The Software Freedom Conservancy (SFC), a non-profit focused on free and open source software (FOSS), said it has stopped using Microsoft’s GitHub for project hosting – and is urging other software developers to do the same.
In a blog post on Thursday, Denver Gingerich, SFC FOSS license compliance engineer, and Bradley M. Kuhn, SFC policy fellow, said GitHub has over the past decade come to play a dominant role in FOSS development by building an interface and social features around Git, the widely used open source version control software.
In so doing, they claim, the company has convinced FOSS developers to contribute to the development of a proprietary service that exploits FOSS.
“We are ending all our own uses of GitHub, and announcing a long-term plan to assist FOSS projects to migrate away from GitHub,” said Gingerich and Kuhn.
We will no longer accept new member projects that do not have a long-term plan to migrate away from GitHub
The SFC mostly uses self-hosted Git repositories, they say, but the organization did use GitHub to mirror its repos.
The SFC has added a Give Up on GitHub section to its website and is asking FOSS developers to voluntarily switch to a different code hosting service.
“While we will not mandate our existing member projects to move at this time, we will no longer accept new member projects that do not have a long-term plan to migrate away from GitHub,” said Gingerich and Kuhn. “We will provide resources to support any of our member projects that choose to migrate, and help them however we can.”
GitHub claims to have approximately 83 million users and more than 200 million repositories, many of which are under an open-source license. The cloud hosting service promotes itself specifically for open source development.
For the SFC, the break with GitHub was precipitated by the general availability of GitHub Copilot, an AI coding assistant tool. GitHub’s decision to release a for-profit product derived from FOSS code, the SFC said, is “too much to bear.”
Copilot, based on OpenAI’s Codex, suggests code and functions to developers as they’re working. It’s able to do so because it was trained “on natural language text and source code from publicly available sources, including code in public repositories on GitHub,” according to GitHub.
Gingerich and Kuhn see that as a problem because Microsoft and GitHub have failed to provide answers about the copyright ramifications of training its AI system on public code, about why Copilot was trained on FOSS code but not copyrighted Windows code, and whether the company can specify all the software licenses and copyright holders attached to code used in the training data set.
Kuhn has written previously about his concerns that Copilot’s training may present legal risks and others have raised similar concerns. Last week, Matthew Butterick, a designer, programmer, and attorney, published a blog post stating that he agrees with those who argue that Copilot is an engine for violating open-source licenses.
“Copilot completely severs the connection between its inputs (= code under various open-source licenses) and its outputs (= code algorithmically produced by Copilot),” he wrote. “Thus, after 20+ years, Microsoft has finally produced the very thing it falsely accused open source of being: a black hole of IP rights.”
Arrogant, subtle, entitled: ‘Toxic’ open source GitHub discussions examined
Such claims have not been settled and likely won’t be until there’s actual litigation and judgment. Other lawyers note that GitHub’s Terms of Service give it the right to use hosted code to improve the service. And certainly legal experts at Microsoft and GitHub believe they’re off the hook for license compliance, which they pass on to those using Copilot to generate code.
“You are responsible for ensuring the security and quality of your code,” the Copilot documentation explains. “We recommend you take the same precautions when using code generated by GitHub Copilot that you would when using any code you didn’t write yourself. These precautions include rigorous testing, IP scanning, and tracking for security vulnerabilities.”
Gingerich and Kuhn argue that GitHub’s behavior with Copilot and in other areas is worse than its peers.
“We don’t believe Amazon, Atlassian, GitLab, or any other for-profit hoster are perfect actors,” they said. “However, a relative comparison of GitHub’s behavior to those of its peers shows that GitHub’s behavior is much worse. GitHub also has a record of ignoring, dismissing and/or belittling community complaints on so many issues, that we must urge all FOSS developers to leave GitHub as soon as they can.”
Microsoft and GitHub did not immediately respond to a request for comment. ®