Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
Copying to dev ML.

On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:

> During an annual third-party audit of our source code, boost intrusive
> was flagged as containing unlicensed code. Specifically, there are
> several pieces of code in this file which are explicitly attributed to
> external parties on external websites, which still exist and show no
> license. 
>
> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158 
>
> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L207-L208  
>  
>
> Original sources: 
> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers 
> http://www.flipcode.com/archives/Fast_log_Function.shtml
>
> I don't claim to be a license expert. I've read a lot over the years,
> but this is the first time that I've actually been between an attorney
> and a codebase having to figure out practical implications of a scenario
> like this. 
>
> I first want to make sure that Boost committee is aware of this situation.  
>
> Second, I would like to know what the official conclusion would be from
> the Boost Committee about the license implications in cases like these. 
> Maybe it has come up before and is well established. On the surface, the
> implications seem ambiguous to me when: DEVELOPER_A takes unlicensed
> code off the internet, prefixes it with a comment that says "Thanks to 
> DEVELOPER_B ", then prefixes the whole file with a file-level copyright
> notice that says "COPYRIGHT  DEVELOPER_A", and then says it's
> distributed under BSL-1.0 license, and then the boost team
> re-distributes the source code.  
>
> Internally at my company, there was little discussion about it.  There
> is no room for ambiguity, so the directive from management was to delete
> the file from our SCM system completely and ensure it never is included
> in our products.  VERY fortunately, deleting it doesn't seem to have
> broken our builds.  In future cases like this, that's really not what we
> want to be doing with your OSS libraries for obvious reasons.  So, I'd
> like to know if there's any chance this situation changes in a future
> version of Boost (I.E., the code be removed/re-written with clean-room
> approach, etc).  
>
> Regards,
> Jerry
>
> Gerald R. Wiltse
> [hidden email] <mailto:[hidden email]>
>
>
> _______________________________________________
> Boost-users mailing list
> [hidden email]
> https://lists.boost.org/mailman/listinfo.cgi/boost-users
>

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
On Thu, Aug 22, 2019 at 2:37 PM Michael Caisse via Boost <
[hidden email]> wrote:

The original source of that one is <
http://graphics.stanford.edu/~seander/bithacks.html#IntegerLogLookup>.
Which is stated as "Individually, the code snippets here are in the public
domain (unless otherwise noted) ". I'm surprised the lawyers in this case
did not track that down.

--
-- Rene Rivera
-- Grafik - Don't Assume Anything
-- Robot Dreams - http://robot-dreams.net


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
On Thu, Aug 22, 2019, 3:18 PM Rene Rivera via Boost <[hidden email]>
wrote:

> On Thu, Aug 22, 2019 at 2:37 PM Michael Caisse via Boost <
> [hidden email]> wrote:
>
> > Copying to dev ML.
> >
> > On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:
> > >
> >
> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158
> >
> > > Original sources:
> > >
> >
> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers
> >
> >
>
> The original source of that one is <
> http://graphics.stanford.edu/~seander/bithacks.html#IntegerLogLookup>.
> Which is stated as "Individually, the code snippets here are in the public
> domain (unless otherwise noted) ". I'm surprised the lawyers in this case
> did not track that down.
>

Public domain does not exist in some jurisdictions, so it cannot be used in
place of a license.

Zach


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
In reply to this post by Boost - Dev mailing list
On 22/08/2019 21:37, Michael Caisse via Boost wrote:

> Copying to dev ML.
>
> On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:
>> During an annual third-party audit of our source code, boost intrusive
>> was flagged as containing unlicensed code. Specifically, there are
>> several pieces of code in this file which are explicitly attributed to
>> external parties on external websites, which still exist and show no
>> license.
>>
>> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158
>>
>> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L207-L208
>>  
>>
>> Original sources:
>> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers
>> http://www.flipcode.com/archives/Fast_log_Function.shtml
>>
>> I don't claim to be a license expert. I've read a lot over the years,
>> but this is the first time that I've actually been between an attorney
>> and a codebase having to figure out practical implications of a scenario
>> like this.
>>
>> I first want to make sure that Boost committee is aware of this situation.
>>
>> Second, I would like to know what the official conclusion would be from
>> the Boost Committee about the license implications in cases like these.
>> Maybe it has come up before and is well established. On the surface, the
>> implications seem ambiguous to me when: DEVELOPER_A takes unlicensed
>> code off the internet, prefixes it with a comment that says "Thanks to
>> DEVELOPER_B ", then prefixes the whole file with a file-level copyright
>> notice that says "COPYRIGHT  DEVELOPER_A", and then says it's
>> distributed under BSL-1.0 license, and then the boost team
>> re-distributes the source code.
>>
>> Internally at my company, there was little discussion about it.  There
>> is no room for ambiguity, so the directive from management was to delete
>> the file from our SCM system completely and ensure it never is included
>> in our products.  VERY fortunately, deleting it doesn't seem to have
>> broken our builds.  In future cases like this, that's really not what we
>> want to be doing with your OSS libraries for obvious reasons.  So, I'd
>> like to know if there's any chance this situation changes in a future
>> version of Boost (I.E., the code be removed/re-written with clean-room
>> approach, etc).

Hi,

I didn't expect those snippets in the public domain of well-known
methods could be a problem, and I explicitly thanked the authors.

I could just remove that section as compiler-specified methods are
available using clz and friends (that's why your build was not broken).

Best,

Ion


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
On 8/26/19 2:02 AM, Ion Gaztañaga via Boost wrote:

> On 22/08/2019 21:37, Michael Caisse via Boost wrote:
>> Copying to dev ML.
>>
>> On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:
>>> During an annual third-party audit of our source code, boost intrusive
>>> was flagged as containing unlicensed code. Specifically, there are
>>> several pieces of code in this file which are explicitly attributed to
>>> external parties on external websites, which still exist and show no
>>> license.
>>>
>>> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158 
>>>
>>>
>>> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L207-L208 
>>>
>>>
>>> Original sources:
>>> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers 
>>>
>>> http://www.flipcode.com/archives/Fast_log_Function.shtml
>>>
>>> I don't claim to be a license expert. I've read a lot over the years,
>>> but this is the first time that I've actually been between an attorney
>>> and a codebase having to figure out practical implications of a scenario
>>> like this.
>>>
>>> I first want to make sure that Boost committee is aware of this
>>> situation.
>>>
>>> Second, I would like to know what the official conclusion would be from
>>> the Boost Committee about the license implications in cases like these.
>>> Maybe it has come up before and is well established. On the surface, the
>>> implications seem ambiguous to me when: DEVELOPER_A takes unlicensed
>>> code off the internet, prefixes it with a comment that says "Thanks to
>>> DEVELOPER_B ", then prefixes the whole file with a file-level copyright
>>> notice that says "COPYRIGHT  DEVELOPER_A", and then says it's
>>> distributed under BSL-1.0 license, and then the boost team
>>> re-distributes the source code.
>>>
>>> Internally at my company, there was little discussion about it.  There
>>> is no room for ambiguity, so the directive from management was to delete
>>> the file from our SCM system completely and ensure it never is included
>>> in our products.  VERY fortunately, deleting it doesn't seem to have
>>> broken our builds.  In future cases like this, that's really not what we
>>> want to be doing with your OSS libraries for obvious reasons.  So, I'd
>>> like to know if there's any chance this situation changes in a future
>>> version of Boost (I.E., the code be removed/re-written with clean-room
>>> approach, etc).
>
> Hi,
>
> I didn't expect those snippets in the public domain of well-known
> methods could be a problem, and I explicitly thanked the authors.

I'm not a lawyer, but my understanding is that works under public domain
can be used by everyone in any way, including modifying and
redistributing under a (different) license with no identification of the
original author. Thus using public domain code in a BSL-licensed Boost
library should be fine. That the original author or source was also
acknowledged is legally unnecessary, but is a gesture of gratitude and
good faith.

If I'm wrong then I would like to be corrected by someone who knows for
certain. I think, this might be a good case for the Steering Committee
to ask advice of a lawyer.


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
In reply to this post by Boost - Dev mailing list

>>> Second, I would like to know what the official conclusion would be from
>>> the Boost Committee about the license implications in cases like these.
>>> Maybe it has come up before and is well established. On the surface, the
>>> implications seem ambiguous to me when: DEVELOPER_A takes unlicensed
>>> code off the internet, prefixes it with a comment that says "Thanks to
>>> DEVELOPER_B ", then prefixes the whole file with a file-level copyright
>>> notice that says "COPYRIGHT  DEVELOPER_A", and then says it's
>>> distributed under BSL-1.0 license, and then the boost team
>>> re-distributes the source code.

I am on record here on boost-dev on how incorrect the software which
scans for "plagiarism" is. Technically, legally, and morally. Those
third party audit vendors basically do almost no work, they feed the
code to a plagiarism program which contains corpuses derived from
various well known places on the internet in order to appear like they
earned their fees. Most of said vendors never bother to review the
reports of "plagiarism" they return for accuracy. The knee jerk reaction
of deleting anything in those reports is just NIH syndrome in another
variant.

For small snippets of algorithm like you mostly get from stackoverflow,
or public websites, they are uncopyrightable in any case as they are
maths, which cannot be copyrighted nor patented anywhere in the world.
Only the naming of variables might be copyrightable, and hence one would
be wise to change the variable names.

For larger snippets, fair use exception generally applies, though fair
use exceptions don't exist in some jurisdictions of the Western world.

The use of the phrase "taken from" in the Boost.Intrusive comment is
unfortunate. "Inspired by" is much better. Doesn't affect the legality
though.

I think linking to source of bit tricks is very good. It helps explain
the algorithm to those studying Boost code to learn from it. I think we
should do more of it, not less.

99% of the C and C++ snippets on StackOverflow actually come from the
book "Hacker's Delight" by Henry Warren. He explicitly says that reusing
said snippets from his book requires no attribution, so all those
snippets on StackOverflow are legal, and so is reusing them in Boost
code, with or without attribution.

Last time I raised this issue, Boost decided to delete the "offending"
parts rather than take a stand for what is right. I assume nothing here
will change this time round, but I encourage Boost library authors to
grow a backbone and stand up for good etiquette. I similarly encourage
Boost users to tell management to stop implementing NIH, in all its forms.

Niall


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
On Mon, 26 Aug 2019 at 17:41, Niall Douglas via Boost <[hidden email]>
wrote:

> For small snippets of algorithm like you mostly get from stackoverflow ...
>

As to SO, the terms are set out here:
https://stackoverflow.com/legal/terms-of-service/public#licensing .

degski
--
@realdegski
https://edition.cnn.com/interactive/2019/06/middleeast/saudi-teen-death-penalty-intl/
"Anyone who believes that exponential growth can go on forever in a finite
world is either a madman or an economist" - Kenneth E. Boulding
"Growth for the sake of growth is the ideology of the cancer cell" - Edward
P. Abbey


Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
In reply to this post by Boost - Dev mailing list


> -----Original Message-----
> From: Boost <[hidden email]> On Behalf Of Ion Gaztañaga via
> Boost
> Sent: 26 August 2019 00:02
> To: Michael Caisse via Boost <[hidden email]>
> Cc: Ion Gaztañaga <[hidden email]>
> Subject: Re: [boost] [Boost-users] License Issue with boost_intrusive
>
> On 22/08/2019 21:37, Michael Caisse via Boost wrote:
> > Copying to dev ML.
> >
> > On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:
> >> During an annual third-party audit of our source code, boost
> >> intrusive was flagged as containing unlicensed code. Specifically,
> >> there are several pieces of code in this file which are explicitly
> >> attributed to external parties on external websites, which still
> >> exist and show no license.
> >>
> >> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158
> >>
> >> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L207-L208
> >>
> >>
> >> Original sources:
> >> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers
> >> http://www.flipcode.com/archives/Fast_log_Function.shtml
> >>
> >> I don't claim to be a license expert. I've read a lot over the years,
> >> but this is the first time that I've actually been between an
> >> attorney and a codebase having to figure out practical implications
> >> of a scenario like this.
> >>
> >> I first want to make sure that Boost committee is aware of this situation.
> >>
> >> Second, I would like to know what the official conclusion would be
> >> from the Boost Committee about the license implications in cases like these.
> >> Maybe it has come up before and is well established. On the surface,
> >> the implications seem ambiguous to me when: DEVELOPER_A takes
> >> unlicensed code off the internet, prefixes it with a comment that
> >> says "Thanks to DEVELOPER_B ", then prefixes the whole file with a
> >> file-level copyright notice that says "COPYRIGHT  DEVELOPER_A", and
> >> then says it's distributed under BSL-1.0 license, and then the boost
> >> team re-distributes the source code.
> >>
> >> Internally at my company, there was little discussion about it.
> >> There is no room for ambiguity, so the directive from management was
> >> to delete the file from our SCM system completely and ensure it never
> >> is included in our products.  VERY fortunately, deleting it doesn't
> >> seem to have broken our builds.  In future cases like this, that's
> >> really not what we want to be doing with your OSS libraries for
> >> obvious reasons.  So, I'd like to know if there's any chance this
> >> situation changes in a future version of Boost (I.E., the code be
> >> removed/re-written with clean-room approach, etc).
>
> Hi,
>
> I didn't expect those snippets in the public domain of well-known methods could
> be a problem, and I explicitly thanked the authors.
>
> I could just remove that section as compiler-specified methods are available using
> clz and friends (that's why your build was not broken).

I think that nothing should be done without agreement from Boost's legal adviser because it sets a precedent.

I don't believe that Boost should just 'roll over and remove' when faced with this sort of criticism - it seems nonsense to me, but then IANAL 😉

If we could do things in the future, it is perhaps that we should get more people to agree to their names being added to the authors claiming copyright and agreeing to the licence, and keep a record of their agreement (an email will do).

And that we should give more details about the sources, references and their license terms.

My 2p.

Paul


Paul A. Bristow
Prizet Farmhouse
Kendal, Cumbria
LA8 8AB           UK







Re: [Boost-users] License Issue with boost_intrusive

Boost - Dev mailing list
In reply to this post by Boost - Dev mailing list
On 8/26/19 00:34, Andrey Semashev via Boost wrote:
> On 8/26/19 2:02 AM, Ion Gaztañaga via Boost wrote:
>> On 22/08/2019 21:37, Michael Caisse via Boost wrote:
>>> Copying to dev ML.
>>>
>>> On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:
>>>> During an annual third-party audit of our source code, boost intrusive
>>>> was flagged as containing unlicensed code. Specifically, there are

<snip description>

>>>>
>>>> I first want to make sure that Boost committee is aware of this
>>>> situation.
>>>>
>>>> Second, I would like to know what the official conclusion would be from
>>>> the Boost Committee about the license implications in cases like these.

<snip>

>>
>> Hi,
>>
>> I didn't expect those snippets in the public domain of well-known
>> methods could be a problem, and I explicitly thanked the authors.
>
> I'm not a lawyer, but my understanding is that works under public domain
> can be used by everyone in any way, including modifying and

<snip>

I'll send an email to Boost's legal counsel and have them weigh in.

michael (with steering committee hat on)

--
Michael Caisse
Ciere Consulting
ciere.com
