GitHub Fights Open Source DMCA Disputes – InApps 2022

This week, GitHub announced that it would be working together with the Stanford Law School to help defend open source developers against Digital Millennium Copyright Act (DMCA) claims. The move follows up on some drama that took place last year around a little library called youtube-dl, which had been removed from GitHub after a DMCA takedown notice.

While you might be more familiar with your standard DMCA takedown, which usually applies to the unpermitted use of copyrighted materials, youtube-dl was subject to removal according to a less common rule. As GitHub wrote upon youtube-dl’s reinstatement last year, the rule applied to “anticircumvention—an allegation that the code was designed to circumvent technical measures that control access or copying of copyrighted material, in violation of Section 1201 of the DMCA.” As a part of its response to this incident, GitHub promised at the time that it would not only work to change the law itself, but also improve its own response to takedown notices, as well as establish a Developer Defense Fund “to help protect open source developers on GitHub from unwarranted DMCA Section 1201 takedown claims.”

having literally experienced DMCA takedowns *this week* on Twitter, I… genuinely appreciate that there’s a seed of helping individuals, rather than defaulting to trusting corporations to do the right thing.

— Tierney Cyren (@bitandbang) July 27, 2021

As part of GitHub’s dedicated 1201 review process, when we notify a developer of a valid takedown claim, we will also give them the option to seek independent legal support through the clinic at no cost to them,” the company wrote in this week’s announcement. “This ensures that the developer has access to fully independent legal support, putting their interests and the interests of their community first.”

Beyond offering free legal support, GitHub says the fellowship will also be “researching, educating, and advocating on DMCA and other legal issues important for software innovation” as well as training others on how to “work with developers and advocate on behalf of open source communities.”

Now, perhaps it’s just the nature of being a multinational corporation in modern society, but even when you seemingly try to help out the masses, you catch a bit of flack. One article, for example, cautions those watching against unfettered optimism, noting several caveats, including that there is no mention of a legal defense fund were a developer to actually be sued by someone making a claim.

“According to GitHub’s transparency report, In the past month (as of this writing), they have dealt with some 138 DMCA notices and only one counternotice. It’s unclear how many of those notices deal with Section 1201 disputes versus more traditional issues of copied code and other content,” the article states. “So while the DMCA takedown issue is a major one from a public relations standpoint, it’s much less so from a practical one.”

Not to mention, whenever you talk GitHub, the lowest hanging fruit is to point out that the company’s business dealings with the U.S. Immigrations and Customs Enforcement (ICE) stand in contrast to their otherwise claiming to take a moral high ground.

ICE: *separates children from families, puts them into cages, “loses” them in the system, causes deaths*
GITHUB: ¯_(ツ)_/¯
DMCA: *takes down repo*
GITHUB: pic.twitter.com/Znl5OFFGtw

— bletchley punk (@alicegoldfuss) November 16, 2020

And then there’s that whole matter of using mass amounts of publicly available source code, irrespective of licensing, to train an immense AI, regardless of whether or not it may be perfectly legal…

so github get some good PR for doing something very very specific and limited to defend against relatively rare enforcement of the DMCA’s circumvention provisions, while taking large amounts of copyleft code and feeding them into a neural network that can regurgitate it intact

— Evelyn fra den øya✴⬡✴ (@ulvniya) July 28, 2021

This Week in Programming

• GitLab Adds A Helm Package Registry: GitLab continues its efforts to provide a “single application for the entire DevOps lifecycle,” this week with the introduction of the GitLab Helm Package Registry, an addition that appeared with GitLab version 14.1. Helm is a Kubernetes package manager, with Helm charts serving as resource definitions for running applications in a Kubernetes cluster, all of which can be versioned and shared. GitLab points out that, while you could simply store Helm charts in a Git repository, “this method starts to become unruly as the code scales” and would present challenges for sharing charts without providing access to full code repositories as well. Instead, GitLab’s Helm Package Registry will provide users with “a centralized repository to store and share charts so large organizations can manage many complex applications in a controlled manner.” In addition to being more easily able to store and share Helm charts, GitLab says that its solution will also make them able to be systematically scanned for vulnerabilities, distribute across an organization, and be secured using SSO/SAML and authorization with deploy tokens, job tokens, or personal access tokens. Currently, GitLab says the product is at “viable” maturity, and not yet recommended for production.

Friends, what cloud provider do you use to host your metaverse?

— Miguel “metaverse” de Icaza (@migueldeicaza) July 28, 2021

• GitLab’s Package Hunter Detects Malicious Code in Dependencies: While GitLab already offered dependency scanning, the company has gone an extra step with this week’s introduction of Package Hunter, a tool for detecting malicious code in your dependencies. Part of the problem with traditional dependency scanning, they write, is that they “typically don’t detect if a dependency executes malicious code, as these tools are limited to identifying dependencies with known vulnerabilities.” Package Hunter, however, analyzes dependencies “for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring system calls executed during the installation,” with Falco providing the basis for system call monitoring. Whatever irregularities it finds, it alerts users to, and currently offers support for NodeJS modules and Ruby Gems.
• A Deep Dive into Visual Studio’s Hot Reload Features: As you might have heard, Microsoft recently released the second preview of Visual Studio 2022. The first preview primarily showcased its 64-bit capabilities, while the second introduced a number of features. One of the highlighted features was the ability to apply code changes without having to restart applications. This week, Microsoft offered a bit more of a deep dive into how you can speed up your .NET and C++ development with Hot Reload in Visual Studio 2022, which will “include things such as our initial support for editing Razor pages in your ASP.NET web applications, support for Hot Reloading C++ apps during the debugger experience, the ability to use .NET Hot Reload without the debugger when launching the app with CTRL-F5 and support for more types of edits,” alongside bug fixes and stability improvements. If Visual Studio is your day-to-day IDE, head on over and find out more about this upcoming feature and how you can try it out now.

non-Rust developers: Rust moves so quickly!
also non-Rust developers: I can’t believe that Rust 2021 is so incremental. They should be more ambitious.

— Tim McNamara (@timClicks) July 29, 2021

Feature Image par S. Hermann & F. Richter de Pixabay.