3

My understanding of the CC-BY-SA is that if you use a snippet of CC-BY-SA code in a larger project, not only must you reveal the source code of your entire project, but you must also brand the entire project's code-base with the CC-BY-SA license.

My concern would be that if I, at one stage of a project, used a little snippet of CC-BY-SA code, my entire project would have to be CC-BY-SA, even if the original CC-BY-SA snippet was removed.

I understand that the CC-BY-SA is only relevant when the project is published, but if I had a project in a CI/CD pipeline, it is always being "published" whenever a change is made.

Think of this theoretical example:

  • You make a website.
  • You deploy it in a CI/CD pipeline.
  • You keep makings commits (each one is immediately deployed) .
  • You copy code that's CC-BY-SA licensed not understanding the full implications (perhaps you thought CC-BY-SA only required attribution like MIT or CC BY 3.0)
  • You find out that the CC-BY-SA code snippet you used means the entire project must now bear the CC-BY-SA license.

The problem here is that if the author panics and removes the CC-BY-SA code snippet it's too late. The ENTIRE project has forcibly become CC-BY-SA. If the original CC-BY-SA code is removed it doesn't matter because every step constitutes as being published, binding the code base as CC-BY-SA. Furthermore, the entire project is now (for lack of a better term) infectious... If you say "I'll just start over," you can't use ANY of your original code base at any commit, or your new app will also become "infected," and then you'll have to start over again and not use any code from either project...

I hope I am wrong. Is there any legal theory that can save the situation I described? I'd hate to think that any code base I've been working with that has touched CC-BY-SA code must be thrown out.

NextNightFlyer
  • 197
  • 4
  • 1
    You seem to have reworded and posted the same question twice. This here is the original question where you have accepted the answer. – Martin_in_AUT Jun 07 '23 at 08:57
  • Why is it relevant for your example that this is occuring in a CI/CD pipeline? Shouldn't the same potential problem exist if I accidentally type in some CC-BY-SA code into my text editor and click "Save" and perhaps "Compile&Run"? If I later remove that code and click Save again, maybe the resulting code is technically a derivative work of that CC-BY-SA code that was already removed. The way copyright normally works legally, is that the copyright exists as soon as something is fixed on a tangible medium (i.e. as soon as its saved to disk, solid state, etc.). "Publishing" is not required. – Brandin Jun 07 '23 at 09:50
  • Sorry @Martin_in_AUT , I really appreciated your answer in the last post and I appreciate your insights on the topic, but I think this question is different because the introduction of the CI/CD pipeline makes it a possible "publication" every time a commit is pushed. This could materially effect the legal theory used. – NextNightFlyer Jun 07 '23 at 09:58
  • @Brandin , the CI/CD pipeline makes it a possible "publication" every time a commit is pushed. I thought that "publication" was the point at which the CC-BY-SA license was applied? – NextNightFlyer Jun 07 '23 at 10:00
  • 3
    @NextNightFlyer CC-BY-SA in the legal code seems to prefer the word "Share" capitalized with a special definition. I'd suggest looking at that definition and see if your CI/CD "publishing" case corresponds to that definition. – Brandin Jun 07 '23 at 10:05
  • 1
    Does the CC-BY-SA code in your example appear in the front-end of the website (i.e. so that the code of that publish/push/commit is available to the public), or is it in the back-end only (i.e. so that the public never sees it)? For Creative Commons this appears to make a difference. If the code is only on the back-end, then technically you are not Sharing it and the license itself says that you don't need to comply with the ShareAlike terms in that case and that your other code does not automatically become CC-BY-SA either. – Brandin Jun 07 '23 at 12:04
  • Of course, even if the code is on the back-end only, it's still a bit of a questionable case what your obligations are under CC-BY-SA. Technically the license doesn't forbid that, but it doesn't really explicitly allow it either. So it may be technically an infringement but it's definitely not "automatic acceptance" of the CC-BY-SA terms either. See the statement "By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions..." I think issues like this are why CC is not recommended for software code. – Brandin Jun 07 '23 at 12:06
  • Please see this related QA about this: https://opensource.stackexchange.com/questions/6777/can-i-use-source-code-licensed-under-cc-by-sa-for-commercial-closed-source-proje – Brandin Jun 07 '23 at 12:33
  • @Brandin Whether you build and/or deploy manually, using a script, or some sort of CI/CD pipeline, does not make a difference. What exactly does the pipeline do? Where did it deploy or "publish" your code or its build artifacts? – Bergi Jun 08 '23 at 02:12
  • It would deploy them to an actual www facing url. I think this would make it published. – NextNightFlyer Jun 08 '23 at 02:30
  • @NextNightFlyer Yes so the WWW content would be published and "Shared" to the Web (i.e. it would be available to the public), but exactly what kind of code is the CC-BY-SA code in your situation? Is it frontend code or backend code? Backend code means the code that never appears in the Web output (i.e. not HTML, not CSS, not client-side JavaScript, etc.). – Brandin Jun 08 '23 at 06:51

2 Answers2

5

My concern would be that if I, at one stage of a project, used a little snippet of CC-BY-SA code, my entire project would have to be CC-BY-SA

That is so, as it is with most copyleft licences.

even if the original CC-BY-SA snippet was removed.

Some, including me, would so argue.

if I had a project in a CI/CD pipeline, it is always being "published" whenever a change is made

Copyleft obligations, like most obligations in copyright licences, trigger when something is done that would infringe someone else's copyright if not otherwise permitted. It's not clear to me that merely putting the code into a CI pipeline is such an act. Better to focus on conveyance, as GPLv3 has it: the act of giving copies to other people. That definitely requires permission.

I'd hate to think that any code base I've been working with that has touched CC-BY-SA code must be thrown out.

I understand that, but the best advice we can give is to have a care about the licence status of the third-party code you use. The practice of pulling in code from all over, willy-nilly, and only starting to worry about the legalities when the project is ready to ship, is as foolish as it is common. If you're going to use someone else's work in your own project, licence compliance must be your highest priority.

In practice, if you accidentally use some copyleft code which you promptly remove as soon as you realise your error, and which you have never shipped to another person, it's unlikely that anyone will ever notice or care that you have done so. But it could still be a technical infringement; instead of looking for loopholes in copyright, spend your time being careful about what code you reuse.

MadHatter
  • 48,547
  • 4
  • 122
  • 166
  • I would say that if the CC-BY-SA snippet was removed then the rest of the code base written by the author can be published under any license (as long as compatible with the licenses of the other libraries), because the author --as the original copyright holder-- has all the rights to do so. The question about 'copyright on negative code' does not really fit here. – Martin_in_AUT Jun 07 '23 at 09:03
  • 1
    The arguments in the question about copyright on negative code equally apply to the issue of removing code and the consequent copyright obligations, so I think it's highly relevant. I do, however, accept that you take a different view on the question of whether removing the code removes the obligations; it is, as I say above, capable of argument. – MadHatter Jun 07 '23 at 09:06
  • I appreciate your thorough answer @MadHatter , even if it's not what I wanted to hear lol. And your point is very well taken. It is very good advice to understand a license fully before you copy code. Still though, it seems unfair that I could have a ready-to-ship finished code base that has to be thrown out even though it contains no actual code from a CC-BY-SA code base other than pieces of long deleted code in previous git commits. I keep hearing that CC-BY-SA is much weaker than the GPL. Shouldn't that mean there's some loophole? – NextNightFlyer Jun 07 '23 at 10:08
  • 2
    "I keep hearing that CC-BY-SA is much weaker than the GPL" not from us, you don't. And it's not unfair: you started the problem by not checking the licence on code you reused; don't expect copyright law to give you an easy out. – MadHatter Jun 07 '23 at 10:10
  • @NextNightFlyer One relevant difference here is that CC-BY-SA claims in the terms that your acceptance is "automatic" (i.e. you can in principle 'accidentally' make your material CC-BY-SA), whereas GPL requires that you explicitly take actions to do that (i.e. you must explicitly say "this is GPL" and give a copy of the license as well). So 'weaker' is not really what I'd say here. GPL is clearer and more explicit about what you have to do to say that you accept the GPL terms for the code. With CC someone could always read the terms and say that you accepted it "automatically". – Brandin Jun 07 '23 at 12:12
3

My concern would be that if I, at one stage of a project, used a little snippet of CC-BY-SA code, my entire project would have to be CC-BY-SA, even if the original CC-BY-SA snippet was removed.

I fully agree with the answer by @MadHatter, including the assessment that building upon the codebase that includes the CC BY-SA code, even if that change removes the original CC BY-SA code, cannot remove the CC BY-SA obligations.

However, I do see a way out of the situation without having to publish your product under the CC BY-SA license for all time, or being unable to publish due to conflicting licenses.

That way out is to go back in time in your codebase to a commit before the first line of CC BY-SA code was added. From this point forward, you can start doing a cleanroom re-implementation of the features that were added after the introduction of the CC BY-SA code.

The features need to be re-implemented in a cleanroom manner, i.e. without referring to the previous implementation, to ensure that you don't accidentally pull in again some code that is encumbered by the CC BY-SA license.

This is not a cheap or easy process, so you should add measures to your development process to catch addition of code with an undesirable license as early as possible. Preferably before it actually gets added.

Bart van Ingen Schenau
  • 29,549
  • 3
  • 46
  • 83
  • This is a great idea thanks! – NextNightFlyer Jun 08 '23 at 23:38
  • @NextNightFlyer note the important bit in cleanroom reimplementation: the clean room. This is not something you can do on your own, since it doesn't just mean "redo the work". – MadHatter Jun 09 '23 at 13:44
  • "cleanroom reimplementation," Does that just mean re-create the functionality after the point of CC-BY-SA code introduction, while being careful to write new code that does not share any code with the code added after CC-BY-SA code? – NextNightFlyer Jun 09 '23 at 20:14