Hi all,
I want to bring to attention a situation which has unfolded over the past two days. In this Mastodon thread, we in the Python community have learned that the GitHub account mdmintz, as well as their single-user GitHub organizations SeleniumBase and TensorPy, have published several packages improperly. At least one of those packages, pynose, is currently included in nixpkgs; a PR to remove it is available here. This thread is for discussing what further action, if any, needs to be taken to avoid problems with this account in the future.
To be specific, it appears that the published packages are improperly licensed; they substantially include code from other packages under other licenses. Additionally, attribution has not always been properly preserved. We have confirmed for pynose that at least one original author had their attribution and license improperly removed. Other packages suspected of improper licensing at this time include:
I recognize that recommending removal is an extreme position and not my personal preference; I would prefer to see this as an accidental-LGPL situation, where the account restores the LGPL and gives their commits back to the community. However, they have made it clear that their plagiarism is intentional, unrepentant, and unguided by legal advice; they cite this closed outdated Stack Overflow answer for their justification, which implies that they genuinely believe themselves to be the sole and original author. We would not be alone in distrusting this upstream; Fedora’s maintainer indicated that they are obligated by Fedora’s legal policy, crafted by attorneys, to undergo a similar examination.