
Hi Philip, I'm Lachlan from the Cloud Native Ecosystem team at Microsoft. Our team works in the cloud native open-source community with a goal of being great open-source collaborators in these projects and communities, and I’m sorry that this happened.

We appreciate your leadership and collaboration on Spegel and see your project solving a real challenge for the cloud native community. I wanted to thank you for your blog post https://philiplaine.com/posts/getting-forked-by-microsoft/, let you know what we’re doing, and address a few points.

We’ve just raised a pull request https://github.com/Azure/peerd/pull/110 amending the license headers in the source files. We absolutely should have done better here: our company policy is to maintain copyright headers in files – we have added headers to the files to attribute your work.

I also wanted to share why we felt making a new project was the appropriate path: the primary reason peerd was created was to add artifact streaming support. When you spoke with our engineers about implementing artifact streaming you said it was probably out of scope for Spegel at that time, which made sense. We made sure to acknowledge the work in Spegel and that it was used as a source of inspiration for peerd which you noted in your blog but we failed to give you the attribution you, that was a mistake and I’m sorry. We hear you loud and clear and are going to make sure we improve our processes to help us be better stewards in the open-source community.

Thanks again for bringing this to our attention. We will improve the way we work and collaborate in open source and are always open to feedback.



Now that you got caught you are fixing it and writing fancy PR fluff. An org the size of MS should have clear policies and processes of how to handle open source forks like this. Unless we assume “bad faith” here. This is a pretty bad look.

I wonder how many other projects are not attributed correctly. Are you checking up on them also or just waiting for the next HN post?

That said, the author of Spegel should have used another license if he wanted more “recognition” or the like.


> Now that you got caught you are fixing it and writing fancy PR fluff. An org the size of MS should have clear policies and processes of how to handle open source forks like this. Unless we assume “bad faith” here. This is a pretty bad look.

What would you prefer them do? A public flogging? Bring back the stocks?

I agree with the sentiment with these types of comments (I hate PR fluff too), but the aggression when a company has screwed up and not only admits it but tells you their plan going forward is silly. The best case scenario is it does nothing, worst case it encourages them to ignore it next time it happens.


I’d like them to explicitly set out how they’re going to avoid such an issue occurring in the future, rather than symptomatically commenting on an HN post that’s now a top post.

They say:

> We hear you loud and clear and are going to make sure we improve our processes to help us be better stewards in the open-source community. Thanks again for bringing this to our attention. We will improve the way we work and collaborate in open source and are always open to feedback.

…which is a lot of nice words with absolutely NO accountability. They could write a sticky note “do better” and technically that’s all that’s required from their side. Is that okay with you?


Their plan? “We hear you loud and clear and are going to make sure we improve our processes to help us be better stewards in the open-source community”? That’s not a plan. It’s PR fluff.

Nobody is expecting this one incident to make Microsoft change. It’s about reputation, which can take a long time to shift, but can be important in the long term.

We don’t have to just accept it when a company issues a statement apologizing for their screwup. It’s perfectly acceptable to say “this apology means little to me, and if you want your reputation to change you need to do more”.


What would Microsoft do if I forked their repo, removed all the licenses and then held talks at conferences about my amazing new tool?

Pretty sure their legal department would have my fork obliterated from the face of the earth and I would be crossing my fingers that all I got was a cease and desist letter instead of a lawsuit in Texas.


Well, how does Microsoft react if some company "forgets" to licence Windows/Office/some other product? Because that is what happened here: a clear licence violation, so Microsoft essentially pirated the software.


I bet Microsoft would do something similar. If Microsoft entered an agreement with another company, Apple for instance, to build a version of word for the Mac, a fork, and part of the license has a requirement to attribute in the help file or something like branding requirements, and then Apple doesn't do it right, then Microsoft reaches out to Apple and tells them to fix it else be in breach of the license. They fix it, happy happy. They don't fix it and lawyers get paid.

This was MIT licensed open source software and an attribution clause was not properly respected. Hardly piracy.


> A public flogging? Bring back the stocks?

Yes, great idea.


> I wonder how many other projects are not attributed correctly. Are you checking up on them also or just waiting for the next HN post?

As I wrote in my parallel post (https://news.ycombinator.com/item?id=43756102): these copyright violations (not giving proper attribution if the license requires it is copyright violation) from Microsoft's side (the more, the "better", and the clearer the message) can be considered de-facto, implicitly stated corporate messages from Microsoft's side that they are from now on officially fine with copyright violations, and thus everybody is from now on free to violate the copyright on every software product that Microsoft has ever produced.


Sounds like a very expensive legal gambit.


You have to prove the mens rea, and even then, people committing crimes don't automatically deserve crimes committed upon them.


In reality they do, in some cases, e.g. capital punishment.


I think I am being misunderstood here. I do not agree with it, I am just referring to practices in some countries.


This tsk-tsk is misguided. There's a time and place to shame companies for acting in bad faith, and we should do it, but I don't think it's the case here. It does not seem like damage control for intentional malice.

The TL on the project should have done better, but it was a good sign that they had originally taken the time to acknowledge Spegel's author's help. It's very likely that someone else dealt with the actual code and license text and didn't know any better.

The PR text is reviewed by lawyers. The default advice from lawyers is "do not admit any wrongdoing". They probably suggested that the license text be fixed silently with no apology. The PR department likely convinced them that a public apology would be good for optics and it doesn't seem soulless either.

They should have done better. They admitted that. They may or may not change their internal processes, but it's now in the record book. Case closed.

And the author of Spegel should not have used a different license if he wanted "more <<recognition>>". He wanted the recognition specified by the MIT license.


> Now that you got caught you are fixing it and writing fancy PR fluff.

Nope, "the revenge of Clippy" is doing the writing.


I mean what else are they supposed to say or do to correct a mistake other than "sorry, here's what happened, we have fixed it, we are taking steps to reduce the chances of it happening again"? Sometimes you just have to correct an error.


Ideally a list of other projects they have since found and attributed.


From the tone of the response to Microsoft's response, people will not be happy unless Microsoft publicly executed the engineers that did it.


I think people tend to forget that large companies are made up of flawed individuals and their policies mitigate but don't eliminate mistakes


They are also fully funded to compensate when they do something wrong. An apology from a Fortune 500 company with a history of unethical behavior is worthless.


That would be a start yeah


What if there aren't any or they have not yet done that because they wanted to respond to this person first?


I think financial damages are realistic here. They materially damaged another brand, it’s all business at the end of the day.


He is lucky microsoft doesn't have 30,000 ai-agents out there just stealing everything he has ever done and spinning up 10 competitors to each project all with new license and money flow into microsoft in any number of ways.

I mean they made sure to get all the consent from all authors on github before training on it right


> but we failed to give you the attribution you, that was a mistake and I’m sorry.

In other words: there exists some responsible person at Microsoft who violated the copyright (yes, removing the attribution is also a copyright violation!) for Microsoft.

In consideration of how Microsoft has been treating copyright violators for decades, if Microsoft does not give this responsible person the same cruel treatment, it should be considered an honest, clear, implicit official statement from Microsoft's side that they are perfectly fine if hackers violate all of Microsoft's copyright. In other words: it means that all of Microsoft's software now (spiritually!) will become public domain.

Also, if Microsoft does not make this responsible person pay the caused damage from their own pocket to the original author of Spegel with the same monetary magnitude as if Microsoft would sue other entities for a violation of copyright of Microsoft's software, the same statement applies.


Based on the initial commits and the logs after that, surely there’s some unethical person at MS. This might have been brushed under the carpet and due to sheer luck it reached HN frontpage.

https://github.com/Azure/peerd/commit/64b8928943ddd73691d0b5...



> it means that all of Microsoft's software now (spiritually!) will become public domain.

You have said many things like this in this thread. I don't think you understand how laws or courts or legal fees work. Good luck defending yourself against MS's army of lawyers during your court proceedings though!


> I don't think you understand how laws or courts or legal fees work. Good luck defending yourself against MS's army of lawyers during your court proceedings though!

I have no hope that the courts currently (!) agree with this. But let us spread the gospel so that as many people as possible know how Microsoft's "real" stance on copyright is. If a lot of people become aware of this and this truth stays in lots of people's heads for a sufficiently long time, the public opinion might change so that juries (representing the public opinion in courts) will indeed begin to judge against Microsoft in the way that I described.


If I accidentally pick up your jacket instead of mine and apologize when you point it out this doesn't mean I give you blanket rights to steal my stuff forever. If I keep doing it, then it's probably worth looking into, but you're going to have to bring up evidence of serial abuse for that.


What if someone takes your jacket and removes your name tag and sews his own tag to your jacket though?


You still can't steal their jacket.


> the public opinion might change so that juries (representing the public opinion in courts) will indeed begin to judge against Microsoft in the way that I described

I'm pretty sure that's exactly how juries shouldn't work.


Kudos for stepping in here, but I think the team at Microsoft need to do some more investigation, no?

Microsoft is a large, wealthy corporation that has a big target painted on its back, and, consequently, CELA (corporate, external, and legal affairs) are, for good reason, a very strong force inside Microsoft. You can't just grab some code from someplace at Microsoft. Your PM has to run it past your division's CELA rep, look at the terms, assess exposure, etc. Did that happen?

If not, that's a big hole and you should probably beg forgiveness from them as you ask for an audit of every other piece of code you've picked up.

If it didn't happen, well, I suspect someone in your group just became the new Nelson, the hapless developer, in Microsoft's Standards of Business Conduct videos. You really don't want to be Nelson.


> When you spoke with our engineers about implementing artifact streaming you said it was probably out of scope for Spegel at that time, which made sense.

It seems like it would have been a much better strategy to add artifact streaming, submit a pull request and then if the maintainer isn't interested in adding it, proceeding with a fork.

"Probably out of scope" sounds like "I don't have time to implement a feature of that scope"


It sounds more like "I don't want to maintain a feature of that scope" or "I don't want to commit to the design decisions this feature would require". Both of those aren't solved by a PR.

If you're discussing with potential collaborators and want to communicate that you don't have time to develop such and such a feature but would be open to accepting a PR, it's very natural to say "I don't have time to develop this feature but would be open to accepting a PR".


"probably out of scope" sounds like "there would need to be some major refactors and you're the only user who wants it, so I am turning this down for now"

try to assume good faith :)


> It seems like it would have been a much better strategy

Better for whom? Now there is Peerd and Spegel that are different projects. Imagine if Microsoft had opened PRs into Spegel and the maintainer had merged them. Then at some later point Microsoft had decided that they need to have ownership of that project (maybe because they want to have the control over what gets merged into the project because they depend on it). Imagine this ended up with a Microsoft fork of Spegel, becoming more popular than the original one. What would people say?

Probably something along the lines of "embrace, extend, extinguish", right?


I think this is a good case for applying Hanlon's Razor. The person that did the forking and removal of copyright text may simply not know that it needed to stay there.

I would love to know what processes MS is considering to prevent this in the future as well as what kind of auditing might be done to look at other projects that started as forks.


> The person that did the forking and removal of copyright text may simply not know that it needed to stay there.

That person never learned what plagiarism is throughout their entire academic career, much less once they landed at Microsoft?


There are other possibilities, for example, the person may have thought that they were complying with the MIT licence by releasing the new project under the MIT licence too + including a mention of the original project in the README.

This, of course, is incorrect, and a cursory read of the very short licence text would show it to be incorrect.

But I, too, am strongly favouring Hanlon's razor.


Hanlon's razor can indicate an absence of malice, but that doesn't mean what they did wasn't wrong, nor should Microsoft skimp on taking steps so it never happens again.


I agree on both points, and with the earlier comment:

> I would love to know what processes MS is considering to prevent this in the future as well as what kind of auditing might be done to look at other projects that started as forks.

In response to:

> ... going to make sure we improve our processes to help us be better stewards in the open-source community.


Most software developers I know have no clue how open source licences work.

Hell, I have been reading a lot about them (including the licences themselves and stuff like the GPL FAQ) many times, and in situations like this it's still not entirely clear to me what Microsoft should do (surely there are different valid ways to handle this).

Would you consider yourself competent as a lawyer regarding open source licences? If not, can I say that "you apparently never learned it" and aren't better than the rest of us?


Compliance here is simple — preserve the original license and copyright.

This isn’t complicated, but if you truly don’t understand it then you should speak to a lawyer before incorporating someone else’s code into your or your employer’s project.


> Compliance here is simple

Have you read the threads here? My feeling is that there are many mutually exclusive interpretations of what can/should be done.

I don't know if it's simple or not, but what I see is that it's obviously not 100% clear for everybody (me included).


Ignorance is not a surprise or a fault. Anyone choosing to act from ignorance very much is.

I reiterate that this is not complicated. If you still find it complicated, then you need to speak to an attorney or someone else qualified to give you direction before attempting to use someone else’s code.

We have been doing this for nearly 60 years. Correct examples abound if you’re willing to do basic research.


I will reiterate that most developers I know have almost no idea how open source licences work.


That’s willful ignorance at this point, and they shouldn’t be incorporating open source code into their projects without speaking to an attorney or someone otherwise qualified to answer their questions.


It wouldn't be surprising to me if an expert Leetcoder simply copy/pasted the code, knowing nothing of licensing. What would surprise me though is the engineering team not having at least one open source expert that didn't intervene.


Not good enough. All previous commits still infringe Spegel's copyright, given they are still available and distributed. I would assume the point release also infringes copyright.

You are Microsoft. You can do better.


Very silly, they can't rewrite the commit history nor would it be proper to update old packaged releases.


What do you mean they can't rewrite the commits? They can, they should, and it's really easy to do so. As for the packages, they should be taken offline.


They should neither rewrite the commits nor take the old packages offline. It's not worth a huge potential clusterfuck when the issue has been fixed on the latest version.


You might be overestimating how hard this is, because it's not hard at all. It takes less than half an hour to create a script that does it.


What is the benefit of re-writing the git history?


Complying with the terms of use instead of infringing copyright


The terms of the license don’t require you to modify the git history; that’s a goofy interpretation.


The terms of the license require you to ship the copyright note. Their latest release is in violation…


They should absolutely do it. They made a serious mistake and should pay for it, even if that means every Microsoft developer having to rebase all their WIP branches. The more expensive it gets the more they’ll pay attention to those things in the future.


Why not just fire the entire division? Maybe they should shut down the company?


Rewriting those commits would effectively allow them to erase their mistake, which kind of lets Microsoft off the hook in a way.


Git isn't some kind of secure blockchain.


> We hear you loud and clear ..

oh, corporate wording. so you do not really care :D


Probably already approved by the legal department which is working in damage control mode :D


> oh, corporate wording. so you do not really care :D

Better do care a lot about it, and use every syllable of the corporate statement against Microsoft. :-)

I.e. the principle of some martial arts: use the force that the opponent applies against himself/herself.

Addendum: In this particular case

> We hear you loud and clear ..

can be considered as a very official statement from Microsoft that from now on, they cannot claim anymore that they didn't know of something ..., i.e. the hangman's noose is slowly closing. :-)


What about the allegations that people in MS did this for personal gains? Will there be any lessons learned from this?


I might not be up to speed, is naming this behaviour "source of inspiration" a common industry term to accurately represent an unacknowledged fork by the large company over the small?

It seems an option to not take free labour to build a commercial cloud largely as a wrapper of open-source, and maybe find other ways to support the creators.

If one person's labour is that valuable to a company, maybe it will help someone realize that supporting such individuals monetarily might help create the next thing with time that they can't get to today.


Give him a share of the money you make off of it.


Reducing costs (and then trying to drum up community goodwill by "releasing" an open source tool) is not the same thing as generating revenue. https://github.com/Azure/peerd does not have a "pricing" section.


60% of $0 is still $0.


They wouldn't be doing any of this if they thought it's 0$


These practices have been an ongoing matter since 1975.


Send a big fat cheque to him.


Considering how Microsoft behaved regarding copyright violations in the past, the original author should at least ask damages in court.

We could even crowdfund the lawsuit, I am sure he will win.


Hey how about doing the right thing first time next time instead of waiting until you get ass-blasted on social media?


yea, sure. but at least pay him for the "discussion". also, next time you people approach open-source maintainers, pay them for their time.


The maintainers are adults too - they can set their price.


Maybe as a show of good faith you could send the original creator 10 or 20k usd as a thank you. Talk is cheap


This sounds like a good idea but getting the checkbook out at a company like Microsoft probably takes 3-5 meetings, and saying you want to donate because you accidentally stole their code and put the company at (theoretical) risk of a lawsuit seems like a bad conversation starter with management.

I like the thought though


Not my experience with MS. They seemed to be pretty low on the "red tape" scale.

Maybe they should have 3-5 meetings before forking OSS projects though :)


Also it seems like in the original comment they already admitted to breaching the copyright, so sending him money doesn't increase the chance of a lawsuit succeeding.


10 or 20k USD for Copyright Violation sounds cheap.


Do better next time, eh?


[flagged]


I think the response is sincere and adequate.


It is indeed sincere:

> We absolutely should have done better here: our company policy is to maintain copyright headers in files – we have added headers to the files to attribute your work.

This is a more than clear corporate statement from Microsoft's side that Microsoft is perfectly fine if copyrights are violated (implicitly including Microsoft's), as long as, if they get caught, people start giving proper credits. This implicitly implies that Microsoft promises that from now on they will only sue for getting proper attribution in case of copyright violations, and not for monetary compensation for damages.

I find this implicit statement really nice from Microsoft's side - actually more than what I could ever have wished for. :-)



