In distant times (before Microsoft's Satya era) I was the maintainer of a popular OSS product that scratched an important itch for specialist people who were doing work in the early cloud days. It solved my own problems, and I didn't want to make a business out of it, so I was content to release it as OSS.
A Microsoft director who ran a portfolio of product teams reached out to ask about a "collaboration". I said I'd be happy to send them my consulting agreement. There was a little grumbling about the rate but I just reiterated that it was my rate. After a lot of legal back and forth, they signed, I answered a bunch of questions for them in a 2-day workshop, and they paid.
If they want you badly enough, they'll pay. Don't work for free.
Hi Philip, I'm Lachlan from the Cloud Native Ecosystem team at Microsoft. Our team works in the cloud native open-source community with a goal of being great open-source collaborators in these projects and communities, and I’m sorry that this happened.
We appreciate your leadership and collaboration on Spegel and see your project solving a real challenge for the cloud native community. I wanted to thank you for your blog post https://philiplaine.com/posts/getting-forked-by-microsoft/, let you know what we’re doing, and address a few points.
We’ve just raised a pull request https://github.com/Azure/peerd/pull/110 amending the license headers in the source files. We absolutely should have done better here: our company policy is to maintain copyright headers in files – we have added headers to the files to attribute your work.
I also wanted to share why we felt making a new project was the appropriate path: the primary reason peerd was created was to add artifact streaming support. When you spoke with our engineers about implementing artifact streaming you said it was probably out of scope for Spegel at that time, which made sense. We made sure to acknowledge the work in Spegel and that it was used as a source of inspiration for peerd which you noted in your blog but we failed to give you the attribution you, that was a mistake and I’m sorry. We hear you loud and clear and are going to make sure we improve our processes to help us be better stewards in the open-source community.
Thanks again for bringing this to our attention. We will improve the way we work and collaborate in open source and are always open to feedback.
There's a lot of blame being assigned to Microsoft, the entire corporation. But I doubt this was a heavily contemplated decision by a room full of executives, or voted on by the shareholders.
More likely, this is a way for someone to get ahead in their career at Microsoft by passing off a successful open source project as their own accomplishment. They can steal users from the original project and justify using Microsoft's resources to maintain it, which puts more resources under their control, and gives them something to talk about during performance reviews.
The open source community should have a way to enforce professional consequences on individuals in situations like this. They are motivated by professional gains after all. That's the only way this will stop happening. Professional consequences does not mean doxxing or other personal attacks, it means losing career opportunities, losing contributor privileges, and becoming known as untrustworthy. These consequences have to be greater than the expected gain from passing a project off as your own at work.
I wonder if a new kind of license could be created which includes projects in some kind of portfolio and violating the license means losing access to the entire portfolio. Similar to how the tech companies added patents to a shared portfolio and patent treachery meant losing access to the portfolio.
Failing to abide by the MIT license is copyright infringement. My advice is to contact these guys: https://softwarefreedom.org/ They likely can file a cease and desist on your behalf.
However, I took a closer look at the files in question. The MIT license requires that they retain and provide copyright notices, but you never put copyright notices in your files. The only place where you appear to have placed a copyright notice is in the LICENSE file:
Things become interesting when I look at their LICENSE file. They appear to have tried to relicense this to Apache 2.0 before backpedaling and reinstating the MIT license:
Unless they forked from a very early version of the project that did not even have the LICENSE file, they removed the sole copyright notice you had in the repository. That brings us back to my original thoughts, which is that they have committed copyright infringement, and you should contact OSS friendly lawyers about it.
I am not a lawyer, but I do contribute to various OSS projects and all of the ones to which I have ever contributed have copyright notice headers at the top of every file to ensure proper attribution is maintained no matter where that code is used. Beyond having that sole missing copyright notice reinstated, I am not sure what else you could expect since none of your files have proper copyright headers in them. The SFLC guys would be in a better position to advise you, as they are actual lawyers.
Don't use one of the most permissive licenses in existence and certainly not one that doesn't provide copyleft. This is all very well established at this point and yet somehow the GPL seems to have gone out of vogue.
My personal thought is that we need a new kind of license: community open source. No corporations, just community.
The problem this addresses is not that Microsoft forked this project. The problem is that when a corporation like Microsoft does this, they harm our community[0]. Open source thrives because a bunch of individuals and groups collaborate.
Microsoft is built around the concept of profit for stock owners at any cost. They may collaborate as long as their interest in profit is served, but otherwise, it is back to "Embrace, Extend, Extinguish" [1].
This lack of community ethic is endemic in corporations. It is also an existential threat to our community. Profit at any cost is not collaboration. It is predatory.
And yes, I know, corpies and other greedist will vote this down, blah, blah, blah.
While Microsoft is certainly in the wrong for removing the copyright notice, I think the author has zero basis for complaint otherwise. If you're going to release software with one of the most permissible licenses, you need to accept that for all it entails. Consider what you're comfortable with and pick an appropriate license relative to your values.
I suspect that what's happening internally (at Microsoft) is that someone's leveraging your work towards their next promotion packet. They went to their manager with "hey I've got this great idea" and followed it up with your code a few weeks later. Of course, this only works if they claim they were "inspired" by Spegel to "write their own code".
> As a sole maintainer of an open source project, I was enthused when Microsoft reached out to set up a meeting to talk about Spegel. The meeting went well, and I felt there was going to be a path forward ripe with cooperation and hopefully a place where I could onboard new maintainers.
Seems it isn't the first time Microsoft leads open source maintainers on, trying to extract information about their projects so they can re-implement it themselves while also breaking the licenses that the authors use. Not sure how people fell so hard for "Microsoft <3 Open Source" but it's never been true, and seems it still isn't, just like "Security is the #1 priority" has also never been true for them.
Here is the previous time I can remember that they did something similar:
The best advice for open source maintainers who are being approached by large tech companies is to be very wary, and let them contribute/engage like everyone else if they're interested, instead of setting up private meetings and eventually getting "forked-but-not-really" without attribution.
Microsoft has almost always behaved unethically. Many examples similar to yours are easy to find. Their behavior in your case immediately reminded me of this 1994 example:
They've engaged many naive people/companies, milked them of their knowledge after signing NDAs, and then stabbed them in the back, stealing everything.
They're big enough, and have unlimited legal resources to vigorously defend any legal challenge, and also to launch legal attacks at will.
After the DOJ anti-trust case, they preemptively put every major law firm on retainer, so nobody else could retain them in an effort vs. Microsoft, without creating a conflict of interest.
They are still evil, but less so after Gates and Ballmer.
> As a maintainer, it is my duty to come across as unbiased and factual as possible
i disagree with that. factual? sure, but unbiased? why? it's your project, and you have every right to be biased towards it. on the contrary, i expect you to, and i actually believe that not being biased towards your own project is very difficult so that i don't expect many people to be able to not be biased.
This post is a great example why the choice of a license matters. You never know what your code will evolve into, so why give away your countless hours to a company/3rdparty that does not really care (aws, msft, goog, etc). License matters and large companies would not risk litigation and even if they do, that would be a great way to earn money down the road for the copyright holder. The only FOMO with MIT is that your code will prob not be easily used by 3rd parties in production which would diminish the popularity effect. On the other hand, I think that code has more value if it uses a copyleft license and I am much more inclined to contribute to it.
> fix: amend copyright attributions #110
>
> This commit amends copyright attributions that were omitted due to an oversight on part of the Peerd authors. Copyright header attributions in a few files have been updated to include "2023 Xenit AB and 2024 The Spegel Authors". The attribution in the LICENSE file has also been updated to reflect the same.
There have been many, many stories of Microsoft doing just that, invite for some talk, learn what they need to know and then do it their way.
It's not a new practice, and it's not exclusive to Microsoft either, it's something every developer should be acutely aware of, in case they're interested in avoiding it.
This is not the first or last time this has happened. Microsoft does it intentionally and when they get caught they then give a fake apology and pretend it was a mistake. These mistakes keep happening and the pattern is always the same, MS teams engaging with a developer to learn all about their business idea and then they steal it:
Microsoft does it because they know they can get away with it. It's in Microsoft's DNA in my opinion. The company has a long history of such practices, decades. Occasionally they meet someone who has enough clout to hold them to account. Sometimes they have even tried to copy patented information and get away with it. (Example: Microsoft tried to steal the idea of product activation. The owner had deep pockets enough for the court case cost ~$15M and won several hundred million from Microsoft.) Also, many companies that disclosed information to Microsoft under NDA found Microsoft developed very similar products.
Forking might be the wrong word, what happened here looks more like (somewhat obfuscated) plagiarism.
I analyzed the 2 repositories for copy/pasted lines using PMD's CPD (copy/paste detector) - using the first commit of peerd and one from spegel that was from around the same time.
I haven't looked deep enough to see how much of the differences are obfuscation and how much are meaningful changes. File names are all changed, many structs and variable names as well.
To add some missing context: the MIT license is so small I can embed it into this post.
Here it is:
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
:shrug: - of course, the failure to preserve the license is an egregious error which amounts to infringement. But it's easily remedied.
And if the downstream project has a popular feature that can't / shouldn't land upstream, then that's okay - that's what everyone prefers.
"$BIGCO shouldn't be using my software, certainly not outside of how I intended it to be used!" - this attitude is totally contrary to both Free Software and Open Source IMO.
If you don't like it then you should probably consider a more restrictive license.
> I default to using the MIT license as it is simple and permissive
What's good about being "permissive"?
I keep hearing this argument, but I still don't understand, what's the incentive for authors of one-man projects to choose anything "permissive".
Do you enjoy your project getting forked, walled off and exploited for profit by someone who has never done you any good?
AGPLv3 still allows forking, still allows making profit (if your business model is sane). But it is at least backed by some prominent figures and organizations, and there are precedents where companies were forced to comply.
Could file a DMCA takedown over the license violation, or you know, just file a pull request correcting the license to include your name and explain the situation. They're technically violating the MIT license as-is.
I want to make a point that might be misinterpreted, so I want to make clear I am not at all defending Microsoft.
That said, Microsoft isn't a person and has no agency by itself. It is specific persons/developers/managers violating the licenses and stringing along open source developers in bad faith.
Who are these people? Why is the blame not falling on them, specifically?
Getting 'forked' (so to speak) by Microsoft was the norm, and might again be.
Up until the dotcom boom (and in the earlier days of it), one of the questions I'd heard of software startups was something like, "What will you do when Microsoft decides to own your space?"
Fortunately, the broad tech industry overall got a decade or two reprieve from that, though it might be starting to return.
A long related question, when partnering with Microsoft, which sounds like it still applies, is "What's your plan for when Microsoft stabs you in the back?"
Microsoft never had a self image of "Don't Be Evil", and is more a close relative of Cantrill's Lawnmower.
My suspicion is that ruthlessness and the long-con have deep roots in Microsoft's culture.
Microsoft only appears to play nice when it has to, and is shameless otherwise.
I find it unlikely that this is Microsoft policy, it does not benefit them in any way. Someone fucked up or claimed glory internally. Pointing this out to their legal department might get the Copyright notice fixed.
Yeah for a program (not a library) I'd really recommend the GPL. Although it sounds like they even violated the really permissive terms of the MIT license!
I know it isn't mainstream, but companies try to avoid those licenses as much as possible.
Tinfoil hat: sometimes I wonder if companies astroturfed support for permissive licenses. Getting the entire Rust ecosystem to avoid copyleft was a huge win, for example.
And now that copyleft Gnu tools are being replaced with permissive uutils in Ubuntu, it seems they won, whether or not they were the ones to push it.
I wish people would seriously consider (A)GPL for their projects more often. It hasn't happened here, though has certainly happened in the past without anyone knowing - (A)GPL would make it hard for them to make a closed source "fork".
In fact, I wish an even stronger license existed which allowed the original author to dictate who can build on top of the project to avoid exactly these kinds of situations where a powerful actor completely disempowers the authors while technically following the license (I assume MS will "fix" their error by fixing the licensing information but will continue to compete with Spegel with the intent to make it irrelevant).
I've been "on the other side," part of a big corporation forking an open-source project. In Laine's case, what I would suggest is to focus more on what Microsoft added and changed; try to understand why they did that; and see if you can get any value bringing it back into your project.
(IE, don't let your ego run away.)
Why?
In my case, I was working for an industry-leading product that required a bit of reverse-engineering into MacOS. We got stuck on a new release of MacOS, so we did a bit of digging and found an open-source project that successfully reverse-engineered what we were trying to do.
(Basically, integrating in the right-click menu in Finder required reverse engineering prior to 2014; and every version of MacOS required redoing the reverse engineering.)
It was a legal grey area to copy how the open-source project reverse engineered MacOS, so I reached out to the open-source project and tried to collaborate. We exchanged a few emails and then I found a problem...
Basically, their solution had rather large memory consumption in Finder if the user had very large folders. Our customers had very large folders. (Edit, 200,000+ files were common.) We still wanted to collaborate, so I proposed a fix that fixed the problem.
But, then "radio silence" from the original authors. We forked and complied with the license. I always hoped they never begrudged us.
(Ultimately, Apple released an API so we didn't have to reverse engineer MacOS.)
If you don't want people to fork your code, don't explicitly give them permission to fork your code. It's like if you put your couch on the curb with a sign on it saying "FREE COUCH" and then coming home and freaking out because your couch is gone.
This happened with me and Google (Antbot/Cellbots stuff, circa 2011). The difference is that the Google person in charge of the fork of my project was actively hostile to me. He told me that I was just a hobbyist and that my product didn't exist.
So I put a PCB of my product in his hand (it had some through-hole components), and squeezed it really hard, and asked him "If it doesn't exist, why is it making you bleed?"
All this at a meeting/presentation where my bot was literally running circles around theirs because mine worked and theirs stalled.
I think I have video of this somewhere, but there's no audio.
The guy left Google a year later, tried to sell bots independently, and folded. I on the other hand am still here.
It was a bit of a weird interaction overall. Why would someone say "this doesn't exist" while staring at it? I figured that haptic feedback would help with their solipsism at the time.
It's like when someone says they want to go birding with you and they really just want to get you alone in the woods so they can steal your binoculars.
Not just forked. Microsoft stole the code without attribution, violating the license terms. Truly shameful behavior. Best case, it was a single engineer who was tasked with duplicating the functionality, but chose the lazier, fraudulent route and was even too lazy to clean things up entirely. Still, MS should own up, correct the record, and make this right.
That is why I only choose extremes with my open source licensing. If I really don't care then I go with a CC0 1.0 license. If I want any participation or credit for the work at all then I go the other extreme: AGPL 3.0. If that, and only that, means people will refuse to look at the project then I know I have chosen wisely.
The best you could hope for in these situations is perhaps a job. It's not uncommon to see not just in open source but in business in general that the large player will try to extract business knowledge and reimplement themselves. The code isn't the value, it's the people maintaining it and the community or customers using it. I've seen it happen with Google and a real business also. So I think ultimately cooperation turns into coopetition where you're going to compete until some agreement can be reached. In a business case, Google fell flat on its face and acquired the company I was working at. In the case of open source I've raised seen it turn into an acquisition as we've seen the forks are really about code ownership for something they run as managed services or use internally. They're rarely buying it for the people or community.
This sucks and I feel for the maintainer, but it really is their own fault for publishing as MIT. However, that is a pretty common mistake that most people never learn until they've been screwed by it. The OSI have done a good job at convincing devs to open themselves up to exploitation for the benefit of big tech companies, and I find it hard to fault people for falling for that. The social pressure is very high.
But giving a (presumably) free consultation to Microsoft is a self-own. History has shown that you should never give the benefit of the doubt to Microsoft, and you should certainly never trust them (unless you have a contract and a good lawyer). Not knowing this can only be the result of willful ignorance. I can't offer sympathy for that.
Hopefully, this person learned the right lessons from this experience.
> Spegel was published with an MIT license. Software released under an MIT license allows for forking and modifications, without any requirement to contribute these changes back.
If that's what the license says, why is the author complaining? Microsoft is complying with the license.
That's what you get for not picking one of the licenses from the GPL family.
> However, I am not the first and unfortunately not the last person to come across this David versus Goliath-esque experience.
Again, this situation was completely avoidable. Stallman had foreseen this kind of situation literally forty years ago. That's why the Free Software movement exists.
Tangentially related: has anyone noticed how the whole Grafana ecosystem is going strong and unaffected by forks and corporate take-overs? I'm pretty sure that the AGPL license is playing a big role in that.
Really poor form there from Microsoft, I hope that some of the wiser heads see this and educate the team responsible and ensure that this is made right.
Not a direct solution to your problem, but people should definitely consider Apache over MIT when reaching for a permissive license. In addition to being more robust about things like, notifying users of modifications that have been made to the original source code, it also explicitly requires that forkers maintain the NOTICE file in its entirety, and distribute that file to users receiving copies of the software (whether source or binary copies).
Even if megacorp does nothing else for you, that NOTICE file can at least contain information about who you are as the original author, links to your website, etc.
They just updated the license and attribution. https://github.com/Azure/peerd/pull/110/files . Overall, it does not sit right with me. How can you be at the position you are and make a very obvious non-attribution mistake. I want to side on incompetence and give benefit of doubt but malice (for personal gains) is on the table as well.
> As a sole maintainer of an open source project, I was enthused when Microsoft reached out to set up a meeting to talk about Spegel. The meeting went well, and I felt there was going to be a path forward ripe with cooperation and hopefully a place where I could onboard new maintainers.
As usual pick carefully your license, doesn't matter if it is the neighbour down the street or Microsoft, when they play by the legalese of the license.
First, if Microsoft used any of the Spegel code then it should provide proper attribution. A best practice is to put the LICENSE file in the root of project (both peerd and spegel do). But also, you need to put the license in the header of each file as a best practice. Like Microsoft did here https://github.com/Azure/peerd/blob/main/api/docs.go#L1
That's why you release projects like these under restrictive licences.
Far too many times big companies take what they choose and give you nothing. Use licenses for your advantage, heck dual license if needed. Not sure what the desire is of a Eutopia open source world view, where not everyone has the vision or plays by the rules anyway.
I actually worked on an open source project, the maintainer was convinced by microsoft to relicense the project for "collaboration" - I left the project for this reason and as far as I can tell msft never did anything for them except for keep giving them the "honor" of being a microsoft mvp.
If you write open source code, expect it to be forked. It's kind of what open source is all about. Do it because sharing knowledge is a moral good. The wealth, influence, power, etc of whoever may decide to participate in your act of open source is completely and utterly irrelevant.
Regarding the removal of copyright notice, did anyone open an issue on the Microsoft GitHub repo to have it restored? It should be relatively simple to fix. Yes, I know, this won't dull the knife that Microsoft stuck into the back of the original author.
Friends don't let friends release as MIT, except for trivial amounts of code.
Last week I relicensed most of my previously released Minecraft mods (except those with trivial code and those with missing source code) to AGPL plus a bunch of exceptions.
I feel for this person. I stopped using open source licenses a while ago, and I've recently started writing about how I've ended up where I am. One of my pieces got shared here last month and predictably didn't land with the readership.
Nevertheless, I'm going to keep writing (latest piece [1]) about my post-open source journey in the hopes of clicking with a handful of people in the next generation.
Why haven’t you threatened to sue yet? They very clearly violated the MIT license by getting rid of your copyright, which is literally the only requirement MIT imposes. Go after them, don’t let the corporation get away with
Microsoft doing this is expected, it is what big tech companies do, but what is surprising is the growing number of people defending its behavior and blaming the developer for what happened.
If a big tech company shows any interest in your open source project, don't ever assume there are any good intentions. Never agree to any meeting or unpaid work, or do any work or go out of your way for them unless you have a contract. Be extra careful when dealing with a big company, because they have a lot of resources and do not care about you or your project.
Hahahahah this sounds very much like what Microsoft did to one of my employers.
Meet for a week. Bring in one of their grey beards. Learn all our deets in anticipation of acquisition. Then silence...according to my understanding, not being privy to executive level discussions.
A bit later, release their own take on the problem area ... tragic.
Their improvements are available under MIT license. They would have been fully within their rights to not release and put in a proprietary product but did not do this.
Instead everyone can benefit from their improvements. Author can steal whatever he wants for his upstream.
(I can’t find any details of “Microsoft MIT” and the above is premised on it being functionally MIT.)
Hey, this sucks. Unfortunately the MIT license doesn't do much to prevent this and (I think?) their licensing transgression is they haven't kept "Copyright (c) 2024 The Spegel Authors" in the LICENSE file. I suspect if you call them out on it that'll be the remediation.
Did you manage to reach out to any of the people at MSFT you originally spoke to to ask wtf?
They all do it. Anytime a corporation comes calling, they're looking for something from you and there's an implicit quid pro quo. I'm not a lawyer, but anytime Latin is involved, you better get it in writing and run it by someone who is.
I tend to disagree with the criticism of Microsoft here.
The author of Spegel released it as MIT, which means that anyone can fork it as long as they keep the attribution. So if every file of the original project has a header containing the copyright, Microsoft has to keep it. Looking at Spegel, I haven't found a single source file containing an MIT header and copyright.
Microsoft added their header with their copyright in Peerd (because now that they changed the files, they own a copyright over parts of those files). Nothing says that they must add a line for the original author, and I could imagine that it's legally a risk for them to do it.
Moreover, a copyleft license wouldn't have changed anything here (except maybe discouraging Microsoft from reusing any of that code).
If you don't want anyone to reuse your code, don't open source it. The whole point of open source is that you allow others to reuse it.
If you want to have the copyright license put into it do a DMCA take down. They're in breach of your copyright license and therefore do not have rights to distribute your copyrighted material.
So this is a peanut gallery esque reply, but this sort of thing is what GPL was meant to avoid. I know GNU has had a lot of detractors and criticism, but you cannot and should not expect large orgs to respect community norms around open source. Permissive licenses are NOT better in this world where different players have different levels of power relative to each other.
Sometimes I wonder if all the shitting on free software in general is in fact cynical and in bad faith by actors who want your labour for free.
Looks like Bill's old M.O. of embrace, extend, and extinguish has rubbed off on Satya. Except this time, MIT license has shielded the code from extinguish to emaciate.
The MIT license should have a provision to permit forks (without allowing daisy chaining of fork of forks). You can then decide & allow/reject fork requests.
Is it possible that there could be enough damages for Microsoft's violation of the license that a talented law firm would take up a lawsuit on a contingency basis?
Do. Not. Trust. Microsoft. Why is this a lesson that has to be learned over and over again by people? It's been extensively, exhaustively, documented over the years.
The leopard doesn't change its spots. The scorpion stings the frog. Microsoft screws over people. Lessons learned in childhood that still hold true today.
Many of us dislike Microsoft and big corporations, but here’s my (possibly unpopular) take:
1. Open source worked as expected. Some MIT-licensed code was forked under the same licence, giving users more options and contributing further to the open-source codebase.
2. I don’t understand the claim about users being confused between Spegel and Peerd. These are two products with different names and maintainers. Maybe some users are also confused between Ubuntu and Red Hat Linux - so what? I’m glad users have more choices.
3. The point about the original author not being given enough credit is the only valid one. The legal side, discussed in other comments, seems to suggest they’re within their rights, but they could have done better.
Default to copyleft licenses for open source or live with the consequences.
Licenses like the GNU Affero General Public License (AGPL) might prevent some corporations from using an open-source project because they do not want to release the source code of their own modifications to it. Sadly, corporate compliance often prohibits the usage of copyleft projects altogether, even if nobody plans to modify anything. Especially the legal departments of large “enterprizy” organizations often prefer software with licenses like MIT as they want it simple and “risk”-free.
But who cares? If these corporate users do not contribute back, there is simply no benefit in having them as users.
Except you do not care about open source community but about hypergrowth. This seems not to be true for this case, but the impression comes to mind that many start-ups use open source not because of freedom but as an argument for adoption in the enterprise ecosystem. They avoid choosing (A)GPLv3 licenses to facilitate easier corporate adoption without generating enough revenue, while being funded by venture capital and without getting contributions back from organizations who could easily afford giving back something. Then, after being adopted, they complain.
There’s a reason why Linux (GPL licensed) is still around, growing, and making money for so many while companies behind widespread open source projects often fail financially and burn insane amounts of money. It might work out for individuals and owners when getting bought, but it hurts users and ecosystems who relied on something.
The solution is to change the license ASAP, add some must-have features from the pull requests (or your own imagination, you know best what's missing), and continue on your merry way.
Eventually the MS fork will be so far behind yours that they will come back to talk to you. And this time, you will be prepared.
Open source is becoming not much more than free labor for giant corporations and SaaS.
The OSI considers any open source license that tries to restrict or disincentivize this "not open source." Look into OSI and note that it is effectively captured and controlled by these corporations.
So, let me get this straight.
You published your software under a free license that stipulates they can't remove the license and are otherwise free to do as they please.
They took you by your word and did exactly that.
What did you think a license is for? For artistic expression?
It's a contract. If you want to get paid, put that in your license.
I recommend AGPL 3. Then nobody will rip you off. And if they do, you can drag them to court over it.
Reminds me of the scene in Silicon Valley where the team are excited to hear a VC interested in the details so they are explaining the technology on the whiteboard to the "investors" who were a team of engineers eager to copy their tech.
But seriously, it sounds like a weird version of "not invented here syndrome" where you are somehow OK with copy-pasting most of it.
> How can sole maintainers work with multi-billion corporations without being taken advantage of?
Use AGPL, Fair Source or BSL. That's the only way forward. I for one will be using AGPL in everything. If a trillion dollar company cannot pay for services it is a fucking shame. Absolutely disgusting. Microsoft should be ashamed.
He got Jeff’d. Or maybe Bill’d (or Satya’d). Regardless, any kind of non-gnu open-source collaboration with the Powers That Be in the tech world is just begging for punishment. Amazon will just blatantly rebrand something, but Microsoft seems especially comfortable wasting a dev’s time mining for details before stealing or copying their work entirely.
Boo Microsoft. Winget still sucks.
I read recently that Microsoft is adopting rust more and more. I think that’s a step in the right direction for an OS with such a huge marketshare. That said, I’m just waiting for Rust.Net or Managed Rust to get excreted in a thinly veiled attempt to split the community, steal mindshare, and take over the project.
Is there a template license that says open source unless your market cap is or goes above x million? Would like companies to be able to use things to grow but then if they hit it big they have to start paying.
Reading story after story about big corporations abusing single/small group opensource developers, I think we need a license that, otherwise permissive, explicitly denies the use of the code for companies that took VC money or are worth a billion or more.
Not including the original license may well be an oversight. It is very unlikely Microsoft would intentionally do something like this, which costs them really nothing, but not doing it can cost a lot in the future in legal costs.
For the rest - if you chose MIT license for your work you should expect it can be used by someone to create software based on it, including commercially licenses
I would treat anything you're releasing as MIT as a gift to the world. This is how Open Source is supposed to work - people building on each other's work, often without properly thanking authors and maintainers.
If you want to reserve some rights - choose who can use your software and for what purpose, i.e. ensure "Microsofts" of this world can't use your code in a way you do not approve, you should not release it as Open Source.
This is why I wrote the SAUCR license [1] for my full-stack JavaScript framework.
A lot of OSS developers get "got" by the ideological arguments of OSS and shy away from doing "source available" (which if we set down the Kool-Aid, is in effect open source because...the source is open).
If you're an independent or small team and want to protect your IP as best you can while keeping source available for learning/auditing, check it out.
That said, Microsoft provides extremely generous Startup Assistance (to the tune of > 150K of Azure credits). Disclaimer: I'm not affiliated with MS but I did their program, also did the Gcloud and AWS programs back in the day. No negative comparisons, but off the top of my head the Azure program is awesome. I really enjoyed working with Azure, and it does what it says on the tin.
Getting forked by Microsoft
(philiplaine.com) 1837 points by phillebaba 21 April 2025 | 997 comments
Comments
We appreciate your leadership and collaboration on Spegel and see your project solving a real challenge for the cloud native community. I wanted to thank you for your blog post https://philiplaine.com/posts/getting-forked-by-microsoft/, let you know what we’re doing, and address a few points.
We’ve just raised a pull request https://github.com/Azure/peerd/pull/110 amending the license headers in the source files. We absolutely should have done better here: our company policy is to maintain copyright headers in files – we have added headers to the files to attribute your work.
I also wanted to share why we felt making a new project was the appropriate path: the primary reason peerd was created was to add artifact streaming support. When you spoke with our engineers about implementing artifact streaming you said it was probably out of scope for Spegel at that time, which made sense. We made sure to acknowledge the work in Spegel and that it was used as a source of inspiration for peerd which you noted in your blog but we failed to give you the attribution you, that was a mistake and I’m sorry. We hear you loud and clear and are going to make sure we improve our processes to help us be better stewards in the open-source community.
Thanks again for bringing this to our attention. We will improve the way we work and collaborate in open source and are always open to feedback.
More likely, this is a way for someone to get ahead in their career at Microsoft by passing off a successful open source project as their own accomplishment. They can steal users from the original project and justify using Microsoft's resources to maintain it, which puts more resources under their control, and gives them something to talk about during performance reviews.
The open source community should have a way to enforce professional consequences on individuals in situations like this. They are motivated by professional gains after all. That's the only way this will stop happening. Professional consequences does not mean doxxing or other personal attacks, it means losing career opportunities, losing contributor privileges, and becoming known as untrustworthy. These consequences have to be greater than the expected gain from passing a project off as your own at work.
I wonder if a new kind of license could be created which includes projects in some kind of portfolio and violating the license means losing access to the entire portfolio. Similar to how the tech companies added patents to a shared portfolio and patent treachery meant losing access to the portfolio.
Failing to abide by the MIT license is copyright infringement. My advice is to contact these guys: https://softwarefreedom.org/ They likely can file a cease and desist on your behalf.
However, I took a closer look at the files in question. The MIT license requires that they retain and provide copyright notices, but you never put copyright notices in your files. The only place where you appear to have placed a copyright notice is in the LICENSE file:
https://github.com/spegel-org/spegel/commit/23ed0d60f66dd292...
Things become interesting when I look at their LICENSE file. They appear to have tried to relicense this to Apache 2.0 before backpedaling and reinstating the MIT license:
https://github.com/Azure/peerd/commit/473a26c808907f2d9f7b7f...
Unless they forked from a very early version of the project that did not even have the LICENSE file, they removed the sole copyright notice you had in the repository. That brings us back to my original thoughts, which is that they have committed copyright infringement, and you should contact OSS friendly lawyers about it.
I am not a lawyer, but I do contribute to various OSS projects and all of the ones to which I have ever contributed have copyright notice headers at the top of every file to ensure proper attribution is maintained no matter where that code is used. Beyond having that sole missing copyright notice reinstated, I am not sure what else you could expect since none of your files have proper copyright headers in them. The SFLC guys would be in a better position to advise you, as they are actual lawyers.
The problem this addresses is not that Microsoft forked this project. The problem is that when a corporation like Microsoft does this, they harm our community[0]. Open source thrives because a bunch of individuals and groups collaborate.
Microsoft is built around the concept of profit for stock owners at any cost. They may collaborate as long as their interest in profit is served, but otherwise, it is back to "Embrace, Extend, Extinguish" [1].
This lack of community ethic is endemic in corporations. It is also an existential threat to our community. Profit at any cost is not collaboration. It is predatory.
And yes, I know, corpies and other greedist will vote this down, blah, blah, blah.
[0] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...
[1] https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
[edit clarity]
https://vadosware.io/post/the-future-of-free-and-open-source...
Seems it isn't the first time Microsoft leads open source maintainers on, trying to extract information about their projects so they can re-implement it themselves while also breaking the licenses that the authors use. Not sure how people fell so hard for "Microsoft <3 Open Source" but it's never been true, and seems it still isn't, just like "Security is the #1 priority" has also never been true for them.
Here is the previous time I can remember that they did something similar:
- https://news.ycombinator.com/item?id=23331287 - The Day AppGet Died (keivan.io) 1930 points | May 27, 2020 | 550 comments
The best advice for open source maintainers who are being approached by large tech companies is to be very wary, and let them contribute/engage like everyone else if they're interested, instead of setting up private meetings and eventually get "forked-but-not-really" without attribution.
https://www.latimes.com/archives/la-xpm-1994-02-24-fi-26671-...
They've engaged many naive people/companies, milked them of their knowledge after signing NDAs, and then stabbed them in the back, stealing everything.
They're big enough, and have unlimited legal resources to vigorously defend any legal challenge, and also to launch legal attacks at will.
After the DOJ anti-trust case, they preemptively put every major law firm on retainer, so nobody else could retain them in an effort vs. Microsoft, without creating a conflict of interest.
They are still evil, but less so after Gates and Ballmer.
i disagree with that. factual? sure, but unbiased? why? it's your project, and you have every right to be biased towards it. on the contrary, i expect you to, and i actually believe that not being biased towards your own project is very difficult so that i don't expect many people to be able to not be biased.
> fix: amend copyright attributions #110
>
> This commit amends copyright attributions that were omitted due to an oversight on part of the Peerd authors. Copyright header attributions in a few files have been updated to include "2023 Xenit AB and 2024 The Spegel Authors". The attribution in the LICENSE file has also been updated to reflect the same.
It's not a new practice, and it's not exclusive to Microsoft either, it's something every developer should be acutely aware of, in case they're interested in avoiding it.
https://keivan.io/the-day-appget-died/
I analyzed the 2 repositories for copy/pasted lines using PMD's CPD (copy/paste detector) - using the first commit of peerd and one from spegel that was from around the same time.
There are some clear duplications, e.g. 178 lines here: https://github.com/Azure/peerd/blob/64b8928943ddd73691d0b5d8... correspond to this: https://github.com/spegel-org/spegel/blob/ed21d4da925b9a179c...
Also 44 lines here: https://github.com/spegel-org/spegel/blob/ed21d4da925b9a179c... and https://github.com/Azure/peerd/blob/64b8928943ddd73691d0b5d8... but the full files are almost identical, only a few edits that break the complete equality.
Also https://github.com/spegel-org/spegel/blob/ed21d4da925b9a179c... matches https://github.com/Azure/peerd/blob/64b8928943ddd73691d0b5d8...
I haven't looked deep enough to see how much of the differences are obfuscation and how much are meaningful changes. File names are all changed, many structs and variable names as well.
See this gist for full list of duplications: https://gist.github.com/corneliusroemer/c58cf0faf957d9001b58...
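The kind of comparison described in the comment above, as an added example that is not part of the thread and is not PMD's CPD: a small token-window clone detector that replaces identifiers and literals with placeholders, so a copied function still matches after its names are changed. The two Go snippets are constructed for the illustration and are not taken from either repository.

```python
import re
from collections import namedtuple

GO_KEYWORDS = set("""break case chan const continue default defer else
fallthrough for func go goto if import interface map package range return
select struct switch type var""".split())

TOKEN_RE = re.compile(r'''
    //[^\n]*              # line comment
  | /\*.*?\*/             # block comment
  | "(?:\\.|[^"\\])*"     # interpreted string
  | `[^`]*`               # raw string
  | [A-Za-z_]\w*          # identifier or keyword
  | \d[\w.]*              # number
  | [^\s\w]               # any other single character
''', re.S | re.X)

Clone = namedtuple("Clone", "tokens a_start a_end b_start b_end")


def tokenize(src, normalize=True):
    """Return [(token, line)] with comments dropped. With normalize=True,
    identifiers, strings and numbers collapse to ID / STR / NUM."""
    out, line, pos = [], 1, 0
    for m in TOKEN_RE.finditer(src):
        line += src.count("\n", pos, m.start())
        pos = m.start()
        text = m.group(0)
        if text.startswith(("//", "/*")):
            continue
        if normalize:
            if text[0] in '"`':
                text = "STR"
            elif text[0].isdigit():
                text = "NUM"
            elif (text[0].isalpha() or text[0] == "_") and text not in GO_KEYWORDS:
                text = "ID"
        out.append((text, line))
    return out


def find_clones(a, b, min_tokens=20):
    """Maximal runs of at least min_tokens equal tokens shared by a and b."""
    ta, tb = [t for t, _ in a], [t for t, _ in b]
    index = {}
    for j in range(len(tb) - min_tokens + 1):
        index.setdefault(tuple(tb[j:j + min_tokens]), []).append(j)
    clones = []
    for i in range(len(ta) - min_tokens + 1):
        for j in index.get(tuple(ta[i:i + min_tokens]), ()):
            if i and j and ta[i - 1] == tb[j - 1]:
                continue  # inside a run that was reported from its start
            n = min_tokens
            while i + n < len(ta) and j + n < len(tb) and ta[i + n] == tb[j + n]:
                n += 1
            clones.append(Clone(n, a[i][1], a[i + n - 1][1],
                                b[j][1], b[j + n - 1][1]))
    return sorted(clones, key=lambda c: -c.tokens)


# Constructed sample: an "upstream" file and a "fork" with every name changed.
UPSTREAM = """\
package registry

// handleBlob serves a blob from a peer.
func handleBlob(w http.ResponseWriter, r *http.Request, key string) {
    peer, err := router.Resolve(r.Context(), key)
    if err != nil {
        http.Error(w, "not found", 404)
        return
    }
    for i := 0; i < retries; i++ {
        if forward(w, r, peer) == nil {
            return
        }
    }
}
"""

FORK = """\
package files

/* FetchLayer streams a layer. */
func FetchLayer(rw http.ResponseWriter, req *http.Request, digest string) {
    node, e := lookup.Resolve(req.Context(), digest)
    if e != nil {
        http.Error(rw, "missing", 500)
        return
    }
    for n := 0; n < attempts; n++ {
        if proxy(rw, req, node) == nil {
            return
        }
    }
}

func Version() string { return "v2" }
"""

if __name__ == "__main__":
    for c in find_clones(tokenize(UPSTREAM), tokenize(FORK)):
        print(f"{c.tokens} tokens: upstream {c.a_start}-{c.a_end} "
              f"~ fork {c.b_start}-{c.b_end}")
```

Normalized tokens over-match on short windows, so on real checkouts raise `min_tokens` and read each reported range before drawing conclusions.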
Here it is:
Further reference: https://en.wikipedia.org/wiki/MIT_License
"No."
<Fork happens>
:shrug: - of course, the failure to preserve the license is an egregious error which amounts to infringement. But it's easily remedied.
And if the downstream project has a popular feature that can't / shouldn't land upstream, then that's okay - that's what everyone prefers.
"$BIGCO shouldn't be using my software, certainly not outside of how I intended it to be used!" - this attitude is totally contrary to both Free Software and Open Source IMO.
If you don't like it then you should probably consider a more restrictive license.
What's good about being "permissive"?
I keep hearing this argument, but I still don't understand, what's the incentive for authors of one-man projects to choose anything "permissive".
Do you enjoy your project getting forked, walled off and exploited for profit by someone who has never done you any good?
AGPLv3 still allows forking, still allows making profit (if your business model is sane). But it is at least backed by some prominent figures and organizations, and there are precedents where companies were forced to comply.
That said, Microsoft isn't a person and has no agency by itself. It is specific persons/developers/managers violating the licenses and stringing along open source developers in bad faith.
Who are these people? Why is the blame not falling on them, specifically?
Up until the dotcom boom (and in the earlier days of it), one of the questions I'd heard of software startups was something like, "What will you do when Microsoft decides to own your space?"
Fortunately, the broad tech industry overall got a decade or two reprieve from that, though it might be starting to return.
A long related question, when partnering with Microsoft, which sounds like it still applies, is "What's your plan for when Microsoft stabs you in the back?"
Microsoft never had a self image of "Don't Be Evil", and is more a close relative of Cantrill's Lawnmower.
My suspicion is that ruthlessness and the long-con have deep roots in Microsoft's culture.
Microsoft only appears to play nice when it has to, and is shameless otherwise.
I know it isn't mainstream, but companies try to avoid those licenses as much as possible.
Tinfoil hat: sometimes I wonder if companies astroturfed support for permissive licenses. Getting the entire Rust ecosystem to avoid copyleft was a huge win, for example.
And now that copyleft Gnu tools are being replaced with permissive uutils in Ubuntu, it seems they won, whether or not they were the ones to push it.
In fact, I wish an even stronger license existed which allowed the original author to dictate who can build on top of the project to avoid exactly these kinds of situations where a powerful actor completely disempowers the authors while technically following the license (I assume MS will "fix" their error by fixing the licensing information but will continue to compete with Spegel with the intent to make it irrelevant).
(IE, don't let your ego run away.)
Why?
In my case, I was working for an industry-leading product that required a bit of reverse-engineering into MacOS. We got stuck on a new release of MacOS, so we did a bit of digging and found an open-source project that successfully reverse-engineered what we were trying to do.
(Basically, integrating in the right-click menu in Finder required reverse engineering prior to 2014; and every version of MacOS required redoing the reverse engineering.)
It was a legal grey area to copy how the open-source project reverse engineered MacOS, so I reached out to the open-source project and tried to collaborate. We exchanged a few emails and then I found a problem...
Basically, their solution had rather large memory consumption in Finder if the user had very large folders. Our customers had very large folders. (Edit, 200,000+ files were common.) We still wanted to collaborate, so I proposed a fix that fixed the problem.
But, then "radio silence" from the original authors. We forked and complied with the license. I always hoped they never begrudged us.
(Ultimately, Apple released an API so we didn't have to reverse engineer MacOS.)
This sentence is true but a bit confusing, because there are no licenses that require anyone to contribute changes back upstream.
So I put a PCB of my product in his hand (it had some through-hole components), and squeezed it really hard, and asked him "If it doesn't exist, why is it making you bleed?"
All this at a meeting/presentation where my bot was literally running circles around theirs because mine worked and theirs stalled.
I think I have video of this somewhere, but there's no audio.
The guy left Google a year later, tried to sell bots independently, and folded. I on the other hand am still here.
It was a bit of a weird interaction overall. Why would someone say "this doesn't exist" while staring at it? I figured that haptic feedback would help with their solipsism at the time.
GPLv3.
Microsoft has been a bully for years: https://www.fsf.org/news/microsoft_response
They can't change, regardless of how much marketing money they put into "We love opensource".
Ref: https://youtu.be/JlwwVuSUUfc
But giving a (presumably) free consultation to Microsoft is a self-own. History has shown that you should never give the benefit of the doubt to Microsoft, and you should certainly never trust them (unless you have a contract and a good lawyer). Not knowing this can only be the result of willful ignorance. I can't offer sympathy for that.
Hopefully, this person learned the right lessons from this experience.
If that's what the license says, why is the author complaining? Microsoft is complying with the license.
That's what you get for not picking one of the licenses from the GPL family.
> However, I am not the first and unfortunately not the last person to come across this David versus Goliath-esque experience.
Again, this situation was completely avoidable. Stallman had foreseen this kind of situation literally forty years ago. That's why the Free Software movement exists.
Tangentially related: has anyone noticed how the whole Grafana ecosystem is going strong and unaffected by forks and corporate take-overs? I'm pretty sure that the AGPL license is playing a big role in that.
Even if megacorp does nothing else for you, that NOTICE file can at least contain information about who you are as the original author, links to your website, etc.
Using it then complaining about its effects because you don't like the company is silly.
Use a different license if this is important to you.
Copyright (c) 2024 The Spegel Authors
Which should be retained when you are forking it right? Or am I wrong?
I bet the Spyglass people had the same thought.
https://en.wikipedia.org/wiki/Spyglass,_Inc.
Sez who?
spegel did not follow best practices to put the copyright in the file itself: https://github.com/spegel-org/spegel/blob/main/internal/web/...
Ideally starting with something like this
// SPDX-License-Identifier: MIT
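An added example, not part of any comment in the thread: one way to check the two things commenters raise here, that a fork still carries every copyright notice found in the upstream tree (LICENSE included) and that its source files start with an SPDX header. The file trees, holder names and the `audit_fork` and `load_tree` helpers are constructed for the illustration.

```python
import re
from pathlib import Path

COPYRIGHT_RE = re.compile(
    r"copyright\s+(?:\(c\)|©)?\s*(\d{4}(?:\s*[-,]\s*\d{4})*)\s+(\S.*)", re.I)
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(\S+)")


def load_tree(root):
    """Read a checkout into {relative_path: text}, skipping .git."""
    tree = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            tree[p.relative_to(root).as_posix()] = p.read_text(errors="replace")
    return tree


def notices(text):
    """Map a normalized (years, holder) key to the notice as written."""
    found = {}
    for line in text.splitlines():
        m = COPYRIGHT_RE.search(line)
        if m:
            years = re.sub(r"\s+", "", m.group(1))
            holder = " ".join(m.group(2).split()).rstrip(".").casefold()
            found[(years, holder)] = m.group(0).strip()
    return found


def audit_fork(upstream, fork, exts=(".go",), header_lines=5):
    """Compare two {path: text} trees.

    dropped_notices: upstream notices that appear nowhere in the fork.
    missing_spdx:    fork source files with no SPDX id in the first lines.
    """
    upstream_notices = {}
    for text in upstream.values():
        upstream_notices.update(notices(text))
    fork_keys = set()
    for text in fork.values():
        fork_keys.update(notices(text))
    dropped = sorted(v for k, v in upstream_notices.items()
                     if k not in fork_keys)
    missing = sorted(
        path for path, text in fork.items()
        if path.endswith(exts)
        and not SPDX_RE.search("\n".join(text.splitlines()[:header_lines])))
    return {"dropped_notices": dropped, "missing_spdx": missing}


# Constructed trees: the upstream keeps its only notice in LICENSE.
UPSTREAM = {
    "LICENSE": "MIT License\n\nCopyright (c) 2024 Example Upstream Authors\n\n"
               "Permission is hereby granted, free of charge, ...\n",
    "pkg/router.go": "package router\n\nfunc Resolve() {}\n",
}

# The fork replaced the LICENSE notice and left one file without a header.
FORK_BAD = {
    "LICENSE": "MIT License\n\nCopyright (c) 2025 Example Fork Contributors\n\n"
               "Permission is hereby granted, free of charge, ...\n",
    "pkg/lookup.go": "// Copyright (c) 2025 Example Fork Contributors\n"
                     "// SPDX-License-Identifier: MIT\npackage lookup\n",
    "internal/b.go": "package b\n",
}

# Same fork after restoring the notice and adding the missing header.
FORK_FIXED = {
    **FORK_BAD,
    "NOTICE": "Portions derived from the upstream project.\n"
              "Copyright (c) 2024 Example Upstream Authors\n",
    "internal/b.go": "// Copyright (c) 2024 Example Upstream Authors\n"
                     "// SPDX-License-Identifier: MIT\npackage b\n",
}

if __name__ == "__main__":
    print(audit_fork(UPSTREAM, FORK_BAD))
    print(audit_fork(UPSTREAM, FORK_FIXED))
```

Matching is exact on years and holder, so a fork that merges several holders into one line is reported as dropped and needs a manual look.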
Far too many times big companies take what they choose and give you nothing. Use licenses for your advantage, heck dual license if needed. Not sure what the desire is of a utopian open source world view, where not everyone has the vision or plays by the rules anyway.
Last week I relicensed most of my previously released Minecraft mods (except those with trivial code and those with missing source code) to AGPL plus a bunch of exceptions.
Nevertheless, I'm going to keep writing (latest piece [1]) about my post-open source journey in the hopes of clicking with a handful of people in the next generation.
[1]: https://lgug2z.com/articles/on-evils-in-software-licensing/ - feel free to hit me up off-platform if you want to discuss
Meet for a week. Bring in one of their grey beards. Learn all our deets in anticipation of acquisition. Then silence...according to my understanding, not being privy to executive level discussions.
A bit later, release their own take on the problem area ... tragic.
It was very bad for us.
Their improvements are available under MIT license. They would have been fully within their rights to not release and put in a proprietary product but did not do this.
Instead everyone can benefit from their improvements. Author can steal whatever he wants for his upstream.
(I can’t find any details of “Microsoft MIT” and the above is premised on it being functionally MIT.)
Who are they?
Did you manage to reach out to any of the people at MSFT you originally spoke to to ask wtf?
That being said, it's not cool to remove the attribution even internally. Then again, I use MIT without the attribution clause for this very reason.
Use AGPLv3.
The author of Spegel released it as MIT, which means that anyone can fork it as long as they keep the attribution. So if every file of the original project has a header containing the copyright, Microsoft has to keep it. Looking at Spegel, I haven't found a single source file containing an MIT header and copyright.
Microsoft added their header with their copyright in Peerd (because now that they changed the files, they own a copyright over parts of those files). Nothing says that they must add a line for the original author, and I could imagine that it's legally a risk for them to do it.
Moreover, a copyleft license wouldn't have changed anything here (except maybe discouraging Microsoft from reusing any of that code).
If you don't want anyone to reuse your code, don't open source it. The whole point of open source is that you allow others to reuse it.
Commercial entities will always exploit your work - you need to force them to give back, they will never do the positive sum game by default
He already gave them permission. I think he is overemphasizing the meeting they had and under-emphasizing already giving away his work.
People using that gift is the point. Forks aren’t just permitted, they are encouraged. That’s why we release free software.
You aren’t in competition with Microsoft and their fork. There is no such thing as marketshare when there is no market.
Especially amongst Linux users… :-)
Are American lawyers that can read three-paragraph licenses so prohibitively expensive?
Use a GPL of some form, whichever one is up to you.
Can someone please explain why?
It's ridiculous that companies with literal trillion dollar market caps coast on the back of open source.
A lot of OSS developers get "got" by the ideological arguments of OSS and shy away from doing "source available" (which if we set down the Kool-Aid, is in effect open source because...the source is open).
If you're an independent or small team and want to protect your IP as best you can while keeping source available for learning/auditing, check it out.
[1] https://saucr.org
That said, Microsoft provides extremely generous Startup Assistance (to the tune of > 150K of Azure credits). Disclaimer: I'm not affiliated with MS but I did their program, also did the Gcloud and AWS programs back in the day. No negative comparisons, but off the top of my head the Azure program is awesome. I really enjoyed working with Azure, and it does what it says on the tin.
You can apply here: https://www.microsoft.com/en-us/startups/
Or here: https://foundershub.startups.microsoft.com/signup