Thursday, February 22, 2024
Open SourceTechnology

Confusion over GitHub’s new ToS, open-source projects remove repositories

GitHub‘s new Terms of Service (ToS) went into effect two days ago, and now the git-annex, propellor, ikiwiki, etckeeper, myrepos, and github-backup projects have removed their repositories while other projects have started to discuss if and how the new ToS affect them was well. What’s going on?

The issue

It looks like everything started with a blog post by MirOS developer Thorsten Glaser. He claims that “certain content may no longer legally be pushed to GitHub” because of various issues and requirements. The “offending” parts in the new ToS seem to be the following:

Section D. User-Generated Content

4. License Grant to Us
Your Content belongs to you, and you are responsible for Content you post even if it does not belong to you. However, we need the legal right to do things like host it, publish it, and share it. You grant us and our legal successors the right to store and display your Content and make incidental copies as necessary to render the Website and provide the Service.

That means you're giving us the right to do things like reproduce your content (so we can do things like copy it to our database and make backups); display it (so we can do things like show it to you and other users); modify it (so our server can do things like parse it into a search index); distribute it (so we can do things like share it with other users); and perform it (in case your content is something like music or video).

This license does not grant GitHub the right to sell your Content or otherwise distribute it outside of our Service.


5. License Grant to Other Users
Any Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of your Content in repositories they control).

If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub's functionality. You may grant further rights if you adopt a license.


7. Moral Rights
You retain all moral rights to Content you upload, publish, or submit to any part of the Service, including the rights of integrity and attribution. However, you waive these rights and agree not to assert them against us, to enable us to reasonably exercise the rights granted in Section D.4, but not otherwise. You understand that you will not receive any payment for any of the rights granted in this Section.

To the extent such an agreement is not enforceable by applicable law, you grant GitHub a nonexclusive, revocable, worldwide, royalty-free right to (1) use the Content without attribution strictly as necessary to render the Website and provide the Service; and (2) make reasonable adaptations of the Content as provided in this Section. We need these rights to allow basic functions like search to work.

Glaser claims “Section D.7 requires the person uploading content to waive any and all attribution rights”, which would be impossible if you upload something to GitHub which is based on the work of other people. This is allegedly the case for all licenses which require attirbution (Creative Commons Attribution, BSD and the likes). The uploader would not have the rights to grant GitHub this license, so uploading such a project would be illegal.

According to Glaser, Section D.5 also requires the uploader to grant all other GitHub users the right to “reproduce your Content solely on GitHub as permitted through GitHub’s functionality”, which is perceived as being a “killer for, I believe, any and all licences falling into the copyleft category”. If this turned out to be true, “This means that any and all content under copyleft licences is also no longer welcome on GitHub”.

According to this interpretation, all copyleft licenses (“GPL, AGPL, LGPL, CC-*-SA”) and anything requiring attribution (“CC-BY-*, but also 4-clause BSD, Apache 2 with NOTICE text file, …”) would be affected. Glaser is “in contact with someone from GitHub Legal”. Fellow open-source developer Joey Hess shares this interpretation and states that he has tried to contact GitHub about this issue two weeks ago, receiving “only an anodyne response”, and that “The Free Software Foundation was also talking with them about it”.

The reactions

Both Glasers and Hess’ conclusion was to start removing their projects from GitHub. git-annex, propellor, ikiwiki, etckeeper, myrepos, github-backup and jupp are only some of the removed projects. Self-hosting seems to be the option of choice right now because concurring services like Atlassian BitBucket have similar terms and GitLab “seems to not have such, but requires you to indemnify them” (at least according to Glaser).

Other developers don’t share this interpretation or refuse parts of it, mainly because of interpretation details and because GitHub doesn’t try to do anything it hasn’t already been doing before. There are long discussion threads on Hacker News news and Reddit with arguments going back and forth between developers, users and lawyers, and multiple open source projects have already started to discuss if and how this issue affects them.

Leave a Reply

Your email address will not be published. Required fields are marked *