[dane-pgp]

> If NPM gets a DMCA takedown request they will absolutely have to fulfill it.

Assuming the package is released under a Free Software licence, what grounds would there be for a DMCA takedown?

I suppose a developer could include the lyrics to a pop song in their code (possibly encrypted), and then tell the copyright holder about it (since I don't think you can make a DMCA request on behalf of a copyright holder without their permission), but I would hope that such a poison-pill would be caught long before the package became widely depended on.

Perhaps you're thinking someone would risk perjury(?) charges for making a false DMCA request against their package, and NPM would act on the request without questioning it; but remember that NPM is owned by Microsoft and they have previously stood up to frivolous DMCA requests (after a fashion)[0]. That article has the lede: "Software warehouse also pledges to review claims better, $1m defense fund for open-source coders".

[0] https://www.theregister.com/2020/11/16/github_restores_youtu...

[josephcsible]

> I don't think you can make a DMCA request on behalf of a copyright holder without their permission

In theory, you're right. In practice, there's never any actual consequences for filing a false DMCA claim. Worst case is that the thing doesn't get taken down, but that's no worse than if they didn't file it at all.

[labster]

Corps don’t care about DMCA takedowns from natural persons. I sent a takedown once, the CEO replied that he was sorry it had come to that, but they still distributed it for years under a license I did not grant. This CEO is licensed to practice law in California, btw.

[mlyle]

Anyone is free to ignore DMCA notifications.

Some parties that are distributing other peoples' stuff lose a safe-harbor protection from liability themselves if they ignore it.

This means intermediaries who don't benefit much directly from distributing a given bit of content will immediately comply with the DMCA takedown process. But this does nothing if you send the notice to someone who is actually using it.

The correct move is to send DMCA to the infringer's ISP/host. Then the ISP has to take it down unless counter-notified that they say they're not infringing. In turn, that counter-notification improves your position for any litigation that may ensue.

[jonas21]

Someone could have added non-free third-party code into the package (intentionally or inadvertently, it doesn't really matter).

[pc86]

> but I would hope that such a poison-pill would be caught long before the package became widely depended on.

I'm not sure what about the current open source ecosystem makes you think anyone would catch something like this.

[zdragnar]

Funny, my company couldn't use Webpack 1 because a dependency of a dependency... depended on an ancient package from the days when it was common to not bother with attaching a license.

Legally, that meant that noone could use it. In practice, nobody but our legal department cared, so we had to wait for version 2 when the dependency chain was updated to remove it.

[Dylan16807]

You couldn't override the package locally? Or was too much of that code actually needed?

[inetknght]

> I don't think you can make a DMCA request on behalf of a copyright holder without their permission

Tell that you Youtube's copyright trolls

[dane-pgp]

The people trolling YouTube over copyright are either making false Content ID claims[0] (not DMCA takedown requests), or claiming infringement based on an incorrect match of something they genuinely hold the copyright on.[1]

You're probably right, though, that there is enough imprecision in the system for someone to claim that someone else's code snippet infringes on the copyright of a code snippet the claimant had previously published.

[0] https://torrentfreak.com/u-s-indicts-two-men-for-running-a-2...

[1] https://freebeacon.com/culture/google-youtube-algorithm-copy...

[lmm]

> Assuming the package is released under a Free Software licence, what grounds would there be for a DMCA takedown?

Noncompliance with the license, e.g. by removing required copyright notices/attribution in the code (this has happened in the past). Or straight-up uploading someone else's non-free code.

[bombcar]

The developer can DCMA claiming the code doesn’t follow his license as famously happened with Bukkit (the Minecraft server tool).

[dane-pgp]

I didn't remember that particular legal complication, so thanks for prompting me to look it up. It seems that his argument was that Bukkit couldn't be distributed because it contained Mojang's proprietary code, but the fact that it also contained some of his code meant that he was a copyright holder for the purposes of the DMCA.[0]

This seems like an edge case that wasn't anticipated by the DMCA, but I can see the argument that mixing GPL code with proprietary code is creating and distributing a derivative work, in violation of the GPL. Without proprietary code being present, though, I don't think a developer can DMCA takedown their own GPL software.

[0] "As the Minecraft Server software is included in CraftBukkit, and the original code has not been provided or its use authorized, this is a violation of my copyright." https://github.com/github/dmca/blob/master/2014/2014-09-05-C...