" is simply inaccurate, as many licenses allow this type of re-use explicitly.

Indeed, that is why I don't use it either.

Double-checking whether the generated part is a verbatim copy negates the speed advantage.

Possible infringements from similarity are even harder to search.

Yes, thank you this is exactly what I was looking out for in the announcement.

Was looking for a way to instruct CodePilot to abide by the following rules:

- Only use Apache v2, MIT or BSD licensed work for its recommendations. (Or a specific license set)

- Only use code trained on public repositories.

- Provide code attributions of the source code where the recommendations originate from.

I'm not sure if the last point is possible given these GPT type architectures but it would really help during code reviews.

> This tool remains the equivalent of money laundering for violation of Open Source licenses

That's what a good chunk of people do anyway at work. No one really cares nor will care. We were already moving in that direction anyway this will just accelerate it.

I tried using the playground code completion to ask it to write a script for pyautocad that colors in a grid, it completed with a different library, pyautogui. Even after saying "import pyautocad" myself, the function it completed was pyautogui.

I'm sure it's prob still very useful for people who care about the privacy tradeoff, but I've had more success with ChatGPT

you’re going to need to ship that emacs extension if you want to keep advertising on HN :-)

I looked around your web site and I thought about trying out your product, but one feeling never stopped nagging me: even though I'm not in a large organization, I need absolute assurance that the AI is trained only on our code and permissively licensed open source software (like MIT or BSD.) Also, whenever it uses permissively licensed code, I need a complete list of everything it based its work upon so I can declare the relevant licenses.

Without that, I can't even entertain the idea of using an AI code tool for anything but private projects that I don't share with anyone.

What model do you use? CodeGen?

Are there plans to support the full Visual Studio IDE?

Edit: Also, Notepad++ support would be awesome

The price difference is mostly irrelevant to large corporations. The just need that license management.

9 bucks per developer isn’t that much. I getting a developer to be 5 percent faster is a huge gain for just 9 dollars.

If you want to make a conversation awkward, ask your account team about the indemnification for the AI’s potential copyright violations.

People with corporate compliance departments.

I think the privacy part would be a big part for some organizations, even if I do not know what this really means or what this implies for the other plans.

I came here to post exactly this. My team has budgeted for CoPilot, but we’ll only pull the trigger if copyright liability is resolved. I think it’s hilarious Microsoft is doing this, of all companies; it’s like they’ve forgotten that big businesses are run by risk-averse general counsel offices (often for good reason).

I can’t even imagine the hilarity that would ensue if I went to my GC right now to ask permission with so much in limbo; it’d be suicide by conference call.

It doesn't regurgitate any code unless you bait it really hard. That's not how you use it. The only code it normally regurgitates is your own when it tries to autocomplete your boilerplate.

Not an answer to your overall question of compliance, but to the specific point:

> Copilot for Business does not retain any telemetry or Code Snippets Data.

https://docs.github.com/en/copilot/configuring-github-copilo...

Source: Ex Hospital IT.

I wouldn't risk it. It is too easy to write the wrong prompts and leak PHI.

ChatGPT:

"Write me a parser for this HL7 message..."

Copilot:

"Using this example message please write a parser for it..."

Yeah... If it was compliant, people would write those in a heartbeat.

Unless sold as HIPAA compliant, and the conditions of use for that compliance are known... don't trust it, for SAAS.

This is stuff covered in your yearly HIPAA briefing folks.

Why on earth would you ever put any PHI information in source control?

More likely their hands are tied by not many businesses wanting to pay for a DGX A100 to run the models!

Microsoft itself uses and suggests this internally for production code.

This version specifically removes snippets that appear in open source code.

I don't think you've ever tried copilot.

It's amazing at specific things, like being z context aware boilerplate generator or doing the scaffolding of an algorithm from a comment describing it.

That's really different than using libraries.

it's not about reusing code, it's about generating code, ie, autocomplete, except the generator trys to recognize what you are trying to / most probably writing and suggests it. Great for boilerplate type code.

I love it. I love that it learns my codebase, my style, etc... and truly does feel like a second brain at times.

I am using it within JS/Vue and Python and really enjoy it a lot. You can write a simple comment like "upsert the object in the store, and if the item is incomplete recursively call a refresh fn until it is complete" and it will "magically" do the rest - down to understanding where the objects I am referring to are in my store, the attribute used to decide this ('completed_at'), down to the correct syntax for updating the data in a way that plays nice with vue reactivity.

It's also a stellar autocompleter in Python-land. I have been using more and more type annotations in my codebases, but even without that, it will usually guess the right attribute or function name.

I also dig the way it will automatically write a docstring for a function. It can sometimes be a great debugging method since I can just have it comment an undocumented fn to quickly glean what it is doing. I'll circle back to enhance the docstring usually too so it is less cookie cutter.

For writing blog posts it is really neat too, because it will help me write functions to illustrate certain points based on what I am trying to teach in the post. Most of the time I can come up with the most succinct and relevant example, but sometimes I cannot and this tool does a good job helping there.

It's not perfect, but the fact that I can type a few words, hit tab, and then correct any mistakes is really a magic experience sometimes.

One data point for you.

My company (big UK-based tech company) had an “all employees” sort of e-mail saying the use of Copilot, ChatGPT et al was not allowed for anything work-related or using company equipment due to unclear licensing model of the generated code.

I find many of these blanket rules silly, but in this case I find it is sensible to wait before polluting our products with this autogenerated code.

Fwiw Microsoft itself is betting on and suggesting devs use it for Microsoft production code.

Honestly, I don't think the code I write is so special that no one should ever see it. The whole product might be worth protecting, that's why the codebase isn't public. But the individual files/functions are not special in any way. And that'll be the case for 99%+ of all code.

Their training data comes from repos, not from you using the tool.