Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: GPL

  • Piracy and the GPL

    Piracy and the GPL

    Sé and I go back a while, so when she asked me if I’d like to come on WPwatercooler and talk about Piracy and the GPL, I said sure! I’m including the video at the end so you can see the whole conversation but … What got me interested was that she didn’t ask me about what I thought she would!

    The Hill I Die On Is Theft

    I always get people pissed off when I say this, but you absolutely 100%, without question, can steal GPL code if you mess with copyright law.

    I even went and asked ChatGPT for some fun:

    It would be considered unethical and potentially illegal to take GPL-licensed code and release it as your own work. The GPL requires you to respect copyright laws and the rights of the original authors. By claiming GPL-licensed code as your own without proper attribution or acknowledgment of the original authors, you would be violating both the terms of the GPL and copyright law.

    The GPL allows you to use, modify, and distribute the code, but it also requires that you maintain the integrity of the original license and give appropriate credit to the original authors. Failure to do so could lead to legal consequences, including potential copyright infringement claims. It’s essential to adhere to the principles of open source licensing and respect the contributions of others in the software development community.

    I expected the chat to be about that. It wasn’t. It was about the lovely grey area I spent a decade and a half in.

    Piracy is/n’t Theft

    The crux of Sé’s question was this: Is it piracy to get a copy of a premium plugin (one you have to buy to get) from someone else.

    The initial answer is ‘yes’ but then Sé laid out some amazing nuance.

    1. She’d already bought the code before
    2. She couldn’t buy the upgrade because the devs are in Russia (and sanctions)
    3. There was a workaround to pay an intermediary, but she felt it was sketchy
    4. She intended to migrate off the plugin, but needed the latest version to do so
    5. Someone she knew offered to give her a copy of the latest version

    Now, I worked for a bank before WP, and I can tell you that her workaround is what you do when you launder money. And if you did use that workaround, you run the risk of ending up on the FBIs sniff-list and they do not have any sense of humor about ignorance of the law.

    So now, would I still call it piracy? Actually … yes. I would. But it’s small scale and not actually a huge issue and really depends on the intent of the person who gave it to her, and what Sé did with it in the end.

    The Scale of Piracy

    There’s a constant battle going on between consumers and corporations. I’ll use an example close to my heart. The TV show Willow was a fun fantasy romp with silly flashbacks and messy magic. It wasn’t perfect, it wasn’t the greatest thing ever, but it was fun. Shortly after it got mid-to-low reviews, it was removed from streaming.

    There is no way to watch the TV series, except for piracy.

    Is it piracy if I had managed to download the videos beforehand and kept them for my own entertainment? Yes. Yes it would be. The same as how all of our mix tapes were technically piracy. Mixtape artists have been arrested under RICO charges for that!

    But the reality is that no one was going to waste time and kick in your door for making a mixtape and giving it to your sweetheart. They didn’t really care that much about it (and in some cases, like The Grateful Dead, encouraged it). It was incredibly hard to make money off mix tapes. I made copies of a CD I had bought in high school for friends, never sold ’em.

    Then came the internet and suddenly I could copy that CD into files and send them across the world! And you know what? People did. Suddenly the scale of what could be done with a pirated copy of a CD had skyrocketed.

    Obscure Monetization

    I pause here to quote from Cory Doctorow’s interview back in 2010, when he was asked why does he give all his books away for free?

    I give away all of my books. [The publisher] Tim O’Reilly once said that the problem for artists isn’t piracy – it’s obscurity. I think that’s true. A lot of people have commented: “You can’t eat page views, so how does being well-known help you earn a living as a writer?” It’s true; however, it’s very hard to monetise fame, but impossible to monetise obscurity. It doesn’t really matter how great your work is; if no one’s ever heard of it, you’ll never make any money from it. That’s not to say that if everyone’s heard of it, you’ll make a fortune, but it is a necessary precursor that your work be well-known to earn you a living. As far as I can tell, these themes apply very widely, across all media.

    As a practical matter, we live in the 21st century and anything anybody wants to copy they will be able to copy. If you are building a business model that says that people can only copy things with your permission, your business is going to fail because whether or not you like it, people will be able to copy your product without your permission. The question is: what are you going to do about that? Are you going call them thieves or are you going to find a way to make money from them?

    The only people who really think that it’s plausible to reduce copying in the future seem to be the analogue economy, the people who built their business on the idea that copying only happens occasionally and usually involves a giant machine and some lawyers. People who are actually doing digital things have the intuitive knowledge that there’s no way you’re going to stop people from copying and they’ve made peace with it.

    Cory Doctorow: Publish books free online

    There’s Piracy and There’s Piracy

    On the podcast, I mentioned a book I’d bought for school that was over $100 (this was in the mid 1990s) and, having bought it, I worked with a friend in the print shop to make copies for classmates and sold them at enough for me to break even. I think it was $5 a pop, and I would accept lunch instead.

    Piracy? Oh you betcha.

    Illegal? Again, yeppers!

    Immoral? ….

    Oooh now I brought up a dirty word.

    But it ties in to that intent I mentioned when I was describing Sé’s situation.

    If Sé or I took the copies of the book/plugin and sold them with the intent of making a profit, then yeah, we’re immoral shitbags. But that isn’t the case. I was trying to not go broke because of that stupid college textbook scam that’s only worse with DRM. Sé wanted to properly move off a plugin that she cannot use anymore.

    It’s all about that intent. As I said on the podcast, if you see someone sleeping in their car and it’s illegal where you live? No, you did not see anyone sleeping in their car. Did you see someone shoplifting diapers? No you did not. And if I have to explain why you didn’t see those things, you may be following the wrong blog.

    Those GPL Avenger/Nulled Shops

    I have to loop back to the GPL.

    Officially, technically, 100% the GPL says that the code you write and release under the GPL is free for anyone to do whatever they want. And if you make changes, you have to release it under the same license.

    Now, if you’ve spent any time in the WP world, you’ve run into sites that offer the same expensive plugins as you’ve seen for sale, but cheaper and ‘nulled’ (which means they no longer phone home to momma for your license). And technically under the GPL, that’s allowed. But I argue this:

    1. The intent here is to circumvent legitimate, available purchasing
    2. There is no assurance the code has not been tampered with
    3. It’s a dick move

    Can plugins been overly expensive? Yes, absolutely. I saw one for over $500 and it was not worth it. But you’re not paying for the plugin itself, you’re paying for security, support, and maintenance.

    (Off Topic: I mentioned how cool it is when someone releases free back ported security fixes for premium plugins – I wish it was easier to do and everyone could do it, but it’s really freakin’ hard! Still, the easiest way would be “find all people with expired licenses and email them the latest release of the last branch they paid for, free of charge”. Easier said than done.)

    The other problem is that by giving away the plugin, you may have broken the purchasing agreement. You know the one? Don’t rip off the tags on this mattress? Well first of all, the GPL actually supports people selling code (they’re not stupid, people gotta earn a living), and they’re of the Doctorow approach — watch your price point, convert the free users to paying one with value.

    The value most plugin shops offer is support and updates. They’ll patch your plugin until they go out of business. And they’re clear about how you’re not paying for software, you’re paying to have it sent to you:

    You can charge people a fee to get a copy from you. You can’t require people to pay you when they get a copy from someone else.

    Frequently Asked Questions about the GNU Licenses

    So what do I mean by a purchasing agreement? Well it’s your license agreement. I pay for YoastSEO, and from them I get a license. If I break the terms of that agreement, they have the right to sever my license and no more updates for me.

    Those nulled/GPL Avenger sites are regularly playing with fire, and most have to make purchases with disposable credit cards and shuffle things around in order to not get caught. Once they’re caught, they’re banned and blocked and someone figures out how to catch them ahead of time next time and prevent sales in the first place.

    Piracy is Nuanced

    The reality of all this is piracy is an incredibly nuanced situation.

    Pirate Radio Stations use airwaves they didn’t pay for and play music they have no license to. But at the same time, they might be the first way you hear a certain song that inspires you to go out and buy the album.

    Sharing Cory Doctorow’s books for free takes money from him, but how is that different than using the library or loaning your favorite book to a friend? The goal isn’t to make money, it’s to share joy.

    Asking a good friend for a copy of a premium plugin so you can test it out is, in my eyes, much the same. Asking for a copy so you can update and move off it is also fine.

    When you start working at scale to actively block people from making a living (like if I took all of Doctorow’s books, printed, and resold them) then you’ve crossed my line about what is ethical piracy and what is just being a jerk.

    Don’t be a jerk.

    And remember, they’re more like guidelines.

    WPwatercooler

    Watch me on the world’s most influential WordPress Podcast, talking about piracy, GPL, copying books, and money laundering.

  • Plugins: Double the Damage

    Plugins: Double the Damage

    Sit down for a fun ride in what I can only call … The plugin equivalent of Revenge Porn.

    Player 1 forked a plugin from Player 2. Player 2 attempted to claim Player 1’s work as his own. Insanity occurs. And if you’re thinking it’s a simple case of he-said/he-said, it’s actually not. They both agree on a number of facts, but disagree on what the facts ‘mean.’ And it is hard to work around that.

    I’ll start by introducing our players (not their real names):

    • Ken – an existing plugin dev who was already on thin ice for submitting the same plugin over and over, due to not reading emails
    • Andrew – a new (to us) dev who possibly stole code

    Before The Drama

    Ken. He’d been a plugin dev for a few years, but he’d always been a problem. Not worthy of an outright ban, but he’d had a number of cautions and warnings.

    Ken’s biggest issue was his own head-in-the-sand arrogance, and a refusal to read. No, I’m serious. He had a history of not reading the emails, even when they were one sentence. This made his reviews take a hog’s age, and it made dealing with him something I had to psych myself up for.

    I was already frustrated enough to leave a note in his user account about it. Ken would read subject lines only, if at all. It was maddening and he was on his last warning already about communication. To whit, if you cannot (or will not) communicate with people, why are you here?

    Submission Wars

    On Monday, doing the usual weekend clear-out, I started like always. See, I preferred to start with low-hanging fruit. I would reject the outright bad or incorrect submissions (like people submitting Akismet) and pend trademark issues. This is, if you’re wondering, why I ended up writing so many blockers for submissions. It took that morning ‘easy’ work from 2 hours to under 1! Doing that work takes little brain power, though it was always time consuming, and let me ease into the day.

    That day, I ran into Andrew who had a trademark issue out of the gate. The name of his plugin started with ‘WoCommerce’. Yes, one O. Around then was when I’d just introduced the blocker on starting with ‘WooCommerce,’ and for the life of me, I don’t know why people see that they cannot use a trademark and decide it’s smart to ‘tweak’ the trademark.

    Note: For the love of the flying spaghetti monster, DO NOT try to ‘get around’ a trademark issue with a clever spelling. The legal concept you’re violating is ‘intent to infringe’ and I have to tell you, Facebook has zero tolerance for that.

    Back to the plot, I emailed Andrew and explained the plugin was pended due to trademarks. Also it’s Woo with two O’s.

    Imagine my surprise on Tuesday when I saw the same plugin submitted with the same name typos and now a ‘Free’ at the end (because the original name was used). Now usually this happens when someone doesn’t fully read the email that says to reply with your code attached. Sometimes it’s two people with the same idea and, since we blocked multiple submissions, it’s often someone using two separate accounts to resubmit. Giving this new one the benefit of the doubt, I checked and saw it was an existing dev, Ken!

    I downloaded this new plugin and then Andrew’s and compared. Guess what? Same code. The readmes, mostly, were different, but not in a good way. Ken’s was a half-edited version of Andrew’s, and Ken’s plugin headers also credited Andrew.

    This means, whoops, Ken submitted a copy. That gets Ken’s rejected and Ken is told that either he stole this (bad) or he’s working with Andrew and resubmitted instead of following directions (also bad).

    Meanwhile, I also emailed Andrew asking “Are you working with someone else and did you goof the reply?” Andrew replies promptly, with the new code, explaining a very odd story.

    Andrew said that Ken will claim Andrew stole Ken’s plugin. He named Ken! I was stunned and kept reading. According to Andrew, he made a more complex plugin and had offered it as a patch, but Ken said no. Then Ken stole it back from him since, per Andrew, Andrew’s code was cooler. Furthermore, Andrew said Ken was likely to claim Andrew stole it from him (Ken) who sold the plugin, but not with Andrew’s features.

    So this is already a bit of a mess as you can see. And no, Ken didn’t take it well, already ranting that we rejected his plugin.

    Who Stole First?

    My first thought had been that Ken was 100% wrong, and Ken had taken Andrew’s code. Now it looked like Andrew forked Ken’s plugin and Ken wanted to steal it back. Who is right in this situation?

    I did my due diligence and confirmed Ken was selling a plugin that claimed to do the same thing. It was over $100 USD mind you, and that’s a lot for a 3 file plugin (including the readme). I was surprised that Ken’s version was riddled with security flaws not all found in Andrew’s version (no sanitization, no escaping, no nonces, trademark abuse, broken translations, etc etc). No one was going to pay $100+ for that! Also why would he not take Andrew’s fixes?

    Since Ken had emailed claiming it was his work and I was wrong, I replied and pointed out his plugin submission was copying much of Andrew’s work. This means even if the core plugin was his, he would have had to credit Andrew. Oh and could we please see the original, premium, plugin to see what Andrew ripped in order to address that part.

    But looking at Ken’s bleak history, I realized this was going to be a big problem. Ken jumped right into the blame game and name calling, as I feared.

    After a gut check with others and confirming it sure looked like Ken made a spite submission, I was leaning towards a ban. He was already replying in anger and now he was shouting that Andrew stole from him, but he refused to share the premium plugin lest I steal it. While I’ve received hundreds of premium plugins to do an ownership/copying check on, I have never kept them without buying them. Once or twice I found a plugin I’d pay for, and I did. But the rest I deleted them as soon as I can. Ken’s claim was we would take his code and host in on .org for free. Which… no.

    Ken actually confirmed he did take Andrew’s ‘version’ of the code, but refused to credit because Andrew forked his code, and he didn’t have to credit since his was the original plugin. And anyway, Ken said he did it in order to hurt Andrew. This made it clear. He had made a SPITE submission.

    In Ken’s email about being banned I said this:

    After you submitted [plugin], which was clearly at least partly someone else’s work, we did some research on how you came to take that code and misrepresent it as your own. In doing so, we have determined that your actions were of an intentionally abusive nature. This behavior of yours is unwelcome here in our community.

    Me in an email to Ken.

    Andrew was given the benefit of the doubt as I tried to figure out if he really forked or not (remember I had not seen Ken’s original plugin yet!), but he too was flagged for possible naughty behaviour. The odds were he had a disallowed fork, and he was cautioned that if the plugin was a premium one, we couldn’t host it on .Org.

    At this point, here’s where we are:

    • Ken charged over $100 for a piece of shit code.
    • Andrew (may have?) forked it because it’s shit and submitted it after Ken said he didn’t want it.
    • Ken submitted the same code as Andrew’s version.

    Since Ken’s been a known bad-egg, was is now intentionally acting badly, and already started to rant, it was a no-brainer. Ken was a problem, Ken was acting hatefully and spitefully, and Ken had a bit of conspiracy paranoia going on.

    What Did I Expect?

    I did not expect over 40 emails over a week, ranting. Most made it pretty clear Ken only read the subject lines of the emails, and never the content.

    First Ken claimed it was originally his, even though the version Ken submitted literally credited the other guy. Then Ken claimed he just copied the readme, but again, the code credited Andrew. It had the same formatting to boot. You can see where this is going right?

    Next, Ken claimed he ‘accidentally’ uploaded the nulled version Andrew had posted to the web prior to uploading on .org … except Ken’s version has his partly rewritten readme. That is pretty weird. How does one upload a partly ‘corrected’ nulled version? The obvious answer is that he realized (as had I) that Andrew’s code was better than his and stole some of it! Actually a lot of it.

    Ken’s argument became “I am releasing the basic version as a Albert is stealing my code!” And if you just went “Who the flying fuck is Albert?” so did I. Five emails from Ken came in, including claims we ‘stole’ his plugin.

    Yes. The Plugins Team stole his plugin. How you ask? Well it transpired that Ken believed the plugins team, by accepting the submission from Andrew, had commited theft, even though we had not approved the plugin. It was in pending, at this point.

    I suppose you could maybe argue someone attempted to use WordPress.org as a fence for stolen goods, or a money launderer. But since the Plugins team did not accept the goods, we stole nothing.

    Where Are the Clowns?

    At this point, Ken kept linking to his code (still too much money) and saying I should look at his code (not going to pay for it). Ken also said he’d sue if we didn’t reply to his emails (there were like 10 separate emails from the last time I’d replied, I was trying to catch up). He also claimed he wrote the plugin with two other guys, one of which was Albert! Our mystery guy!

    Officially once you say the magic words invoking legal action, the Plugin team stops talking to you, save to point out we aren’t qualified for legal stuff and here’s the foundation’s contact. Keep in mind, Ken’s emails were minutes apart, so no one had a chance to reply even if we wanted to.

    Naturally Ken went on to claim we were “in cahoots” with with Andrew and he would handle it from his legal team. Then he demanded we do the “right thing” and reinstate his account and host his code. Also he claimed Andrew was a scam artist who was harassing Ken. (Remember this, it comes back to haunt Ken.)

    I said ‘no’ because it was damn clear Ken was operating in bad faith, not to mention he had a history and had been on a final warning at the start. This prompted Ken to claim he wasn’t warned, except he was. Not only was he warned, the read-receipts in HelpScout showed he’d opened the email! When that was pointed out, Ken said he’d not read the email, as he’d been asleep.

    I found the hypocrisy of not reading emails while being pissed I was reading all before replying to be amusing.

    Either way, though, he was up and reading things now, and yet still hadn’t read the other email. This goes back to longstanding issues with him not reading. But hey, Ken claims he did read the chat logs and knows exactly who Andrew is (or Albert).

    Ken went on. Andrew was harassing him, stole from him, was a racist, tried to hack his site and so on. Also WordPress.org would be enabling him and we needed to stop hosting his code.

    I had not approved Andrew’s plugin and pointed that out. We didn’t host it. And when a plugin is rejected, the zip is deleted so we don’t have it anymore.

    There Is a Point

    All of that said, I absolutely DID take Ken’s claim seriously! Yes, Ken was an angry and vengeful man, but theft isn’t okay! So I pointed out (again) that Ken needed to email the code of his premium plugin to the plugins team. I had zero intention of signing up since I was sure he’d take that information to abuse/harass me.

    Finally he sent the code, and guess what?

    Andrew’s code was not the same.

    The code was not even close, except for one page, which had some of the same security issues as Ken’s plugin (most were fixed), and that means this was what would normally be considered a legitimately different fork. Even if you just compared Andrew’s code to the license-checked-removed code of Ken, there were distinct differences (some worse, some better).

    The problem, however, is that it was a fork of a premium plugin that was non GPL (same as the previous post). WordPress.org couldn’t host it.

    But before we could reply, there were another 10+ emails. Yeah, 10.

    After threatening to sue WordPress, Ken finally broke down and gave us the whole deal from his side. According to Ken, over and over, the real story is as follows:

    • Ken charged $100+ for his plugin.
    • Andrew bought and stole his plugin by putting a nulled version up for download a null software site. He linked to it.
    • Andrew used stolen credit cards to buy the plugin in the first place.
    • Ken did not take anyone’s code.
    • Andrew was a racist.

    The problem with that story is:

    1. The post on the nulled site did not match the timeline. It was made after the plugin submission, which was over the weekend.
    2. Ken’s submission literally said “Yadda Yadda Plugin Written By Andrew LastName”
    3. The code Ken (eventually) shared as his version was totally different save for one page (the settings page).

    Also we had no evidence that Andrew was anything other than a frustrated dev who just wanted the code to work without conflicts (Ken’s really didn’t), and was mad that Ken blew him off.

    Now. I do give people the benefit of the doubt, but that changes once people jump up and want to sue you. Not to mention Ken’s version of events didn’t pass the sniff test.

    Andrew forked Ken’s code, and Ken retailed by stealing Andrew’s.

    I (Don’t) Know The Law!

    At this point, we moved into lawyer stuff. Ken named his lawyer and I looked him up. He was a personal injury lawyer based out of California (Ken claimed to be from somewhere in the midwest). But hey, maybe he side hustles? The lawyer also does corp law counselling, which maybe would have helped Ken, if he had a leg to stand on.

    This prompted Ken to claim a judge would rule in his favour as WordPress.org didn’t follow “details” and didn’t investigate any copyright claims. I knew that was unlikely. A judge would say “They didn’t host the code, they rejected it. They’re not at fault here. They didn’t steal your code.”

    He went on to talk about how he had to read 26 emails (he sent all of them!) and proved his plugin was older (not in doubt at the moment). Ken continued, because the code wasn’t allowed to be forked (GPL), and a judge would certainly agree.

    He was wrong. Since I had rejected Andrew’s code already (because it was a fork of a premium plugin), I was sure we’d been in the clear. We had, in fact, agreed with Ken and did the right thing by rejecting Andrew’s plugin. And yes, I told Ken that.

    Ken replied and shared private information which actually … hurt his argument. In the “evidence” there was a bunch of screenshots of chats where in Ken called Andrew a “stupid [racial-slur] scammer” and a “dumb fucker” which frankly even if Ken’s right about theft, that’s not how you handle things.

    Remember how I said the racism thing would come back? Ken was the racist. He had some more slurs that made me feel a bit ill in his messages to Andrew who, at worst, told Ken he was a dumb bitch. Not nice, but nowhere near the level of Ken’s insults, and none were racist.

    The End Results

    Ken remains banned. He’s got anger issues and doesn’t understand how to play well with people. He has since asked to come back with a new account and was told no. But also:

    We will, at this point CONFIRM with you that we’re not hosting the code submitted by anyone else either, so don’t worry about that.

    We won’t allow anyone to host your code here.

    Plugins team via Email to Ken

    After that he asked to make a third new account and was told no, mostly because he jumped to suing.

    As I mentioned, Andrew’s submission was rejected as it’s a fork of the premium plugin by Ken, and we don’t allow that. Andrew read the email and said nothing in response, which is fine.

    I still have no idea who the hell Albert is.