An interesting aspect of this, especially their blog post (https://malus.sh/blog.html ), is that it acknowledges a strain in our legal system I've been observing for decades, but don't think the legal system or people in general have dealt with, which is that generally costs matter.
A favorite example of mine is speed limits. There is a difference between "putting up a sign that says 55 mph and walking away", "putting up a sign that says 55 mph and occasionally enforcing it with expensive humans when they get around to it", and "putting up a sign that says 55 mph and rigidly enforcing it to the exact mph through a robot". Nominally, the law is "don't go faster than 55 mph". Realistically, those are three completely different policies in every way that matters.
We are all making a continual and ongoing grave error thinking that taking what were previously de jure policies that were de facto quite different in the real world, and thoughtlessly "upgrading" the de jure policies directly into de facto policies without realizing that that is in fact a huge change in policy. One that nobody voted for, one that no regulator even really thought about, one that we are just thoughtlessly putting into place because "well, the law is, 55 mph" without realizing that, no, in fact that never was the law before. That's what the law said, not what it was. In the past those could never really be the same thing. Now, more and more, they can.
This is a big change!
Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.
And without very many people consciously realizing it, we have centuries of laws that were written with the subconscious realization that enforcement is difficult and expensive, and that the discretion of that enforcement is part of the power of the government. Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.
Yet we still have almost no recognition that that is an issue. This could, perhaps surprisingly, be one of the first places we directly grapple with this in a legal case someday soon, that the legality of something may be at least partially influenced by the expense of the operation.
We should welcome more precise law enforcement. Imperfect enforcement is too easy for law enforcement officers to turn into selective enforcement. By choosing who to go after, law enforcement gets the unearned power to change the law however they want, enforcing unwritten rules of their choosing. Having law enforcement make the laws is bad.
The big caveat, though, is that when enforcement becomes more accurate, the rules and penalties need to change. As you point out, a rigidly enforced law is very different from one that is less rigorously enforced. You are right that there is very little recognition of this. The law is difficult to change by design, but it may soon have to change faster than it has in the past, and it's not clear how or if that can happen. Historically, it seems like the only way rapid governmental change happens is by violent revolution, and I would rather not live in a time of violent revolution...
Dean Ball made this exact point on the Ezra Klein show a few days ago. I always thought laws would get more just with perfect enforcement -- the people passing mandatory sentencing laws for minor drug offenses would think twice if their own children, and not just minorities and unfavourable groups, were subject to the same consequences (instead of rehab or community service).
But if I've learned anything in 20 years of software eng, it's that migration plans matter. The perfect system is irrelevant if you can't figure out how to transition to it. AI is dangling a beautiful future in front of us, but the transition looks... Very challenging
Many governments around the world have entities to which you can write a letter, and those entities are frequently obligated to respond to that letter within a specific time frame. Those laws have been written with the understanding that most people don't know how to write letters, and those who do, will not write them unless absolutely necessary.
This allows the regulators to be slow and operate by shuffling around inefficient paper forms, instead of keeping things in an efficient ticket tracking system.
LLMs make it much, much easier to write letters, even if you don't speak the language and can only communicate at the level of a sixth-grader. Imagine what happens when the worst kind of "can I talk to your supervisor" Karen gets access to a sycophantic LLM, which tells her that she's "absolutely right, this is absolutely unacceptable behavior, I will help you write a letter to your regulator, who should help you out in this situation."
which, as I recall it, suggested that the copyright law effectively considered that it was good that there was a way around copyright (with reverse engineering and clean-room implementation), and also good that the way around copyright required some investment in its own right, rather than being free, easy, and automatic.
I think Samuelson and Scotchmer thought that, as you say, costs matter, and that the legal system was recognizing this, but in a kind of indirect way, not overtly.
> Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.
Hey, I really like this framing. This is a topic that I've thought about from a different perspective.
We have all kinds of 18th and 19th century legal precedents about search, subpoenas, plain sight, surveillance in public spaces, etc... that really took for granted that police effort was limited and that enforcement would be imperfect.
But they break down when you read all the license plates, or you can subpoena anyone's email, or... whatever.
Making the laws rigid and having perfect enforcement has a cost-- but just the baseline cost to privacy and the squashing of innocent transgression is a cost.
(A counterpoint: a lot of selective law enforcement came down to whether you were unpopular or unprivileged in some way... cheaper and automated enforcement may take some of these effects away and make things more fair. Discretion in enforcement can lead to both more and less just outcomes).
"The future of software is not open. It is not closed. It is liberated, freed from the constraints of licenses written for a world in which reproduction required effort, maintained by a generation of developers who believed that sharing code was its own reward and have been comprehensively proven right about the sharing and wrong about the reward."
This applies to open-source but also very well to proprietary software too ;) Reversing your competitors' software has never been easier!
Privacy protection has the exact same issue. Wiretapping laws were created at the time there was literally a detective listening to a private phone conversation as it was happening. Now we record almost everything online, and processing it is trivial and essentially free. The safeguards are the same but the scale of privacy invasion is many orders of magnitude different.
I think this distinction also gets at some issue with things like privacy and facial recognition.
There’s the old approach of hanging a wanted poster and asking people to “call us if you see this guy”. Then there’s the new approach matching faces in a comprehensive database and camera networks.
The later is just the perfect, efficient implementation of the former. But it’s… different somehow.
The answer to this is just changing the law as enforcement becomes different, instead of leaning on the rule of a few people to determine what the appropriate level of enforcement is.
To do this, though, you're going to have to get rid of veto points! A bit hard in our disastrously constitutional system.
This has also been a common theme in recent decades with respect to privacy.
In the US, the police do not generally need a warrant to tail you as you go around town, but it is phenomenally expensive and difficult to do so. Cellphone location records, despite largely providing the same information, do require warrants because it provides extremely cheap, scalable tracking of anyone. In other words, we allow the government to acquire certain information through difficult means in hopes that it forces them to be very selective about how they use it. When the costs changed, what was allowed also had to change.
Absolutely! We're not all making that error, I've been venting about it for years.
"Costs matter" is one way to say it, probably a lot easier to digest and more popular than the "Quantity has a quality all it's own" quote I've been using, which is generally attributed to Stalin which is a little bit of a problem.
But it's absolutely true! Flock ALPRs are equivalent to a police officer with binoculars and a post-it for a wanted vehicle's make, model, and license plate, except we can put hundreds of them on the major intersections throughout a city 24/7 for $20k instead of multiplying the police budget by 20x.
A warrant to gather gigabytes of data from an ISP or email provider is equivalent to a literal wiretap and tape recorder on a suspect's phone line, except the former costs pennies to implement and the later requires a human to actually move wires and then listen for the duration.
Speed cameras are another excellent example.
Technology that changes the cost of enforcement changes the character of the law. I don't think that no one realizes this. I think many in office, many implementing the changes, and many supporting or voting for those groups are acutely aware and greedy for the increased authoritarian control but blind to the human rights harms they're causing.
> We are all making a continual and ongoing grave error
> Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.
I understand your point that changing the enforcement changes how the law is "felt" even though on the paper the law has not changed. And I think it makes sense to review and potentially revise the laws when enforcement methods change. But in the specific case of the 55 mph limit, would the consequences really be grave and terrible if the enforcement was enforced by a robot, but the law remained the same?
The issue with strictly enforcing the speed limit on roads is that sometimes, people must speed. They must break the law. Wife giving birth, rushing a wounded person to the ER, speeding to avoid a collision, etc.
If we wanted to strictly enforce speed limits, we would put governors on engines. However, doing that would cause a lot of harm to normal people. That's why we don't do it.
Stop and think about what it means to be human. We use judgement and decide when we must break the laws. And that is OK and indeed... expected.
Seconded, thirded, fourthed. I spend a lot of time thinking about how laws, in practice, are not actually intended to be perfectly enforced, and not even in the usual selective-enforcement way, just in the pragmatic sense.
> There is a difference between "putting up a sign that says 55 mph and walking away", "putting up a sign that says 55 mph and occasionally enforcing it with expensive humans when they get around to it", and "putting up a sign that says 55 mph and rigidly enforcing it to the exact mph through a robot". Nominally, the law is "don't go faster than 55 mph". Realistically, those are three completely different policies in every way that matters.
...and there's also a large difference between any of those three shifts, and the secular shift (i.e. through no change in regulatory implementation whatsoever!) that occurs when the majority of traffic begins to consist of autonomous vehicles that completely ignore the de facto flow-of-traffic speeds, because they've been programmed to rigorously follow the all laws, including posted de jure speed limits (because the car companies want to CYA.)
Which is to say: even if regulators do literally nothing, they might eventually have to change the letter of the law to better match the de facto spirit of the law, lest we are overcome by a world of robotic "work to rule" inefficiencies.
---
Also, a complete tangent: there's also an even-bigger difference between any of those shifts, and the shift that occurs when traffic calming measures are imposed on the road (narrowing, adding medians, adding curves, etc.) Speed limits are an extremely weird category of regulation, as they try to "prompt" humans to control their behavior in a way that runs directly counter to the way the road has been designed (by the very state imposing the regulations!) to "read" as being high- or low-speed. Ideally, "speed limits" wouldn't be a regulatory cudgel at all; they'd just be an internal analytical calculation on the way to to figuring out how to design the road, so that it feels unsafe to go beyond the "speed limit" speed.
Not exactly the same but at least in Spain, the cost of constructing a new building subject to all the regulations makes them completely unafforfable for low salaries.
(There are other problems, I know, but the regulations are crazy).
Tangentially, this is also the reason why many forms of corruption can be done away with right now with modern technology.
Meaning that democratizing our existing political structures is a reality today and can be done effectively (think blockchain, think zero knowledge proofs).
On the other hand, the political struggle to actually enact this new democratic system will be THE defining struggle of our times.
> Realistically, those are three completely different policies in every way that matters.
I think that the failure to distinguish them is due to a really childish outlook on law and government that is encouraged by people who are simple-minded (because it is easy and moralistic) and by people who are in control of law and government (because it extends their control to social enforcement.)
I don't think any discussion about government, law, or democracy is worth anything without an analysis of government that actually looks at it - through seeing where decisions are made, how those decisions are disseminated, what obligations the people who receive those decisions have to follow them and what latitude they have to change them, and ultimately how they are carried out: the endpoint of government is the application of threats, physical restraint, pain, or death in order to prevent people from doing something they wish to do or force them to do something they do not wish to do, and the means to discover where those methods should be applied. The police officer, the federal agent, the private individual given indemnity from police officers and federal agencies under particular circumstances, the networked cameras pointed into the streets are government. Government has a physical, material existence, a reach.
Democracy is simpler to explain under that premise. It's the degree to which the people that this system controls control the decisions that this system carries out. The degree to which the people who control the system are indemnified from its effects is the degree of authoritarianism. Rule by the ungoverned.
It's also why the biggest sign of political childishness for me are these sort of simple ideas of "international law." International law is a bunch of understandings between nations that any one of them can back out of or simply ignore at any time for any reason, if they are willing to accept the calculated risk of consequences from the nations on the other side of the agreement. It's like national law in quality, but absolutely unlike it in quantity. Even Costa Rica has a far better chance of ignoring, without any long-term cost, the mighty US trying to enforce some treaty regulation than you as an individual have to ignore the police department.
Laws were constructed under this reality. If we hypothetically programmed those laws into unstoppable Terminator-like robots and told them to enforce them without question it would just be a completely different circumstance. If those unstoppable robots had already existed with absolute enforcement, we would have constructed the laws with more precision and absolute limitations. We wouldn't have been able to avoid it, because after a law was set the consequences would have almost instantly become apparent.
With no fuzziness, there's no selective enforcement, but also no discretion (what people call selective enforcement they agree with.) If enforcement has blanket access and reach, there's also no need to make an example or deter. Laws were explicitly formulated around these purposes, especially the penalties set. If every crime was caught current penalties would be draconian, because they implicitly assume that everyone who got caught doing one thing got away with three other things, and for each person who was caught doing a thing three others got away with doing that thing. It punishes for crimes undetected, and attempts to create fear in people still uncaught.
An interesting read, however I'd like to know how to stop websites from screwing around with my scrollbars. In this case it's hidden entirely. Why is this even a thing websites are allowed to do - to change and remove browser UI elements? It makes no sense even, because I have no idea where I am on the page, or how long it is, without scrolling to the bottom to check. God I miss 2005.
It took me a minute to recognize this as satire (thank you HN comments). However it does actually make sense - maybe this could be a way for OSS devs to get paid.
What if we did build a clean room as a service but the proceeds from that didn't go to the "Malus.sh" corporation, but to the owners / maintainers of the OSS being implemented. Maybe all OSS repos should switch to AGPL or some viral license with link to pay-me-to-implement.com. Companies that want to use that package go get their own custom implementation that is under a license strictly for that company and the OSS maintainer gets paid.
I wonder what the MVP for such a thing would look like.
This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.
Copyleft was intended as a principle to keep the software free (as in 'freedom'). Proposing to lock out certain areas of the codebase is directly opposite to this principle.
I am only 50% certain that your idea is expanding on the satire, if not: project owners can provide dual licensing. I'm sorry if you are serious and didn't understand you.
This could work out great, because the OSS devs can focus on building their project instead of marketing to businesses, running sales processes, consulting on implementation and supporting the implementation. No need to find corporate sponsors either.
LOL. Same here. But the footer disclaimer and testimonials gave it away immediately:
> "We had 847 AGPL dependencies blocking our acquisition. MalusCorp liberated them all in 3 weeks. The due diligence team found zero license issues. We closed at $2.3B." - Marcus Wellington III, Former CTO, Definitely Real Corp (Acquired)
> This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services.
"I used to feel guilty about not attributing open source maintainers. Then I remembered that guilt doesn't show up on quarterly reports. Thank you, MalusCorp."
◆
Chad Stockholder
Engineering Director, Profit First LLC
Certain views of OSS and its relation to commercial software always seemed to be fraught with highly voluntarist and moralizing attitudes and an intellectual naivete.
Don't believe in hell but I were I hope they'd be a special place for them.
It's like... revert patent troll? I'm not even sure I get it but the wording "liberation from open source license obligations." just wants to make me puke. I also doubt it's legit but I'm not a lawyer. I hope somebody at the FSF or Apache foundation or ... whomever who is though will clarify.
"Our proprietary AI systems have never seen" how can they prove that? Independent audit? Whom? How often?
This is satire, but the very notion of open source license obligations is meaningless in context. FLOSS licenses do not require you to publish your purely internal changes to the code; any publication happens by your choice, and given that AI can now supposedly engineer a clean-room reimplementation of any published program whatsoever, publishing your software with a proprietary copyright isn't going to exactly save you either.
This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.
I didn't see it was satire (having only skimmed the site) until scrolling through the comments and seeing this fake review being quoted. That's when I went "surely not", checked the site, saw it was really there, and was quite relieved this is not yet an actual thing!
It also shows why this approach is questionable. Opus 4.6 without tool use or web access can provide chardets source code in full from memory/training data (ironically, including the licensing header): https://gist.github.com/yannleretaille/1ce99e1872e5f3b7b133e...
Wow. The guy who’s been thanklessly maintaining the project for 10+ years, with very little help, went way out of his way to produce a zero-reuse, ground-up reimplementation so that it could be MIT licensed... and the very-online copyleft crowd is crucifying him for it and telling him to kick rocks.
Unbelievable. This is why we can’t have nice things.
> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.*
I love it. Brilliant satire that foreshadows the future.
On a quick glance, or skim read, you could be excused for believing this is real, but they drop just enough nuggets throughout that by the end there is no ambiguity.
Really helps illustrates how realistic this could be.
I first encountered the concept of "clean room" in the context of Sean Lahman's free baseball stats database. While technically baseball stats are free, their compiling and manner of presentation in any given format may be claimed as proprietary by any particular provider. And so there's an extensive volunteer effort from baseball fans to "clean room" source them from independent sources such that they are verifying the stats independently of their provenance as a legally permitted basis for building out the database.
I even recall Baseball Mogul relied on the Lahman DB for a period of time. It does make me wonder if we'll see more of that.
This is extremely good satire. Question is, why hasn't anyone done this for real? There's enough people with the right knowledge and who would love to destroy open source for personal gain. Is it that this kind of service would be so open to litigation that it would need a lot of money upfront? Or is someone already working on this, and we're just living out the last good days of OSS?
What would be the incentive for someone to do this for real?
We all have access to SOTA LLMs. If I want a "clean room" implementation of some OSS library, and I can choose between paying a third party to run a script to have AI rebuild the whole library for me and just asking Claude to generate the bits of the library I need, why would I choose to pay?
I think this argument applies to most straightforward "AI generated product" business ideas. Any dev can access a SOTA coding model for $20p/m. The value-add isn't "we used AI to do the thing fast", it's the wrapping around it.
Maybe in this case the "wrapping" is that some other company is taking on the legal risk?
There's a lot of things you could do to be malicious towards other people with minimal effort, yet strangely few people do it. Virtually everyone has morals, and most people's are quite compatible with society (hence we have a society) even if small perturbations in foundational morals sometimes lead to seemingly large discrepancies in resultant actions
You need the right kind of person, in the right life circumstances, to have this idea before it happens for real. By having publicity, it becomes vastly more likely that it finds someone who meets the former two criteria, like how it works with other crime (https://en.wikipedia.org/wiki/Copycat_crime). So thanks, Malus :P
It's an inevitable outcome of automatic code generation that people will do this all the time without thinking about it.
Example: you want a feature in your project, and you know this github repo implements it, so you tell an AI agent to implement the feature and link to the github repo just for reference.
You didn't tell the agent to maliciously reimplement it, but the end result might be the same - you just did it earnestly.
The bottleneck is trust and security. I'd rather defenestrate 3rd party libraries with a local instance of copilot than send all my secret sauce to some cloud/SaaS system.
Put differently, this system already exists and is in heavy use today.
because LLMs can't program anything of non-trivial complexity despite the persistent delusions from its advocates, same reason the lovers of OSS haven't magically fixed every bug in open source software.
If you’re referring to Thaler v. Perlmutter, that is not binding precedent nationwide, only in courts under the D.C. Circuit. And it only applies to “pure” AI-generated works; it did not address AI-assisted works, which seem very likely to be copyrightable.
There are two teenagers who learned about Malus in the last hour and have started figuring out how to actually build it, right now. They will not cite their source in their IPO statements.
it is straightforward to build this for real, here is my nearly one-shotted tldraw clone from a couple of weeks ago, https://x.com/c_pick/status/2028669568403578931 - the implementation side never saw the code, only the spec (in reality it did see the tldraw code in its training data, but you can't escape that anymore)
At least you think that this is satire, until the author receives a DMCA from one of the big corps saying that he leaked the transcript of their last meeting
I don't know - if you upload a package.json with any dependencies that map to real npmjs.com packages, it does lead you to a Stripe payment page which appears to be real... and it appears you'd be sending real money.
W.r.t. intent, yes. But w.r.t. content, we are long past a situation where it is unrealistic enough to function as satire.
While such tactics would render certain OSS software licenses absurd, the tactic itself, as a means to get around them, is entirely sound. It just reveals the flawed presupposition of such licenses. And I'm not sure there is really any way to patch them up now.
This is satire but this is where things are heading. The impact on the OSS ecosystem is probably not a net positive overall, but don't forget that this also applies to commercial software as well.
There will be many questions asked, like why buy some SaaS with way too many features when you can just reimplement the parts you need? Why buy some expensive software package when you can point the LLM into the binary with Ghidra or IDA or whatever then spend a few weeks to reverse it?
Sounds like my CTO. Overuse of LLMs in c-suites is like overuse of weed by teenagers - it may not cause delusions, but it sure seems to make them worse.
Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLM’s, vendored next to our code using the dependency, cannot be vulnerable since they don’t have cve’s, and therefore they don’t ever have to be maintained.
That’s how deep we are in neoliberal single truth shit now
I know this is satire, but I have an adjacent problem I could use help with. In my company, we have some legacy apps that run, but we no longer have the source, any everyone that worked on them has probably left the planet.
We need to replatform them at some point, and ideally I'd like to let some agents "use" the apps as a means to copy them / rebuild. Most of these are desktop apps, but some have browser interfaces. Has anyone tried something like this or can recommend a service that's worked for them?
I have actually very convincingly recreated a moderately complex 70s-era mainframe app by having an LLM reimplement it based on existing documentation and by accessing the textual user interface.
The biggest trick is that you need to spend 75% of your time designing and building very good verification tools (which you can do with help from the LLM), and having the LLM carefully trace as many paths as possible through the original application. This will be considerably harder for desktop apps unless you have access to something like an accessibility API that can faithfully capture and operate a GUI.
But in general, LLM performance is limited by how good your validation suite is, and whether you have scalable ways to convince yourself the software is correct.
I've done a little bit of this and Claude is pretty great. Take the app and let Claude run wild with it. It does require you to be relatively familiar with the app as you may need to guide it in the right direction.
I was able to get it to rebuild and hack together a .NET application that we don't have source for. This was done in a Linux VM and it gave me a version that I could build and run on Windows.
We're past the point of legacy blackbox apps being a mystery. Happy to talk more, my e-mail is available on my profile.
Interested to keep updated on this point. As a consultant, I've worked on transformation of legacy applications so this would help me greatly as well. We've worked on pretty archaic systems where no one knows how the system works even if we have the source code.
Yes, we hate the abuse of open source, in its everlasting legal purgatory, by large evil "other" shadows acting at a distance...
But I'm stupefied at m/y/our own oblivious excitement when extracting our expertise for others in the form of skills we share. It's a profound hacking of our reward system, on the fear of losing a job and the hope of climbing the ladder of abstraction.
Tech companies have for decades subsidized developer training and careers with free tools and tiers, support for developer communities and open-source -- in order to reduce the costs of expertise and to expand their markets. Now skills do both. For developers, the result will be like developing for or at Apple: the lucky few will work in secret, based on personal connections and product skills.
> Our proprietary AI systems have never seen the original source code.
For this to be plausible satire, they need to show how they've trained their models to code, without mit, apache, bsd or GPL/agpl code being in the training set...
This time it's satire, but I bet someone will offer exactly that for real in the next few days. The idea is unethical but far too lucrative from a business perspective.
Often OSS is used not because you want the software, but the software and the upkeep. So even with such a service, you're now just taking code in-house that you have to maintain as well.
…scanning… …fuming… …blood pressure rising… sees a quote attributed to “Chad Stockholder
Engineering Director, Profit First LLC” …oh phew, thank god for that. I actually believed this could be real for a moment!
This is essentially 'License Laundering as a Service.' The 'Firewall' they describe is an illusion because the contamination happens at the training phase, not the inference phase. You can't claim independent creation when your 'independent developer' (the commercial LLM) already has the original implementation's patterns and edge cases baked into its weights.
In order to really do this, they would need to train LLMs from scratch that had no exposure whatsoever to open source code which they may be asked to reproduce. Those models in turn would be terrible at coding given how much of the training corpus is open source code.
The solution here seems to be to impose some constraint or requirement which means that literal copying is impossible (remember, copyright governs copies, it doesn't govern ideas or algorithms - that would be 'patents', which essentially no open source software has) or where any 'copying' from vaguely remembered pretraining code is on such an abstract indirect level that it is 'transformative' and thus safe.
For example, the Anthropic Rust C compiler could hardly have copied GCC or any of the many C compilers it surely trained on, because then it wouldn't have spat out reasonably idiomatic and natural looking Rust in a differently organized codebase.
Good news for Rust and Lean, I guess, as it seems like everyone these days is looking for an excuse to rewrite everything into those for either speed or safety or both.
Obviously satire, but it will clearly be what happens in the future (predicting here, I'm not endorsing this practice). We can scratch train a new LLM on code generated from "contaminated" LLMs. We can then audit all the training data used and demonstrate that the original source wasn't in the training data. Therefore the cleanroom implementation holds. Current LLM training is relying less and less on human generated code. Just look at the open source models from China. They rely heavily on distilling from other models. One additional point. Exposure to the original source isn't enough to show infringement. Linus looked at UNIX source before writing linux.
I think this site is either satire, or serious but with a certain kind of humor in which both they and the reader know they're lying (but it's in everyone's interest to play along).
They do say this:
> Is this legal? / our clean room process is based on well-established legal precedent. The robots performing reconstruction have provably never accessed the original source code. We maintain detailed audit logs that definitely exist and are available upon request to courts in select jurisdictions.
Unless they're rejecting almost all of open source packages submitted by the customer, due to those packages being in the training set of the foundation model that they use, this is really the opposite of cleanroom.
> You have been so generous, so unreasonably, almost suspiciously generous, that you have made it possible for an entire global economy to run on software that nobody technically owns, maintained by people that nobody technically employs, governed by licenses that nobody technically reads. It is a miracle of human cooperation. It is also, from a fiduciary standpoint, completely insane.
* Many of the people maintaining FOSS are paid to do so; and if we counted 'significance' of maintained FOSS, I would not be surprised if most FOSS of critical significance is maintained for-pay (although I'm not sure).
* Publishing software without a restrictive license is not 'generous', it's the trivial and obvious thing to do. It is the restriction of copying and of source access that is convoluted, anti-social, and if you will, "insane".
* Similarly, FOSS is not a "miracle" of human cooperation, and it what you get when it is difficult to sabotage human cooperation. The situation with physical objects - machines, consumables - is more of a nightmare than the FOSS situation is a miracle. (IIRC, an economist named Veblen wrote about the sabotaging role of pecuniary interests on collaborative industrial processes, about a century ago; but I'm not sure about the details.)
* Many people read licenses, and for the short, paragraph-long licenses, I would even say that most developers read them.
* It is not insane to use FOSS from a "fiduciary standpoint".
>Our proprietary AI robots independently recreate any open source project from scratch.
Fact that this is satire aside, why would a company like this limit this methodology to only open source? Since they can make a "dirty room" AI that uses computer-use models, plays with an app, observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.
> observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.
and tbh, i cannot see any issues if this is how it is done - you just have to prove that the clean room ai has never been exposed to the source code of the app you're trying to clone.
As if the models have not seen the open source software before. That should be considered in the upcoming ruling. Technically the models are trained on exactly that.
I find surprising that the polemic I heard more talking, seems to be in the open source to close source direction.
It seems to me, that the more relevant part of this new development, for the software industry, it's a teenager working in the weekend with a LLM and making a functional clone of Autocad, for instance.
Couldn't this be done on proprietary software as well? Have an agent fuzz an interface (any type) for every bit of functionality and document it. Then have it build based on the document?
Good idea, but as several comments here suggest, the time when this sort of thing could be taken as satire is gone. I promise you there are multiple people here thinking that this is a good idea. I predict that within a year we will see a service that does exactly this.
You take Wikipedia, an LLM rewrites every single article giving them your preferred political spin and generates many more pictures for it. You make it sleeker, and price it at 4.99$ per month.
EDIT: That's crazy. They already did that. Waiting for the torment nexus now I guess.
Look, outside of your corner, a world is much much bigger and every nation and every political leaning has rights to have their own POV(for better or worse), as quite frankly this style of thinking on enforcing what others should do is really irritating.
Wikipedia for a time being had already different POVs and it was great for that time period, but as someone that does not have English as first language, I don't dream of a world, where everybody uniformly think the same - because that place already exists where that is a case and that is a graveyard.
The law should be updated to limit clean room reimplementation to a strictly human endeavor. Person, in a faraday cage room, with a machine that is too underpowered to run local LLMs. Reference material (stack overflow archives, language docs, specs, etc) are permitted.
Not sure their attempted point lands the way they think it will. I view this as an unmitigated good. Open source every damn thing. Open the floodgates. Break the system.
I'd cheer for a company like this.
It seems to dance just on the other side of what's legal, though.
This entire software ecosystem depends on volunteering and cooperation. It demands respect of the people doing the work. Adhering to their licensing terms is the payment they demand for the work they do.
If you steal their social currency, they may just walk away for good, and nobody will pick up the slack for you. And if you're a whole society of greedy little thieves, the future of software will be everyone preciously guarding and hiding their changes to the last open versions of software from some decades ago.
You should read Bruce Perens' testimony in the Jacobsen v. Katzer case that explained all this (and determined that licensing terms are enforceable, and you can't just say "his is open mine is open what's the difference?")
Open sourcing all the things sounds fun right up until you hit the point where clean room claims collapse under real legal cross-examination. If you think companies with money on the line are just going to roll over and accept it all as fair play I'd like to introduce you to the concept of discovery at $900/hr. If your business model is a legal speedrun you better budget harder than you code.
I have a feeling this will lead to huge interoperability and ecosystem fragmentation issues.
Well, there is one way... You can have a government steal all open source code and force its citizens to only use proprietary hardware and proprietary code, all government sanctioned btw. I wonder if we're headed this way.
The frustrating thing is I also thought about this as a natural conclusion - but as a natural workflow that corporations will do when they see AGPL dependencies they want to use. (I also think there's a world where we start tightening our software bill of materials anyway.)
I do not believe it will ever again make sense to build open source for business. the era of OSS as a business model will be very limited going forward. As sad and frustrating as it is, we did it to ourselves.
I feel like we live in an interesting time, where you have to second guess whether someone would actually build something like this. Like, the language is very tongue in cheek, but given how messed up copyright law is, you'd think that by now someone would be doing this, and proudly.
I was on this talk expecting to hear about MongoDB abusing open source (as you could guess from my profile, that’s a topic dear to my heart). Instead, I saw the most entertaining talk in my life.
> MalusCorp International Holdings Ltd. is not responsible for any moral implications, existential crises, or late-night guilt spirals resulting from the use of our services.
You'll find all the answers if you read more carefully:
> Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright
> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.
> "Our lawyers estimated $4M in compliance costs. MalusCorp's Total Liberation package was $50K. The board was thrilled. The open source maintainers were not, but who cares?" - Patricia Bottomline, VP of Legal, MegaSoft Industries
Let’s say instead it consolidated a few packages into 1. This might even be a good idea for security reasons.
Then it offered a mandatory 15% revenue tip to the original projects.
So far GPL enforcement usually comes down to “umm, try and sue us lol”.
How much human intervention is needed for it to be a real innovation and not llm generated. Can I someone to watch Claude do its thing and press enter 3 times ?
Some parties wouldn't be thrilled about their "source available" getting cleaned this way. So when this gets completed it would only "clean" real open source that can't afford legal trouble. Satirically structured LLM text is not a defence.
The smells suspiciously like a well positioned gag that is secretly seeking VC attention. The emotional reaction turned attention seeking feels a bit like having ulterior motives... or maybe Moltbook has made me paranoid?
I'd have mined the copied libraries with something that makes it possible to later change terms and extract fees, as it'd be expected that nobody reads the terms for such service
I did try to upload a requirements.txt with "chardet < 7.0" in it ("Copyright (C) 2024 Dan Blanchard"? I don't think so buddy, it's mine now), but despite claiming otherwise, the satirical site only takes package.json so I uploaded the one from https://github.com/prokopschield/require-gpl/
It does actually generate a price (which is suspiciously like a fixed rate of $1 per megabyte), and does actually lead you to Stripe. What happens if someone actually pays? Are they going to be refunding everything, or are they actually going to file the serial numbers off for you?
It's interesting that the focus is just on open source licenses. If one can strip licenses from source code using LLMs, then surely a Microsoft employee could do the same with the Windows source code!
This is satire, but I actually have built something that can do this extremely well as an unintentional side effect. I will not be building my business around this capability however
interesting name. The opposite of a bonus. So what is, the fact that your fork looses the thousands of eyes (meat and ai) that spot and fix bugs and security leaks?
It's an interesting word in Latin, because depending on the phonetic length of the vowel and gender it vary greatly in meaning. The word 'malus' (short a, masculine adjective) means wicked, the word 'mālus' (long ā, feminine noun) means apple tree, and 'mālus' (long ā, masculine noun) means the mast of a ship.
Presumably this is a joke, based on the "Success Reports" and the footer, among other things.
"This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services."
if it were true that indeed was legal to rewrite and relicense open source code, would that also be true for non-open source code? as in, could someone do a similar rewrite of their employers proprietary code and release it publicly?
The name was too much of a giveaway. I just hope that somebody who inevitably builds this for real is self-aware enough to name themselves so transparently.
About the only reason nobody would actually build this is there's no money in it. Who'd pay for a CRaaS version when they're not even paying for the original open source version?
I do think somebody will eventually vibe-code it for the lulz.
This is quite literally the end of open source. projects will find themselves in the position of making their test suites private to avoid being sherlocked like this
Edit: I did it. Paid them $0.51 to clean room `copyleft`, just to see what would happen. A clean package is now sitting on my desktop, custom-built (I presume) and fully documented. Deleting it now, for obvious reasons. But is it still satire if they actually provide the literal service they're satirizing?
How far do they take the satire? If you pay them do they actually generate output?
1. Best part of this (satirical) post is, the service they offer isn't really needed. LLM's can do this already for small projects, and soon likely will for large ones too. You don't need a company to do this, we all have the LLM tooling to do it. Critical we're all spending time thinking about what that means in a thoughtful way.
2. For the sake of argument assume 1 is completely true and feasible now and / or in the near term. If LLM generated code is also non copyrightable... but even if it is... if you can just make a copyleft version via the same manner... what will the licenses even mean any longer?
> 2010, Jordan Peterson: clean your room
> 2026, Malus: Clean Room as a Service
> 2026, Jordan Peterson: how could I have missed this business opportunity
>*Full legal indemnification: *Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright*
Heh, ok. So, the thinking is:
1. You contract them.
2. The actual Copyright infringement is done by an __offshore__ company.
3. If you get sued by the original software devs, you seek indemnification from the offshore subsidiary.
4. That offshore subsidiary is in a country without copyright laws or with weak laws so "you're good!"
...
5. Profit.
This is a ridiculous legal defense since this "one-way-street" legal process will almost certainly result in you being sued first... the company actually using the infringing code.
The indemnification is likely worthless since the offshore company won't have any assets anyway and will dissolve once there's a lawsuit and legal process is established.
The "guarantee" is absurd: Their "MalusCorp Guarantee" promises a refund and moving headquarters to international waters if infringement is found. This is not a real legal remedy and is written to sound like a joke, which is telling about their seriousness...
This whole "clean room as a service" concept is a legal gray area at best. In practice, it's extremely difficult to prove tha ta "clean room" process was truly clean, especially with AI models that have been trained on vast amounts of existing code (including the very projects they are "recreating").
The indemnification is a marketing gimmick to make a legally dangerous service seem safe. It creates a facade of protection while ensuring that any financial liability stays with you, the customer who wants to avoid infringement .
I think we've already seen this with "AI writes a web-browser" type PR. I guess we can still look forward to when they make license evasion an explicit part of their marketing. Then I can wryly laugh when somebody robo-whitewashes leaked commercial software, knowing that they'll get sued anyways.
blegh, i like the motivation but why again and again do you need to write the content of the page with Slop-LLM-GPT? Your motive and points are valid, why waste it on a word filter that cannot capture it?
I wish we'd distinguish between bullshit and clearly identified things that _may_ be future threats.
The linked post contains a whopping lie - "What does it mean for the open source ecosystem that 90% of our open source supply chain can currently be recreated in seconds with today's AI agents"
It can't. Not even close. Please, do show a working clean-room implementation of a major opensource package. (Not left-pad)
We really need to stop hyperventilating and get back to reality.
I unironically want this service to exist. The GNU GPL "is a tumor on the programming community, in that not only is it completely braindead, but the people who use it go on to infect other people who can't think for themselves."
Historically, it was a good license, and was able to keep Microsoft and Apple in check, in certain respects. But it's too played out now. In the past, a lot of its value came from it being not fully understood. Now it's a known quantity. You will never have a situation where NeXT is forced to open source their Objective-C frontend, for example
edit: it's satire. but likely not too far off from the reality in 6 months.
> Our process is deliberately, provably, almost tediously legal. One set of AI agents analyzes only public documentation: README files, API specifications, type definitions.
since nearly all open source dependencies couple the implementation with type definitions, I'm curious how this could pass the legal bar of the clean room.
Even if they claim to strip the implementation during their clean room process -- their own staff & services have access to the implementation during the stripping process.
I know this is satire but we're in the process of rewriting the .NET Mediatr library because ... it's nothing but a simple design pattern packaged as a paid nuget package. We don't even need LLMs to reprogram it.
So the need is real, at least for enshittified libraries.
I am blown away. Just 16 days ago, we were discussing this HN post: "FreeBSD doesn't have Wi-Fi driver for my old MacBook, so AI built one for me": https://news.ycombinator.com/item?id=47129361
In this post that I wrote: https://news.ycombinator.com/item?id=47131572 ... I theorised about how a company could reuse a similar technique to re-implement an open source project to change its license. In short: (1) Use an LLM to write a "perfect" spec from an existing open source project. (2) Use a different LLM to implement a functionally identical project in same/different programming language then select any license that you wish. Honestly, this is a terrifying reality if you can pay some service to do it on your behalf.
An interesting aspect of this, especially their blog post (https://malus.sh/blog.html ), is that it acknowledges a strain in our legal system I've been observing for decades, but don't think the legal system or people in general have dealt with, which is that generally costs matter.
A favorite example of mine is speed limits. There is a difference between "putting up a sign that says 55 mph and walking away", "putting up a sign that says 55 mph and occasionally enforcing it with expensive humans when they get around to it", and "putting up a sign that says 55 mph and rigidly enforcing it to the exact mph through a robot". Nominally, the law is "don't go faster than 55 mph". Realistically, those are three completely different policies in every way that matters.
We are all making a continual and ongoing grave error thinking that taking what were previously de jure policies that were de facto quite different in the real world, and thoughtlessly "upgrading" the de jure policies directly into de facto policies without realizing that that is in fact a huge change in policy. One that nobody voted for, one that no regulator even really thought about, one that we are just thoughtlessly putting into place because "well, the law is, 55 mph" without realizing that, no, in fact that never was the law before. That's what the law said, not what it was. In the past those could never really be the same thing. Now, more and more, they can.
This is a big change!
Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.
And without very many people consciously realizing it, we have centuries of laws that were written with the subconscious realization that enforcement is difficult and expensive, and that the discretion of that enforcement is part of the power of the government. Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.
Yet we still have almost no recognition that that is an issue. This could, perhaps surprisingly, be one of the first places we directly grapple with this in a legal case someday soon, that the legality of something may be at least partially influenced by the expense of the operation.
We should welcome more precise law enforcement. Imperfect enforcement is too easy for law enforcement officers to turn into selective enforcement. By choosing who to go after, law enforcement gets the unearned power to change the law however they want, enforcing unwritten rules of their choosing. Having law enforcement make the laws is bad.
The big caveat, though, is that when enforcement becomes more accurate, the rules and penalties need to change. As you point out, a rigidly enforced law is very different from one that is less rigorously enforced. You are right that there is very little recognition of this. The law is difficult to change by design, but it may soon have to change faster than it has in the past, and it's not clear how or if that can happen. Historically, it seems like the only way rapid governmental change happens is by violent revolution, and I would rather not live in a time of violent revolution...
Dean Ball made this exact point on the Ezra Klein show a few days ago. I always thought laws would get more just with perfect enforcement -- the people passing mandatory sentencing laws for minor drug offenses would think twice if their own children, and not just minorities and unfavourable groups, were subject to the same consequences (instead of rehab or community service).
But if I've learned anything in 20 years of software eng, it's that migration plans matter. The perfect system is irrelevant if you can't figure out how to transition to it. AI is dangling a beautiful future in front of us, but the transition looks... Very challenging
And this goes both ways.
Many governments around the world have entities to which you can write a letter, and those entities are frequently obligated to respond to that letter within a specific time frame. Those laws have been written with the understanding that most people don't know how to write letters, and those who do, will not write them unless absolutely necessary.
This allows the regulators to be slow and operate by shuffling around inefficient paper forms, instead of keeping things in an efficient ticket tracking system.
LLMs make it much, much easier to write letters, even if you don't speak the language and can only communicate at the level of a sixth-grader. Imagine what happens when the worst kind of "can I talk to your supervisor" Karen gets access to a sycophantic LLM, which tells her that she's "absolutely right, this is absolutely unacceptable behavior, I will help you write a letter to your regulator, who should help you out in this situation."
There was this scholarly article from Pamela Samuelson and Suzanne Scotchmer
https://yalelawjournal.org/pdf/200_ay258cck.pdf
which, as I recall it, suggested that the copyright law effectively considered that it was good that there was a way around copyright (with reverse engineering and clean-room implementation), and also good that the way around copyright required some investment in its own right, rather than being free, easy, and automatic.
I think Samuelson and Scotchmer thought that, as you say, costs matter, and that the legal system was recognizing this, but in a kind of indirect way, not overtly.
> Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.
Hey, I really like this framing. This is a topic that I've thought about from a different perspective.
We have all kinds of 18th and 19th century legal precedents about search, subpoenas, plain sight, surveillance in public spaces, etc... that really took for granted that police effort was limited and that enforcement would be imperfect.
But they break down when you read all the license plates, or you can subpoena anyone's email, or... whatever.
Making the laws rigid and having perfect enforcement has a cost-- but just the baseline cost to privacy and the squashing of innocent transgression is a cost.
(A counterpoint: a lot of selective law enforcement came down to whether you were unpopular or unprivileged in some way... cheaper and automated enforcement may take some of these effects away and make things more fair. Discretion in enforcement can lead to both more and less just outcomes).
Yup :P
As in their post:
"The future of software is not open. It is not closed. It is liberated, freed from the constraints of licenses written for a world in which reproduction required effort, maintained by a generation of developers who believed that sharing code was its own reward and have been comprehensively proven right about the sharing and wrong about the reward."
This applies to open-source but also very well to proprietary software too ;) Reversing your competitors' software has never been easier!
Privacy protection has the exact same issue. Wiretapping laws were created at the time there was literally a detective listening to a private phone conversation as it was happening. Now we record almost everything online, and processing it is trivial and essentially free. The safeguards are the same but the scale of privacy invasion is many orders of magnitude different.
I think this distinction also gets at some issue with things like privacy and facial recognition.
There’s the old approach of hanging a wanted poster and asking people to “call us if you see this guy”. Then there’s the new approach matching faces in a comprehensive database and camera networks.
The later is just the perfect, efficient implementation of the former. But it’s… different somehow.
The answer to this is just changing the law as enforcement becomes different, instead of leaning on the rule of a few people to determine what the appropriate level of enforcement is.
To do this, though, you're going to have to get rid of veto points! A bit hard in our disastrously constitutional system.
This has also been a common theme in recent decades with respect to privacy.
In the US, the police do not generally need a warrant to tail you as you go around town, but it is phenomenally expensive and difficult to do so. Cellphone location records, despite largely providing the same information, do require warrants because it provides extremely cheap, scalable tracking of anyone. In other words, we allow the government to acquire certain information through difficult means in hopes that it forces them to be very selective about how they use it. When the costs changed, what was allowed also had to change.
Absolutely! We're not all making that error, I've been venting about it for years.
"Costs matter" is one way to say it, probably a lot easier to digest and more popular than the "Quantity has a quality all it's own" quote I've been using, which is generally attributed to Stalin which is a little bit of a problem.
But it's absolutely true! Flock ALPRs are equivalent to a police officer with binoculars and a post-it for a wanted vehicle's make, model, and license plate, except we can put hundreds of them on the major intersections throughout a city 24/7 for $20k instead of multiplying the police budget by 20x.
A warrant to gather gigabytes of data from an ISP or email provider is equivalent to a literal wiretap and tape recorder on a suspect's phone line, except the former costs pennies to implement and the later requires a human to actually move wires and then listen for the duration.
Speed cameras are another excellent example.
Technology that changes the cost of enforcement changes the character of the law. I don't think that no one realizes this. I think many in office, many implementing the changes, and many supporting or voting for those groups are acutely aware and greedy for the increased authoritarian control but blind to the human rights harms they're causing.
> We are all making a continual and ongoing grave error
> Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.
I understand your point that changing the enforcement changes how the law is "felt" even though on the paper the law has not changed. And I think it makes sense to review and potentially revise the laws when enforcement methods change. But in the specific case of the 55 mph limit, would the consequences really be grave and terrible if the enforcement was enforced by a robot, but the law remained the same?
The issue with strictly enforcing the speed limit on roads is that sometimes, people must speed. They must break the law. Wife giving birth, rushing a wounded person to the ER, speeding to avoid a collision, etc.
If we wanted to strictly enforce speed limits, we would put governors on engines. However, doing that would cause a lot of harm to normal people. That's why we don't do it.
Stop and think about what it means to be human. We use judgement and decide when we must break the laws. And that is OK and indeed... expected.
Seconded, thirded, fourthed. I spend a lot of time thinking about how laws, in practice, are not actually intended to be perfectly enforced, and not even in the usual selective-enforcement way, just in the pragmatic sense.
> There is a difference between "putting up a sign that says 55 mph and walking away", "putting up a sign that says 55 mph and occasionally enforcing it with expensive humans when they get around to it", and "putting up a sign that says 55 mph and rigidly enforcing it to the exact mph through a robot". Nominally, the law is "don't go faster than 55 mph". Realistically, those are three completely different policies in every way that matters.
...and there's also a large difference between any of those three shifts, and the secular shift (i.e. through no change in regulatory implementation whatsoever!) that occurs when the majority of traffic begins to consist of autonomous vehicles that completely ignore the de facto flow-of-traffic speeds, because they've been programmed to rigorously follow the all laws, including posted de jure speed limits (because the car companies want to CYA.)
Which is to say: even if regulators do literally nothing, they might eventually have to change the letter of the law to better match the de facto spirit of the law, lest we are overcome by a world of robotic "work to rule" inefficiencies.
---
Also, a complete tangent: there's also an even-bigger difference between any of those shifts, and the shift that occurs when traffic calming measures are imposed on the road (narrowing, adding medians, adding curves, etc.) Speed limits are an extremely weird category of regulation, as they try to "prompt" humans to control their behavior in a way that runs directly counter to the way the road has been designed (by the very state imposing the regulations!) to "read" as being high- or low-speed. Ideally, "speed limits" wouldn't be a regulatory cudgel at all; they'd just be an internal analytical calculation on the way to to figuring out how to design the road, so that it feels unsafe to go beyond the "speed limit" speed.
Not exactly the same but at least in Spain, the cost of constructing a new building subject to all the regulations makes them completely unafforfable for low salaries.
(There are other problems, I know, but the regulations are crazy).
De jure, there is no difference between de facto and de jure. De facto there is.
Tangentially, this is also the reason why many forms of corruption can be done away with right now with modern technology.
Meaning that democratizing our existing political structures is a reality today and can be done effectively (think blockchain, think zero knowledge proofs).
On the other hand, the political struggle to actually enact this new democratic system will be THE defining struggle of our times.
> Realistically, those are three completely different policies in every way that matters.
I think that the failure to distinguish them is due to a really childish outlook on law and government that is encouraged by people who are simple-minded (because it is easy and moralistic) and by people who are in control of law and government (because it extends their control to social enforcement.)
I don't think any discussion about government, law, or democracy is worth anything without an analysis of government that actually looks at it - through seeing where decisions are made, how those decisions are disseminated, what obligations the people who receive those decisions have to follow them and what latitude they have to change them, and ultimately how they are carried out: the endpoint of government is the application of threats, physical restraint, pain, or death in order to prevent people from doing something they wish to do or force them to do something they do not wish to do, and the means to discover where those methods should be applied. The police officer, the federal agent, the private individual given indemnity from police officers and federal agencies under particular circumstances, the networked cameras pointed into the streets are government. Government has a physical, material existence, a reach.
Democracy is simpler to explain under that premise. It's the degree to which the people that this system controls control the decisions that this system carries out. The degree to which the people who control the system are indemnified from its effects is the degree of authoritarianism. Rule by the ungoverned.
It's also why the biggest sign of political childishness for me are these sort of simple ideas of "international law." International law is a bunch of understandings between nations that any one of them can back out of or simply ignore at any time for any reason, if they are willing to accept the calculated risk of consequences from the nations on the other side of the agreement. It's like national law in quality, but absolutely unlike it in quantity. Even Costa Rica has a far better chance of ignoring, without any long-term cost, the mighty US trying to enforce some treaty regulation than you as an individual have to ignore the police department.
Laws were constructed under this reality. If we hypothetically programmed those laws into unstoppable Terminator-like robots and told them to enforce them without question it would just be a completely different circumstance. If those unstoppable robots had already existed with absolute enforcement, we would have constructed the laws with more precision and absolute limitations. We wouldn't have been able to avoid it, because after a law was set the consequences would have almost instantly become apparent.
With no fuzziness, there's no selective enforcement, but also no discretion (what people call selective enforcement they agree with.) If enforcement has blanket access and reach, there's also no need to make an example or deter. Laws were explicitly formulated around these purposes, especially the penalties set. If every crime was caught current penalties would be draconian, because they implicitly assume that everyone who got caught doing one thing got away with three other things, and for each person who was caught doing a thing three others got away with doing that thing. It punishes for crimes undetected, and attempts to create fear in people still uncaught.
If you had to put a name to this phenomenon, what would it be?
>https://malus.sh/blog.html
An interesting read, however I'd like to know how to stop websites from screwing around with my scrollbars. In this case it's hidden entirely. Why is this even a thing websites are allowed to do - to change and remove browser UI elements? It makes no sense even, because I have no idea where I am on the page, or how long it is, without scrolling to the bottom to check. God I miss 2005.
It took me a minute to recognize this as satire (thank you HN comments). However it does actually make sense - maybe this could be a way for OSS devs to get paid.
What if we did build a clean room as a service but the proceeds from that didn't go to the "Malus.sh" corporation, but to the owners / maintainers of the OSS being implemented. Maybe all OSS repos should switch to AGPL or some viral license with link to pay-me-to-implement.com. Companies that want to use that package go get their own custom implementation that is under a license strictly for that company and the OSS maintainer gets paid.
I wonder what the MVP for such a thing would look like.
This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.
Copyleft was intended as a principle to keep the software free (as in 'freedom'). Proposing to lock out certain areas of the codebase is directly opposite to this principle.
I am only 50% certain that your idea is expanding on the satire, if not: project owners can provide dual licensing. I'm sorry if you are serious and didn't understand you.
This could work out great, because the OSS devs can focus on building their project instead of marketing to businesses, running sales processes, consulting on implementation and supporting the implementation. No need to find corporate sponsors either.
LOL. Same here. But the footer disclaimer and testimonials gave it away immediately:
> "We had 847 AGPL dependencies blocking our acquisition. MalusCorp liberated them all in 3 weeks. The due diligence team found zero license issues. We closed at $2.3B." - Marcus Wellington III, Former CTO, Definitely Real Corp (Acquired)
> © 2024 MalusCorp International Holdings Ltd. Registered in [JURISDICTION WITHHELD].
> This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services.
If you don't have any contributors, you could just directly relicense without rewriting the whole codebase. If you do, it would be rude to do this.
"I used to feel guilty about not attributing open source maintainers. Then I remembered that guilt doesn't show up on quarterly reports. Thank you, MalusCorp." ◆ Chad Stockholder Engineering Director, Profit First LLC
Certain views of OSS and its relation to commercial software always seemed to be fraught with highly voluntarist and moralizing attitudes and an intellectual naivete.
Don't believe in hell but I were I hope they'd be a special place for them.
It's like... revert patent troll? I'm not even sure I get it but the wording "liberation from open source license obligations." just wants to make me puke. I also doubt it's legit but I'm not a lawyer. I hope somebody at the FSF or Apache foundation or ... whomever who is though will clarify.
"Our proprietary AI systems have never seen" how can they prove that? Independent audit? Whom? How often?
Satire... yes but my blood pressure?!
This is satire, but the very notion of open source license obligations is meaningless in context. FLOSS licenses do not require you to publish your purely internal changes to the code; any publication happens by your choice, and given that AI can now supposedly engineer a clean-room reimplementation of any published program whatsoever, publishing your software with a proprietary copyright isn't going to exactly save you either.
It's a satire. The authors presented it at FOSDEM. They are people that worked previously for foss communities.
The fact that it took me the comments sections to understand this is satire speaks a lot about the current status of where things are going.
EDIT: Reading it again its quite obvious, I was just skimming at first, but still damn. Hilarious
This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.
I didn't see it was satire (having only skimmed the site) until scrolling through the comments and seeing this fake review being quoted. That's when I went "surely not", checked the site, saw it was really there, and was quite relieved this is not yet an actual thing!
Under this name or not I think it's happening regardless..
lol - it's literally called malus but I guess that's only an obvious giveaway in retrospect
I feel like this is related to these issues (with somebody attempting this approach for real):
https://github.com/chardet/chardet/issues/327
https://github.com/chardet/chardet/issues/331
It also shows why this approach is questionable. Opus 4.6 without tool use or web access can provide chardets source code in full from memory/training data (ironically, including the licensing header): https://gist.github.com/yannleretaille/1ce99e1872e5f3b7b133e...
Wow. The guy who’s been thanklessly maintaining the project for 10+ years, with very little help, went way out of his way to produce a zero-reuse, ground-up reimplementation so that it could be MIT licensed... and the very-online copyleft crowd is crucifying him for it and telling him to kick rocks.
Unbelievable. This is why we can’t have nice things.
That's worth its own submission and discussion.
> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.*
I love it. Brilliant satire that foreshadows the future.
The satire is A-grade.
On a quick glance, or skim read, you could be excused for believing this is real, but they drop just enough nuggets throughout that by the end there is no ambiguity.
Really helps illustrates how realistic this could be.
I first encountered the concept of "clean room" in the context of Sean Lahman's free baseball stats database. While technically baseball stats are free, their compiling and manner of presentation in any given format may be claimed as proprietary by any particular provider. And so there's an extensive volunteer effort from baseball fans to "clean room" source them from independent sources such that they are verifying the stats independently of their provenance as a legally permitted basis for building out the database.
I even recall Baseball Mogul relied on the Lahman DB for a period of time. It does make me wonder if we'll see more of that.
This is extremely good satire. Question is, why hasn't anyone done this for real? There's enough people with the right knowledge and who would love to destroy open source for personal gain. Is it that this kind of service would be so open to litigation that it would need a lot of money upfront? Or is someone already working on this, and we're just living out the last good days of OSS?
What would be the incentive for someone to do this for real?
We all have access to SOTA LLMs. If I want a "clean room" implementation of some OSS library, and I can choose between paying a third party to run a script to have AI rebuild the whole library for me and just asking Claude to generate the bits of the library I need, why would I choose to pay?
I think this argument applies to most straightforward "AI generated product" business ideas. Any dev can access a SOTA coding model for $20p/m. The value-add isn't "we used AI to do the thing fast", it's the wrapping around it.
Maybe in this case the "wrapping" is that some other company is taking on the legal risk?
There's a lot of things you could do to be malicious towards other people with minimal effort, yet strangely few people do it. Virtually everyone has morals, and most people's are quite compatible with society (hence we have a society) even if small perturbations in foundational morals sometimes lead to seemingly large discrepancies in resultant actions
You need the right kind of person, in the right life circumstances, to have this idea before it happens for real. By having publicity, it becomes vastly more likely that it finds someone who meets the former two criteria, like how it works with other crime (https://en.wikipedia.org/wiki/Copycat_crime). So thanks, Malus :P
What do you mean nobody has done it?
It's an inevitable outcome of automatic code generation that people will do this all the time without thinking about it.
Example: you want a feature in your project, and you know this github repo implements it, so you tell an AI agent to implement the feature and link to the github repo just for reference.
You didn't tell the agent to maliciously reimplement it, but the end result might be the same - you just did it earnestly.
The bottleneck is trust and security. I'd rather defenestrate 3rd party libraries with a local instance of copilot than send all my secret sauce to some cloud/SaaS system.
Put differently, this system already exists and is in heavy use today.
>why hasn't anyone done this for real?
because LLMs can't program anything of non-trivial complexity despite the persistent delusions from its advocates, same reason the lovers of OSS haven't magically fixed every bug in open source software.
> why hasn't anyone done this for real?
WDYM? LLMs are essentially this.
The post claims (tongue-in-cheek, of course) that their customer owns the resulting code.
But that's not true!
According to binding precedent, works created by an AI are not protected by copyright. NO ONE OWNS THEM!!!
I think maybe this is a good thing, but honestly, it's hard to tell.
This is a misreading of the law. Court cases say that AI cannot own copyright, not that AI output cannot be copyrighted.
If you’re referring to Thaler v. Perlmutter, that is not binding precedent nationwide, only in courts under the D.C. Circuit. And it only applies to “pure” AI-generated works; it did not address AI-assisted works, which seem very likely to be copyrightable.
There are two teenagers who learned about Malus in the last hour and have started figuring out how to actually build it, right now. They will not cite their source in their IPO statements.
it is straightforward to build this for real, here is my nearly one-shotted tldraw clone from a couple of weeks ago, https://x.com/c_pick/status/2028669568403578931 - the implementation side never saw the code, only the spec (in reality it did see the tldraw code in its training data, but you can't escape that anymore)
The Torment Nexus must be built, because someone wants a lambo.
Note for people who just briefly skimmed the site: This is satire.
At least you think that this is satire, until the author receives a DMCA from one of the big corps saying that he leaked the transcript of their last meeting
Too late. Someone's senior executive management has probably already seen it and spinning up a new project to implement it.
Yeah, thank you. I was starting to get a little heated.
The situation is a bit too Torment Nexus-y for my comfort, thank you very much
its partial satire. I kinda believe Claude/Codex spill lots of OSS code without license attribution for many millions of devs already.
I don't know - if you upload a package.json with any dependencies that map to real npmjs.com packages, it does lead you to a Stripe payment page which appears to be real... and it appears you'd be sending real money.
Maybe that's part of the joke, though :)
Thank you for pointing that out, I genuinely was scratching my head and questioning if this site was serious.
I know this is satire, but I would wish to see something like this for liberating proprietary & closed-source hardware drivers.
For now
For now...
Malus Corporation = EvilCorp
W.r.t. intent, yes. But w.r.t. content, we are long past a situation where it is unrealistic enough to function as satire.
While such tactics would render certain OSS software licenses absurd, the tactic itself, as a means to get around them, is entirely sound. It just reveals the flawed presupposition of such licenses. And I'm not sure there is really any way to patch them up now.
I was wondering. I had heard chardet story and wouldn't be surprised to see others moving into that same space.
It legit got me. An actual "whaaaaaatttt?" out loud and then I had to figure out why it was the top of HN haha.
This is satire but this is where things are heading. The impact on the OSS ecosystem is probably not a net positive overall, but don't forget that this also applies to commercial software as well.
There will be many questions asked, like why buy some SaaS with way too many features when you can just reimplement the parts you need? Why buy some expensive software package when you can point the LLM into the binary with Ghidra or IDA or whatever then spend a few weeks to reverse it?
This is going to bring back software patents.
"Change all your core software library dependencies to be unmaintained ripoff copies of those libraries." Sounds wise.....¡¡
Guaranteed CVE-free at time of delivery!
Sounds like my CTO. Overuse of LLMs in c-suites is like overuse of weed by teenagers - it may not cause delusions, but it sure seems to make them worse.
Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLM’s, vendored next to our code using the dependency, cannot be vulnerable since they don’t have cve’s, and therefore they don’t ever have to be maintained.
That’s how deep we are in neoliberal single truth shit now
I was really hoping that this was just a service that would literally clean my room.
I know this is satire, but I have an adjacent problem I could use help with. In my company, we have some legacy apps that run, but we no longer have the source, any everyone that worked on them has probably left the planet.
We need to replatform them at some point, and ideally I'd like to let some agents "use" the apps as a means to copy them / rebuild. Most of these are desktop apps, but some have browser interfaces. Has anyone tried something like this or can recommend a service that's worked for them?
I have actually very convincingly recreated a moderately complex 70s-era mainframe app by having an LLM reimplement it based on existing documentation and by accessing the textual user interface.
The biggest trick is that you need to spend 75% of your time designing and building very good verification tools (which you can do with help from the LLM), and having the LLM carefully trace as many paths as possible through the original application. This will be considerably harder for desktop apps unless you have access to something like an accessibility API that can faithfully capture and operate a GUI.
But in general, LLM performance is limited by how good your validation suite is, and whether you have scalable ways to convince yourself the software is correct.
I've done a little bit of this and Claude is pretty great. Take the app and let Claude run wild with it. It does require you to be relatively familiar with the app as you may need to guide it in the right direction.
I was able to get it to rebuild and hack together a .NET application that we don't have source for. This was done in a Linux VM and it gave me a version that I could build and run on Windows.
We're past the point of legacy blackbox apps being a mystery. Happy to talk more, my e-mail is available on my profile.
Interested to keep updated on this point. As a consultant, I've worked on transformation of legacy applications so this would help me greatly as well. We've worked on pretty archaic systems where no one knows how the system works even if we have the source code.
Well, what kind of desktop apps?
Unless obfuscated C# desktop apps are pretty friendly to decompile.
Yes, we hate the abuse of open source, in its everlasting legal purgatory, by large evil "other" shadows acting at a distance...
But I'm stupefied at m/y/our own oblivious excitement when extracting our expertise for others in the form of skills we share. It's a profound hacking of our reward system, on the fear of losing a job and the hope of climbing the ladder of abstraction.
Tech companies have for decades subsidized developer training and careers with free tools and tiers, support for developer communities and open-source -- in order to reduce the costs of expertise and to expand their markets. Now skills do both. For developers, the result will be like developing for or at Apple: the lucky few will work in secret, based on personal connections and product skills.
Just give it 2 years and this will exist for real.
> Our proprietary AI systems have never seen the original source code.
For this to be plausible satire, they need to show how they've trained their models to code, without mit, apache, bsd or GPL/agpl code being in the training set...
Haha, was extremely rage-baited by this. Thanks.
This time it's satire, but I bet someone will offer exactly that for real in the next few days. The idea is unethical but far too lucrative from a business perspective.
Often OSS is used not because you want the software, but the software and the upkeep. So even with such a service, you're now just taking code in-house that you have to maintain as well.
The people that will take this as a good thing unironically will just have their personal Yes Man do that work internally.
…scanning… …fuming… …blood pressure rising… sees a quote attributed to “Chad Stockholder Engineering Director, Profit First LLC” …oh phew, thank god for that. I actually believed this could be real for a moment!
This is essentially 'License Laundering as a Service.' The 'Firewall' they describe is an illusion because the contamination happens at the training phase, not the inference phase. You can't claim independent creation when your 'independent developer' (the commercial LLM) already has the original implementation's patterns and edge cases baked into its weights.
In order to really do this, they would need to train LLMs from scratch that had no exposure whatsoever to open source code which they may be asked to reproduce. Those models in turn would be terrible at coding given how much of the training corpus is open source code.
>The 'Firewall' they describe is an illusion because [...]
it is an illusion because this is a satire site.
The solution here seems to be to impose some constraint or requirement which means that literal copying is impossible (remember, copyright governs copies, it doesn't govern ideas or algorithms - that would be 'patents', which essentially no open source software has) or where any 'copying' from vaguely remembered pretraining code is on such an abstract indirect level that it is 'transformative' and thus safe.
For example, the Anthropic Rust C compiler could hardly have copied GCC or any of the many C compilers it surely trained on, because then it wouldn't have spat out reasonably idiomatic and natural looking Rust in a differently organized codebase.
Good news for Rust and Lean, I guess, as it seems like everyone these days is looking for an excuse to rewrite everything into those for either speed or safety or both.
Obviously satire, but it will clearly be what happens in the future (predicting here, I'm not endorsing this practice). We can scratch train a new LLM on code generated from "contaminated" LLMs. We can then audit all the training data used and demonstrate that the original source wasn't in the training data. Therefore the cleanroom implementation holds. Current LLM training is relying less and less on human generated code. Just look at the open source models from China. They rely heavily on distilling from other models. One additional point. Exposure to the original source isn't enough to show infringement. Linus looked at UNIX source before writing linux.
I think this site is either satire, or serious but with a certain kind of humor in which both they and the reader know they're lying (but it's in everyone's interest to play along).
They do say this:
> Is this legal? / our clean room process is based on well-established legal precedent. The robots performing reconstruction have provably never accessed the original source code. We maintain detailed audit logs that definitely exist and are available upon request to courts in select jurisdictions.
Unless they're rejecting almost all of open source packages submitted by the customer, due to those packages being in the training set of the foundation model that they use, this is really the opposite of cleanroom.
This is definitely a parody though, not a real service.
> You have been so generous, so unreasonably, almost suspiciously generous, that you have made it possible for an entire global economy to run on software that nobody technically owns, maintained by people that nobody technically employs, governed by licenses that nobody technically reads. It is a miracle of human cooperation. It is also, from a fiduciary standpoint, completely insane.
Funny but true.
Where do you see this? It doesn't appear to be in the website (if it's in the video, I didn't watch it but it's not in the subtitle file)
It's funny that humans working together for mutual benefit via any other mechanism than regimented corporate slavery is considered insane.
It's not true (and also not funny):
* Many of the people maintaining FOSS are paid to do so; and if we counted 'significance' of maintained FOSS, I would not be surprised if most FOSS of critical significance is maintained for-pay (although I'm not sure).
* Publishing software without a restrictive license is not 'generous', it's the trivial and obvious thing to do. It is the restriction of copying and of source access that is convoluted, anti-social, and if you will, "insane".
* Similarly, FOSS is not a "miracle" of human cooperation, and it what you get when it is difficult to sabotage human cooperation. The situation with physical objects - machines, consumables - is more of a nightmare than the FOSS situation is a miracle. (IIRC, an economist named Veblen wrote about the sabotaging role of pecuniary interests on collaborative industrial processes, about a century ago; but I'm not sure about the details.)
* Many people read licenses, and for the short, paragraph-long licenses, I would even say that most developers read them.
* It is not insane to use FOSS from a "fiduciary standpoint".
Isn't that the premise of Fallout ?
>Our proprietary AI robots independently recreate any open source project from scratch.
Fact that this is satire aside, why would a company like this limit this methodology to only open source? Since they can make a "dirty room" AI that uses computer-use models, plays with an app, observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.
> observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.
and tbh, i cannot see any issues if this is how it is done - you just have to prove that the clean room ai has never been exposed to the source code of the app you're trying to clone.
As if the models have not seen the open source software before. That should be considered in the upcoming ruling. Technically the models are trained on exactly that.
That's funny.
I find surprising that the polemic I heard more talking, seems to be in the open source to close source direction.
It seems to me, that the more relevant part of this new development, for the software industry, it's a teenager working in the weekend with a LLM and making a functional clone of Autocad, for instance.
Couldn't this be done on proprietary software as well? Have an agent fuzz an interface (any type) for every bit of functionality and document it. Then have it build based on the document?
Theory: Any system, legal or otherwise, that denies the Axioms of Reality, will eventually fail.
Axiom of Reality: “Intellectual Property” does not exist.
This is brilliant satire. Wonderful response to the “rewrite” of chardet.
^ For those who haven’t been keeping up on the debacle.
Good idea, but as several comments here suggest, the time when this sort of thing could be taken as satire is gone. I promise you there are multiple people here thinking that this is a good idea. I predict that within a year we will see a service that does exactly this.
Love the product link in footer to "Emergency AGPL Removal"
If this site actually connects to Stripe, it's much more than just satire. It's a honeypot :D
Was hoping this was a service that cleaned actual rooms, combining organizing and cleaning. :-(
Clean room was a poor choice of words… I thought it was an actual clean room for semiconductor devices :(
It's already a term of art used for this very purpose. https://en.wikipedia.org/wiki/Clean-room_design
The joke is that the models have already seen the source code of said packages regardless, right?
Yeah it's just a slightly more honest and simplified presentation of what LLMs providers do IMO.
Why only FOSS? Why not Wikipedia?
You take Wikipedia, an LLM rewrites every single article giving them your preferred political spin and generates many more pictures for it. You make it sleeker, and price it at 4.99$ per month.
EDIT: That's crazy. They already did that. Waiting for the torment nexus now I guess.
This was already done, see: Grokipedia.
Look, outside of your corner, a world is much much bigger and every nation and every political leaning has rights to have their own POV(for better or worse), as quite frankly this style of thinking on enforcing what others should do is really irritating. Wikipedia for a time being had already different POVs and it was great for that time period, but as someone that does not have English as first language, I don't dream of a world, where everybody uniformly think the same - because that place already exists where that is a case and that is a graveyard.
aren't you describing what elon already did https://grokipedia.com/
So Grokipedia?
The law should be updated to limit clean room reimplementation to a strictly human endeavor. Person, in a faraday cage room, with a machine that is too underpowered to run local LLMs. Reference material (stack overflow archives, language docs, specs, etc) are permitted.
Not sure their attempted point lands the way they think it will. I view this as an unmitigated good. Open source every damn thing. Open the floodgates. Break the system.
I'd cheer for a company like this.
It seems to dance just on the other side of what's legal, though.
> I view this as an unmitigated good.
Then I don't think you've thought it through.
This entire software ecosystem depends on volunteering and cooperation. It demands respect of the people doing the work. Adhering to their licensing terms is the payment they demand for the work they do.
If you steal their social currency, they may just walk away for good, and nobody will pick up the slack for you. And if you're a whole society of greedy little thieves, the future of software will be everyone preciously guarding and hiding their changes to the last open versions of software from some decades ago.
You should read Bruce Perens' testimony in the Jacobsen v. Katzer case that explained all this (and determined that licensing terms are enforceable, and you can't just say "his is open mine is open what's the difference?")
https://web.archive.org/web/20100331083827/http://perens.com...
> I view this as an unmitigated good. Open source every damn thing.
Agree, I said this in another comment, AI-generated anything should be public domain. Public data in, public domain out.
This train wreck in slow motion of AI slowly eroding the open web is no good, let's rip the bandaid.
Open sourcing all the things sounds fun right up until you hit the point where clean room claims collapse under real legal cross-examination. If you think companies with money on the line are just going to roll over and accept it all as fair play I'd like to introduce you to the concept of discovery at $900/hr. If your business model is a legal speedrun you better budget harder than you code.
Open source is good, washing open source licences is very bad.
I publish under AGPL and if someone ever took my project and washed it to MIT I would probably just take all my code offline forever. Fuck that.
I have a feeling this will lead to huge interoperability and ecosystem fragmentation issues.
Well, there is one way... You can have a government steal all open source code and force its citizens to only use proprietary hardware and proprietary code, all government sanctioned btw. I wonder if we're headed this way.
Before I visited the site, I was really confused. First, the name means bad, as in evil. Second, I couldn't understand what CRaaS was supposed to be.
But I love it! The perfect response to the "clean room" AI re-implementation and re-licensing of whatever that library is called.
>whatever that library is called
https://news.ycombinator.com/item?id=47259177
I ate the onion. But in my defense, people are really putting forward this argument to relicense from GPL to MIT:
https://github.com/chardet/chardet/issues/327
The frustrating thing is I also thought about this as a natural conclusion - but as a natural workflow that corporations will do when they see AGPL dependencies they want to use. (I also think there's a world where we start tightening our software bill of materials anyway.)
I do not believe it will ever again make sense to build open source for business. the era of OSS as a business model will be very limited going forward. As sad and frustrating as it is, we did it to ourselves.
I feel like we live in an interesting time, where you have to second guess whether someone would actually build something like this. Like, the language is very tongue in cheek, but given how messed up copyright law is, you'd think that by now someone would be doing this, and proudly.
they really had an entertaining presentation in fosdem 2026 about this. bit too noisy for my taste but regardless:
https://fosdem.org/2026/schedule/event/SUVS7G-lets_end_open_...
I was on this talk expecting to hear about MongoDB abusing open source (as you could guess from my profile, that’s a topic dear to my heart). Instead, I saw the most entertaining talk in my life.
Why would I pay for this? Makes no sense.
It's just confirming to me "yes, LLMs can do it so reliably that someone is trying to sell it, so I can probably just ask an LLM then".
Is AI-driven clean room implementation a wild west at the moment? I suppose there haven't yet been any cases to test this out in real life?
> MalusCorp International Holdings Ltd. is not responsible for any moral implications, existential crises, or late-night guilt spirals resulting from the use of our services.
I think they should take some responsibility!
It will soon not be a joke, and it reminds me of these crypto bitcoin tumblers
How is this legal. Unless it’s trained excluding *all* open source code it’s not legal.
Also, using api and docs itself though not illegal seems defeat the purpose.
Also, it’s not right how creator says “pesky credits to creator”.
Just build your own then. Credit is the least thing everyone using should do.
You'll find all the answers if you read more carefully:
> Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright
> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.
> "Our lawyers estimated $4M in compliance costs. MalusCorp's Total Liberation package was $50K. The board was thrilled. The open source maintainers were not, but who cares?" - Patricia Bottomline, VP of Legal, MegaSoft Industries
So they recreate the open source project by using an llm that was trained in the open source project's source code.
As a hypothetical.
Let’s say instead it consolidated a few packages into 1. This might even be a good idea for security reasons.
Then it offered a mandatory 15% revenue tip to the original projects.
So far GPL enforcement usually comes down to “umm, try and sue us lol”.
How much human intervention is needed for it to be a real innovation and not llm generated. Can I someone to watch Claude do its thing and press enter 3 times ?
If the AI could do good refactor of OS project, remove unused code/features and make the code more efficient. Than we really would be out of jobs :D
Some parties wouldn't be thrilled about their "source available" getting cleaned this way. So when this gets completed it would only "clean" real open source that can't afford legal trouble. Satirically structured LLM text is not a defence.
The smells suspiciously like a well positioned gag that is secretly seeking VC attention. The emotional reaction turned attention seeking feels a bit like having ulterior motives... or maybe Moltbook has made me paranoid?
First I thought this is about manufacturing. Like semiconductor fabs requirement for room cleanness.
I'd have mined the copied libraries with something that makes it possible to later change terms and extract fees, as it'd be expected that nobody reads the terms for such service
Have fun when using this service is itself used in court as evidence for creating a malicious copy
Heh, why don't you do the opposite - recreate proprietary software with open source license
I expect that thousands of people are now doing just that. Most proprietary software is just a shiny UI in front of a crappy database schema.
You know the satire is so good that people actually confused this for something real:))
I did try to upload a requirements.txt with "chardet < 7.0" in it ("Copyright (C) 2024 Dan Blanchard"? I don't think so buddy, it's mine now), but despite claiming otherwise, the satirical site only takes package.json so I uploaded the one from https://github.com/prokopschield/require-gpl/
It does actually generate a price (which is suspiciously like a fixed rate of $1 per megabyte), and does actually lead you to Stripe. What happens if someone actually pays? Are they going to be refunding everything, or are they actually going to file the serial numbers off for you?
Today's satire is tomorrow's reality, if the last 50 or so years is anything to go by.
is the motto, "Don't be good?"
"I solemnly swear that I am up to no good" and their seal is ⍼.
https://www.hp-lexicon.org/magic/solemnly-swear-no-good/
https://news.ycombinator.com/item?id=47329605
https://www.explainxkcd.com/wiki/index.php/2606:_Weird_Unico...
I have to admit It took me an unconfortably long amount of time to realize this was fake-
It's interesting that the focus is just on open source licenses. If one can strip licenses from source code using LLMs, then surely a Microsoft employee could do the same with the Windows source code!
Hope they have very good lawyers...
This is satire, but I actually have built something that can do this extremely well as an unintentional side effect. I will not be building my business around this capability however
Are licenses even enforceable now? Given that the law is not being followed in the United States anymore?
Everything is enforceable by the rich, nothing is enforceable by the poor
interesting name. The opposite of a bonus. So what is, the fact that your fork looses the thousands of eyes (meat and ai) that spot and fix bugs and security leaks?
This is an art project right? …right?
malus, mala, malum ADJ
bad, evil, wicked; ugly; unlucky;
It's an interesting word in Latin, because depending on the phonetic length of the vowel and gender it vary greatly in meaning. The word 'malus' (short a, masculine adjective) means wicked, the word 'mālus' (long ā, feminine noun) means apple tree, and 'mālus' (long ā, masculine noun) means the mast of a ship.
Homonym of "malice" too. Honestly kind of a brilliant name.
Man, how could they not wait 2.5 weeks until April 1 !!!
It will be nice to know how many legal personnel fell for this trip. Maybe a leaderboard :D
Presumably this is a joke, based on the "Success Reports" and the footer, among other things.
"This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services."
Thought this was about semiconductor cleanrooms at first. Any startups doing that?
The name gives it away :)
Let's not give anyone ideas!
if it were true that indeed was legal to rewrite and relicense open source code, would that also be true for non-open source code? as in, could someone do a similar rewrite of their employers proprietary code and release it publicly?
Poe's Law just smacked me upside the head on this one. Hard.
The name was too much of a giveaway. I just hope that somebody who inevitably builds this for real is self-aware enough to name themselves so transparently.
About the only reason nobody would actually build this is there's no money in it. Who'd pay for a CRaaS version when they're not even paying for the original open source version?
I do think somebody will eventually vibe-code it for the lulz.
This is quite literally the end of open source. projects will find themselves in the position of making their test suites private to avoid being sherlocked like this
I hate to say it, but if you dropped the sarcasm and I think you'd have a viable business ... Truly a bizarre place we find ourselves in.
> per package = max( $0.01, size_kb × $0.01 )
> order total = max( $0.50, sum of all packages )
> $0.50 minimum applies per order (Stripe processing floor). No base fee.
Not sure I can trust their output if this simple thing is fluffed
Edit: I did it. Paid them $0.51 to clean room `copyleft`, just to see what would happen. A clean package is now sitting on my desktop, custom-built (I presume) and fully documented. Deleting it now, for obvious reasons. But is it still satire if they actually provide the literal service they're satirizing?
How far do they take the satire? If you pay them do they actually generate output?
Is it satire? Or is it a warning?
I bet someone has already made this service for real.
A lot of people, including perhaps the creator of this, feel that LLMs themselves are this service.
It exists! It's called Claude Code.
Distinguished staff level trolling
1. Best part of this (satirical) post is, the service they offer isn't really needed. LLM's can do this already for small projects, and soon likely will for large ones too. You don't need a company to do this, we all have the LLM tooling to do it. Critical we're all spending time thinking about what that means in a thoughtful way.
2. For the sake of argument assume 1 is completely true and feasible now and / or in the near term. If LLM generated code is also non copyrightable... but even if it is... if you can just make a copyleft version via the same manner... what will the licenses even mean any longer?
> 2010, Jordan Peterson: clean your room > 2026, Malus: Clean Room as a Service > 2026, Jordan Peterson: how could I have missed this business opportunity
From their front page:
>*Full legal indemnification: *Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright*
Heh, ok. So, the thinking is:
1. You contract them.
2. The actual Copyright infringement is done by an __offshore__ company.
3. If you get sued by the original software devs, you seek indemnification from the offshore subsidiary.
4. That offshore subsidiary is in a country without copyright laws or with weak laws so "you're good!"
...
5. Profit.
This is a ridiculous legal defense since this "one-way-street" legal process will almost certainly result in you being sued first... the company actually using the infringing code.
The indemnification is likely worthless since the offshore company won't have any assets anyway and will dissolve once there's a lawsuit and legal process is established.
The "guarantee" is absurd: Their "MalusCorp Guarantee" promises a refund and moving headquarters to international waters if infringement is found. This is not a real legal remedy and is written to sound like a joke, which is telling about their seriousness...
This whole "clean room as a service" concept is a legal gray area at best. In practice, it's extremely difficult to prove tha ta "clean room" process was truly clean, especially with AI models that have been trained on vast amounts of existing code (including the very projects they are "recreating").
The indemnification is a marketing gimmick to make a legally dangerous service seem safe. It creates a facade of protection while ensuring that any financial liability stays with you, the customer who wants to avoid infringement .
whoosh
Was malice.sh taken?
I love these satirical sites that take a jab at how LLMs are (genuinely) ruining software.
See: https://deploycel.org/
Am I the only one who saw the title and thought it was about physical clean-rooms?
No
It took me too long to understand it’s satire. BP went through stratosphere before I noticed.
Let’s hope one of these fake AI grifters doesn’t take this as a serious idea, raised a couple hundred million, and do real damage.
(I’m not against AI, I just don’t like nonsense either in tech, or people)
Wait this is joke, yep this is a joke... Wait it's not a joke why are people taking this seriously? Ok good this is a joke wait it's REAL?
See also: claw-guard.org/adnet, ai-ceo.org and ai-chro.org in this category
The irony of course is that this service already exists. It's called Claude Code (or Codex, etc...) and it costs $200 / month.
I know this is satire, but I worry that it's giving some scumbags out there ideas.
Amazon getting all excited hoping it's real.
Amazon C*s calling Amazon Legal to ask if they could get away with implementing something like this internally, more like.
Oof, this is unironically amazing!
Ah yes, how apropos, a "modest proposal" for a new AI era.
Oh no… VCs will see this and take it seriously
I think we've already seen this with "AI writes a web-browser" type PR. I guess we can still look forward to when they make license evasion an explicit part of their marketing. Then I can wryly laugh when somebody robo-whitewashes leaked commercial software, knowing that they'll get sued anyways.
blegh, i like the motivation but why again and again do you need to write the content of the page with Slop-LLM-GPT? Your motive and points are valid, why waste it on a word filter that cannot capture it?
turd.png classy
New_projectname
Brought to you by Jin Yang from Silicon Valley HBO.
In this climate, it almost feels like it's not satire.
Bruh this feels evil hahaha
Now this is a conversation piece
Can we stop with the AI slop here? Last chance then I have to look elsewhere for real content.
I wish we'd distinguish between bullshit and clearly identified things that _may_ be future threats.
The linked post contains a whopping lie - "What does it mean for the open source ecosystem that 90% of our open source supply chain can currently be recreated in seconds with today's AI agents"
It can't. Not even close. Please, do show a working clean-room implementation of a major opensource package. (Not left-pad)
We really need to stop hyperventilating and get back to reality.
I unironically want this service to exist. The GNU GPL "is a tumor on the programming community, in that not only is it completely braindead, but the people who use it go on to infect other people who can't think for themselves."
Historically, it was a good license, and was able to keep Microsoft and Apple in check, in certain respects. But it's too played out now. In the past, a lot of its value came from it being not fully understood. Now it's a known quantity. You will never have a situation where NeXT is forced to open source their Objective-C frontend, for example
edit: it's satire. but likely not too far off from the reality in 6 months.
> Our process is deliberately, provably, almost tediously legal. One set of AI agents analyzes only public documentation: README files, API specifications, type definitions.
since nearly all open source dependencies couple the implementation with type definitions, I'm curious how this could pass the legal bar of the clean room.
Even if they claim to strip the implementation during their clean room process -- their own staff & services have access to the implementation during the stripping process.
yay capitalism. thank god it is a joke!
> Those maintainers worked for free—why should they get credit?
ROFL
I know this is satire but we're in the process of rewriting the .NET Mediatr library because ... it's nothing but a simple design pattern packaged as a paid nuget package. We don't even need LLMs to reprogram it.
So the need is real, at least for enshittified libraries.
I am blown away. Just 16 days ago, we were discussing this HN post: "FreeBSD doesn't have Wi-Fi driver for my old MacBook, so AI built one for me": https://news.ycombinator.com/item?id=47129361
In this post that I wrote: https://news.ycombinator.com/item?id=47131572 ... I theorised about how a company could reuse a similar technique to re-implement an open source project to change its license. In short: (1) Use an LLM to write a "perfect" spec from an existing open source project. (2) Use a different LLM to implement a functionally identical project in same/different programming language then select any license that you wish. Honestly, this is a terrifying reality if you can pay some service to do it on your behalf.