Thank you for your request (routed through legal, which added a day or so of latency).
Main issue is we don't have an automated pipeline to update the published tarball/zipfile from our internal source control system, so it has to be done manually, and no one has that as a specific task. We also review the source for IP/security concerns before releasing.
We will probably add a quarterly task to update it, until/unless we start maintaining a public branch and do it automatically.
Strictly speaking, the source code needs to be made available to users upon request. It doesn't need to be proactively published. That's just the easiest way to do it.
So it would be within the license to update "quarterly, and whenever someone bothers to ask".
That is how GPL has always worked. Before AGPL expanded the scope to network services, only people with possession of a binary containing GPL code had a right to request the source. You never have to publicly disclose the source beforehand and you can deliver it by any means you choose with a media fee if necessary. Tapes and paper listings are compliant. AGPL doesn't change the requirements for source delivery.
The GPL and AGPL are two different licenses, and the clauses that require publishing source are very different. The GPL explicitly allows for the request based model, the AGPL (again, exact clause cited below in a sibling comment thread) does not. The AGPL also explicitly requires it be at no charge and be provided over the network.
Edit: Actually I'll just quote the relevant clause of the AGPL here again
> 13. Remote Network Interaction; Use with the GNU General Public License.
> Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
It depends on how the program is itself distributed. For programs that users interact with over the network, the program must have a way to offer those users the source code as well, though it need not be located on the same server.
Paragraph 6d:
> Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
This just means that it should have some user–visible page that describes the software and any open–source components it uses, and that this same page should offer a way to download their source code. If you use an open–source component but haven’t modified it, you can send your users to its own webpage to download it if you prefer, but if you have modified it then you have to allow them to download the modified code.
While the open source community does actively try to avoid lawsuits, others have let their source code releases get out of date with their actual website before. Usually this results in intervention from a group such as the SFC, backed with very gentle and politely–worded reminders that lawsuits are possible and are occasionally necessary. I believe that they will also remind you that revocation of the license is a possible remedy, although one that they earnestly hope to avoid. Their goal will be to help you find a way to get yourself back into compliance with the license, making the lawsuit unnecessary. They’re pretty good at this; approximately 90% of organizations that find themselves out of compliance manage, with the SFC’s help, to get themselves back on track without involving the courts. You can read more about it at https://sfconservancy.org/copyleft-compliance/ if you want.
Contract law covers licenses. Just because it’s not criminal doesn’t mean it’s not important to follow. Also, regardless of the fact this is contract law, do you think it’s okay to take code others made and use it without following the licenses? Especially for a rich media corporation? That’s shameful if true.
> Also, regardless of the fact this is contract law, do you think it’s okay to take code others made and use it without following the licenses? Especially for a rich media corporation? That’s shameful if true.
Not defending Truth Social, but let's ask GitHub that same question after Microsoft trained on GPL and AGPL source code for its GitHub Copilot uses and it is known for outputting GPL and AGPL code. [0]
As Truth Social should comply with the AGPL, GitHub should do the same and open source the whole of Copilot.
You imagined some meaning not present in the words I wrote, and asked me if that’s what I meant. This is a way of implying that my words had this imagined meaning. You should avoid doing that.
Contract law does not explicitly state that every provision of every contract must always be followed. By definition, contract law really has nothing to do with the specific circumstances of any particular agreement; if it did, it would just be a law about those circumstances and not about contracts. In fact, it was not until two years ago that a court acknowledged that the GPL really is a contract (https://sfconservancy.org/news/2022/may/16/vizio-remand-win/).
All I am saying is that you shouldn’t ask them not to try to weasel out of their obligations under “the law”, but instead to ask that they not try to weasel out of their obligations under the terms of the AGPL. This is a contract that they entered in to not just with the authors of the open–source software that they rely on, but also with their users. It would be dishonorable to renege.
My understanding is it requires active publishing, but I'm not a lawyer. Here's what I believe to be the relevant section
> 13. Remote Network Interaction; Use with the GNU General Public License.
> Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
I'm particularly looking at "from a network server at no charge, through some standard or customary means of facilitating copying of software", I don't believe "upon emailed request" qualifies.
Is email not customary? It seems like it would be fine as long as they respond in a timely manner, and provide access instructions. Also, in this situation it seems like that's exactly what happened.
I suppose what might be non-compliant is if their website doesn't explicitly document the process to access the source, i.e. "send an email to this address to request the most up-to-date source code."
Email is customary for some things of course, however I don't believe it is a "customary means of facilitating copying of software". Nor do I believe it is "providing access to the Corresponding Source from a network server". It needs to be both to satisfy the license.
What's the work culture like at Truth Social? Are you guys mostly remote? How many developers are there? Are you hiring a lot of new people? Is there an ideological current to the workplace culture?
I won't be applying, but I'm genuinely curious what it's like to work at a company in such a unique situation.
Pretty good! Relatively small team (between 10 and 100), biased toward senior with a few ~5 year more intermediate people, mostly remote across the US although we do have an office and try to get together monthly to quarterly. Ironically, lots of open source contributors. We are hiring for a few roles but mostly just being opportunistic rather than needing to hire. Remarkably little turnover for a tech company. We've all worked at multiple other places and made the conscious decision to make this a good place to work.
Biggest challenges are supporting multiple platforms (iOS, Android, Web), all the backend infra, etc at scale with a small team -- i.e. normal startup stuff. Also the perennial challenge of doing new features vs. making things more robust.
A lot of info in the SEC filings as well as news articles (many of which are predictably biased for partisan reasons).
Masks don’t protect against viral licenses either. IP isn’t a valid claim to withhold the source. Security needs to be managed outside the code via vaults and other runtime secret stores. There’s no leg to stand on for not releasing the entire code consistently.
I don’t understand what that has to do with source code level licensing. I’ve never seen anything in any open source license that requires forced interoperability at a service and business level. The fact they’re social pariahs doesn’t have a legal remedy, rather it just requires being not such asshats and hurtful to others.
Best practice when releasing source code generally is making sure no one left API keys, etc. in source code. (Obviously you never check secrets in in the first place, keeping them separate, but it's still worth automated and manual review before releasing.)
Best practice is to not have secrets in your source code. Those should be supplied by an internal service, or injected by your build pipeline at the least.
Those would be provided by a CDN, with some storage service underneath that. Configuration secrets that (transitively) point to these services should be injected by the build system and have no business being in source code.
They mean 'configuration secrets'. Those variables used for internal authorization and configuration that should never be leaked outside the organization. If source code of AGPL software is modified and used for an online service, it needs to be published to respect the license, and it's best that any 'trade secrets' are isolated. The only other alternatives are to use the code as-is or build a proprietary solution from scratch.
If you did, "Trade secrets are a type of IP." seems to be an unrelated assertion to the thread.
> You would be sued under trade secret law if you intentionally leaked them.
To embed trade secrets into an open source fork, would suggest either the intent to withhold the modified source, ignorance, or flat out incompetence. Anyone, be it a lone hacker or a large organization, can simply fork the source on the platform it's hosted on (e.g., GitHub, GitLab) at a click of a button.
It is a requirement of AGPL that all deployed updates to a product or online service need published source[0]. Once again, very simple to have this running off CI/CD. If there are trade secrets in that source... oh well, they have to be published too. So the simple solution is to not have them in there in the first place (i.e., abstract it away).
Maybe you should rectify this legal requirement rather than continue to flout it? Put your code where your mouth is and start producing your source continually, as is the requirement from the original developers. You wonder why people seem to hate MAGA folks: it’s because of stuff like this where you have a CLEAR duty under the license (or law in many other cases) and choose to ignore it, disrespecting everyone who creates mastodon upstream.
Thanks, not an English major. People hate them because they ignore the law and community standards, such as in this case, like I said. This is one example of many, but you know that and are arguing in bad faith rather than reading my words as intended. Don’t bother responding, or do and get the last words, I don’t really care to argue with trolls today.
You mean solely for the deplatformed, and not necessarily free speech for anyone else?
Edit: I was banned for saying Ashley Babbit was committing a crime and that we should not have double standards where she is a martyr but George Floyd can’t be.
Says you'll ban spam. Unwanted commercial solicitation is free speech.
Says you'll ban incitement to violence and harassment. That is also free speech.
All that "free speech" means is that the government can't take a priori action to prevent it from happening. But there can be consequences.
All the popular platforms are free in that sense already. You will just have a boundary somewhere else for what you consider worthy of consequences.
Which is fine. I don't actually believe anyone enjoys a completely unpoliced platform. But maybe don't be so quick in saying you'll give a voice to the deplatformed, when you're a platform yourself and will ban people too for not adhering to your own speech police.
Even if you hate FIRE for defending the civil rights of people you hate, the article is succinct and contains links to the ca ten most relevant high level court cases.
Probably misidentified as spam; filtering isn't really based on content, but at various times we've used third party tools to deal with abuse and have been constantly improving and bringing those in-house. If you email support with the details they can address it.
The biggest footgun I remember was some religious content (Christ on the cross, specifically) being identified as bad by some of these tools and filtered, which we obviously prioritized correcting.
No UGC site really has this solved 100%. Look at Twitter today with the porn reply bots. Facebook has 3-4 orders of magnitude more employees dedicated to filtering content than we have in our entire company. Automation ("AI" plus multiple signals) is the solution, but it's a hard problem.
Yes, the SFC (Software Freedom Conservancy) is a charity that provides legal support for free software developers, and actually backed up mastodon in the last instance of this:
Good! Companies need to be called out for this more. For example, Phase One, a very high end digital camera company, started using Linux in their digital backs. They were completely unaware of the impacts of GPL!!! At first they refused, until I literally just linked them the Vizio case by SFC. I got a source download of the (mostly AMD/Xilinx) software the next day :)
This is a great start with Truth Social, let's also do something with this poor student, whose AGPL software is still being used by Andrew Tate's "The Real World" scam.
Agreed, though AGPL is quite different than GPL and I’m not aware of many (any?) public companies that have their main code base covered by that license.
I think the word is “frequently” which isn’t “exclusively” and the subject was “open source,” not code. I don’t think it’s controversial most free software / open source people fall into these categories much to the cryptofascist science denying qanon follower free software nerds’ dismay.
I'd even challenge "frequently" to the extent that it rises to an obvious point of "exploitation" when "their" code is used. It claims ownership and a position that is neither relevant to the copyright issues presented nor, in my opinion, even true.
It's probably not controversial here on Hacker News, but many people live inside this HN valley bubble that's pretty solidly disconnected from the rest of the country and even the world. You've made this particular case here perfectly by attempting to connect identity to open source.
Which, I do find annoying, as many people make the same assumptions you do towards me in my work, as if presumptively pushing politics into an engineering conversation is a worthwhile or welcome activity. The mixture of faux shock and bullying in response is, sadly, nothing new to me either.
Anyways, you're welcome to openly have as closed of a mind as you like, but I will always find the behavior baffling and worthy of comment.
Oh I agree the license of open source lets anyone use it. No debate at all.
But the demographics of the community are not particularly controversial and I’m frankly surprised people disagree at all no matter their social or political view point.
The HN valley bubble is absolutely disconnected from the rest of the world, but is absolutely representative of the open source developer community. Representative however does not mean exclusively so.
Your experience of presumption of political belief is specifically the “dismay” point I made. I absolutely agree there’s a huge presumption based on the overwhelming political alignment of the community and it absolutely makes science denying cryptofascists uncomfortable.
What I find unclear is why this makes me close minded. I’m a card carrying ACLU member and 1000% agree everyone is entitled to be as close minded and cruel as they want and am absolutely in favor of seeing Truth Social exist and watch it suck the money out of its investors’ pockets since in fact their views -are- repugnant to most people. But they’re absolutely free to share them at their own expense.
The write up could have done without a good portion of it just bashing Republicans every other line, it didn't add anything at all to an otherwise fine writeup.
the majority on this site are still relatively sane, as are the mods, but only 1% of users needs to be ideologically deranged to hide ideologically inconvenient comments with [flagged]