Come on, Amazon: If you're going to copy open-source code for a new product, at least credit the creator

Developer wishes cloud giant gave more thought to not stepping on toes


On Thursday, Amazon Web Services launched CloudWatch Synthetics Recorder, a Chrome browser extension for recording browser interactions that it copied from the Headless Recorder project created by developer Tim Nolet.

It broke no law in doing so – the software is published under the permissive Apache License v2 – and developers expect such open-source projects will be copied and forked. But Amazon's move didn't win any fans for failing to publicly acknowledge the code's creator.

There is a mention buried in the NOTICE.txt file bundled with the CloudWatch extension that credits Headless Recorder, under its previous name "puppeteer-recorder," as required by the license. But there's an expectation among open source developers that biz as big as AWS should show more courtesy.

"The core of the problem here (for me at least) is not the letter of the license, it's the spirit," said Nolet in a message to The Register.

"It's the fact that no one inside of AWS cared enough to stop and think 'is this a dick move? Is this something I would want to have happen to me?' Hence the current PR damage control campaign. They know it's wrong. Not illegal, but wrong. Someone just had to tell them that."

Nolet runs a software monitoring service called Checkly and developed the Headless Recorder browser extension as a tool for his company and customers. He said he hadn't given the license for Headless Recorder a lot of thought because it's just a browser extension full of client-side code – meaning it's visible to anyone familiar with browser development tools.

"Amazon should have opened a PR [pull request] and proposed 'let's add this feature to your code.' Or they could have simply kept their fork open source," he said.

"In the least, they could have mentioned that their work was based on my work. I do this in the README.md of the project itself where I acknowledge the creators of an old project by segment.io that I used as inspiration."


This is not the first time AWS has taken the work of open source developers and turned it into an AWS product. Last year, it launched Open Distro for Elasticsearch, to the dismay of Elasticsearch, a company formed to make a business out of the Elasticsearch open source project. And earlier that year it released DocumentDB, based on an outdated version of the open source MongoDB code.

Many popular open source licenses allow this, but because AWS brings billions in infrastructure assets into the competition, smaller companies trying to commercialize open source projects find the challenge difficult to deal with.

Such behavior – taking without giving back, or at least giving thanks – has been a concern for the past few years and has led to experiments with "cloud protection licenses" designed to deter cloud providers from co-opting public software projects. Just last month, database maker Timescale adopted a new source-available license called the Timescale License (TSL) as a defense against AWS and its peers.

Late last year, in response to a New York Times article about how AWS copies and integrates software pioneered by others, AWS VP Andi Gutmans criticized the report. He pointed to the many open source projects that have received code contributions from AWS developers and insisted, "AWS has not copied anybody’s software or services."

The Register asked Amazon PR and Matt Asay, head of Open Source Strategy and Marketing for AWS, for comment. But we've not heard back.

Via Twitter, Asay expressed concern about the handling of the CloudWatch extension launch and said he would look into it. And in a comment posted to Hacker News, he sounded similarly contrite.

"AWS uses a lot of open source, and we contribute a lot, both in terms of code (first-party projects like Firecracker and Bottlerocket, but also third-party projects like Redis, GraphQL, Open Telemetry, etc.), testing, credits, foundation support, and more," he said.

"But open source is ultimately about people and communities, and I personally feel we could have done more to acknowledge the great work Tim and his co-maintainers have done, and try to support their Headless Recorder work. We're talking with Tim now about this."

Nolet confirmed this and said he believes AWS is sincere in its desire to make amends. "They screwed up and we're going to work something out," he said. "What that is, I have no idea yet." ®


Biting the hand that feeds IT © 1998–2022