Comment by raphaelrobert
1 year ago
I love that Kagi now uses Privacy Pass, and they look like a cool company in general.
That being said, they essentially took the IETF draft I worked on for a while [1] and also my Rust implementation [2]. They built a thin wrapper [3] around my implementation and now call it "Kagi’s implementation of Privacy Pass". I think giving me some credit would have been in order. IETF work and work on open-source software is mostly voluntary, unpaid, and often happens outside of working hours. It's not motivating to be treated like that. Kagi, you can do better.
[1] https://datatracker.ietf.org/doc/draft-ietf-privacypass-batc...
[2] https://github.com/raphaelrobert/privacypass
[3] https://github.com/kagisearch/privacypass-lib/blob/e4d6b354d...
Honestly, I think what TFA calls "Kagi’s implementation of Privacy Pass" is the integration of the feature into their server and clients, not the RFC (which they acknowledge), or the protocol implementation.
[I work at Kagi]
Indeed, this is the intended interpretation of "Kagi's implementation of Privacy Pass" - we're talking about building out the server infrastructure, the UX, the browser extensions, the mobile applications, the Orion browser integration, the support and documentation, the Tor service, etc. The cryptography is obviously an extremely important piece, but it is far from the only piece.
As other commenters have noted, the code in question is MIT licensed [1] and we're pulling it in as a standard dependency [2]; it's not like we've gone out of our way to obscure its origin. The MIT license does not require us to do anything more.
That said, I can understand the author wanting more visible attribution, and that's very reasonable; we'll add a blurb to the blog post acknowledging his contribution to Kagi's deployment of Privacy Pass.
[1] https://github.com/raphaelrobert/privacypass/blob/main/LICEN...
[2] https://github.com/kagisearch/privacypass-lib/blob/e4d6b354d...
Understood, and thanks for updating the blog post. The discussion in the comments was interesting, and I'd like to clarify a few points. From my side, there never were any doubts about licensing compliance. I picked MIT precisely so that folks can use the implementation without further obligations; I wanted the implementation to be as useful as possible. What startled me was the combination of a for-profit company writing a blog post about a new feature (that will likely further increase profit in the future), using my implementation as the core of the feature (and therefore likely saving a bunch of money) and not giving any credit to either the IETF batched tokens draft or the implementation. Anyway, the blog post has been amended now – thanks for that. Case closed.
PS: If you want to go above and beyond, you can spell my last name right in the blog post – it's Robert, not Roberts.
So if they add “credit to raphaelrobert”, or a copy of your license to their code somewhere, Kagi will be compliant?
I’ve never had any of my open source software used, and I typically license it with MIT, so I’m curious how other groups and organizations actually comply with the license.
They are compliant, the code being used is under the MIT license.
Yeah I'm as big of a FOSS fan as the next guy on here but you really can't complain about how someone uses your code if you used the MIT License...one of the most permissive licenses in existence.
If someone wants attribution or something then they should use a license that requires that thing.
Kagi isn't MIT compliant if they lifted code and removed the copyright of the original author (as claimed by OP) only to replace it with theirs.
https://github.com/kagisearch/privacypass-lib/blob/83c9be8cb...
MIT licence explicitly requires maintaining the original copyright header, and licence.
>Copyright (c) <year> <copyright holders>
>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
>*The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.*
>[...]
Captured 14 Feb 2025 ~12:15pm EST from README header
> This repository contains the source code of the core library implementing the Privacy Pass API used by Kagi.
Yeah... that doesn't feel great. Though I do think the folks at Kagi would be open to more accurately reframing that as "core library implementing a Crystal Lang wrapper for raphaelrobert/privacypass". It's likely unintentional, they were probably just focusing on getting it working and didn't get someone to reread this stuff.