In theory you can change the licence and hope that those that use the software respect the licence terms, but that depends on trusting others.
I think of the case of the Russian programmer who was arrested and jailed for stealing proprietary code from Goldman Sachs. During the trial it was revealed that Goldman Sachs would use open source software and replace the software licence with their own:
"Open source was an idea that depended on collaboration and sharing, and Serge had a long history of contributing to it. He didn’t fully understand how Goldman could think it was O.K. to benefit so greatly from the work of others and then behave so selfishly toward them. “You don’t create intellectual property,” he said. “You create a program that does something.” But from then on, on instructions from Schlesinger, he treated everything on Goldman Sachs’s servers, even if it had just been transferred there from open source, as Goldman Sachs’s property. (At Serge’s trial Kevin Marino, his lawyer, flashed two pages of computer code: the original, with its open-source license on top, and a replica, with the open-source license stripped off and replaced by the Goldman Sachs license.)"
From: https://www.vanityfair.com/news/2013/09/michael-lewis-goldma...
Two thoughts.
Ben Thompson and James Allworth discussed, on an episode of The Exponent (https://exponent.fm/), the idea of a "principle stack", and at which "layer" of the stack it's appropriate to address different societal issues. I wish I could find the episode again, it was quite a few years ago. The upshot being... maybe software licensing isn't the right place to address e.g. income inequality?
On the other hand, I definitely encourage tech workers (and all workers) to think about their place in the world and whether their work aligns with their personal values. I think the existence of free and open source software is a fantastic thing, but I think we should continue to evaluate whether it is in danger, or whether it could be better, or whether our efforts might be applied to something else.
For example, I'd love to see co-ops developing shared-source infrastructure based on principles of mutuality, which the sector is built upon anyway. The co-op principles already include cooperative and communitarian ideas which mesh really well with some aspects of open-source software development. But co-ops aren't about just giving everything away either. There could be a real new approach to building a software commons for mutual businesses, rather than a kind of freedom-washed way for big tech companies to benefit from free labour.
Do you want to spend your time creating a project the world finds useful, or do you want to make a political statement that gets ignored? Because any attempt to restrict the license turns into the latter.
If the project is even slightly useful, but with a restrictive license, someone else will create an alternative with a free license. The community will quickly move, and the time spent trying to push a political opinion will be wasted.
In the long term, a free software license is always going to win. Even when it's unsustainable for one maintainer, the software remains free, and if it's useful enough, others will take on the maintainer role.
For sustainability, that's going to be a mix of lobbying your government, and companies realizing they need to hire developers because the open source maintainers aren't able to do everything for free. Just realize that governments are slow with conflicting goals. And companies will minimize their costs, leaving the average open source maintainer at the edge of being sustainable.
Free software is about freedom. Restricting it from anyone means it's not free. There is no requirement that we must create free software but if it's called free I think it should always have the basic qualities of freedom; not only when it fits our purposes and our values.
There is zero overlap between projects that are actually interesting and those that have weird activist licenses.
If you prevent licensing software to large corporations, small corporations won't use it, either, because small corporations may get acquired by large ones. Such a license would be a "poison pill".
I am not a lawyer and this is not legal advice.
We picked the Boost license for the D Language Foundation because it is the closest to public domain we could find.
Besides, why would "bad guys" be deterred by a license, anyway?
Open source is a gift you’re giving.
Companies take that gift and use it to provide a service for cheaper than it would otherwise be if they had to build it all themselves.
You are already benefiting from open source - but it is a tiny benefit and subtle and very indirect and very diffuse.
Licensing is thorny but it’s personal choice too.. would you use a project whose license is “use it for now unless or until I decide you’re evil at my discretion”.. probably not. Probably, someone else would get the users you have now, and the corresponding popularity.
It is a tough choice, but it’s a lovely and important thing you’re doing when you provide the gift of open source software.
Stallman's take on the issue: https://www.gnu.org/philosophy/programs-must-not-limit-freed...
The thing about having morality-based restrictions to the license is that there is no well defined legal standard for good and evil.
Creating such a license will indeed discourage lawful corporations from making use of it because of the legal uncertainty.
It will discourage open source projects from making use of it because it's not open source and it's incompatible either from a legal or philosophical standpoint.
The only ones who would not be discouraged would be the ones you actually want to prevent from using it, since they would likely not care about the license terms at all and just use it regardless.
The end result would be essentially a dead project that would either be ignored by the programmer community if it started out with this license, or be forked like what happened when other open source projects switched licenses, for example Redis being replaced by Valkey.
Always the same rant of people profiting from open source without understanding it.
This guy is free to select whatever license he wants for his code. But don't expect to profit from the open source (in the common sense of free software) brand if you don't want to respect its principles.
Would the package be as successful? Have as many users, contributors, ... The author is free to test that if he wants but his rant is not justified for the whole open source world.
Also, I'm quite sure that he is also a freeloader happy to benefit without contributing. Even from big companies. I'm quite sure that he never paid or contributed for npm, GitHub or his IDE for example...
https://en.wikipedia.org/wiki/Focal_point_(game_theory)
People can reasonably agree on what "Open Source" means. Once you start trying to define "bad guys" and exclude them, you will get dozens of incompatible definitions and no consensus, and as a result, you'll have numerous incompatible ecosystems rather than one.
"Open Source" isn't perfect, not by any means. But any purported replacement for it has to be so obviously better that people are willing to switch and build consensus on the replacement.
I understand the intention of what the author is trying to achieve, but I think the problem they will run into is how do you define "evil" in a legal document or license? There is a subset of acts and beliefs that wider society has deemed "evil", but I doubt large corporations are actively supporting sexual assault, torture, murder etc. What the author is referring to is things they find morally reprehensible but do not reach the level of the aforementioned acts enough to be expressly illegal and evil (and whether they are or not, IANAL).
Take a look at the original json.org license and all the problems that the "not for evil" clause they added to it had caused.
Ultimately though, if you put a non free license on your libraries, somebody will cry foul, fork it, and evil will still happen.
The best option to stop bad companies from doing bad things is to lobby your government to put in place laws against those bad things. Ban specific evils with regulation; that's much more effective than preventing people who do those evils from using a specific piece of software that is fairly easily replaced.
It really seems like you just don't want to be open source. That's your choice.
Just make it GPL; there is no chance an evil company would tolerate the enforcement of giving back, let alone the lawyers needed to make sure they comply.
If you're having thoughts about who can and cannot use your free software, I think you're no longer interested in free software.
"creating software for free that largely benefits large corporations"
Who cares. The end result of this is that we all get to use amazing software, often for free.
Think of your open source contributions as a gift to all of humanity. I wouldn't get too hung up on the fact that bad people can use it. Hammer makers don't add conditions on who can buy their products, even if it could be used as a murder weapon. Take solace in the fact that your work is creating far more good than evil.
You're increasing the rate of innovation in the world. And we're all grateful for it.
Sounds good, but what happens when everyone else uses ideological purity filters too?
Because if what this guy is saying is reasonable, then it immediately follows that it's also reasonable for every ideology and religion to exclude the ones they don't like. For example: how does an antisemitic software license strike you? Because that would be a perfectly reasonable license for some people to enact, and fully justified by this article's logic.
Do unto others, and all that.
Your project would no longer be open source. It would become source-available proprietary software.
I created a software license which is effectively BSD, but lists priority boycott targets and rationale from BDS (boycott-divest-sanction for Palestinian liberation), in an information-only section that has no bearing on the software freedoms and restrictions, but is nevertheless required to be copied as part of the license[1].
I don't actually recommend using this specific license yet, because the text from bdsmovement.net is not technically available under a permissive license (they told me I could use it... but I don't think the person fielding my request really understood what I was asking), but perhaps you can make something similar out of your preferred permissive software license (this is a no-go with GPL unfortunately, because any derived license would be incompatible with GPL in addition to permissive-licensed software).
If you're a fan of BDS you can also just list the priority targets in your license, or give the BDS organizers another nudge via email.
I think the power of this is that such licenses wouldn't change how people might use the software. And big corps like Google, Amazon, et al may accidentally end up using such software (which is perfectly allowable via the license), but would then have to circulate a license which calls for their boycott and highlights their complicity in oppression. So I think it'd be fun if some software using this license makes its way into an end-user product of theirs.
"No man is wise enough to know all the evil that he does." -La Rochefoucauld
This raises a question in my head. If the author was to update the license to something restrictive, consumers and transitive consumers will npm update at some point, and likely not notice the dependency change.
They would then be breaking the license terms without realizing.
Is there anything in npm to protect against this? Projects have hundreds of dependencies, it's not feasible to manually check licenses haven't changed every time you update.
There are perhaps 2500-3000 unique open source licenses, ranging from the half dozen most of you will know well to very obscure licenses which have come about because (for example) a research grant from a foundation with certain guiding principles indirectly paid for some of the development of some software as part of a larger research initiative. There's even a license that precludes use of the software in any military equipment other than that which is strictly of a defensive nature, due to the constitution of the country sponsoring (a small part of) the project.
It seems like CC-BY-NC (https://creativecommons.org/licenses/by-nc/4.0/) works perfectly for this: Anyone is allowed to use it, but they have to credit you, and they can't use it for commercial purposes.
You're still free to license it out commercially on other terms, the open-source community gets to make use of it as they please, and it ensures you're credited.
Your best solution is, I think, simply proprietary or CC-BY-NC + maybe non-government, then just license it to whoever you want that emails you. Consider just not making infrastructure software with free labor if you don't want to fund megacorps, because they will be the primary beneficiaries. Consider also that anything you upload to the internet goes into the LLM funnel which leads back to them. It's funny: if you sold guns, shovels, or even printers, everyone would be very understanding if you expressed a desire not to support Russia or whatever. Once it's printer drivers, though, it's "The only thing we can say for sure about the nature of evil is that you're a bad actor".
There are very few pieces of free software that don't lean very heavily on top of a mountain of other free software that make it possible, and I think the author would be surprised how much of that was written by people who strongly disagreed with his worldview and considered him a "bad guy".
How are you planning to find out about violations of the license and then enforce license compliance? The GPL is very commonly violated, and license compliance costs a lot to enforce since you have to go to court, which also takes a long time.
This seems to pass a transitive requirement to users.
Suppose your libpopular forbids ill-faith actors from using it. Also suppose that I wrote my-utility, a neutral tool, that depends on libpopular. If some bad actor uses my-utility for wrongdoing, will I be responsible for their behavior? Will my-utility be in breach of your license?
It's not open source when you disallow people and companies from using it. One big difference between open source and public domain is that code in the public domain doesn't force anyone to redistribute the changes.
I have had several projects where I didn't want to be forked, especially by a company with a marketing budget. I choose not to distribute it with an open source license. There's nothing wrong with that. Companies have sold copies of source to people who paid, so that's an option. But I don't know of any licenses like that which have been written for the public to use (copying a company license is a copyright violation)
Make it source available. It won't help, but you might feel better.
DuckStation (PS1 emulator) changed license from GPL to CC-BY-NC, because Chinese manufacturers were including it in their hw devices. Somehow I doubt that helped.
Let's say you accomplish your goal of dissuading "big corporations" and "bad guys" from using your little auth middleware library, and you get a bunch of other open-source maintainers to do the same.
The "big corporations" will shrug and throw a few more tens of thousands into their R&D budget and will assign a few devs to create an alternative, and when they release it as open-source, they'll use it as an opportunity to self-promote, it'll have a slick website, and "X by Big Corp" will become the go-to library.
The "bad guys" will just shrug and steal your code. Al Capone was brought down on tax evasion but I don't think you're going to get him on copyright infringement.
If you can somehow convince the majority of non-corporate developers to not use corporate-sponsored open-source, then that might be interesting, but not by much, because there aren't many of those.
This is already explored - use source available instead of open source.
Thinking aloud here. Start by requiring that orgs get your permission via email to license your code. Over time, formalize the patterns in your approve/deny responses into an LLM-powered API which does an instant approve/deny, with a prompt you handcrafted and backtested based on real-world data. This could even work for e.g. Linux package installation: As a pre-install hook, a prompt asks the user what organization they work for (if any) and how they intend to use your code. Make it so users can still appeal a "deny" by sending you an email, but attempting to respond to the questions a second time with different answers violates the license [within a certain timeframe at least]. If other open source devs are also interested in this scheme, you could let them piggyback off of your infrastructure... answering your qs toggles a "virtue bit" which unlocks a bunch of "ethical packages", hosted in a dedicated repository to better track downloads. Support yourself by suing companies which violate your license terms.
Since organizations evolve over time, you could have a re-authorization flow every time your users want a major version update of your software.
A flaw in this proposal is that the very worst actors (scammers, black hats, etc.) are likely to be beyond the reach of the legal system in practice. Perhaps you could mitigate this a little bit by replacing Github Issues with a private support forum for trusted licensees.
OSS has allowed me to help real customers in times of need. It’s a tiny company. But there must be many others.
The benefits are dispersed broadly while the “evil” appears to be more concentrated and easier to identify.
Don’t lose sight of the benefits.
(PS We contribute to projects and individuals.)
This reminds me of the whole Lerna debacle a few years back.
https://www.vice.com/en/article/open-source-devs-reverse-dec...
That aside, even if something like this was “legally enforceable”, it adds enough friction, risk, and uncertainty to downstream consumers compared to a “vanilla” open source license that I expect most folks would choose an alternative to the “bespoke” license project where they could. Fine if you don’t care about getting usage, but that defeats much of the value that open source brings.
This is a semi-joke answer, but I have worked at some of the big corps and seen how they use OSS software. One way I have continuously thought about to prevent usage is to make all of the variables/function names/APIs contain profanity and PR-incorrect jokes. I do know that every single corp has a profanity filter to prevent any bad word being added to code. It's not bullet-proof but certainly makes it a lot more difficult to get that code on corpo servers and past legal.
Is there something like the societal license where you can select different levels of harm: a) can be used to kill people b) can only be used to harm people c) can only be used for animal testing d) no harm should come to any living creature, neither in thought nor action.
Something like the creative commons license just for evil.
I like to use non enforceable license such as “don’t do evil” license because it causes meltdowns in the legal departments of large tech companies trying to define what is evil and whether they are committing evil.
Even if it's not enforceable, at least it can trigger some kind of reflection in folks and their interactions with the society that supports their existence.
Preventing the only people who will realistically use your work from using it is a pointless gesture.
If you’re not charging for it then who cares? I’d rather have people actually using it than have a super restrictive licence and an empty project.
There are plenty of licences to achieve this that'll make your code unusable.
CC-BY-NC allows you to ban commercial use. There is also the Hippocratic licence[2] which allows you to choose from a variety of "evil corporation" types, from fossil fuels, mineral exploration, the Taliban, companies that have more than 200% pay inequity, etc.
Pretty much all of these licences will make your project unusable and no longer free software, but hey, they exist!
I think the question is do you want to actually stop certain entities from using the project, or do you just want to send a message? If you want to actually stop them then ultimately there is only one way, which is you sue them. If you're not willing to aggressively sue people who use your software in ways you don't want, then I think there's little point in taking the time to craft a license that expresses acceptable uses.
If you just want to send a message, then you can change the license and not take any further action.
This library has already been scanned and used for training AI. It is too late for a license change to have any effect. New projects, maybe.
Post is dated 2026-01-01, I guess it was maybe not meant to be released yet?
I am not a lawyer and do not know all of the other things, but I will write what my idea is.
Some possibilities (while still being FOSS) might be:
- Use AGPL3 license, and do not make exceptions. (Alternatively, make an exception but make it possible to revoke the exception.)
- Design the program for uses that are not bad so that bad uses might be more difficult.
- Sue them, if this becomes necessary.
This combination might make it difficult for bad guys to use it for bad purposes, although some organizations might ignore the license and use it anyway, but you cannot really prevent that.
> 38 massive car brands that use curl. The second slide: 0 of them give anything back.
"Open".
Honestly: By trying to control usage it's not FOSS anymore, and you yourself become a bad actor in the eyes of the FOSS idea. No soon-to-be unicorn can use any of your stuff.
May I add: You’d have to stop using VsCode or TypeScript, or even npm and Chrome, if you think big means bad, and you don’t want to fuel big corporations.
One can see how ridiculous the whole idea of limiting FOSS in a "who can use this" way is.
Truly free will always win in the long run. Or don't you think a paid dev with some AI can replace your package fairly quickly?
For end-user applications, there's potentially the PolyForm Noncommercial License[1]. But since your project is a library, I would not recommend straying from well-known OSS licenses. Very few people would consider using a non-OSS library in a project of any kind.
[1]: https://polyformproject.org/licenses/noncommercial/1.0.0/
The evil car companies filling our roads with cars!!!!
"Bad guys can't use it" is by definition incompatible with free software.
For this author's definition of "bad guys" (megacorps), AGPL is probably the easiest poison pill. As with all poison pills, this will also make many (most?) "good" users unable to use it.
This project is no curl or database engine, it seems to be a slightly easier way to set HTTP response headers. I bet most of the uses are transitive (someone using something that uses something that uses a framework that uses something that uses this project).
In particular, this project is something small enough that nobody will pay for it, not because it's not worth it, but because the friction of paying for it is higher than rewriting it from scratch. And "the bad guys" are unlikely to use it directly in their major products due to the pure nature of it.
In most cases, but especially this one IMO, you just get to choose whether to contribute to the commons, the actual commons, for everyone, including "the bad guys" - or not.