Distrusting upstream packages from mdmintz

Hi all,

I want to bring to attention a situation which has unfolded over the past two days. In this Mastodon thread, we in the Python community have learned that the GitHub account mdmintz, as well as their single-user GitHub organizations SeleniumBase and TensorPy, have published several packages improperly. At least one of those packages, pynose, is currently included in nixpkgs; a PR to remove it is available here. This thread is for discussing what further action, if any, needs to be taken to avoid problems with this account in the future.

To be specific, it appears that the published packages are improperly licensed; they substantially include code from other packages under other licenses. Additionally, attribution has not always been properly preserved. We have confirmed for pynose that at least one original author had their attribution and license improperly removed. Other packages suspected of improper licensing at this time include:

  • pbrkr (GH)
  • pdbp (GH)
  • sbVirtualDisplay (GH)
  • SeleniumBase/resource-files (GH)
  • TensorPy/TensorPy (GH)

I recognize that recommending removal is an extreme position and not my personal preference; I would prefer to see this as an accidental-LGPL situation, where the account restores the LGPL and gives their commits back to the community. However, they have made it clear that their plagiarism is intentional, unrepentant, and unguided by legal advice; they cite this closed outdated Stack Overflow answer for their justification, which implies that they genuinely believe themselves to be the sole and original author. We would not be alone in distrusting this upstream; Fedora’s maintainer indicated that they are obligated by Fedora’s legal policy, crafted by attorneys, to undergo a similar examination.

7 Likes

I don’t see any other packages from this upstream in Nixpkgs currently. Do you know of any? I agree that removal would be a reasonable step given the way events have unfolded and continue to unfold.

This post was flagged by the community and is temporarily hidden.

I don’t think we have any other packages from this upstream, no. I think that any further discussion should center around whether an upstream can temporarily or permanently lose our trust. In this particular case, pynose has had its license fixed in this PR, but the other cases have been ignored and some of the provoking issues have been deleted entirely. We might be better off forbidding code from an upstream source who only properly licenses code when under immense community pressure.

1 Like