Comment by tut-urut-utut
4 years ago
Please don't blame engineers on every single issue. The engineer may not even know there's an issue here. They may be assured by their boss or legal department that they are in the clear. They may not even think about such mundane things like licensing and stuff, that's what they have higher ups for.
If someone is to blame, then it's the company leadership and legal department. As much as we want to make us engineers more important than we are, we are not decision makers. Blame should be put where it belongs.
> They may not even think about such mundane things like licensing and stuff
Imagine a medical doctor or civil engineer claiming that knowing the laws of their professions is "mundane". That's why no one takes programmers seriously.
> we are not decision makers.
You totally can decide to not work on stuff you are not comfortable with. It's not like there's a shortage of software engineering jobs.
> You totally can decide to not work on stuff you are not comfortable with.
I seriously don't get why engineers think they share no responsibility whatsoever for the company they work for. Somehow, they seem to think their situation is comparable to someone picking orders at an Amazon fulfillment center. Thinking they "have no choice" when making 6 figures and having to fight off the recruiters. That's just an easy excuse they tell themselves to help them sleep at night. It's an insult to workers who actually have little choice to do shitty jobs for shitty companies to put food on the table and can barely make ends meet.
> can barely make ends meet
I dunno, that’s kinda how I feel every time I look at the price of housing.
Yes because every software engineer is at a SV startup or is a FAANG employee earning 100k+...
> knowing the laws of their professions is "mundane". That's why no one takes programmers seriously.
You cannot know laws that are not there, and the very definition of a lot of software positions these days is ‘do evil’.
I like that I am not being taken seriously as a programmer. I get paid a lot and in exchange I have no responsibilities. If a civil engineer or a doctor makes a mistake that kills someone they go to prison. Nothing happens to me for producing crappy code. What are the downsides?
Software engineers are in a position of great privilege: if we can’t hold ourselves to account, what are we doing? Almost any software engineer put in a difficult position can get up and walk into another job — “it’s not my decision” is not an acceptable excuse for (almost any) software engineer.
Blame lies with those who are complicit by choice, just as much as those who are directing the behaviour.
> They may not even think about such mundane things like licensing and stuff, that's what they have higher ups for.
Oh, come on. Engineers these days are not stupid. While I agree that their boss could plainly lie to them that he bought a commercial license, it was more like, "What will we use for the underlying storage?" "Maybe MinIO, they're S3-compatible and efficient." "Fine. Can we use their code, though?" "Sure, it's open source, and we are a *aaS business, so no problem." I saw this kind of thinking before.
"I was just following orders" is not considered a legitimate excuse. The engineers have agency and should be considered a "reasonable person".
As soon as doing morally questionable things becomes illegal I think you’ll find that a lot more people are willing to take a stand.
The engineers might understand the issue better than legal. Most engineers I've met understand the spirit and intentions of the open source license far better than the legal teams, who are more interested in whether or not you could be successfully sued.
One of the issues with open source software, from a branding perspective, is that you can technically be in the clear, but violate the social contract that implicitly exists in the community. Many companies fail to factor that part in when running licenses through legal.
The engineer who includes the binary is responsible for understanding the ramifications.
You are being downvoted but I actually think there are some fair points that you are making.
We use a lot of FOSS in our company. We pay licenses and contribute very little (our job isn't to improve gitlab or docker, we are shipping a software product on top of that), but I wouldn't know where exactly we are in the legal-illegal spectrum to save my life.
I consider myself an employee, not an entrepreneur. If I were an entrepreneur, I sure would happily seek legal advice on what exactly is fair use of open source. But really, I wouldn't know who to trust on the free advice market to figure out what I'm allowed and not allowed to do when starting up. I have absolutely 0 interest in legal stuff and it's mostly scary and confusing to me (and that's probably why I don't do any entrepreneurship, not even a side hustle in consulting), and I wish I and other salarymen would be given a break about what the company is doing.
Nutanix shouldn't do what they are doing, but I don't think engineers should be to blame. At the end of the day, if an employee would have to go through everything that the company might not do perfectly right before deciding on a job, we would work nowhere. I wouldn't work for Oracle, but where to draw the line exactly?
If your job is to pick the dependencies, your job is also to understand what picking those dependencies means.
It rings hollow to throw your hands up at the license part and say - “not my job”. It is. Understanding the legal risk of that dependency is as important as understanding the technical risk.
If your company doesn’t have a license policy, ask for a lawyer to draft that. But I’ve worked at some pretty penny-ante companies before and even they had an acceptable license policy.
If yours truly doesn’t have one, part of your job as the person building the software is to get one drafted.
Engineers generally have the responsibility of picking dependencies subject to legal constraints - they have zero understanding or inclination to understand licensing terms. That's generally fine at companies with established legal departments. The enforcement of legal constraints is done by the legal department, which will usually employ at least one full-time counsel who specializes in IP law, and it is generally completely outside engineers' purview. In fact, this is Standard Operating Procedure at almost every company of this size, including at Nutanix, which is a mid-size, public, enterprise hardware/software company whose shares are traded on NASDAQ.
It's really not the engineers' job to pick the dependencies per se, but to pick them subject to constraints that are laid out by management. There is certainly no ethical quandary or abdication of moral responsibilities in this setup: engineers will pick among choices that are pre-vetted by people who know the legal ramifications best and have a fiduciary responsibility to shareholders to make sure the company does not run afoul of applicable law.
Engineers need to ask legal for a license review. You as an engineer may not understand every aspect of it, but your legal team should make it clear. It’s the same at most places. Licenses are included with the source code, it’s not that hard to bump it up to legal to understand your responsibilities of including it in the product.
OTOH - if the engineer did that and received flawed guidance, then it’s a legal issue and not the engineer’s issue. I guess the question is whether the legal review of all FOSS licenses in the product was done.
For the record, open source licenses are generally fairly understandable.
And if you're lazy, there are websites which give you a summary of it: https://tldrlegal.com/licenses/tags/OSI-Approved
I'm really starting to think that companies violating OSS licenses is often times malice, not ignorance.