Copyleft Currents

The Schisms of Open/Libre/Only Office

A governance crisis at LibreOffice and a licensing war over OnlyOffice have resulted in the biggest threat to open source office software since Oracle nearly killed the whole Open Office project back in the early 2010s.

The open source office software world rarely makes headlines. Spreadsheets and word processors are the workhorses of desk work–useful and unglamorous. They tend to walk a fine line between feature bloat and obsolescence, and none of them are very beloved. But recently, this quiet world erupted into two simultaneous forking upheavals, each with implications for open source governance and corporate stewardship over community software.

StarOffice to OpenOffice

The story begins in Germany in 1985, when Star Division developed a proprietary suite called StarOffice. In 1999, Sun Microsystems acquired it for $59.5 million–reportedly because it was cheaper than licensing Microsoft Office for Sun’s thousands of employees.

(Think about that for a moment: the cost of buying an entire company was less than an enterprise license from Microsoft for off-the-shelf software.)

Sun then made a fateful decision: on July 19, 2000, at the O’Reilly Open Source Convention, it announced it would release the software as an open source project. OpenOffice.org 1.0 shipped on May 1, 2002 and quickly became the free alternative to Microsoft Office across most Linux distributions of the time.

This start was rocky, though. The original OpenOffice was functional but had real problems: sluggish startup times (the infamous “splash screen wait”), a bloated memory footprint, inconsistent Microsoft format compatibility, and an awkward user interface.

When Oracle acquired Sun in January 2010, matters deteriorated rapidly. Oracle slashed its developer headcount, and by September 2010 the community was foundering. The project was given over to The Document Foundation, which launched the re-branded LibreOffice in January, 2011. Every major Linux distribution adopted it almost immediately.

The project also gained renewed interest as its quality improved. TDF cleared out a large backlog of patches that had been sitting unmerged for years,
and started an aggressive cleanup of the codebase. After a while, the product became more useable and stable.

The Document Foundation Turns on its Own Builders

LibreOffice’s main support at the time was Collabora Productivity, a UK-based company whose developers accounted for roughly 80% of all commits to the LibreOffice codebase. But this relationship was always uneasy, because Collabora both contributed to the free suite and sold a commercial version of their own.

Enter geopolitics: LibreOffice became a darling of open source-focused European governmental groups: users in Germany, Italy and Denmark adopted LibreOffice as part of a transition away from Microsoft. While this was outwardly touted as a move toward open source, it was just as much an attempt to elude the hegemony of US software interests.

Then the uneasy partnership between LibreOffice and Collabora fractured in spectacular fashion at the end of March 2026. TDF’s Membership Committee ejected over 43 contributors who were Collabora staff and partners, citing a newly approved bylaw barring contributions from employees of companies involved in legal disputes with the foundation. The expelled contributors included seven of LibreOffice’s ten most prolific committers, including Michael Meeks, Collabora’s general manager for the project and one of LibreOffice’s original architects. But this was apparently only the divorce after a long and tempestuous marriage; according to Collabora, several of TDF’s own founders had already quietly departed membership in the preceding years.

Then, in a public statement, Michael Meeks announced plans to launch a new Collabora Office product built from a cleaner codebase. The company did not formally create a fork, but its intention to supplant LibreOffice was clear: “We seem to be back where we were fifteen years ago,” Meeks wrote. OSNews summarized it bluntly: “The end result seems to be that Collabora is effectively forking LibreOffice.” Government IT departments across Europe then faced a choice between a foundation-stewarded codebase with little momentum, and a corporate fork. That put them, in a way, back to their original dilemma of being reliant on a foreign corporate steward.

Euro-Office and the OnlyOffice Drama

At the same time, another forking drama was unfolding in the world of OnlyOffice, a web-based office suite developed in Russia by Ascensio System and licensed under the GNU Affero General Public License (AGPL). This product is “dual-licensed,” with the vendor offering alternative commercial licenses. OnlyOffice was not based on LibreOffice, but was widely considered its most competitive substitute. In late March 2026, Nextcloud and the German cloud provider IONOS announced Euro-Office: a fork of OnlyOffice touted as a European-controlled alternative to both Microsoft 365 and OnlyOffice. The project’s rationale was explicit–OnlyOffice’s development is centered in Russia, and European organizations increasingly viewed that as a geopolitical risk.

OnlyOffice did not react well to the fork. The company suspended its eight-year partnership with Nextcloud, alleging that Euro-Office violated the AGPL by stripping required attribution,* branding, and logos from the code– additions OnlyOffice appended to the standard AGPL terms. The company also accused Nextcloud of attempting to poach its employees.

The Deeper Pattern

Both crises expose the same underlying fault line: what happens when the entity that governs an open source software parts ways with the people who actually build it? With LibreOffice, The Document Foundation holds the trademark and the governance apparatus, but Collabora holds the engineering talent. With Euro-Office, Nextcloud holds the distribution channel and the political narrative; OnlyOffice holds the code and the licensing leverage. In neither case does the formal authority align with the practical power.

Open source governance has always struggled with this tension. The Apache OpenOffice story, after all, ended with a foundation holding a brand nobody wanted to develop. The risk now is that LibreOffice, the suite on which European governments bet millions in anti-Microsoft savings, had fractured at the worst possible moment: just as those governments, struggling with economic woes, need it most.

This illustrates that neither corporate control nor non-profit control are panaceas for the challenge of open source sustainability and community cohesion. Good governance requires resources, but also commitment, and when either fails, projects suffer.

*The AGPL violation question is interesting, but beyond the scope of this post.

“Malus”: Is Copyleft Dead?

I can’t tell you how many times I have heard people predict the death of open source software over the years. Each time some new tech trend arrives–crypto, source available licensing, SaaS–people predict the death of open source. Lately, people have been predicting the death of open source because of AI code generation, and while some of the facts they cite are undeniable, their conclusions are not supportable.

This week, many people sent me the link to the Malus “Clean Room as a Service” announcement. I don’t think I’ve ever had so many people send me a single link. Now, this website is fake, but you have to wade into it a bit to figure that out. No real company would be foolish enough to represent anything as “legally distinct,” for example. The name “Malus” suggests a bad actor, and I guess it’s a pun on Manus, a popular AI agent. So, it seems site is a troll.

(And to the trademark lawyers: Gentlemen, start your engines.)

The Malus post says:

Finally, liberation from open source license obligations. Our proprietary AI robots independently recreate any open source project from scratch. The result? Legally distinct code with corporate-friendly licensing. No attribution. No copyleft. No problems.

The implication is clear: AI coding agents are bad actors that are killing free software.

I wrote about the AI use case of clean room development nearly a year ago. I didn’t cast it as a catastrophic prediction of the death of open source, so no one got excited. But it’s interesting to look beyond the political theater and analyze what is really going on here.

Copyleft Has Died Many Deaths

There are two kinds of open source licenses–the permissive and the copyleft. Permissive licenses don’t require you to do much, so nobody would ever bother re-engineering software that is available under a permissive license. Ergo, the Malus website is about copyleft. Copyleft licenses require you to share source code when you share binaries. Copyleft licenses like GPL were the original free software licenses, and were extremely popular in the early days of the free software movement.

The death of copyleft has been predicted for a long time, and in fact it is already dying. Copyleft as a licensing paradigm has been experiencing a steady decline over the past two decades. This is because of licensor choice, not an international conspiracy to kill copyleft. Over time, more and more software has been released under permissive licenses instead. The software under permissive licenses has become more and more important in computing. All that happened long before the advent of AI coding.

Why did it happen? In a way, copyleft became a victim of its own success. Back in the late 1990s, copyleft was a catalyst. The only way to get large organizations to collaborate on developing software was by forcing them to do so with a legal mechanism. That mechanism was GPL. It compelled them to share their source code, under threat of copyright infringement lawsuits. Before the early 2000s, large technology organizations would never have voluntarily shared their improvements, rather than keeping their improvements secret and proprietary. But over time, technology companies learned the value of collaboration. As developers decided to voluntarily share their improvements over time, the legal threat of GPL became an artifact.

The truth, I think, is that we’ve been living in a post-copyleft world for quite a while. Copyleft licenses are expensive and difficult to enforce, and in fact are rarely enforced. Almost all enforcement in the open source world is done via moral suasion and education about the benefits of collaboration.

“We view legal action as a last resort, to be initiated only when other community efforts have failed to resolve the problem.”–From the Linux kernel enforcement statement, which was signed by over 100 major kernel contributors.

Overall, voluntary collaboration has worked extraordinarily well; open source software is ubiquitous. Proprietary software, in this sense, is like cigarettes. In the 1960s, smokers were everywhere and smoking was cool. Now, smoking is considered trashy. That was a huge shift in attitude. And yes, there were laws that supported that change: workplaces and public buildings became non-smoking. But that wasn’t what make the change so successful. It was a collective realization that smoking was a really bad idea.

Similarly, there was a flurry of enforcement of GPL in the 1990s and early 2000s, but then it tailed off. Simultaneously, the Linux Foundation grew into a $300 million-a-year organization, with all the world’s biggest companies supporting collaborative development. We are now so accustomed to that “new normal” that we have have forgotten what a sea change it represents. That sea change didn’t happen because these companies feared the legal might of GPL. It happened because they figured out that it made more sense to collaborate on infrastructure than to individually re-invent the wheel.

Some free software advocates argue there’s a great deal of noncompliance for copyleft licenses. That’s true, but that doesn’t mean open source is not working. It just means it’s not working perfectly–and nothing works perfectly. In fact, today, compliance with open source licenses is better than it ever has been. It took many years for the culture of compliance to permeate the industry. It did so because open source devotees grew their ranks in private industry, and because license compliance goes hand-in-hand with security management. Meanwhile, the killer app for copyleft, the Linux kernel, is extraordinarily successful–to the point that it has eclipsed all other operating systems. And open source now runs everything.

Don’t Embarrass Yourself by Celebrating the Opportunity to Fork

The Manus hoax imagines developers celebrating their freedom from open source license requirements. Let’s take an extreme case for illustrative purposes. Imagine a fictional developer who is faced with the task of developing an operating system for an embedded system. Most developers would start with the Linux kernel. It’s freely available, it’s high-quality, and there are lots of engineers in the talent pool who are familiar with it. That reduces the developer’s cost in important ways. Easier recruiting. Less debugging. Community support. Better security.

But it’s licensed under GPL, and GPL has requirements.

Now, suppose this developer decides that it needs to keep its customizations proprietary–which would violate GPL. So it does a clean room implementation of the Linux kernel using an AI coding tool. Would that be a good idea?

Seriously?

That would be a terrible idea. Once you reimplement in order to avoid the license, you have essentially created your own fork of the project. Everyone knows it’s a terrible idea to create custom forks of open source projects. Your maintenance cost increase. Your security costs increase. Your talent recruitment and training costs increase. You have earned yourself a mountain of technical debt. The Linux Foundation recently released a timely report estimating the technical debt for maintaining private forks to “an average of 5,160 labor hours, or $258,000, per release cycle.” That’s a lot of expense.

Only ignorant and sub-optimizing tech managers–or maybe tech investors–would think it’s a good idea to incur those kind of costs in order to “protect” their IP. These are the same people who sit in board meetings parroting fears about IP value instead of figuring out how to build good products. They have the mindset of patent trolls, not innovators. No self-respecting developer would fall for this thinking error.

Copyleft is not dead–at least, no deader than it already was. Forking projects is too costly, and complying with open source licenses is too easy. Yes, there will be scofflaws and there will be those who want to re-invent the wheel in order to hold onto their perceived IP advantage, but they can travel their own path, and see their businesses struggle as a result. The rest of us will be whistling as we keep traveling on on the open source road.

What Truly Dies Without Copyleft?

There is one thing that truly is threatened by the putative death of copyleft, and that is the pure dual licensing business model.

Dual licensing, which was pioneered by MySQL in the 1990s, is a business model where you release something under GPL, then sell alternative licenses to those who can’t comply. In the open source world, this is sometimes referred to as selling exceptions. It only works when the project steward has the right to choose alternative licenses, either because it owns all the copyright in the project, or uses contribution licenses to clear rights in outside contributions.

In fact, true dual licensing has become quite rare in the last decade. Almost all businesses today that use the threat of GPL enforcement are owned by private equity, and the others who build businesses around open source have morphed into open core models. Open core provides a core of open source software for free, then sells enterprise features like compliance certifications, collaboration features, managed SaaS, or SSO. And almost all these businesses use permissive licenses, not copyleft licenses. So, the death of copyleft is not even a blip to them.

A Post Copyright/left World

Taking the long view, AI coding might mean that we are in a post-copyright world. But copyright was always an awkward fit for software. Copyright protects expression, not function, and the value of software is that it is functional, not beautiful.

It was always possible to clean-room software to avoid its copyright. It just used to be labor-intensive, and now it’s not. But I invite you to consider that this is not such a bad thing. Software now needs to prove its value proposition the way other products do, rather than via threats of IP infringement.

And the threats have been a drag on software development. The last few decades have seen developers spend millions of dollars on open source compliance, down to the level of trying to ferret out 5-line snippets from Stack Overflow in their code. Who really benefitted from that, other than Black Duck? The Malus site says that companies doing development “spend millions on software composition analysis tools like Snyk and Black Duck.”–and that is entirely true. This is what the legal threat of copyleft bought us: decades of unnecessary remediation and negotiating draconian open source terms in deals to allocate the risk for a specter of copyleft enforcement.

This waste of energy came from over-emphasis on threats of enforcement, which, over the years, came to be a goal itself, instead of a way to educate developers on the benefits of collaboration. Over time, the free software community seemed to convince itself that GPL as a legal weapon is the goal of free software, not just a tool to support open development models. Proprietary software developers and free software advocates alike have sown Fear, Uncertainty and Doubt (FUD), and derailed what should have been the lesson of the open source movement: that collaboration produces better code.

People love open source software not because it’s free, but because it is open. That openness brings all sorts of benefits. Fear of lawsuits has skewed the discussion toward the cost of acquisition: Is it better to buy proprietary software or incur the cost of GPL compliance? But the much more interesting conversation is about the benefits, and the benefits of open source software have proven themselves, so repeatedly and decisively that they hardly bear explaining anymore.

Death, or Afterlife?

I find it curious that people seem to enjoy constantly predicting the death of all good things. Anyone who reads the news today can’t help but be appalled by the predictions of apocalypse that bombard us at every turn, all to garner clicks and views and waste our day with doomscrolling. It’s a shame that so much of our society today is about generating fear via misinformation. It’s also a danger, because focusing on doom derails the conversation from the right focus–like how can AI help generate and refine software so we can do more and better things with it. We will accomplish nothing with visions of HAL 9000 dancing in our heads.

It is not so easy to kill something like open source. Free and open paradigms are self-actuating. The invisible hand of the market makes them so. Too many people benefit from these paradigms to let them die, and humans are very clever at protecting what works for them.

Copyleft will survive, to the extent it deserves to survive, and open source is stronger than ever.

The Great Subscription Pivot of January 2026

Every new year is an opportunity to reassess our priorities. This January, I took a hard look at my monthly software subscriptions. They say that the defining characteristic of Baby Boomers is a dozen paid-for but unused app subscriptions. I always like to play against type, and so I’m pretty good at cancelling them, but it still surprised me how much things had changed in only one year.

Goodbye Receipt Platform, Hello Claude

This was the easiest cut to make. Every January, my thoughts turn to doing my taxes, and that involves gathering a lot of information. Being self-employed is great, but it makes doing one’s taxes a slog. I long ago figured out that I should have a dedicated credit card for business (preferably one with a nice, high fee that I can deduct), but it’s not always possible to use that card, and only that card, for business expenses. So, I dutifully make scans of my receipts. Last year, I found a dedicated receipt tracking platform, and I was happy that it scanned and categorized receipts for me. I got a year’s subscription, in anticipation of this year’s tax homework.

But this year I did an experiment, and sent copies of receipts to Claude, asking it to extract the information, and organize it into a spreadsheet that I can sort by date and vendor. It did a great job.

The receipt platform cost me $6/month. That may not sound like much, but Claude does it better for free (or as part of my Claude Pro subscription, which I was already using for a boatload of other things).

Ingesting my receipts on Claude did have a glitch: I hit my compute limit. But I solved that by waiting a few hours and then changing my prompts to eliminate unnecessary aspects of the output, like categorization, which cost extra compute cycles.

My only regret is that I am now getting less use out of my beloved Keychron number pad, which I customized with colored keycaps, and for which I have a deep and abiding attachment.

Adobe’s Value Proposition Failed

This is another specialized software suite that got gobbled up by the general LLMs. I’ve been a relatively happy customer of Adobe for a while, but by the end of last year, as my needs changed, the main thing driving my Creative Cloud subscription was Firefly. For quite a while, it was the best-of-breed image generator. But it got blown out of the water by Gemini in the last few months.

I mostly use image generation for slide decks, or articles like this one. So, for an upcoming talk, I asked Gemini and Firefly to produce an image for “the marriage of open source and AI” depicting a penguin marrying a robot.

[Apologies for this, but the Adobe image, which I originally posted here, disappeared somehow.] The Adobe one was not awful, but it had some creepy elements. What is up with the dolphin? Are those a regular sight at weddings these days? “Open hearts & source code” not only contains a misused ampersand, it sounds like a bad translation on a Japanese T-Shirt. The bride looks so miserable she might be the victim of wife stealing, and her dress is slit up to her non-existent private parts.

The Gemini image got the message across, without out any extraneous dolphins or wardrobe malfunctions.

I cancelled my Adobe subscription the next day.

Microsoft Office Is Now Google Workspace!

Just kidding! Both Google and Microsoft are notorious for rebranding, but this was a sea change in requirements, not names.

I held onto my personal Microsoft 365 subscription for over a decade, mostly out of fear of that one moment when a client would call with a hair-on-fire demand that required me to run a redline on my cell phone. But when I examined my workflow, I realized Google Docs and Sheets, supplemented by Libre Office, could do everything I needed. The real-time collaboration in Google Drive is great, the mobile apps are excellent, and the interface is clean. Microsoft Office used to be the only tool that could reliably produce redlines. But now Google’s apps do this, too.

Plus, I consolidated my storage needs in the process. These days, it’s nearly impossible to go without a cloud storage service. Yes, I have friends who run their own private cloud server, but most of us mere mortals can’t be bothered. If you have more than one that you use regularly, you can more easily get lost in the hellish landscape of trying to find your documents. To me, Google Drive works best mainly because–surprise!–its search feature is the best. When you are thinking, “I know I wrote a thing about that thing once, what was that thing called?” and try to find it in Outlook or One Drive–forget it.

Becoming a Paid Prifina User

This one’s new. I’ve been using Prifina for a while. I love the digital twin concept. If you are worried about AI taking your job, you might consider that knowledge work is kind of like figure skating: the success of work product is about half performance and half reputation. With a digital twin, you can train your own AI on whatever you like. Prifina respects your personal data, and its training dashboard is drag-and-drop. So when my free account expired last year, I put money behind it. The idea of having a digital twin that I actually control—that learns from my data and lets me control my personal branding—is the right kind of AI for me.

You can check out my bot COSSMO here: https://chinstrap.community/ask-cossmo/. It’s trained on most of my writing.

Spotify? YouTube Music? Amazon Music? CD-ROMs?

I seriously do not understand how people deal with their music anymore. This is one of those areas where the available tech is getting worse and worse.

Now, perhaps that’s because I’m an eccentric dinosaur. I want music, not music-as-a-service. I’m a musician, so I record some of my own music. None of the music services can deal with that, and none of the few remaining players are good at it, either. Next, I choreograph dance routines, and for those, I need to download the music and cut it in my digital audio workstation. That requires access to local digital copies. Next, I like to listen to music on planes, where streaming doesn’t work. (Who doesn’t? I guess, people who don’t travel?) Last, I have no desire at all for the latest hits, because, true to my dinosaur self, I don’t think more than a dozen good songs have been released since the music industry died, which was sometime around 1992. So I don’t care about what any platform thinks I want to listen to (because they’re wrong).

I want my 2004 iPod mini back! But you can’t go home again: iTunes is awful these days, and Apple Music is like putting your music in jail. I have to admit that I don’t get the point of Spotify, and YouTube Music has re-branded so many times that I have no idea what it’s called this week, or which of my music is there, or where it resides. I get access to Amazon Music Unlimited via my prime subscription, so I’ve taken the path of least resistance.

This decision got tabled until next year–again.

General Purpose AI

As I mentioned, I have settled on Claude for my main paid LLM subscription, but Google Gemini is getting hard to ignore, particularly for image processing. I’m guessing that, sometime this year, I will be upgrading my Google subscriptions for access to its AI. But meanwhile, Claude writes code like a superhero.

Password Manager

I have been paying for Dashlane for years, while also having access to password management through both Google and Apple. I still don’t entirely get passkeys, and authenticator apps require you to have your mobile devices surgically attached so you can access them at all times. I am probably not the only person who has tried to access an online service while on the road, only to have it demand that I authenticate on another device–which is currently in another country. So, I’m not ready to let go of Dashlane quite yet.

I suspect this special purpose app will eventually get eclipsed as well. But mainly, it is a good way to share access with my husband. Until you have to access a loved one’s accounts in an emergency, you don’t know how important this is. I’m keeping my passwords platform-independent for now.

The Bottom Line

All told, I have only saved, at most, $50 a month on my subscription costs by making these updates. (Over half of that was Adobe.) Given I use most of them for my work, that’s not a lot. But pausing to re-evaluate them was useful. My key insight from this year is that many of the specialized tools I was paying for are being superseded by more general, more powerful AI assistants and integrated platforms.

The lesson isn’t that specialized tools are bad—it’s that the landscape has shifted dramatically in the past year, and will continue to do so in the next years to come. AI assistants can now handle tasks that used to require dedicated apps. Cloud platforms have matured to the point where they can replace entire software suites.

I am mindful that this situation is probably not sustainable. The general AI platforms are hemorrhaging money, and I am not confident they can be made profitable without drastic increases in fees–which in turn may drive users back to specialized platforms. But I have always looked at the massive losses of unicorns as a wealth transfer from venture investors to users, and that’s fine with me, at least for now.

Actors Trademarking Themselves

An article (sorry for the paywall) appeared recently in the Wall Street Journal under the title “Matthew McConaughey Trademarks Himself to Fight AI Misuse–
Actor plans to use trademarks of himself saying ‘Alright, alright, alright’ and staring at a camera to combat AI fakes in court.”

The WSJ article said, “McConaughey’s lawyers believe that the threat of a lawsuit in federal courts would help deter misuse more broadly, including for AI video that isn’t explicitly selling anything.” It also quoted the lawyer as saying: “I don’t know what a court will say in the end. But we have to at least test this.”

I think the more accurate statement is: Mr. McConaughey’s lawyers are generating fees (or possibly appeasing a demanding client with speculative legal work) by doing trademark filings on something that is not properly the basis for a trademark. But I guess a client who is a wealthy, successful actor can easily fund speculative trademark registrations, so…everybody wins. Except maybe the PTO. Perhaps I need more clients like that.

To me, trademark law covering a man saying “alright” sounds much more speculative than publicity rights–which are already designed to protect a personal likeness and image. On the plaintiff’s side, the problem is that trademarks are intended to cover the source or origin of goods and services, and a guy–real or fake–saying something in a video clip is neither of those. On the defendant’s side, if the AI truly “isn’t selling anything” then a trademark claim is weak. Trademark infringement is a commercial tort. Publicity rights, in contrast, are designed to redress claims about personal, rather than commercial, reputation. Both are also vulnerable to first amendment limitations. Mr. McConaughey is, after all, a public figure who has voluntarily placed himself in public view.

The better legal policy would be to advocate for consistent publicity rights via federal law, instead of the crazy-quilt of state law that currently covers it in the US.

I suspect also that one element of the fitting-a-square-publicity-rights-peg-into-a-round-trademark-hole strategy is to leverage international treaties about trademark that might not extend to publicity rights.

Looking for the Registration

I took a look on the USPTO site, because I was curious to see how to claimed goods and services would be described, and found this:

All of the above were filed for products, but have been abandoned, though it’s not clear whether the abandonment may have been “suggested” by the actor’s lawyers.

Now, there are many registrations at the PTO by J.K. Living Brands, which is apparently McConaughey’s trademark holding company. But I could not find any application of the kind described in the WSJ article.

A couple of the live registrations are for “entertainment services” in category IC 041.

The goods listed for this last one are “Entertainment services, namely, personal appearances by an actor and celebrity; entertainment services, namely, acting services in the nature of live performances and personal appearances by an actor and celebrity; entertainment services, namely, acting services in the nature of live visual and audio performances by a professional entertainer; entertainment services, namely, film and television show production service.”

But a meme of someone saying “Alright” would not be in this goods description.

So, is this just another example of the press drumming up a headline without any particular regard for how IP law works, or a brilliant new legal tactic that IP lawyers need to learn? That’s unclear.

I will update if I find the registration or more explanations of why this tactic should work.

X Sues Over Open Source “Exfiltration”

This week, a new lawsuit cropped up relating to corporate open source releases.

X Corp. v. Yao Yue and IOP Systems, ND Cal, filed 12/4/2025

X, the-micro-blogging-service-formerly-known-as-Twitter, sued Yao Yue, a former engineer at X, alleging theft of proprietary source code. The facts sprung from the fraught events surrounding Elon Musk’s purchase of the company in 2022. The complaint linked above sets out the allegations in detail.

“Yue had been making repeated requests to open-source certain X Corp. data, as well as made comments that she had exfiltrated X Corp. source code to benefit her new company. …[A]fter Yue’s termination, Yue began contacting [X Director of Performance Engineering] Ms. Strong, asking her to push through a project that had been underway at the time of the Musk Acquisition. The aim of the project was to open-source certain data logs, with the purported goal of educating the broader technology community as to the performance of systems in a company of X Corp.’s scale. Prior to the Musk Acquisition, the project was going through the normal process for approval. Yue wanted Ms. Strong to “nudge” the project along, claiming that it was simply waiting for someone to sign off on the open-source designation.”

Later, Yue “bragged about how she and other former X Corp. colleagues had exfiltrated X Corp. source code needed to start their own venture, IOP Systems.”

The complaint alleges that an article in The Verge quoted Yue as an anonymous source, and that “after her termination, Yue used the service elevator to sneak into X Corp.’s San Francisco, CA office and purportedly gather personal belongings,” but used the opportunity to “exfiltrate to a USB drive 6 million lines of X Corp.’s proprietary and confidential source code from her company-issued laptop.”

The software or data in question was developed by X’s Redbird group, which focuses on infrastructure technology.

An academic paper co-authored by Yue described a tool, “Latensheer,” which can “predict end-to-end latency of a complex internet platform.” The paper stated that “LatenSeer is open-sourced at: https://github.com/yazhuo/LatenSeer, and the Twitter traces will be released upon legal approval.”

As of this writing, the repository is still online–which is interesting, given that if it is infringing, I would expect a DMCA takedown request to have been issued. I checked GitHub’s repository of takedown requests and did not find anything about this repository.

The Open Source Skunkworks

This points up a troubling trend for technology companies for some time: employees push their company to release software under open source licenses, or release the software without company authority, and then quit, created a new company, and use the released software to build competing products.

This happened most spectacularly with NGINX–or at least, that is what a 2020 lawsuit claimed. For some details, see my post here: https://heathermeeker.com/2020/07/23/lawsuit-alleges-nginx-conspiracy/. The lawsuit was later dismissed, but its complaint told quite a tale, so I recommend reading the original complaint, if only for entertainment value.

The skunkworks problem illustrates why it is key to have a process for corporate open source releases. Here, because X had an approval process, there will be a smaller likelihood of a dispute over whether the open source release was actually authorized or not. Companies without formal policies can end up in finger pointing disputes, with potential defendants claiming they had the right to use the software because it was released under an open source license, and the company claiming it did not authorize the release.

The X lawsuit claims misappropriation of trade secrets, and related claims like violation of the California Computer Data Access and Fraud law, and unfair competition, but not, notably, copyright infringement. So it is not clear whether the LatenSeer code is alleged to be infringing.

What Happens Next

The allegations in the complaint are only the plaintiff’s version of events at this point, not proven. The defendants will likely respond by denying the allegations, and the suit will plug along the way lawsuits do.

Investing in the Red Zone: Commercial Open Source and the Bear Market

Note: This is an article from 2020 whose original link has broken. I’ve posted it here for continuity.

When business is on an upward trajectory, investing is not so hard. After all, the stock market always goes up over the long term. But it takes more work to identify good investments during down markets. Fortunately, commercial open source software (COSS) businesses can be a great investment during bad times.

There is plenty of anecdotal evidence for this premise. First, the demand curve. Linux was getting popular before 2001, but its popularity skyrocketed during the Internet bust. That shows the power of COSS on the demand side, and it fits a classic demand curve analysis. When times are bad, and profits are down, buyers turn to lower cost goods. COSS is often developed as a substitute for more costly proprietary software. IT managers tasked with cutting budgets turned to it in earnest beginning with the downturn of 2001.

But the economic profile of COSS is also about the supply side. In difficult times, the companies that use capital most efficiently survive. COSS companies are fundamentally more efficient at running on a less capital, and that makes COSS one of the most interesting investments in a down market.

COSS companies leverage capital efficiently for many reasons. First, consider the people who write open source software (OSS). Today, even though OSS is heavily underwritten by industry, an OSS project is still usually the brainchild of an individual or small team who came up with the idea on their own and had no top-down direction to create it. So, the roots of most projects are still in the garage. That means the labor to make the initial development sprint is usually a volunteer effort. This can play out in different ways. Perhaps an engineer starts a side project while employed doing something else. Perhaps an engineer expends time during slow periods, or while between jobs, to create a resume trail, network, or prepare for the next opportunity. The cost here is the engineer’s sweat equity–definitely not a zero cost. But it is, undeniably, an efficient cost. No expensive office lease, no free lunches, no swag. Just work.

Once a project is underway, it gets a slew of free marketing advice from adopters who vote with their feet. Downloads are not dollars, but downloads can tell you a lot. Is the project going in the right direction to meet market needs? Is it reliable? Is it structured correctly? Are its goals and its value properly communicated to the community? As they say, criticism is a gift. All this feedback is a trial by fire. Any project that comes out on the other end of its initial pipeline alive has been road tested in the most ruthless way imaginable.

There are also efficiencies in ongoing maintenance, but this can be a red herring. Lots of people focus on this most obvious benefit of COSS–that the world is your maintenance and support team. But that is the bean-counter viewpoint, and the real efficiency has more to do with the costs of a mature project versus a nascent one. It’s also misleading. In truth, most OSS projects are primarily maintained by their core committer team, and the value of community input is primarily in feedback: bug reporting, feature requests, and evaluation. In fact, projects like Linux that have a wide and active community of committers vying for PRs is the exception, not the rule. So if you find one of those, it’s probably a great investment. But until that unicorn comes along, there are plenty of projects with great potential that don’t “outsource” their support to the community.

If we take all the above as a given, a COSS company makes ridiculously efficient use of resources in its early stages. Now, suppose you are an investor looking for your highest long-term multiple. Consider that a COSS company does not usually get formed on day one of this process. It usually gets formed after all this initial honing has taken place. So, if you have a choice between investing in a fledgling COSS company, and a proprietary company, that choice is simple. The proprietary company will be using your capital for initial development, feature definition, and road testing–not to mention the financing roadshow. The COSS company already has a foothold on its product and market. So, at a minimum, investing in COSS companies takes place at a better inflection point than for fully proprietary companies.

But that is theory, and now we have to road test the hypothesis: do COSS companies survive downturns well? The analysis below suggests that the answer is a resounding: Yes.

To investigate this proposition, I looked at approximately 50 COSS companies. These included notable exits and companies with a notable business.

Then I identified the major down markets of the last 30 years. Our working assumption was that development would have started in the 12 months prior to first release. So, I included in the RED ZONE companies who released in, or within 1 year after, a down market.

The RED ZONE shows companies whose initial development took place during one of the downturns identified below.

The results speak for themselves–most of the biggest COSS were built on software developed during a downturn–even if we eliminate the Linux distros. Of the companies considered, over 50% of them were started during a recession. The table appears below.

So, I am excited for whatever comes next. If the market is great, there will be lots of winners. If not, I will be following the winners.

The exceptions are also notable: the wave of acquisitions by Oracle in the 1990s and 2000s, Kubernetes, Docker, and several Apache projects during the past 7 years since the recession of 2008.

Now, to be scientific, I would have to also pick a control group, but I haven’t done that. To be candid, this is like one of those clinical trials where they stop the control group for moral reasons once the initial data comes in. I don’t need to know if proprietary companies would do as well–I don’t think that’s likely. But even if so, the more efficient capital use by COSS companies would motivate us. Capital, thoughtfully applied to COSS businesses in bad times, is a big countercyclical advantage.

A note on methodology: The selection of 50 companies was to some degree arbitrary, in the sense that I applied a few rules to identify COSS companies according to our definition. I did not include companies like Facebook or Google, which contribute greatly to open source development, but whose primary business is not open source development. (In other words, primarily proprietary companies with open source activities, rather than vice-versa. For more on this distinction see www.chinstrap.community. I excluded cryptocurrencies–because their products are not primarily based on providing software, companies that sold only proprietary versions of open source software written by others, and a few others whose business was too complex to map–positively or negatively–to the analysis. Other methodology notes appear in the table.

Is AI the re-Democratization of the Web?

For a few years now, the news has been full of prognosticators screeching about the dangers of AI. And while some of it is potentially concerning, we all know that the news tends to lean into the catastrophic. So, I’ve been thinking about one aspect of the advent of AI that might actually be great – at least for the time being.

Once upon a time, the web was a level playing field. I remember my delight in being able to use algorithmic search results. In those results, even small webpages sometimes came up before big ones.

Then the commercialization of search started–and never stopped.

Don’t get me wrong, there were some things about the commercialization of search that were great. The theory was that people who were willing to pay to show search results typically had more resources and therefore offered better products or more interesting information. And those who complain about targeted ads have surely forgotten the early days where every ad was for Viagra.

Once Upon a Query

For a while, search engines like Google clearly separated algorithmic and paid search results–whereas some search engines leaned more heavily into paid results without identifying them as paid. And each of us used the search engine that fit our needs best. I was an Altavista fan until it got acquired by Yahoo and mothballed. Altavista was the algorithmic search engine beloved by nerds everywhere.

But eventually, paid search took over the web experience. These days, you can’t even search for information about hotels without getting an entire page of results from aggregators–so much so that the official sites of the hoteliers are actually hard to find. And don’t get me started about trying to file government documents; the actual government sites are buried in a slew of ads by charlatans who want to charge you money to file something that is usually just as easy to file yourself.

For Now, AI is Better

Now, recently, we’ve seen some hue and cry in the press about AI taking over search. Let me remind you that, a few years ago, the same hue and cry was about videos taking over search. All these articles seemed to imply that anything taking over search was a danger, because (reading between the lines) search yielded up purer, more factual, or less brain-rot results. These articles bemoanthat the golden days of search were over, and possibly that Google’s ad-related business model is doomed–though given the Google-hating so common in media, it wasn’t clear why that was supposed to be a cause for alarm.

Recently, OpenAI announced a browser called Atlas. Again, the alarm bells sounded for the death of search.

Then I started thinking, is that really a bad thing? When I ask AI a question, the AI answers based on what it knows. And mostly, it knows facts, not the potential for ad revenue. I also get web links as references in the answer. Those references seem to be more like the old days of search, where information took precedence over advertising.

Here’s an example, I searched for a flight to Samarkand. With Google Search, the entire first page was paid results. It found Turkish Air, which was good, but the first hit was Delta.

Now, Delta and Lufthansa are not the best flight to anywhere, in my experience, but guess what? Delta–the top result–apparently doesn’t even go there.

Meanwhile, Claude gave me a lot of useful information. But even AI is at the mercy of what is on the web, so it pointed me to an aggregator instead of an airline.

And so, exactly who is surprised that AI is replacing search? I mean, AI is helpful, but the problem is that search is broken.

Waiting for the Other Shoe to Drop

Now the question is: where will the search ads go? What will be the next business initiative to divert my attention from what I want to see, to what advertisers want me to see? Ads aren’t in AI results yet, because the AI providers are getting paid for using their models. In that sense, Google search is more like the old over-the-airwaves TV model: the service is free, but the ads pay for it. Now, for AI, we seem to be in the equivalent of the early streaming days: pay for the service, but no ads. But we all know what happens next: pay for the service, and see ads, as well.

Meanwhile, let’s enjoy this time, which we might later look back on as a golden age of ad-free AI search results.

Amicus Brief in Thomson Reuters v. Ross

I am excited to announce that I filed an amicus brief in this case (about which I wrote a while ago). The case is on interlocutory appeal to the Third Circuit on topics of protectability of legal headnotes under copyright, and fair use of legal headnotes in AI training. My brief is focused on protectability.

On a personal note: This is the first time I’ve ever filed an amicus brief–or any brief–and the process was a learning experience for me. Writing the argument was fun, but for me, that was only the beginning. It was truly a 90/10 rule. In the end, with the help of the excellent team at Counsel Press, I was able to get it filed.

I look forward to the court’s eventual decision on this case.

Anthropic Settling AI Class Action

Of all the many pending lawsuits about AI and copyright, the Anthropic class action has been blazing trails in the US courts. The case is still not precisely over, but apparently heading toward settlement.

Update as of 9/5/25: Under the proposed settlement, Anthropic will pay about $3,000 for each of about 500,000 books used from pirate sites, for a total of at least $1.5 billion. “All works in the Class are treated the same in this settlement, entitled to the same pro-rata amount of the Settlement Fund, reflective of the per-work statutory damages remedy authorized by the Copyright Act itself. The allocation for each Class Work will be calculated by dividing the total amount of the Settlement Fund (less fees and expenses) by the total number of Class Works.”

And in case you were wondering, this summary was done almost entirely with Claude, Anthropic’s LLM, with minimal editing. So…

Background

Case: Bartz v. Anthropic PBC, Case No. 3:24-cv-05417 (N.D. Cal.)

Court Docket: CourtListener.com

Plaintiffs: Three named plaintiffs – Andrea Bartz, Charles Graeber, and Kirk Wallace Johnson – filed a class action lawsuit against Anthropic.

The Training: Anthropic downloaded over seven million books from pirate sites and digitized millions of purchased print books to build a “central library of “all the books in the world'” to support the training of its large language models. Specifically:

Anthropic used millions of copyrighted books to train its Claude LLMs for use with its AI services capable of generating writings that mimic the writing style of humans.
Millions of books were downloaded from shadow library sites like Pirate Library Mirror and Library Genesis and stored in a central repository that Anthropic employees could access for model training and internal research.
The Court relied in part on an internal Anthropic email in which an employee was tasked with obtaining “all the books in the world” while avoiding as much “legal/practice/business slog” as possible.

Legal Claims

The plaintiffs claimed Anthropic infringed their copyrights by (1) pirating copies of their works for Anthropic’s library and (2) reproducing their works to train Anthropic’s LLMs. The authors argued that use of their books to train Anthropic’s LLMs could result in the production of works that compete and displace demand for their books and that Anthropic’s unauthorized use has the potential to displace an emerging market for licensing the plaintiffs’ works for the purpose of training LLMs.

Procedural Facts

Filed: August 19, 2024
Complaint: Bartz et al. v. Anthropic PBC – 3:24-cv-05417
Judge: U.S. District Judge William Alsup of the Northern District of California
Motion: Anthropic moved for summary judgment on an asserted defense of fair use. Judge Alsup issued a mixed decision on June 23, 2025, granting summary judgment on some issues while denying it on others.
Class Action Status: The case was certified as a class action on July 17, 2025.
Interlocutory Appeal: Anthropic filed a Rule 23(f) petition seeking interlocutory appeal of Judge Alsup’s class certification in Bartz v. Anthropic.
Motion to Stay: Anthropic moved to stay the case, pending its seeking of Rule23(f) interlocutory appeal of his class certification. Judge Alsup denied Anthropic’s request to stay the case on August 11, 2025.
Notice of Settlement and Joint Stipulation for Stay was filed August 25, 2025 indicating hte parties were close to a settlement.
Order re: Settlement. The case is stayed for the parties to file a settlement by September 5, 2025.

The June 23 Summary Judgment Order:

Granted Summary Judgment (Fair Use Found):

Training LLMs: The court concluded that use of the books at issue to train Anthropic’s LLMs was “exceedingly transformative” and a fair use under Section 107 of the Copyright Act. Judge Alsup wrote that the “‘purpose and character of using works to train LLMs was transformative – spectacularly so'” and described it as “quintessentially transformative.”
Digitizing Purchased Books: The Court concluded this was fair use because the new digital copies were not redistributed, but rather, simply, convenient space-saving replacements of the discarded print copies.

Denied Summary Judgment (Not Fair Use):

Pirated Books: The court found that downloading and copying pirated books for its library was not fair use. Because Anthropic never paid for the pirated copies, the court thought it was clear the pirated copies displaced demand for the authors’ works, copy for copy.

Fair Use Analysis

Factor 1 (Purpose/Character): The court noted that authors cannot exclude others from using their works to learn. It noted that, for centuries, people have read and re-read books, and that the training was for the purpose of creating something different, not to supplant the works
Factor 4 (Market Effect): The Court found that the copies used by Anthropic to train LLMs did not (and will not) displace demand for the authors’ works. The court dismissed concerns by analogizing to complaining that “training schoolchildren to write well would result in an explosion of competing works”
Partial Victory: Upon weighing all the fair use factors, the Court granted Anthropic’s summary judgment motion for fair use as to the training of LLMs and the digitization (format change) of legally purchased works. The Court, however, denied summary judgment relating to pirated copies and ordered a trial on that issue and any related damages.
Trial Scheduled: The court wrote that “We will have a trial on the pirated copies used to create Anthropic’s central library and the resulting damages, actual or statutory (including for willfulness)” Trial was Scheduled for December, 2025.
Potential Damages: Depending on how many titles were involved, Anthropic’s potential liability could reach into the billions.

PHP License Metamorphoses to BSD

The PHP project announced it is moving to a new license.

PHP is a scripting language used for web development. It can be embedded within HTML and used to create dynamic web pages. It is the “P” in the LAMP stack (Linux, Apache, MySQL and PHP)–although some people use the P to refer to Python or PERL. The Zend Engine, the core of PHP.

For years, PHP as a whole has been offered under the PHP License and the Zend Engine License–both permissive licenses. The PHP License is OSI approved, but the Zend Engine License is not. The Zend Engine License has specific naming restrictions related to “Zend” and “Zend Engine,” sometimes referred to as advertising clauses or attribution clauses. Such restrictions were common in early permissive licenses like Apache 1.0, but have since been deprecated by the open source community and do not appear in most recent permissive licenses.

License changes can be a challenge, because unless a project uses a contribution license agreement (CLA), it must get permission from all contributors to change the license for their contributions. In major projects, this has been done a few times, such as the Wikipedia migration and the OpenSSL change, but it’s a big project that can require broad socialization and risk that a contributor will object. These changes usually take place with popular projects whose licenses are outdated, ad hoc, and confusing.

But PHP has found a neat trick to avoid having to get permission from every contributor. Like many open source licenses, the PHP license allows the license steward to issue new versions.

  5. The PHP Group may publish revised and/or new versions of the
     license from time to time. Each version will be given a
     distinguishing version number.
     Once covered code has been published under a particular version
     of the license, you may always continue to use it under the terms
     of that version. You may also choose to use such covered code
     under the terms of any subsequent version of the license
     published by the PHP Group. No one other than the PHP Group has
     the right to modify the terms applicable to covered code created
     under this License.

Apparently, PHP, as license steward, is redefining its own license as the BSD license. The announcement says that the BSD License will be adopted as the PHP License v.4 and as the Zend Engine License v. 3.