Hacker News

In this case, Microsoft seized ownership of an open source project and modified the code without the permission of the person who still controls those copyright rights that they haven't specifically waived.

Legally, shouldn't Microsoft limit themselves to banning the developer from npm and forking their repos under a new name?




Didn’t they just revert it to a previous version? A version they are legally allowed to distribute? They are legally allowed to ban people and use whatever URLs they want to host git repos. They are also legally allowed to give someone else permission to npm publishing under a specific package name.

Seems like they did things they are allowed to do.


Microsoft isn't asserting any sort of ownership - colors.js is licensed under MIT. Microsoft is free to make whatever changes they like and redistribute said changes. (But as was already mentioned, they merely dropped the broken versions and set the last working version as "latest".)


> Microsoft isn't asserting any sort of ownership

The person who holds the copyright isn't allowed to access the repo.

Microsoft changed the code in their repo.

Those things don't happen without Microsoft asserting ownership.


The person who holds the copyright doesn't own the storage for the repo. They agreed to a terms of service, which they almost certainly violated by pushing malicious code. Microsoft undid a change; that's not even derivative, it's literally the same code that the author published. To claim that Microsoft can't remove content from GitHub is wild.


While I agree that Microsoft has every right to deny service to the developer, ban their account and remove all of their repos, that doesn't mean that Microsoft has the right to forcibly seize the developer's IP.


What action here constitutes the seizure of IP? The code was licensed under MIT. The developer is free to host it elsewhere and Microsoft retains no rights other than the ones explicitly granted to them.


Being the copyright owner of a piece of OSS doesn't give you control over every location where that software is hosted. For example, the developers of Python can't update the Python package in Debian's apt repo, Debian decides when to pull in new versions. (And if they want to add custom patches.) This doesn't mean Debian is declaring ownership of Python, they're simply distributing it in accordance with the license.

Just because NPM allows developers to self-publish doesn't mean that's a guaranteed perpetual right, and it doesn't mean MIT-licensed packages can't be published on NPM against the developer's wishes.

Licensing code under the MIT license (or any common FOSS license really) is the wrong move if you want to control where your software is distributed, and by who.


Who owns the repo? The author has a right to package code, but he doesn't have the right to use other people's platforms to distribute it. This is a lot like Twitter bans, isn't it?


Is Twitter allowed to change the text of your tweets?

As mentioned in the original post, Microsoft had the right to ban the developer, and not host their projects in the future.

They also had the right to fork the repos and change the fork in any way they liked.

What I don't believe they have is the right to seize and modify somebody else's IP without permission.


The MIT license explicitly gives the entire world the right to distribute and modify any project licensed under it. The author isn't allowed any takesie-backsies. Everyone is well within their rights to host copies of faker and colors and any other MIT-licensed project in existence regardless of whether or not the author objects to it.

If the author didn't want third parties redistributing copies of their code, they shouldn't have released it under the MIT license.


Well I didn't explicitly license my tweets to allow that, so maybe not. But they probably are, anyway.

What's really the difference between "fork the repos and change the fork" and "seize and modify somebody else's IP without permission". It just comes down to the specific reference/name on GitHub and npm. I don't think there are any IP issues involved. I am pretty sure that those platforms have given themselves unlimited rights to do whatever they want with the identifiers inside their platform. You don't "own" a username on social media.

Maybe the worst that could be said is that they are impersonating someone, which might be illegal? IANAL as should be obvious.


> What's really the difference between "fork the repos and change the fork" and "seize and modify somebody else's IP without permission".

Ownership is the difference.

In the US, you get copyright on the code you write.

The MIT license waives certain rights to the code you own, but not all of them.

The developer gave Microsoft (and everybody else) the right to fork the code and do anything with the fork they liked when they chose the MIT license.

They did not give up every right to the code they owned.


I live in a country where copyright is automatic and inalienable, so I am aware. But what does seize mean in this context?

What is the difference, as far as the MIT License is concerned, between "fork the repos and change the fork" and what Microsoft is doing here? They are not seizing the copyright, if such a thing is even possible.


Licensing your code under an open source license is not the same thing as giving up ownership of your code.

Here's an example where a huge open source project must get permission from every coder who ever contributed before they can make a change to the licensing.

https://blog.llvm.org/posts/2021-11-18-relicensing-update/

This coder chose a license that allows you to fork and modify the fork. That does not give you the right to seize the project and change the original.


GitHub has always owned 100% of the project from the day the developer created their account. The developer owns the code, yes, but the account itself and the actual GitHub project structure is 100% owned by GitHub. From a legal perspective, it is a 100% GitHub-owned project that's a derivative work of the developer's code. Legally, the website is a derivative work, and derivative works are owned by the creator of the derivative work, not by the owner(s) of whatever the work is derived from. There are restrictions on what the owner of a derivative work can do based on the licensing of the original work (for example, GitHub can't merge GPLv2-licensed code and Apache2-licensed code hosted on their platform) but GitHub still owns the derivative work entirely.

For example, if I were to stand up a website using Apache httpd using PHP and Drupal, then the website is 100% mine but it contains code owned by the Apache Software Foundation, Dries Buytaert, and Zend Technologies. None of those three have any rights over my website, even though they own the code I built it on. I still have to respect the licenses to the code I use—I can't make my own fork of httpd containing code I copy-pasted from a GPLv2-only project, for example—but the website is still my website.

Or for a non-code example, let's say I were to write Lord of the Rings fanfiction. As a derivative work, the fanfic is 100% mine even though it contains characters copyrighted by the Tolkien estate. I can't legally distribute my fanfic to people without getting a license from the Tolkien estate (but thankfully the Tolkien estate is willing to look the other way), but it's still mine, and the Tolkien estate can't just yoink my fanfic and publish it in an anthology unless I give them permission either.


NPM/MS/GitHub are distributing code consistent with the terms of the license provided to them. The developer's (current lack of a) relationship with his (former) service provider doesn’t have any bearing on that.

If one doesn’t want service providers to distribute code they’re licensed to if other relationships are terminated, one should include those terms in the license under which they release their code.


If you edit a tweet I'm sure Twitter reserves the right to roll back your edit, yes. And I don't see why that would be illegal.

Edit: re: reserving the right, https://twitter.com/en/tos does indeed grant Twitter the license to "adapt" and "modify" the content you post to it.


It's certainly setting a precedent that Microsoft can assume complete editorial powers over a package.

Platforms (as opposed to distributed protocols) enable this, but most platform owners tend to avoid this because users would rightly think it unfair.

Bold move by Microsoft, in this case though it's unlikely to backfire.


They don't need permission to modify the code under the terms of the license granted by the owner.

The owner still owns the code and they can publish it or make it available where they like.


Although, I can see how altering a repo under someone else's name rather than forking it is problematic.

In this case I can forgive them as the repo owner was clearly acting maliciously and causing major problems for many others.

We do need to figure out how this situation should be dealt with in a transparent way in future.


They were certainly granted the right to fork the code under the license chosen by the developer (and then make changes to the fork) but that isn't the same thing as changing the original.


It's an interesting question as to what constitutes the "original" code. Presumably that exists on the developer's machine. It wasn't written on GitHub.

But I do agree that the expectation is that the repo is controlled by the repo owner, and that expectation has been violated.


Surely "the original code" would be the last code committed by the owner of the repo.

As always, if we don't like the direction they have taken, the solution is to fork the project.

I think it would be a mistake to set precedent based on how much you like or agree with this particular developer.


The developer owns a copyright to the specific work - the literal arrangement of characters in a specific order, and non-literal aspects like structure or organization. Copyright is created when the work is ‘fixed’ but is not attached to a specific copy of the work. All copies thereof are either made by the owner, produced under license, or a violation of copyright. Everyone can distribute any work they have license to, intact or modified, latest or not, as long as they adhere to the terms of the license. “Ownership” of a repo, latest commits, etc. barely enter into the equation.


The developer only owns the code, not the account. GitHub owns 100% of all accounts on their service.


Github has a clickthrough license that probably gives them this right.

If you are of the legal opinion that one cannot simply wish away some fairly fundamental rights through something as blasé as a clickthrough license, then that's a problem: It means the even-worse-than-clickthrough FOSS licenses that handwave away merchantability surely have no legal standing either. Then, if you are also of the legal opinion that the relationship between FOSS author and FOSS user is a vendor/buyer one, then what Marek did is _illegal_. At which point GitHub/Microsoft surely regain their right to intervene. You are usually allowed to attack someone if they are about to commit a murder, even if that act would in all other circumstances be a slam-dunk assault case.

You're now banking on the notion that the relationship between FOSS author and FOSS user is fundamentally not a vendor/buyer relationship even though github has a sponsors system, the FOSS license uses terms that relate to vendor/buyer relationships, and that nevertheless copyright law still does apply. That's possible, certainly, but that's a lot of coinflips that have to land correctly.


> Github has a clickthrough license that probably gives them this right.

If Microsoft is asserting the right to seize control of anybody's open source project any time they choose, they are going to have much bigger issues than if they had simply made a mistake and overstepped their bounds.


> seize control of anybody's open source project any time they choose

The platform the code is under belongs to Microsoft. The only thing they cannot do is impersonate someone (e.g., pretend they were the author and make a commit), because that would be illegal.

However, they can roll back a commit from being displayed - it is no different than only showing certain commits (it's a right that a website has - showing _anything_ they wish to). There's no claim of ownership (of the copyright), and there's no seizure of the code IP rights whatsoever (for an example of seizure, see the multitude of DMCA takedowns, which is a right specifically granted to them by the state).

Presenting this case as a violation by Microsoft is incorrect.


In this case, we have a clear, bad actor. MS has a good reason to intervene on their own platform.
