On Thu, Aug 22, 2019, 3:18 PM Rene Rivera via Boost wrote:

On Thu, Aug 22, 2019 at 2:37 PM Michael Caisse via Boost < boost@lists.boost.org> wrote:

...

Copying to dev ML.

On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:

...

https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/d...

...

...

Original sources:

http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bi...

...

The original source of that one is < http://graphics.stanford.edu/~seander/bithacks.html#IntegerLogLookup>. Which is stated as "Individually, the code snippets here are in the public domain (unless otherwise noted) ". I'm surprised the lawyers in this case did not track that down.

Public domain does not exist in some jurisdictions, so it cannot be used in place of a license. Zach

On 8/26/19 2:02 AM, Ion Gaztañaga via Boost wrote:

On 22/08/2019 21:37, Michael Caisse via Boost wrote:

...

Copying to dev ML.

On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:

...

During an annual third-party audit of our source code, boost intrusive was flagged as containing unlicensed code. Specifically, there are several pieces of code in this file which are explicitly attributed to external parties on external websites, which still exist and show no license.

https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/d...

https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/d...

Original sources: http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bi...

http://www.flipcode.com/archives/Fast_log_Function.shtml

I don't claim to be a license expert. I've read a lot over the years, but this is the first time that I've actually been between an attorney and a codebase having to figure out practical implications of a scenario like this.

I first want to make sure that Boost committee is aware of this situation.

Second, I would like to know what the official conclusion would be from the Boost Committee about the license implications in cases like these. Maybe it has come up before and is well established. On the surface, the implications seems ambiguous to me when: DEVELOPER_A takes unlicensed code off the internet, prefixes it with a comment that says "Thanks to DEVELOPER_B ", then prefixes the whole file with a file-level copyright notice that says "COPYRIGHT  DEVELOPER_A", and then says it's distributed under BSL-1.0 license, and then the boost team re-distributes the source code.

Internally at my company, there was little discussion about it.  There is no room for ambiguity, so the directive from management was to delete the file from our SCM system completely and ensure it never is included in our products.  VERY fortunately, deleting it doesn't seem to have broken our builds.  In future cases like this, that's really not what we want to be doing with your OSS libraries for obvious reasons.  So, I'd like to know if there's any chance this situation changes in a future version of Boost (I.E., the code be removed/re-written with clean-room approach, etc).

Hi,

I didn't expect those snippets in the public domain of well-known methods could be a problem, and I explicitly thanked the authors.

I'm not a lawyer, but my understanding is that works under public domain can be used by everyone in any way, including modifying and redistributing under a (different) license with no identification of the original author. Thus using public domain code in a BSL-licensed Boost library should be fine. That the original author or source was also acknowledged is legally unneccessary, but is a gesture of gratitude and good faith. If I'm wrong then I would like to be corrected by someone who knows for certain. I think, this might be a good case for the Steering Committee to ask advice of a lawyer.

...

...

Second, I would like to know what the official conclusion would be from the Boost Committee about the license implications in cases like these. Maybe it has come up before and is well established. On the surface, the implications seems ambiguous to me when: DEVELOPER_A takes unlicensed code off the internet, prefixes it with a comment that says "Thanks to DEVELOPER_B ", then prefixes the whole file with a file-level copyright notice that says "COPYRIGHT  DEVELOPER_A", and then says it's distributed under BSL-1.0 license, and then the boost team re-distributes the source code.

I am on record here on boost-dev on how incorrect the software which scans for "plagiarism" is. Technically, legally, and morally. Those third party audit vendors basically do almost no work, they feed the code to a plagiarism program which contains corpuses derived from various well known places on the internet in order to appear like they earned their fees. Most of said vendors never bother to review the reports of "plagiarism" they return for accuracy. The knee jerk reaction of deleting anything in those reports is just NIH syndrome in another variant. For small snippets of algorithm like you mostly get from stackoverflow, or public websites, they are uncopyrightable in any case as they are maths, which cannot be copyrighted nor patented anywhere in the world. Only the naming of variables might be copyrightable, and hence one would be wise to change the variable names. For larger snippets, fair use exception generally applies, though fair use exceptions don't exist in some jurisdictions of the Western world. The use of the phrase "taken from" in the Boost.Intrusive comment is unfortunate. "Inspired by" is much better. Doesn't affect the legality though. I think linking to source of bit tricks is very good. It helps explain the algorithm to those studying Boost code to learn from it. I think we should do more of it, not less. 99% of the C and C++ snippets on StackOverflow actually come from the book "Hacker's Delight" by Henry Warren. He explicitly says that reusing said snippets from his book require no attribution, so all those snippets on StackOverflow are legal, and so is reusing them in Boost code, with or without attribution. Last time I raised this issue, Boost decided to delete the "offending" parts rather than take a stand for what is right. I assume nothing here will change this time round, but I encourage Boost library authors to grow a backbone and stand up for good etiquette. I similarly encourage Boost users to tell management to stop implementing NIH, in all its forms. Niall

-----Original Message----- From: Boost On Behalf Of Ion Gaztañaga via Boost Sent: 26 August 2019 00:02 To: Michael Caisse via Boost Cc: Ion Gaztañaga Subject: Re: [boost] [Boost-users] License Issue with boost_intrusive

On 22/08/2019 21:37, Michael Caisse via Boost wrote:

...

Copying to dev ML.

On 8/22/19 12:05, Gerald Wiltse via Boost-users wrote:

...

During an annual third-party audit of our source code, boost intrusive was flagged as containing unlicensed code. Specifically, there are several pieces of code in this file which are explicitly attributed to external parties on external websites, which still exist and show no license.

https://github.com/boostorg/intrusive/blob/develop/include/boost/intr usive/detail/math.hpp#L156-L158

https://github.com/boostorg/intrusive/blob/develop/include/boost/intr usive/detail/math.hpp#L207-L208

Original sources: http://stackoverflow.com/questions/11376288/fast-computing-of-log2-fo r-64-bit-integers http://www.flipcode.com/archives/Fast_log_Function.shtml

I don't claim to be a license expert. I've read a lot over the years, but this is the first time that I've actually been between an attorney and a codebase having to figure out practical implications of a scenario like this.

I first want to make sure that Boost committee is aware of this situation.

Second, I would like to know what the official conclusion would be from the Boost Committee about the license implications in cases like these. Maybe it has come up before and is well established. On the surface, the implications seems ambiguous to me when: DEVELOPER_A takes unlicensed code off the internet, prefixes it with a comment that says "Thanks to DEVELOPER_B ", then prefixes the whole file with a file-level copyright notice that says "COPYRIGHT DEVELOPER_A", and then says it's distributed under BSL-1.0 license, and then the boost team re-distributes the source code.

Internally at my company, there was little discussion about it. There is no room for ambiguity, so the directive from management was to delete the file from our SCM system completely and ensure it never is included in our products. VERY fortunately, deleting it doesn't seem to have broken our builds. In future cases like this, that's really not what we want to be doing with your OSS libraries for obvious reasons. So, I'd like to know if there's any chance this situation changes in a future version of Boost (I.E., the code be removed/re-written with clean-room approach, etc).

Hi,

I didn't expect those snippets in the public domain of well-known methods could be a problem, and I explicitly thanked the authors.

I could just remove that section as compiler-specified methods are available using clz and friends (that's why your build was not broken).

I think that nothing should be done without agreement from Boost's legal adviser because it sets a precedent. I don't believe that Boost should just 'roll over and remove' when faced with this sort of criticism - it seems nonsense to me, but then IANAL 😉 If we could do things in the future, it is perhaps that we should get more people to agree to their names being added to the authors claiming copyright and agreeing to the licence, and keep a record of their agreement (an email will do). And that we should give more details about the sources, references and their license terms. My 2p. Paul Paul A. Bristow Prizet Farmhouse Kendal, Cumbria LA8 8AB UK