Re: Next Steps For the Software Heritage Problem

[Ian Eure <ian@retrospec.tv>]

Hi MSavoritias,

Thank you for the email.

I’m going to lay out this situation as clearly as I can, in the 
hope that others will better understand, and hopefully treat it 
with the seriousness it deserves.

1. Guix requests SWH to archive some source code.  This is fine.

2. SWH archives the code.  This is also fine.

3. SWH gives all their source to an AI company, HuggingFace.  This 
is questionable.  While fine in theory, the company they gave it 
to, HuggingFace, violates both the licenses of the code they’re 
given, and SWH’s own policy on LLMs.  Instead of terminating the 
partnership, SWH has continued to tout it as "responsible AI" in 
the face of these violations[1].  This makes me doubt whether 
they’re acting in good faith.

4. HuggingFace trains a LLM out of all the code they’re given and 
redistributes it.  This is *not* fine.  The LLM is a derivative 
work of the source code it’s trained on, which violates the 
licenses of many projects in its training set -- it’s akin to 
compiling a gigantic .so file built from the SWH dataset.

5. HuggingFace uses its StarCoder2 LLM to generate source code. 
This is *also* not fine.  This output is also a derivative work of 
the inputs, and it’s redistributed with no license or attribution 
whatsoever.  HuggingFace purports to include attribution in their 
model, however, their own tools make no use of it and emit code 
with no attribution.  You can observe this behavior yourself: 
https://huggingface.co/spaces/HuggingFaceH4/starchat2-playground

I understand Guix’s participation is several degrees removed from 
where the core of the problem lies.  However, the partnership with 
SWH is indirectly enabling massive violations of the licenses of 
the software it packages.  Guix should stop doing that.

Thanks,

  — Ian

[1]: 
https://www.softwareheritage.org/2024/02/28/responsible-ai-with-starcoder2/

MSavoritias <email@msavoritias.me> writes:

> Hello,
>
> Context:
>
> As you may already know there have discussions around Software 
> Heritage
> and the LLM model they are collaborating with for a bit now. The 
> model
> itself was announced at
> https://www.softwareheritage.org/2023/10/19/swh-statement-on-llm-for-code/
>
> As I have started writing some packages I became interested in 
> how I
> might actually stop my code from ever reaching Software Heritage 
> or at
> the very least said LLM model. Every single package in guix is 
> added
> there automatically.
>
> I sent an email on Friday and I got an answer back that such 
> consent
> mechanism hasn't been implemented and I was shown the legal 
> terms.
> instead what I am supposed to do is:
>
> After guix has my code, my code will be automatically in 
> Software
> Heritage and the LLM model. So I am supposed to opt out 
> seperately with
> both of them to ensure that my code wont be used for future 
> versions.
> This of course means that my code will stay forever in Software
> Heritage and the LLM model (or some version of it at least).
>
> The reasoning that was given was that code harvesting happens 
> anyway
> and we give an opt-out. I am guessing its opt-out and not opt-in
> because they would have less code but this is speculation of 
> course :)
>
> This is against our desire to make it a welcoming space and also
> against the spirit of our CoC. Specifically because authors do 
> not know
> this happens when they submit packages to Guix. So it is all 
> done
> without consent.
>
> Next Steps:
>
> So what can we do as a Guix community from here?
> Communication/Writing wise:
>
> 1. Add a clear disclaimer/requirment that any new package that 
> is added
> in Guix, the person has to give consent or get consent from the 
> person
> that the package is written in. This needs to be added in the 
> docs and
> in the email procedures.
> 2. Make a blog post of our stance towards Software Heritage and 
> the
> code harvesting they are doing. This post will write in 
> environmental
> and ethical grounds why Guix is against this and mention 
> specifically
> Software Heritage. This is done to separate and mention that we 
> do not
> like what is happening in case anyone comes asking, and 
> hopefully give
> public pressure to Software Heritage.
> 3. Exclude all Software Heritage merch, stands, talks, people in
> official capacity, logos, or anything else that participates in 
> social
> events of guix and write it in some rules we have. also write in
> channel rules that Software Heritage is offtopic same way 
> Non-Free
> Software is offtopic.
> 4. There doesn't seem to be any movement on the side of Guix 
> towards:
> - Accountability in an official capacity of SH for the terrible
>   handling of the trans name incident and a plan to make it 
>   easier in
>   the future.
> - The LLM problem that was mentioned in this email.
> So with that said I urge anybody who has been in contact with 
> them in
> an official Guix capacity to come forward, otherwise I can 
> volunteer to
> be that. Idk if we have a community outreach thing I need to be 
> in also
> for that. (we should if not)
>
> The above make two assumptions:
> 1. That the Guix community is against LLM/"AI". Which for 
> environmental
> and ethical grounds we should be.
> 2. That we are a consent culture.
>
> Coding Wise this has been talked about before some potential 
> options
> are:
> - Communicate with Software Heritage to be able to give a "sign" 
> that
> the code that is sent should go or not in the code harvesting 
> project.
> - Remove all Software Heritage integration since its too hard to 
> be
>   ethical about it and built a better solution.
>
> Conclusion:
>
> To summarize from the steps I wrote above, it seems Software 
> Heritage
> makes it harder and harder for us to actually be an inclusive,
> welcoming space we want to be. Idk what that leaves us, as I 
> said I am
> not part of any "insider" discussions. But it seems to not move 
> that
> much and its time to start doing actionable things in another 
> direction.
>
> MSavoritias