There is no such thing as a GPL compatible license. The GPL is only compatible with GPL.
When a license is "compatible", it allows you to relicense that code as GPL, sometimes with additional conditions.
This means that if you link GPL code into an MPL code base, the GPL requires that entire code base to now be GPL. And as such all other code linked against it also must become GPL.
> There is no such thing as a GPL compatible license
On the contrary, you can use MIT, BSD, MPL, LGPL code in a GPL codebase without any issue. You can dynamically link LGPL in any codebase. You can statically link GPL in another GPL codebase.
> All GNU GPL versions permit such combinations privately
I.e., the copyright holder can permit anything they want, as they own the copyright.
> they also permit distribution of such combinations provided the combination is released under the same GNU GPL version. The other license is compatible with the GPL if it permits this too.
I.e., the license grants the ability to add the GPL license to that code.
> means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.
> 3.3. Distribution of a Larger Work
> ... If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).
---
The MPL 2.0 is compatible with GPL because it explicitly grants the right to release MPL code as GPL. All the copyright holders of MPL 2.0 code have authorized this secondary licensing because the license they released it as says so.
This means that in cases where compatibility matters, then the MPL2.0 code base has all the additional restrictions that the GPL has. And the GPL is _all_ code, which means it spreads out from there. If you are using GPL-2.1, MPL-2.0, and APACHE-2.0 code in the same code base, there is a violation.
I took the point as saying that Apache/MIT/BSD/MPL code that is distributed as part of a GPL project is actually under GPL. To obtain the original Apache/MIT/BSD/MPL code you need to get it from upstream.
So that if project A originally licensed as MIT is statically linked inside a project B licensed under the GPL then in the event that all copies of project A source code are destroyed except those distributed via project B (a more likely scenario before mirror servers) then project A is now only available under GPL.
I believe that GP relies on the fact that GPL source code can only be statically linked with other GPL code and so "compatible with GPL" means "can be relicensed under GPL" rather than "can be included as is in GPL works".
My original comment and point has not changed. The GPL is only compatible with the GPL. The only way for a license to be compatible with the GPL is to have the ability to license under the GPL. We have proven that is the case.
There is a lack of awareness and understanding of how this can transitively affect things accidentally.
For the record I am all for GPL code. I think the GPL is a fantastic license that has enabled great good in the world. But there are reasons why a company may not want to release code that is compatible with it.
Well, the bundle is GPL, the particular code is still MPL, so that you can still take that portion away from the bundle and do anything that the MPL allows.
I don’t think you can ever relicense or sublicense someone else’s code without consent or prior arrangements.
Like if I said this comment is licensed under GFDL 12.34 and you thought GFDL 10.01 is “compatible” with it, it’s still mine to decide under what license it is licensed.
A popular phrasing found on many GPL projects is “Version 2 or later”, but that doesn’t mean you get to rewrite it to “AGPL 3 or stricter”. That’ll be a copyright violation.
It was called ‘super’ and it was most famously abused by an intern that blabbed to the press about using it. They then added more restrictions and auditing to ‘super’ which was supposed to be mostly for investigations and user operations teams to help users with their own account issues. Also at that time Zuck’s own account was always super so...
Auditing sure, but almost any Facebook software engineer has permission to still take super user actions. The ability to abuse is still there, it's just a question if they actively audit well enough to catch the abuse.
From an anonymous source, I found out it's automatic termination if you're using super mode unauthorized. Would love to get one more anonymous or non-anon source to verify.
I know of someone who had to go in front of an internal audit committee of some sort due to unauthorized access. He did it during a demo, not really thinking it through. They were convinced it was unintentional, and he got to keep his job in the end. He was telling me it was definitely considered a termination-worthy thing, and was legit worried about losing his job.
Spent time at FB, can confirm that you have to go through a few modals, your manager is notified via email, and the penalties are quite harsh. This was back in 2014
When I was at FB you had to go through two confirmation modals and at least from my team (biz intelligence on ads side) it said an email would be sent to my manager if I proceeded.
I never worked in a role that required me to go further, but the penalty of losing my job deterred me just fine.
At a real company you have to write up something saying what you are planning on doing before taking any action, e.g. change control. I don't think that type of thing fits into the "move fast and break things" culture though.
What reasons do companies like facebook have to actually make these tools safe? As long as it has the veneer of only being used for the right things, they don't really have an incentive.
No-one is going to check up on Zuck. So as long as he doesn't leak it himself, no-one is really going to know if he checks your nudes. I don't even really blame him. It's just human nature to be curious.
It’s important because locks ultimately keep good people honest.
A system where access control policy is capricious is a system that is fundamentally broken. I have been in jobs where I had the authority to hire and fire people, and make significant decisions that impact important things and spend lots of money. But guess what? I don’t have access to employee applications with PII. I don’t have access to the accounts for the business. Don’t know about employee healthcare or retirement.
If I tried to use my position to get access to that data, I would expect that issue to be escalated, even if I were the CEO. A data driven company with casual disrespect of basic principles is a problem waiting to happen.
I'm not disagreeing that it's important. I'm asking, in a corporate environment driven by capitalism and the ultimate pursuit of generating revenue/shareholder value. Why would a company care?
I know that I've seen situations where departments critical to this access control policy system were chronically understaffed, because they are cost centers. They don't generate value. In the same way I've heard security and access control dissuaded from software development, because "we just need to get this out".
What all of these situations end up with is "performative" access control. You have to act as though you need the data, but beyond that it's a free for all. This lets the company pretend like it's fulfilling its obligations, while saving money.
Where does the magical privilege end? Who is responsible when the all-seeing CEO is compromised personally and data or cash is exfiltrated?
A common fraud committed against public institutions like school districts or small businesses is compromise of a business manager’s account, which allows an attacker to empty the checking account.
In a public company, that sort of fraud for finance is mostly controlled by regulatory compliance. But as we know, information or data has value. Value as a commodity, value as a competitive advantage, etc.
Abuse scandals erode user trust in the product which is bad because growth over everything seems to be the name of the game. Worse for publicly traded companies as it could impact dollars. Not so much anymore as the news cycles are so short that the impact on the stock only lasts a couple days before bots buy up the dip.
“Perception is reality” was an internal slogan at the time. So if users (at the time) believed it was evil maybe they leave or maybe a possible new user chooses not to sign up.
The other thing too is employees abusing such a tool with other employees. When you use super you assume the user id of the user of your choice. That’s pretty dangerous and there are way better ways of helping a user fix an account issue than signing in as them. If employees can’t trust each other not to snoop then how can users trust the company not to snoop? It had to be addressed internally at the time of the intern that was creeping on someone and that’s when things started getting locked down and more auditing applied. But I think it boils down to PR. If you run a company online trust is everything. I’m sure this crowd understands that nothing online is secure but Facebook was built for the masses and they need to have that blind trust that their personal lives are private.
> “Perception is reality” was an internal slogan at the time.
I don't think this line really conveys the weight of the slogan. That slogan is applicable in so many fields and pretty much all the time. Even just in small social circles, not just politics, whether corporate or government.
Google scares me much more, for me, my data on Facebook is nothing compared to the amount of my personal data on Gmail and Docs. Having worked at Google, a regular cog in the wheel engineer getting access to sensitive user data is carefully monitored and logged for appropriate usage, but I also strongly suspect that if a powerful player like Schmidt/Brin wanted to get the dirt on private user data they would have no problem, because there is a strong culture of secrecy that labels any sort of whistleblowing as "leaking", considered the most cardinal of sins by most Googlers.
If Facebook has such a tool, it's certainly not public knowledge. The parent comment was clearly meant to make a point that Facebook could have such a tool, even if it's not public knowledge. I was expanding on that point that Google could as well. Hope that helps.
I agree that Schmidt is a good example of someone who's already demonstrated willingness to use his power to bully those he perceives as political opponents, but the principle that access to such an incredibly dangerous power exists, and that existing regulation can barely if at all limit it, is really the problem. Forget any specific individual and ask yourself if we can trust every high level Alphabet exec who could pull some strings and make sure it doesn't get "leaked" that those strings were pulled in decades to come.