What prevents other open source projects from being taken down with a "management did not authorize this" notice? For example, what prevents Twitter from saying Bootstrap was released by a rogue employee, invalidating the open source license and rendering millions of websites in copyright violation?
What happens to the commits by other authors to the source tree? Do they own the copyright to their commits, even if they modify invalid open source code?
How does the open source community react when this happens? Do they fork and pretend the source code is legit open source? (From reading the discussion, it seems like many developers have already forked the code and encouraged others to work off it.)
Perhaps there are reasonable solutions to these, but I'm interested to see how this story unfolds, since it may affect how people think of companies open sourcing code in the future.
The legal doctrine of promissory estoppel is generally considered to protect open source licensees. If you license something for free, and people come to rely on that free licensing, they generally have a right to keep using it, even if you change your mind and try to revoke it later. You can, however, stop licensing the software to new parties.
Novus seems to be trying to get around this by claiming that the license was never valid to begin with, because it was issued by a rogue employee. However, I would argue that the doctrine of apparent authority applies here. That is, to a potential licensee, there was no reason to believe that the open source licensing was anything but company-sanctioned. (The rules for apparent authority are actually a bit more nuanced than that, but the main point is the same.) Thus, even if the employee did indeed act without authorization, I think Novus would still be bound by the license.
Novus seems to be on shaky legal ground, and I find its cease-and-desist questionable. Unfortunately, it would appear that the recipients of the cease-and-desist opted to comply rather than risk a fight. So the scary thing is not that companies can arbitrarily revoke an open source license--in fact, they can't. Rather, it's that a letter containing vague legal threats can have such a strong chilling effect.
1. Estoppel is only going to get you a very limited set of rights. It's highly unlikely a judge is going to find you have the same rights as the open source license, unless you were actually relying on all of those rights. You certainly would not be able to sublicense those rights further, except to those you had already. This is not the same as Novus's ability to "stop licensing the software to new parties", it means you would not be able to give others the rights you had gotten through estoppel.
In effect, estoppel is mainly going to protect you from damages, not give you the right to use it as open source.
2. It certainly depends, but the apparent authority question is a lot closer than you make it out to be. There are plenty of cases in the US where "the nature of the transaction" should have caused one to question whether the employee had authority, etc. Not just that, but in New York state, where Novus Partners is, the law is nowhere near what you make it out to be. AFAIK, under New York State law, the apparent authority doctrine will hold a principal responsible for its agent's actions as long as the principal clothed the agent with apparent authority. Novus Partners would have had to have done something explicit to make you believe this person had authority to open source.
See Hallock v. State, 64 N.Y.2d 224, 231 (1984).
“Essential to the creation of apparent authority are words or conduct of the principal, communicated to a third party, that give rise to the appearance and belief that the agent possesses authority to enter into a transaction.” An agent can never “by his own acts imbue himself with apparent authority.” Id.
“[T]he existence of ‘apparent authority’ depends upon a factual showing that the third party relied upon the misrepresentation of the agent because of some misleading conduct on the part of the principal — not the agent.” Id.
“Moreover, a third party with whom the agent deals may rely on an appearance of authority only to the extent that such reliance is reasonable.” Id.
The only communication I see from Novus Partners here is something saying "sorry, he had no authority". If there is something else, great, you may be right. If there isn't, I wouldn't say it's "highly questionable" whether they could do what they did.
Source: I'm a registered patent attorney and corporate IP lawyer who has been doing open source lawyering for many, many years now.
It seems like if the code is considered "stolen" there must be some legal common sense. I would also imagine the longer the code stays as open source, the less likely you'd be able to claim theft. If you immediately took it down claiming copyright that would be one thing. If you knowingly left it up for a year, though, that would certainly be a different situation.
> and people come to rely on that free licensing
> there was no reason to believe that the open source licensing was anything but company-sanctioned
What both these things seem to rely on is the amount of time that has passed since the original open sourcing. It seems highly unlikely that they only discovered the open sourcing just now. If they had undertaken this action immediately after discovering the open sourcing, there would be no doubt that it wasn't company sanctioned and no-one would have come to rely on it.
Estoppel
Estoppel in English law is a doctrine that may be used in certain situations to prevent a person from relying upon certain rights, or upon a set of facts (e.g. words said or actions performed) which is different from an earlier set of facts.
Estoppel could arise in a situation where a creditor informs a debtor that a debt is forgiven, but then later insists upon repayment. In a case such as this, the creditor may be estopped from relying on their legal right to repayment, as the creditor has represented that he no longer treats the debt as extant. A landlord may tell his tenant that he is not required to pay rent for a period of time ("you don't need to pay rent until the war is over"). After the war is over, the landlord would be "estopped" from claiming rents during the war period. Estoppel is often important in insurance law, where some actions by the insurer or the agent estop the insurer from denying a claim.
> What prevents other open source projects from being taken down with a "management did not authorize this" notice?
Retracting an open-source product is a move without a lot of upside. What business goal is promoted by such a retraction? It seems like it will just generate controversy, tarnish the company's reputation, and lead to endless ownership fights with contributors.
In addition, I suspect that major open-source projects usually actually do have the approval of people who have the authority to make that decision.
> What happens to the commits by other authors to the source tree? Do they own the copyright to their commits, even if they modify invalid open source code?
My understanding is that a contributor (or his employer) owns the copyright to his own patches when they are written. Larger open-source projects often require contributor agreements before they'll accept patches; the contributor must legally give the copyright to the project as a condition of their patch being incorporated into the official tree. If there's no contributor agreement in place, the patches continue to belong to the contributor.
You can think of the pre-patch tree and the patch as two parent nodes of the patched version. Novus owns the pre-patch tree; the contributor owns the patch; the post-patch tree is a derivative work of both of them, and can only be distributed with permission of both owners.
The contributor's patches may be useless without the parent tree to patch against. But if the contributors own the copyright to their patches, they can still use that copyright to forbid Novus from using or distributing the patched child tree.
> How does the open source community react when this happens?
Read the Google group and see. My feeling of how they should react is by the contributors banding together and telling Novus the following:
We contributed patches to Novus based on the understanding that the patched software would be released publicly as open source.
As soon as Novus became aware of the situation, it made a clear, unambiguous statement that Novus is not, and never was, willing to agree to these terms.
Therefore, since Novus does not accept the terms under which we gave them the patches, we revoke all permission for Novus to use these patches, or any version of the software which includes them.
If the contributors do this, and Novus is using the project internally, then Novus will have to either (1) back down and say that they're okay with open-source after all, (2) spend engineering resources on proprietary reimplementation of the features the community gave them for free, or (3) live without those features. Only option (1) lacks significant cost and/or risk from Novus's point of view.
> Perhaps there are reasonable solutions to these
This suggests that the more contributors an open-source project has, the stronger it is against any one person or company claiming ownership in this way. The remaining contributors can band together in response and pull out their patches, leaving the proprietary project at a feature-poor, ancient version -- especially compared to people's still-fresh memories of the open-source version -- if not making it entirely nonfunctional. The contributors could even attempt to make their patches useful again with an independent implementation which presents the same interface as Novus's now-proprietary code. Or they could toss their patches and rewrite the library from scratch. It would presumably take much less effort because, while they can't re-use the proprietary code from the Novus version, it should be okay to re-use the design decisions and API that may have been a big reason that the Novus version was so successful.
This smells like the whole Twitter Bootstrap thing a few weeks ago, but the bootstrap guys had enough pull to take the brand with them after they left Twitter.
NVD3 is one of many chart libraries that placed more emphasis on design than robustness. Having gone through many charts I wonder if any of these developers have heard of the Profiles tab on web inspector.
Something like NVD3 can be used on a static page that isn't live updated for a short time. But a long living application will have problems.
In other words, don't worry. NVD3 wasn't very good. Go look at the basic chart examples on the d3 examples site. It is not hard to build graphs with d3. You don't need NVD3.
Having said this, I thought the NVD3 editor was pretty cool. Better than the actual library.
It doesn't matter if that piece of software was the best or the worst implementation in its field.
I guess some like kicking people when they're down.
Which ones are the opposite of this? I.e., for people without enough experience, it could be a good idea to know which ones are bad in this regard and which ones are good.
I'm on the hunt for a chart library. So far, I'm thinking of Google Charts and Highcharts.
If the company is the copyright holder, then the license that the code was released under was invalid from the start - regardless of it being out in the public.
Just because someone gets some Microsoft internal code and slaps an open source license on it and releases it to the public, that doesn't mean every company is now free to use the code without reprisal from Microsoft.
They're not "changing" the license - they're saying it never existed / was never valid in the first place.
Now, if they had done it officially - then yes, the best they could do was dual / re-license it. Being the copyright holder, they have the right to do this at any time. They could then stop work on the original open source licensed version and from that point on, internally, continue to develop their closed source version (minus the contributions to the open source fork).
The open source (older) version would continue to exist, separately, and continue to be free for use.
If someone has a business/product built on using nvd3 and they come after them with a cease and desist / demand for money, the business in question could definitely take them to court over it and attempt discovery to find internal documents indicating whether it was truly approved or not - which would then either ratify or abolish the license once and for all.
However, with bits, things are different. Bits can be copied, they can't be stolen, and bits aren't unique things whose possession can be controlled. Thus, the idea of copyright is to "own" the copyrighted works so as to control making copies of it. The company tried to assert that it owns the library and extrapolate from there that they could control the bits that represent copies of the library. But if the thing companies intend to control is the idea or "the works" instead of the physical bits then we're faced with another dilemma.
Consider if the leaked thing was a trade secret, which is an idea with no physical presentation. The trade secret was published without permission by a rogue employee and thus it wouldn't be a secret any longer, then how could the company possibly claim it could be restored somehow? How could anyone who had read about the trade secret explicitly unmemorize it? There are no physical copies or bits to destroy, the idea would simply live in peoples' minds and eventually travel to the company's competitors. The cat's out of the bag, what can you do.
I think that in this case, the only plausible view of what actually happened is just that. The culprit is the employee, who should be liable for the damages if it turns out that he actually did publish the source code without permission. (Based on the comments, even verifying that is still uncertain.) Similarly, if an employee smuggles GPLv3 code into the company's codebase, then the company can't just shrug that off, and must release their proprietary source code as GPLv3.
Both are quite harsh conclusions. It seems that any company larger than a few dozen people would eventually bump into one of these two cases. Employees would have to require written permission from their managers to release source code. (What if their managers didn't have the permission to give that permission?) Companies would have to audit all new source code before adding it to their version control system. (Nearly an impossible task, unless a commit lag of months would be considered agile in their line of business.)
In practice, things don't work either way, as long as copyright is removed from the realm of bits, data, and software and the concept of intellectual "property" is disintegrated from the beginning. When companies stop relying on those delusions and base their business on things that actually work in real life, they are relieved of much suffering.
Similarly, if you "copy" the bits that I'm trying to monetize (they're a book, or a movie, or a computer program), I will also prefer the word "steal" and likewise involve the police.
Just because a low-level mechanism ("hey, we /copy/ bits, we don't destroy them! You still have them!") enables behavior on your part does not make that behavior ethical or lawful, nor does it imply that the notion that someone can control ownership of mere bits is bankrupt or delusional.
So I wouldn't define your password as stolen, just "known". As soon as the perp used it to take money from your account, then stealing has occurred.
"Stealing" is a very loaded word, which is why big media is desperate to frame their business problems using it. And in this case, I doubt many people would consider those who used NVD3 were guilty of stealing, given that a) they had been authorised to use it (as far as they knew), and b) they haven't deprived Novus of anything.
(Do you see how insane this is?)
No, assuming the company was in violation of the GPLv3, they would probably need to stop using it, and potentially pay damages if sued by copyright holders, but would be under no compulsion to release their own proprietary source code. Unless, of course, they wanted to comply with the terms of the license and continue using it. However, the GPLv3 alone wouldn't even require that unless they were selling or making available copies of the software.
Clean-room reverse engineering of functionality could work. For copyright. There'd remain patent infringement issues, if claimed.
The readme of the first public release says:
nv.d3 - v0.0.1
A reusable chart library for d3 by Bob Monteverde of Novus Partners.
The license later said that the copyright belonged to Novus (not Monteverde), under the GPL v3.
This means that they couldn't (nor could anyone) use the Free contributions in closed source products.
Since Monteverde is responsible for ~95% of the code (https://github.com/RobertLowe/nvd3/graphs/contributors) and he sounds embarrassed by the ordeal, it looks like a dick move by someone above him at Novus.
Thanks, that's my fork; it was released under Apache 2.0.
https://github.com/RobertLowe/nvd3/blob/master/LICENSE.md
* 2. Grant of Copyright License.
* Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
Irrevocable copyright, I love it. It will stay open source and hosted there.
Bob should not be all to blame. Novus is clearly handling this poorly.
EDIT:
I'll accept pull requests, and if anyone had issues, please repost them.
Luckily, "un" open sourcing projects under Apache, BSD, MIT, GPL, etc. is not so easy.
Are there any other notable examples where a project was 'open' for such a long period of time and then the company that claimed to own the copyrights tried to un-open it? It seems like there's a huge potential for nasty side effects when something like this happens. 9 months is long enough for lots of people to start relying on a library that's been released under a permissive license like Apache2 and then suddenly have the rug pulled out from under them because a vendor either did a terrible job of protecting their copyrights or decided to take their toys and go home.
Borland open-sourced Interbase in 2000, but then bought it back in-house. The OS code was forked and became Firebird (aside - Firefox was originally called Firebird, but changed names after the name clash with Firebird db was realised)
Interbase http://www.embarcadero.com/products/interbase
Firebird http://firebirdsql.org
They could have used this to their advantage by simply allowing it to stay open but requiring that their company/brand name be used in the project (like Twitter Bootstrap), thus allowing the company to be seen as a supporter of the open source community without much effort on their part. Now they look the exact opposite of that, by doing something that would require huge effort and resources to achieve/maintain.
If/when the whole story emerges, it'd be neat to hear.
EDIT: Now that I've thought about this more, since they pulled out the finance part of the library before, it is very likely that they _did_ know about the library being open sourced. That makes the story much harder to believe.
"Please see Novus' official statement on nvd3 with an explanation, apology, and commitment to its permanent status as an open-source project. We know this was a shock and a major inconvenience, but we want to regain the community's trust and involvement. Please see the full statement at: http://nvd3.org/statement.html "
QUOTE
I'm one of the 30 other individuals that actually patched and committed changes for Bob to include in nvd3.js; I'm looking for contacts for the other 29 contributors. (Please contact me using the feedback form on congocart.com or master-technology.com.) I would like one of us (I'm willing to volunteer) to contact Mr. Qunibi of Novus Partners in a position of consensus from those who actually have code in the product.
My thoughts that I believe would be amicable (i.e. win/win) to both sides: they can have our permission to take ALL of our changes closed source in their own future versions, as long as we (the community) may also use the last release under the open source (Apache) license it has been under since shortly after it was released on their official Novus GitHub account, and go our own separate way. I know my changes were really early to the library and some of my code may not even exist anymore (lol).
But I believe the cost for them to audit the whole library and rip out all of our changes and rewrite it all could be major -- I believe Bob could legally remove all of our code; but for the actual re-implementation Bob would have to hand it off to someone to do a fully clean-room version to make them legally safe from being sued. And that could be very costly in time and resources. Cost-wise, it might even be cheaper for them to ditch the last 6-7 months of changes and just revert to the version before my patch/commit (which was issue #3 <G>). So I think we might be able to make this a win/win proposition if I can get the consensus of the other 29 contributors.
Nathanael A.