Audacity's New Owner Is In Another Fight With the Open Source Community (arstechnica.com) 48
An anonymous reader quotes a report from Ars Technica: Muse Group -- owner of the popular audio-editing app Audacity -- is in hot water with the open source community again. This time, the controversy isn't over Audacity -- it's about MuseScore, an open source application that allows musicians to create, share, and download musical scores (especially, but not only, in the form of sheet music). The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app -- he also created separate apps designed to bypass MuseScore Pro subscription fees. After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray -- known on GitHub by the moniker "workedintheory" -- to get to the bottom of the controversy.
While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications.
Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).
While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications.
Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).
Just for reference. (Score:1)
The owner of MuseScore and Audacity is the group that operates the long running Ultimate Guitar, which used to a big thorn in the RIAA and performing rights organizations. They are trying to go legit and muscle in on the tabbing program scene that is dominated by Guitar Pro from Arobas.
Lesson 1 when you're going to charge for content: (Score:5, Insightful)
Don't make the access authorization user-side in an open source program.
I'm not a coder and even I know that.
Re: Lesson 1 when you're going to charge for conte (Score:2)
Agree: this sounds like a STOOOPID design for an app.
How, by forking the client, (or even the server, assuming you don't have an account on the score repository) could you access all the content or make it available? Did somebody hard code a service account or something?
Oops...
Re: (Score:2)
If he forked the client software and was able to change something in it so a user could access the server respositories and make downloads without entering credentials, then too much of the authentication check lived in the client. That's a pretty stupid design. Maybe they inherited it from their more eyepatch-and-parrot-ish days before now, but hey look at that it bit them.
The other repository sounds like scraped the server for a bunch of content and reposted it, that will probably be what gets him in ho
Re: (Score:2)
No, the other repo isn't that. It's just a list of links to the content - the owner posted the content to IPFS and put the URLs in the document.
So even that repository is legit. Delete the repository, you still have the files in IPFS. And I believe IPFS makes it very hard to remove content once posted.
Re:Lesson 1 when you're going to charge for conten (Score:5, Informative)
That's not how it works and none of what you said makes sense.
The downloader is a web scraper built in javascript. You can browse all of the music for free, you just can't download it via the website unless you log in. This tool loads the music as if a free user were browsing it, and then has its own libraries to convert them into a pdf. Go to the website and look at the music. It still loads in your browser for free, but the download button will require a login. The tool takes advantage of that.
Re:Lesson 1 when you're going to charge for conten (Score:4, Interesting)
Indeed. As most music sites do. They first play only a preview (one even says that over the music), and when one buys they get the full thing. In one form or another (from sheet music to samples) NEVER give out the entire thing in a usable form (watermarks, cropped, lower resolution images).
Re: (Score:2)
This is on point. I wish I could give you mod points.
Re: (Score:2)
If you can browse the content for free then you've already been given access to it. Modifying the client just makes it easier.
Not a legal right to copy it,though.
Re: (Score:3)
If you can browse the content for free then you've already been given access to it. Modifying the client just makes it easier.
Not a legal right to copy it,though.
Actually a legal right to copy. What you may not be allowed to do is distribute it, but you have been given access already. (Copyright is actually mostly about distribution, the terminology does not translate well to digital goods.) And there is no such thing as retracting that access and requiring you to delete your copies. You can only stop providing new copies, the copy the user has, the user has.
Re: (Score:1)
Actually a legal right to copy.
While the details vary with jurisdiction in many you don't have a legal right to copy. But the devil is in the details and depends on how much you pay your lawyer to come with with fancy weasel words.
"I wasn't copying, I was format shifting." is a classic one.
What is clear is that simply having access to something doesn't give you a right to said something.
Re: (Score:2)
"I wasn't copying, I was format shifting." is a classic one.
That's not really weasel words, that's just trying to deal with the fact that copyright is fundamentally incompatible with computer technology. Consider storage technologies, for example, perpendicular magnetic storage. Since the stored bits overlap each other, in order to perform operations on data, it needs to be read, buffered, and re-written. That can mean multiple operations that all count as copying on a file or part of a file even when that particular file isn't even being read if there are other fil
Re: (Score:2)
As another example, the Samsung 840 Evo SSD shipped with a flaw that the NAND cells became harder and much slower to read back after a month or more of sitting untouched. The fix for this was to add monthly rewrites for every cell to the garbage collection routines. I was initially concerned about lifespan but realized it would take a century of monthly writes to kill the drive.
Re: (Score:2)
Right, and every time that happens, the data on the drive, which may be material where the copyright belongs to someone else, is being copied, converted into a derivative work, technically by the owner of the device. There is no real "fixed form" even for static data on a drive that is not being accessed by the operating system. So applying copyright rules to that is almost impossible.
As far as software from the article, my understanding is that their complaint is that people can freely access data in one f
Re: Lesson 1 when you're going to charge for conte (Score:2)
Re: (Score:2)
Sooo, if you print that website or make a screenshot, that is different from looking at it? That does not make any sense. Legally, as soon as it is in the browser cache, there is a copy. And all the instructions from the server about caching are _advisory_ only and routinely ignored.
Re: (Score:1)
> That's not how it works and none of what you said makes sense.
If unauthenticated remote client can view all data, the only restriction preventing user from downloading is in javascript or css.
As OP said that is dumb and restriction should be on server side. Web designers relying on noselect or javascript to block users from copying website content are idiots.
Re: (Score:2)
Game designers make this mistake time and again, especially in RTS. The problem is a server round-trip costs time. The other problem is all that is on the client is accessible. You could do some advanced things with encryption to solve that to a degree, but here is the problem: Most coders do understand neither security nor encryption.
Re: (Score:2)
Don't make the access authorization user-side in an open source program.
I'm not a coder and even I know that.
Actually that is one of the things that we drill into students when teaching secure coding: Never, ever make authorizations on user-side. This one is obvious to anybody halfway smart, because obviously the user-side is under user control. As this is FOSS, they may even lose legal protection of their content that way, because at least in the EU, there must be working protection mechanisms. However there is no limit on how you are allowed to change GPL code and you may redistribute it without limits.
I usually
Re: (Score:1)
Trivial. (Score:1)
Re: (Score:2)
I mean, you'd think so? But apparently it was enough of a problem that we're here, on Slashdot, asking that question. Which means it's either way more difficult than it probably has any business being (cue the sinister entrance motif for LEGACY IMPLEMENTATION), or they're really bad at what they're trying to do. Possibly both.
Re: (Score:2)
> Which means it's either way more difficult than it probably has any business being
I mean, the guy put all their files on ipfs and his github is just a script to poll ipfs.
The first is impossible to undo and the second isn't something they can do a take-down on.
The Discord channel is gone but that's a centralized service so it's easy to target.
He basically sounds like a communist, and his bash is ugly, too. The
idiom has compatibility problems.
Bash usually works better, for me a
Re: Trivial. (Score:2)
That idiom is compatible with every version of bash I've ever encountered.
And spawning sub-shells is almost never a problem unless you're doing it in a tight loop. Bash is slow. You shouldn't be using it for high performance code. Trying to optimize it is usually dumb.
Re: (Score:2)
I'm going to go with the latter here. If it was the former, the right thing would have been to come up with a second protocol to use for the free software network client to use so they wouldn't have to disclose their crappy legacy locked unsecurable interface to the public view.
Incompetence AND malice. (Score:2)
This really looks like incompetence on the part of the MuseScore people, and malice (by irrevocably releasing the scores) on Xmader's part. They should have -- and probably will, now -- just made the whole library thing a standalone app, which they could have kept closed. Then also add a web interface people can log into.
The Audacity licensing thing also seemed pretty incompetent and tone-deaf, but potentially also malicious. This one just seems like straight up incompetence (from them).
Re: (Score:2)
Well, yes. Unfortunately some "activists" lose sight of their goals and go way overboard.
Muse is in the right here (Score:5, Informative)
The individual wrote a program that scrapes copyrighted content from a web page that would otherwise only be available with a paid subscription. IANAL but a program who's sole purpose is to enable the user of that program to violate copyright by stealing copyrighted sheet music without paying for it is probably going to be illegal somewhere.
But the same individual set up a repository holding copyrighted sheet music. That's definitely illegal and an open and shut case for any copyright lawyer to make.
Re: (Score:2)
Re:Muse is in the right here (Score:5, Informative)
From what I understand some of the sheet music is user-contributed and is under creative commons.
Some, yes. Those which are can be downloaded freely without a subscription.
The issue here is that he's intentionally scraping copyrighted music which has had paid for licenses attached to it. This is one step more nefarious to the arguments currently about youtube video downloading, since at least youtube provides a stream in original and usable format. In this case someone is effectively back building a product based on available data that requires a license fee to distribute.
The youtube downloader arguments often fail on the fact that no attempt to protect content has been bypassed. This example here would very likely fail that same legal test.
Re: (Score:3, Insightful)
The company has shown a lot of patience and restraint here, they could have started with take-downs and by suing the guy but instead tried their best to explain it to him in the hopes he would stop.
As Ars noted the site used to be a piracy hub and in imminent danger of being shut down. They took it legit and while copyright law sucks it is what it is and they are at least making this stuff available easily. Previously you had to either pirate or go buy a bunch of compilation books to get the few scores you
Re: Muse is in the right here (Score:2)
It seems that's not accurate. The website allows you to view the content without login. The app this guy wrote just refuses to distinguish between a download and a view (which requires a download), because there is no difference. The website operators don't realize there's no difference between a download and a view (which requires a download). So, nothing untoward is going on.
If the GUI is the limit, it is broken by design (Score:3, Insightful)
Re: (Score:2)
In cases like this, where the GUI is suppose to be the limit but it isn't, I feel little sympathy for the designer of the back end.
Indeed. The back-end must do all access control enforcement or the designer is simply incompetent.
Only fools "enforce" things on parts of the system they do not control. Great fools have no clue what they control and what not. There are a lot of great fools that write software.
Re: (Score:2)
The GUI isn't the limit. Copyright law is the limit. Just because you can do something doesn't mean you're allowed to do something. Kind of like just because someone could stab you in a street doesn't mean they are allowed to.
The act of providing viewable but not downloadable access to something relies on trust that the end user is obeying the law. That is a fundamental tenant of DRM. When you give someone locked content, a key to the locked content, and then instructions to only use the key under specific
Re: If the GUI is the limit, it is broken by desig (Score:2)
If you publish something to a public website, you are implicitly granting the right to make personal copies. Copyright stops you from distributing works, not copying them.
Re: (Score:1)
If you publish something to a public website, you are implicitly granting the right to make personal copies. Copyright stops you from distributing works, not copying them.
Not necessarily. You have an implicit license to make sufficient copies to display it on your browser. The server initially made a copy which it transmitted over the internet to you. That was the service provider performing the copying and distribution, so it's on them to ensure that they have a license to copy/distribute it.
Then your computer makes several copies: copy from network buffer to browser heap, from heap to display buffer, probably several other in-memory copies in the process of rendering th
Re: (Score:2)
Yep, once the data has been copied to my device, I can modify and use it any way I want. I just can't distributed it to others.
Re: If the GUI is the limit, it is broken by desi (Score:1)
Re: (Score:2)
If you publish something to a public website, you are implicitly granting the right to make personal copies. Copyright stops you from distributing works, not copying them.
Nope. It doesn't work like that. You can't distill hundreds of pages of copyright law into one line. The devil is in the details. This isn't a case of right clicking and downloading an image to your computer. The software specifically works around and reformats data presented to you in a way that allows you access to it in a format not granted.
Incidentally this detail works both ways and is specifically why Youtube-dl passed a legal challenge. Youtube directly streams you mp4 and aac data, writing it to a f
Re: (Score:2)
Relying on a stranger to not break the law because they might get in trouble for it is reasonable. Relying on a stranger to not break the law because you might get in trouble for it is extremely stupid.
Re: (Score:2)
It's only stupid if there's an alternative. It's impossible to meet the conditions of any license to display but not distribute without relying on a stranger not breaking the law. The only recourse is to either give up business or use the law.
Re: (Score:2)
It sounds like they gave up after trying nothing. Sheet music stores I've seen will display only one page in low resolution so you can get an idea of what you are buying without seeing the whole thing. This is just one possibility to deal with the problem.
Money talks so shut up now (Score:3)
Easy to fix (Score:2)
Simple fix, either do not display the score on the website for users that are not allowed to download said score, or display it, but with some wrong notes and other errors. The preview on the website looks fine but the download requires manual fixing and for most is not worth the trouble.
Re: (Score:2)
That would be "creating a derivative work" which is almost certainly as much of a copyright violation as bypassing controls -- except it would be their bad behavior.
not a fight with the open source community (Score:2)