Hacker News new | ask | show | jobs
by throwaway277432 1639 days ago
This is their process. Very hard to argue these are all mistakes:

ippsample (Apache -> MIT) https://github.com/microsoft/ippsample/commit/938bff17c72868...

huggingface-transformers (Apache -> MIT): https://github.com/microsoft/huggingface-transformers/commit...

health-cards-tests (MIT changed) https://github.com/microsoft/health-cards-tests/commit/5649b...

CUPS (Apache -> MIT) https://github.com/microsoft/cups/commit/ad69bcc78bdea3fea3f...

Credit to this reddit comment: https://www.reddit.com/r/opensource/comments/roa9xz/comment/...
4 comments
verst 1638 days ago
This is a bot that is supposed to configure the right license when employees start a new repo in the Microsoft GitHub org.

It seems the automation is also triggered when Repos are forked into the Microsoft GitHub org which isn't correct behavior.

This isn't a deliberate action. If it were plenty of employees (myself included) would be outraged. I assume it's a bug in the bot - an edge case that was not considered. It is very rare to fork something into the Microsoft GitHub org after all.

I'll pass it along to some people I know.

link
throwaway277432 1638 days ago
Thank you. So these are in fact all mistakes.

I looked at some of the other forked repos (95 out of 4.5K repos) and all the human commits from MS I saw seem to care about getting the licenses right. So it really is just a broken bot.

I hope the bot can be fixed soon and I'm going to put my figurative pitchfork down now.

link
verst 1638 days ago
I reached out to Jeff Wilcox who runs the Open Source Programs Office now earlier (see Tweet https://twitter.com/berndverst/status/1474789173882089472?s=...).

He since commented on this post with a lot more detail.

link
throwaway277432 1638 days ago
He wrote a great response. Not many people I know would stand in front of a online mob and say "It's code that I wrote". And then fix it on Christmas!

While I'm glad this got resolved so quickly, I'm slightly ashamed of myself and the HN community for how we handled this. In hindsight the outrage was wildly out of proportion for a simple bug.

I'll make a mental note to do better in 2022.

link
tptacek 1638 days ago
Thanks for saying this.
link
verst 1638 days ago
I'll consider it an unusual bug report.

Hopefully the bot can be fixed soon and the affected licenses changed back.

Realistically I'm not sure folks are working over the holidays, so give it a bit of time :)

link
ognarb 1638 days ago
Look at https://github.com/microsoft/cups/commit/8100595a3a3a6d5c7d0... . This was done by an human.
link
mst 1638 days ago
As noted elsewhere in this thread this one looks like human misunderstanding and has already been raised internally for fixage.

Shame it slipped through the cracks, but at scale eventually something's going to no matter how hard you try.

link
btdmaster 1638 days ago
Are they deliberately getting their modifications under an pseudo-incompatible* license? This is the only reasonable explanation I can think of.

* IANAL. Although Apache 2.0 and MIT are compatible, using a different license makes it awkward for changes to be merged upstream.

link
ognarb 1638 days ago
The biggest change between Apache 2.0 and MIT are related to patents. INAL but the Apache 2.0 is a lot more safe in this aspect.
link
lazysheepherd 1638 days ago
Things break all the time, so errors will happen.

If you look at life as good & evil, you won't solve any conflicts. You should rather focus on "incentives". Correcting bugs and errors take time and other resources, therefore require incentive to prioritize. If their bots were to stamp Microsoft projects with open source licenses, there would be huge incentive for them to tackle this problem within this sprint, and make sure it never happens again.

This bug profits them, or does not harm them at worst case. Therefore, by drawing attention and applying pressure, we should create the incentive for them to allocate resources to fix it, and make sure it does not repeat.

link
michaelmrose 1638 days ago
How can someone be so bad at their job that they realize that a bot that writes to the license file needs to avoid overwriting an existing file? A certain degree of malfeasance cannot possibly be explained as incompetence.
link
dang 1638 days ago
Please don't pile on like this. You can make your substantive points without "how can someone be so bad at their job" hyperbole. Any mistake can be made to look terrible if you're uncharitable enough.

https://news.ycombinator.com/newsguidelines.html

link
jolux 1638 days ago
> A certain degree of malfeasance cannot possibly be explained as incompetence.

This is a missing conditional check, a mistake that is extremely easy to make and one I’m sure you’ve made at least once if you’ve been a professional programmer for any significant length of time.

link
csunbird 1638 days ago
or maybe they do not know/they missed that creating a fork from an existing project actually triggers “new repo created” event in the github organization, which has an unintended effect.
link
wiredone 1638 days ago
This is the type of online rage that we as a community need to stamp out.

Be better.

link
dang 1638 days ago
I agree with you in principle but "stamp out" and "be better" are phrases that produce the opposite of what you're aiming at. We're trying to avoid the online callout/shaming culture here.

https://hn.algolia.com/?sort=byDate&type=comment&dateRange=a...

link
micimize 1638 days ago
These forks may be done for security purposes for projects that use source-based build systems so that the depending project doesn't have 3rd party repo dependencies.

As someone whose developed similar GH integrations, getting things right with their API is fairly tricky. What would actually be desirable is public-to-private forks so that the fork-dependency pattern is more enterprise friendly and this kind of confusion is mitigated.

link
tbrock 1638 days ago
Why would anyone write that so it changes the license to the right one instead of just flagging it as incorrect for review?
link
chris_wot 1638 days ago
Have you considered that the reason for the outrage is because people don't actually trust Microsoft to do the right thing? I can see this is a mistake, but surely the litany of awful business practices by Microsoft in the past precedes it?
link
verst 1638 days ago
I didn't say anything about the outrage of others. I said a deliberate license change would be unacceptable to employees.

I'm no official representative of Microsoft...

link
chris_wot 1638 days ago
Sorry, I didn't mean to imply you were. But no offense, so what if it isn't acceptable to employees? The decisions by Microsoft are made by the management of the company. As an example of another company with severe credibility problems, I'm sure there are plenty of employees at Facebook who don't like working there now, but they are still there. And still implementing the policies and directions of management.
link
Tyriar 1639 days ago
MS dev here. Thanks for calling this out. I contacted the GH@MS admins to look into this and to consider adding some safeguards to the tooling so this doesn't happen in the future.
link
michaelmrose 1638 days ago
How is it remotely possible to not understand you cannot automatically overwrite a license file with your own. If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?
link
mlyle 1638 days ago
If you think of the use case of forks, sure.

If you think of employees creating new repos in the org--- smash the correct LICENSE in there ASAP.

The problem is that forking a different repo into the org triggers the logic of a "new repository".

link
wise_young_man 1638 days ago
A simple solution prior to writing to a file in this case is to check if it already exists. It shouldn’t matter what triggers this bot if it’s programmed safe and idempotent.
link
mlyle 1638 days ago
Nuking the existing LICENSE file and replacing with the canonical one is a good move when it's your own developers' work. They could easily have picked "a" MIT license or screwed up the copyright string, and getting this normalized from the moment the repository is published is important.

But it's important that this -not- get applied to outside work from forks.

link
michaelmrose 1638 days ago
It should raise an exception that causes a person to have to deal with the matter. I should not be surprised if I were to find that this is actually in fact so and the extra step is responding to a prompt which people got used to not reading.
link
dpark 1638 days ago
So your simple solution is to not have the bug. Wish I’d thought of this for all the bugs I’ve ever shipped.

Disclosure: Microsoft employee who sometimes writes bugs.

link
michaelmrose 1638 days ago
The world is full of important people performing vital tasks either without fail or wherein failures can be caught by other individuals and processes that serve as guard rails.

The solution isn't merely to be perfect it is to have a process that is tolerant of the level of imperfection that one would expect. For example it is perfectly reasonable that a someone could have foreseen it not clobbering a license file without prompting the user this could have brought the matter to immediate attention, its reasonable to suppose that if the first person didn't foresee it someone reviewing their choices might have thought of it, its reasonable that someone might have viewed the commit logs and noticed what was going on.

None of this is an acceptable level of failure from people that drawing a 6 figure salary for a position of expertise or leadership.

link
dpark 1638 days ago
Do you never write code with bugs or do your employers just judge you much less harshly than you judge others?

> If you yourself were creating such automation wouldn't that be one of the first and most obvious things you would think of?

Probably not, because it sounds like this was not intended to ever run on forked repos at all.

link
ordiel 1638 days ago
And so ther revert the ones done in the past I hope...
link
phendrenad2 1638 days ago
Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know? Especially if no one noticed these and called them out on it until now.
link
fivea 1638 days ago
> Wrong. The more links, the easier it is to argue that it's a mistake. Automation is hard, you know?

Is it wrong though? I mean, if Microsoft's reiterated pattern of license switches is automated, wouldn't this also mean that the error would be easily detected based on public feedback alone? And given this was not the first or second or third separate and independent occurrence of this pattern, if this was a honest mistake then wouldn't this already be addressed in any of the multiple past shout-out?

link
nomel 1638 days ago
> wouldn't this also mean that the error would be easily detected based on public feedback alone

Please see the entire public feedback you’re a part of right now.

link
fivea 1638 days ago
Thanks for the call out. Here's a helpful link to the announcement.

https://news.ycombinator.com/item?id=29685628

link
throwaway277432 1639 days ago
(deleted)
link
Tyriar 1639 days ago
MS acquired that extension, Don works at MS now.
link
throwaway277432 1639 days ago
You're right. Saw the reviewer on that PR but you were too quick and I couldn't delete my comment anymore.
link