This isn't ML, it is a ripoff and is violating clear software licensing terms. https://news.ycombinator.com/item?id=27710287
Software freedom matters, but I wouldn't expect the typical HN type to understand, since their money is made on exploiting freely-available software, putting it into proprietary little SaaS boxes, then re-selling it.
If anyone thinks they don't, ask why Microsoft didn't train Copilot on their Windows, Office, or Azure source repositories.
For one, just because your code is covered by the GPL, it doesn't mean every single line in isolation is copyrightable. It has to demonstrate creativity. That's why you don't have to worry about writing for (int i = 0; i < idx; i++) {.
This means that the output of any algorithm on copyrighted code is still under the original copyright. I mean, we still apply the copyright of the original to the output of compilers, even though compilers can be transformative with inlining and link-time optimization, to the point that it mixes disparate code in the same way Copilot does.
In fact, I wrote some software licenses [1] that codify the fact that algorithms cannot change copyright.
Microsoft did not just copy individual lines. They fed whole repositories into their model, ignoring the license (if it exists) even though they knew from the start that information generated by the model will be publicly available. Available usually out of context, but nonetheless - the scope of the input and intent are very clearly "everything" and "redistribution".
Just adding a filter/ML model to the output shouldn't matter. I dare you to build a Copilot clone trained from leaked internal Microsoft code and then try to argue the output is a bit mixed up.
That is a clear violation imho.
OSS licenses have been litigated and upheld. Can't supply details of my own experience for confidentiality reasons but plenty of plaintiffs have prevailed in suits about violations of OSS license terms. My guess is the numbers are higher than you might think because a lot of the cases end in non-public settlements.
Then there's private repositories. If they included those in the training data set that's even more actionable.
Personally I think this is software piracy at an absolutely unprecedented scale. Machine learning is just information transfer from the training data into weights in a model, a close relative of lossy data compression. Microsoft is now reselling all its GitHub users' code for profit.
I'd argue Microsoft too, was/is overconfident about how this would play out. I would have expected a little more caution on selecting the training data.
Copilot is known to reproduce entire blocks of text including non-functional parts like comments.
> it doesn't mean every single line in isolation is copyrightable
It is if you can prove reproduction apart from your own original work (fair use). Unlike patents copyright doesn’t protect uniqueness. It is only a shield from reproduction, and if reproduction is demonstrable to a court you are likely at risk.
Some of us think it is detrimental to humanity as a whole.
Copyright certainly matters. It's a big deal legally and economically all over the world.
Suppose that it's just a bad idea and shouldn't exist. Does that mean that I should release my code into the public domain? I think you could make a good case that even being totally opposed to copyright morally or pragmatically or otherwise, given that it currently is enforced in many places it's worthwhile to play along. For example, some people would prefer a world without copyright, but GPL their code, because it might prevent a greater evil.
I have a feeling Copilot is more of a tool for publicity than for development.
You don't have to use Github to have a skin in the game. As long as someone has access to your open source code, no matter where it's hosted, anyone is free to upload it to Github. The open source license of your code allows that.
So much this. If a neural network is capable of regurgitating code verbatim (with comments!), it's not a stretch to say it's a derivative work of the GPL code used to feed it.
[0] https://www.gnu.org/software/repo-criteria-evaluation.html#G... [1] https://github.blog/2021-01-05-advancing-developer-freedom-g...
But, github could easily establish a non-us entity to host export restricted code. And for savannah, if anyone had any code they were worried about export control for their code, savannah would quickly and easily have an independent person host that repo outside the US.
https://stackoverflow.com/legal/terms-of-service/public#:~:t...
> You agree that any and all content.. that you provide to the public Network... is perpetually and irrevocably licensed to Stack Overflow on a worldwide, royalty-free, non-exclusive basis pursuant to Creative Commons licensing terms (CC BY-SA 4.0)
Technically a lot of people who copy from Stack Overflow are breaking CC BY-SA 4.0 since it requires attribution AND requires distributing code that uses it under the same license (I think - I am not your lawyer):
Instead, I would like a system telling me about obscure things, traps, vulnerabilities, performance issues, etc... like the machine learning linter. The way I could see it work is by matching my code with bugfix commits. For example if several commits replace "printf(buffer)" with "printf("%s", buffer)" and I write "printf(buffer)", I want an AI to tell me "code like yours is often replaced in commits, it may be wrong", bonus points if it can extract the reason from commit messages ("format string vulnerability") and suggest a replacement ("printf("%s", buffer)"), mega-bonus if it can point me to a good explanation of the problem.
Pissing lines of code is easy, I can do it, anyone with a couple weeks of training can do it, I don't need a bot to help me with that. Thinking about everything while I am pissing my lines is hard, and I will welcome a little help.
A nice thing about that approach is that it is unlikely to result in worse code than what I would have written by myself, because it will be designed to trigger only on bad code.
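The bugfix-commit matching described in the comment above, sketched as an added example that is not part of the original thread: it learns "before → after" call patterns from `-`/`+` line pairs, then flags matching calls in new code together with the reason shared by the commit messages. The commits, the C sample and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed bugfix commits: (commit message, unified-diff body). Not real history.
COMMITS = [
    ("Fix format string vulnerability in logger",
     '-    printf(buffer);\n+    printf("%s", buffer);\n'),
    ("fix format string vulnerability when echoing input",
     '-    printf(line);\n+    printf("%s", line);\n'),
    ("Rename counter", "-    int cnt = 0;\n+    int count = 0;\n"),
]

# Constructed C source to lint.
SAMPLE = """int main(void) {
    char buffer[64];
    fgets(buffer, sizeof buffer, stdin);
    printf(buffer);
    puts(buffer);
    return 0;
}
"""

CALL = re.compile(r"\b(\w+)\(\s*([A-Za-z_]\w*)\s*\)")  # func(single_identifier)
STOP = {"fix", "fixes", "in", "the", "a", "when"}  # filler words in messages

def mine_rules(commits, min_support=2):
    """Learn 'func(ARG)' -> (replacement template, messages) from -/+ line pairs."""
    seen = defaultdict(list)
    for message, diff in commits:
        lines = diff.splitlines()
        for old, new in zip(lines, lines[1:]):
            call = CALL.search(old) if old.startswith("-") and new.startswith("+") else None
            if not call:
                continue
            func, arg = call.groups()
            fixed = re.search(rf"\b{re.escape(func)}\((.*)\)", new)
            if not fixed or fixed.group(1).strip() == arg:
                continue  # call removed or unchanged: nothing to learn
            args = re.sub(rf"\b{re.escape(arg)}\b", "ARG", fixed.group(1))
            seen[(f"{func}(ARG)", f"{func}({args})")].append(message)
    # Keep only replacements seen in at least min_support commits.
    return {before: (after, msgs) for (before, after), msgs in seen.items()
            if len(msgs) >= min_support}

def common_reason(messages):
    """Words shared by every commit message, in order, minus filler words."""
    words = [m.lower().split() for m in messages]
    shared = set(words[0]).intersection(*words[1:])
    return " ".join(w for w in words[0] if w in shared and w not in STOP)

def lint(source, rules):
    """Return (line number, flagged call, suggested replacement, reason) tuples."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for call in CALL.finditer(line):
            func, arg = call.groups()
            if f"{func}(ARG)" in rules:
                after, msgs = rules[f"{func}(ARG)"]
                findings.append((lineno, call.group(0), after.replace("ARG", arg),
                                 common_reason(msgs)))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE, mine_rules(COMMITS)):
        print("line %d: %s is often replaced by %s in fix commits (%s)" % finding)
```

Because a rule is only kept when the same replacement appears in several commits, the unrelated rename commit produces no rule and `puts(buffer)` is not flagged.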
Notebooks programming has a flow of "execute a small bit of code, check the results, and iterate", and this fits perfectly with Copilot since you still need to check if the suggestions work.
Maybe this kind of programming is where Copilot finds a niche, maybe not. I don't know. I'm skeptical of its use in larger applications where you can't trivially check if the code you wrote (with its help) did what you want. I think there needs to be a lot more tooling built around that to really make it compelling for larger applications like that, likely in the form of more editor tooling integrations. But I think it's promising. I wrote about that a little more here: https://phillipcarter.dev/posts/four-dev-tools-areas-future/...
An example I would like to see is a Cosinger, where the AI is trained using songs on youtube and streaming services. With the final product, a user starts to sing and the algorithm attempts to sing along and give the singer suggestions for how the song should continue. I could see how a lot of musicians would be willing to pay good money for such a program, and removing obligations to pay any money for the training set would make it much more feasible to create.
There are already AIs that create music (though unlikely from proprietary training sets). A Cosinger shouldn't be too far from that.
The same difference as allowing Google to prosper while beating down ThePirateBay, another search engine.
When copilot came out, one thing it reminded me of was the ethical considerations of face generators in animation. The output naturally has some similarities with the training data, and it is trivial to use a limited set of actors in order to create faces with canny similarities of the actors. A question that people asked (here on HN if I recall) was if you needed permission from those actors to use in the training set, or if this would allow anyone to "steal" the face of public faces and create semi-look alike that can then be used in anything from porn to advertisement.
The law is undoubtedly going to catch up.
So, why call for white papers? I don’t believe they will publish any papers that go against their views.
I think that's backwards because it's putting the conclusion first then seeking to justify it, but to each their own.
They are asking for views on the machine learning, which they do not have arguments or a position on.
Isn't that literally a lawyer's job?
Having tested copilot, most suggestions are based on existing code in your opened file. Furthermore, most snippets tend to be relatively short, where it feels more like a Stack Overflow answer than existing code.
Of course it is possible to make the model generate longer pieces of code that are potentially GPL. But you would have to do certain effort for it. It also tends to adopt your coding style.
But maybe the fact that there are no guarantees makes it unfair.
[GitHub Copilot License Config Menu]
Show suggestions with the following tags:
- [ ] GPLv3
- [x] GPLv2
- [ ] AGPL
- [x] CC-BY-SA
- [x] Apache License
- [x] MIT License
- [ ] No License Attribution
I wonder if they could retrain the model on BSD or MIT licensed code only; how much of the open source code is licensed as GPL vs more permissive licenses, does anyone know?
Interesting that they want to charge for the use of co-pilot, I guess that we will see this business model more in the future.
A little nitpicky, but the only proprietary part it requires is the plugin itself, not the IDE—Copilot runs just fine with the Free build of VS Code compiled from source from GitHub, after flipping a switch to enable WIP APIs.
I did it two days ago, installing the Copilot plugin in a Free build of VS Code provided by my distro.
Same link, just 13h ago, but with 5x less upvotes than the one in here: https://news.ycombinator.com/item?id=27992894
My money's on yes, but this isn't settled until SCOTUS says so.
>How likely is the output of Copilot to generate actionable claims of violations on GPL-licensed works?
This depends on how likely Copilot is to regurgitate its training input instead of generating new code. If it only does so IF you specifically ask it to (e.g. by adding Quake source comments to deliberately get Quake input), then the likelihood of innocent users - i.e. people trying to write new programs and not just launder source code - infringing copyright is also low. However, if Copilot tends to spit out substantially similar output for unrelated inputs, then this goes up by a lot. This will require an actual investigation into the statistical properties of Copilot output, something you won't really be able to do without unrestricted access to both the Copilot model and its training corpus.
>How can developers ensure that any code to which they hold the copyright is protected against violations generated by Copilot?
I'm going to remove the phrase "against violations generated by Copilot" as it's immaterial to the question. Copilot infringement isn't any different from, say, a developer copypasting a function or two from a GPL library.
The answer to that, is that unless the infringement is obvious, it's likely to go unpunished. Content ID systems (which, AFAIK, don't really exist for software) only do "striking similarity" analysis; but the standard for copyright infringement in the US is actually lower: if you can prove access, then you only have to prove "substantial similarity". This standard is intended to deal with people who copy things and then change them up a bit so the judge doesn't notice. There is no way to automate such a check, especially not on proprietary software with only DRM-laden binaries available.
If you have source code, then perhaps you can find some similar parts. Indeed, this is what SCO tried to do to the Linux kernel and IBM AIX; and it turned out that the "copied" code was from far older sources that were liberally licensed. (Also, SCO didn't actually own UNIX.) Oracle also tried doing this to the Java classpath in Android and got smacked down by the Supreme Court. Having the source open makes it easier to investigate; but generally speaking, you need some level of suspicion in order to make it economic to investigate copyright infringement in software.
Occasionally, however, someone's copying will be so hilariously blatant that you'll actually find it. This usually happens with emulators, because it's difficult to actually hire for reverse engineering talent and most platform documentation is confidential. Maui X-Stream plagiarized and infringed PearPC (a PowerPC Macintosh emulator) to produce "CherryOS"; Atari ported old Humongous Entertainment titles to the Wii by copying ScummVM; and several Hyperkin clone consoles feature improperly licensed SNES emulation code. In every case, the copying was obvious to anyone with five minutes and a strings binary, simply because the scope of copied code was so massive.
>Is there a way for developers using Copilot to comply with free software licenses like the GPL?
Yes - don't use it.
I know I just said you can probably get away with stealing small snippets of code. However, if your actual intent is to comply with the GPL, you should just copy, modify, and/or fork a GPL library and be honest about it.
To add onto the FSF's usual complaints about software-as-a-service and GitHub following US export laws (which, BTW, the FSF also has to do, unless Stallman plans to literally martyr himself for--- oh god he'd actually do that); I'd argue that Copilot is unethical to use regardless of concerns over plagiarism or copyright infringement. You have no guarantee that the code you're actually writing actually works as intended, and several people have already been able to get Copilot to hilariously fail on even basic security-relevant tasks. Copilot is an autocomplete system, it doesn't have the context of what your codebase looks like. There are way better autocomplete systems that already exist in both Free and non-Free code that don't require a constant Internet connection to a Microsoft server.
>Should ethical advocacy organizations like the FSF argue for change in copyright law relevant to these questions?
I'm going to say no, because copyright law is already insane as-is and we don't need to make it worse just so that the copyleft hack still works a little better.
Please, for the love of god, we do not need stronger copyrights. We need to chain this leviathan.
there are more countries in the world than the United States, and most of the world's developers live outside of the United States
copyright only works because the Berne Convention was more or less universally agreed between governments
most countries won't pay any attention to what the US Supreme Court decides
Copyright lawsuits across nation state lines are pretty much non-existent and not worth it. What matters in the U.S. is pretty much as far as anyone who cares about copyright is going to care about.
Please continue using GitHub as you were, but maybe consider acting on your words and either removing or changing licenses within your code that does not represent your ideals. Nothing is preventing you from releasing code into the public domain, so do that!
Is this true? Is there really a large portion of contributors speaking up against this? I got the opposite sense, that it was a very small portion of contributors speaking up against this but I don't have any evidence one way or the other.
No, that's your opinion, which as it turns out also has no legal basis. For me, I want proper attribution from people who use my code. And for any code that I release that's under copyleft, I absolutely do want that license followed.
You seem to be fine releasing your stuff into the public domain, and that's great that you want to do that, but you don't speak for everyone.
Not everybody is and that's ok too.
However other people for varying reasons have other ideas ...
> We will read the submitted white papers, and we will publish ones that we think help elucidate the problem.
Doesn't give me hope they're aiming for unbiased opinion. I would be very surprised if any of the published papers don't closely align with FSF's a priori position.
The word "unbiased" seems to be doing a lot of heavy work in your comment. The FSF is inherently biased towards its project -- how is that a problem?
That's a straw man, I never said (nor do I think) FSF should not be biased towards its project.
However, I would be more willing to trust the results of this call if I had confidence that all solid arguments are presented, even if they're not aligned with FSF's agenda. Hiding them won't make them disappear - you might as well get as informed as possible about the issue, especially if you care deeply about the issue and agree with the FSF.
* I have already made my position clear in public, [1] so I could probably be identified.
* I am not a lawyer, just some bloke who attempted to write FOSS licenses to combat ML on copyrighted code. [2]
[1]: https://gavinhoward.com/2021/07/poisoning-github-copilot-and...
The big GPLv3 push and development - plenty of attacks on folks actually shipping product on GPLv2 and building communities around that model (which keeps software free but allows users of the software to do what they want with it pretty much including putting in devices that are locked down - cars / tivo's etc).
Here's an opportunity to really advance in an interesting area with ML -> something that may open up programming to more people -> may advance computers ability to program and modify their own programs in the long run.
And regardless of the FSF attorney stuff, places like China, tiny little LLC's with no assets will very likely use the wonderful amount of code on the web to develop solutions in this space, even if FSF claims everything is a violation. Where is the vision anymore from FSF?
One thing that's been sad about the FSF -> it's gone from what I would consider a forward looking idealism sort of thing -> here's how we could do / make cool stuff that let communities work together -> to now sort of a legal compliance type org that really is focused on "actionable claims" "protected against violations" etc.
Question - do the Linux community and other successful larger open source communities welcome the FSF and their attorneys into the discussion? I can hardly imagine the BSD's, the Linux folks really connecting anymore with them.
Is there space for a different group, maybe a collection of actual developers shipping code in larger communities to get together, no FSF / SFC lawyers present, to think creatively about the future? What should we be working for, what is fair to everyone, what helps society, what works around pro-social community building?
A tool that helps with cross language building blocks for common functions etc (stackoverflow on steroids) - just how bad is this?
The FSF considers the user to be the one using cars/tivo's/other devices. In their view, this was a design flaw of gplv2 that it allowed locking out end-users of their devices.
For Linux this was not the case. The important part that modifications/extensions were shared (and maybe even upstreamed), while the end user access wasn't important.
The case of tivoization fractured the interest between the mostly moral "I want freedom for the end user" and the more immediately beneficial "If you use my code, I want reciprocity for modifications".
I personally believe that today the latter case won, even for a lot of non-gpl software that gets lots of contributions e.g. via github for lots of different reasons, but the moral case gets more dire.
Looking at security for older (or shockingly often even current) devices, right to repair and lots of other issues concerning the effective loss of rights with more modern devices, the concerns of the FSF were often accurate, but with the increasingly hostile approach to "proprietary" IP and thus the exclusion of GPLv3 and similar licenses not palatable to the larger open source community.
The approach to IP in China is also sometimes a lot different, see https://www.bunniestudios.com/blog/?p=4297.
https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://news.ycombinator.com/item?id=27937877 https://events19.linuxfoundation.org/wp-content/uploads/2017...
Apparently what TiVo did (breaking proprietary software if you modify GPLed software) is even allowed by GPLv3.
Is anyone building strong communities on AGPLv3 / GPLv3? I feel the momentum shifted towards Apache / MIT style licenses unfortunately.
The users of the software are the owners of the devices. The distributors are the ones locking down the devices to prevent the users from modifying the software (often so that the distributors can control something else the users are doing).
GPL is about end-user freedom (as opposed to software distributor freedom). This is why GPLv3 exists.
So yes, FSF created GPLv3 to focus on USERS freedoms, but the users are not writing the software - so it remains the devs who pick licenses.
So your argument is if China does not care about license neither should we, the thing is I am fine with that, I know Windows source code is leaked so let's train an AI on it too
I think it is a clear sign that MS did not train on proprietary code, it means that is not legal or not safe, so the question is why GPL or other licenses are safe, I think you need the authors or the licenses to give you the permission to use the code as training data in black box, locked, proprietary algorithms.