Malus – Clean Room as a Service (malus.sh)

We should welcome more precise law enforcement. Imperfect enforcement is too easy for law enforcement officers to turn into selective enforcement. By choosing who to go after, law enforcement gets the unearned power to change the law however they want, enforcing unwritten rules of their choosing. Having law enforcement make the laws is bad.

The big caveat, though, is that when enforcement becomes more accurate, the rules and penalties need to change. As you point out, a rigidly enforced law is very different from one that is less rigorously enforced. You are right that there is very little recognition of this. The law is difficult to change by design, but it may soon have to change faster than it has in the past, and it's not clear how or if that can happen. Historically, it seems like the only way rapid governmental change happens is by violent revolution, and I would rather not live in a time of violent revolution...

Dean Ball made this exact point on the Ezra Klein show a few days ago. I always thought laws would get more just with perfect enforcement -- the people passing mandatory sentencing laws for minor drug offenses would think twice if their own children, and not just minorities and unfavourable groups, were subject to the same consequences (instead of rehab or community service).

But if I've learned anything in 20 years of software eng, it's that migration plans matter. The perfect system is irrelevant if you can't figure out how to transition to it. AI is dangling a beautiful future in front of us, but the transition looks... Very challenging

> Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.

Hey, I really like this framing. This is a topic that I've thought about from a different perspective.

We have all kinds of 18th and 19th century legal precedents about search, subpoenas, plain sight, surveillance in public spaces, etc... that really took for granted that police effort was limited and that enforcement would be imperfect.

But they break down when you read all the license plates, or you can subpoena anyone's email, or... whatever.

Making the laws rigid and having perfect enforcement has a cost-- but just the baseline cost to privacy and the squashing of innocent transgression is a cost.

(A counterpoint: a lot of selective law enforcement came down to whether you were unpopular or unprivileged in some way... cheaper and automated enforcement may take some of these effects away and make things more fair. Discretion in enforcement can lead to both more and less just outcomes).

There was this scholarly article from Pamela Samuelson and Suzanne Scotchmer

https://yalelawjournal.org/pdf/200_ay258cck.pdf

which, as I recall it, suggested that the copyright law effectively considered that it was good that there was a way around copyright (with reverse engineering and clean-room implementation), and also good that the way around copyright required some investment in its own right, rather than being free, easy, and automatic.

I think Samuelson and Scotchmer thought that, as you say, costs matter, and that the legal system was recognizing this, but in a kind of indirect way, not overtly.

And this goes both ways.

Many governments around the world have entities to which you can write a letter, and those entities are frequently obligated to respond to that letter within a specific time frame. Those laws have been written with the understanding that most people don't know how to write letters, and those who do, will not write them unless absolutely necessary.

This allows the regulators to be slow and operate by shuffling around inefficient paper forms, instead of keeping things in an efficient ticket tracking system.

LLMs make it much, much easier to write letters, even if you don't speak the language and can only communicate at the level of a sixth-grader. Imagine what happens when the worst kind of "can I talk to your supervisor" Karen gets access to a sycophantic LLM, which tells her that she's "absolutely right, this is absolutely unacceptable behavior, I will help you write a letter to your regulator, who should help you out in this situation."

Agree with all this, but am not sure how it applies to this case. This seems rather the opposite behavior: accelerated bad de facto behavior because de jure enforcement is infeasible.

We are seeing this in the world of digital media, where frivolous DMCA and YouTube takedown reports are used indiscriminately and with seemingly little consequence to the bad actor. Corporations are prematurely complying with bad actors as a risk reduction measure. The de jure avenues to push back on this are weak, slow, expensive, and/or infeasible.

So if you ask me what's the bigger threat right now, stricter or less strict enforcement, I'd argue that it's still generally the latter. Though in the specific case of copyright I'd like to see a bunch of the law junked, and temporal scope greatly reduced (sorry not sorry, Disney and various literary estates), because the de facto effects of it on the digital (and analog!) commons are so insidious.

My mom, who's a lawyer, always told us that laws don't matter, what matter is how hard they're enforced, and we can simply ignore laws that exist but we know for a fact they're not enforced (or not enforceable).

I once had small talk with Lawrence Lessig after a conference of his, and when I told him that he was visibly shocked, as if I had told him I was raised to be a criminal.

Now I'm not sure what to think anymore.

Privacy protection has the exact same issue. Wiretapping laws were created at the time there was literally a detective listening to a private phone conversation as it was happening. Now we record almost everything online, and processing it is trivial and essentially free. The safeguards are the same but the scale of privacy invasion is many orders of magnitude different.

Yup :P

As in their post:

"The future of software is not open. It is not closed. It is liberated, freed from the constraints of licenses written for a world in which reproduction required effort, maintained by a generation of developers who believed that sharing code was its own reward and have been comprehensively proven right about the sharing and wrong about the reward."

This applies to open-source but also very well to proprietary software too ;) Reversing your competitors' software has never been easier!

I think this distinction also gets at some issue with things like privacy and facial recognition.

There’s the old approach of hanging a wanted poster and asking people to “call us if you see this guy”. Then there’s the new approach matching faces in a comprehensive database and camera networks.

The later is just the perfect, efficient implementation of the former. But it’s… different somehow.

I see many comments focusing on whether speed limits (or the law) should or should not be enforced, while the main idea in this post is to say that today any agreement can be measured to the dot.

I agree with the author that we are not prepared for the consequences of such a change and that it can lead to abuse on many instances.

To understand speeding you need to understand the concept of "speed choice". Everyone chooses how fast to drive, only those who choose above the speed limit are speeding. If your environment gets you to choose a speed below the speed limit you won't break the law. Your choice can be influenced by many factors such as:

* narrow looking roadway * speed limit signs * your car has self driving * what everybody else is doing * speed limiter on your car * curvy road * bad weather * male or female * risk appetite * driving experience * experience of that route * perceived risk of getting caught

If you fix "speed choice" the problem of speeding diminishes.

The answer to this is just changing the law as enforcement becomes different, instead of leaning on the rule of a few people to determine what the appropriate level of enforcement is.

To do this, though, you're going to have to get rid of veto points! A bit hard in our disastrously constitutional system.

> This could, perhaps surprisingly, be one of the first places we directly grapple with this in a legal case someday soon, that the legality of something may be at least partially influenced by the expense of the operation.

Well said.

I think another area where this problem has already emerged is with public records laws.

It's one thing if records of, let's say, real estate sales are made "publicly available" by requiring interested parties to physically visit a local government building, speak in the local language to other human beings in order to politely request them, and to spend a few hours and some money in order to actually get them.

It's quite another thing if "publicly available" means that anyone anywhere can scrape those records off the web en masse and use them to target online scams at elderly homeowners halfway around the world.

Absolutely! We're not all making that error, I've been venting about it for years.

"Costs matter" is one way to say it, probably a lot easier to digest and more popular than the "Quantity has a quality all it's own" quote I've been using, which is generally attributed to Stalin which is a little bit of a problem.

But it's absolutely true! Flock ALPRs are equivalent to a police officer with binoculars and a post-it for a wanted vehicle's make, model, and license plate, except we can put hundreds of them on the major intersections throughout a city 24/7 for $20k instead of multiplying the police budget by 20x.

A warrant to gather gigabytes of data from an ISP or email provider is equivalent to a literal wiretap and tape recorder on a suspect's phone line, except the former costs pennies to implement and the later requires a human to actually move wires and then listen for the duration.

Speed cameras are another excellent example.

Technology that changes the cost of enforcement changes the character of the law. I don't think that no one realizes this. I think many in office, many implementing the changes, and many supporting or voting for those groups are acutely aware and greedy for the increased authoritarian control but blind to the human rights harms they're causing.

This has also been a common theme in recent decades with respect to privacy.

In the US, the police do not generally need a warrant to tail you as you go around town, but it is phenomenally expensive and difficult to do so. Cellphone location records, despite largely providing the same information, do require warrants because it provides extremely cheap, scalable tracking of anyone. In other words, we allow the government to acquire certain information through difficult means in hopes that it forces them to be very selective about how they use it. When the costs changed, what was allowed also had to change.

Not exactly the same but at least in Spain, the cost of constructing a new building subject to all the regulations makes them completely unafforfable for low salaries.

(There are other problems, I know, but the regulations are crazy).

> We are all making a continual and ongoing grave error

> Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.

I understand your point that changing the enforcement changes how the law is "felt" even though on the paper the law has not changed. And I think it makes sense to review and potentially revise the laws when enforcement methods change. But in the specific case of the 55 mph limit, would the consequences really be grave and terrible if the enforcement was enforced by a robot, but the law remained the same?

The issue with strictly enforcing the speed limit on roads is that sometimes, people must speed. They must break the law. Wife giving birth, rushing a wounded person to the ER, speeding to avoid a collision, etc.

If we wanted to strictly enforce speed limits, we would put governors on engines. However, doing that would cause a lot of harm to normal people. That's why we don't do it.

Stop and think about what it means to be human. We use judgement and decide when we must break the laws. And that is OK and indeed... expected.

Seconded, thirded, fourthed. I spend a lot of time thinking about how laws, in practice, are not actually intended to be perfectly enforced, and not even in the usual selective-enforcement way, just in the pragmatic sense.

> There is a difference between "putting up a sign that says 55 mph and walking away", "putting up a sign that says 55 mph and occasionally enforcing it with expensive humans when they get around to it", and "putting up a sign that says 55 mph and rigidly enforcing it to the exact mph through a robot". Nominally, the law is "don't go faster than 55 mph". Realistically, those are three completely different policies in every way that matters.

...and there's also a large difference between any of those three shifts, and the secular shift (i.e. through no change in regulatory implementation whatsoever!) that occurs when the majority of traffic begins to consist of autonomous vehicles that completely ignore the de facto flow-of-traffic speeds, because they've been programmed to rigorously follow the all laws, including posted de jure speed limits (because the car companies want to CYA.)

Which is to say: even if regulators do literally nothing, they might eventually have to change the letter of the law to better match the de facto spirit of the law, lest we are overcome by a world of robotic "work to rule" inefficiencies.

---

Also, a complete tangent: there's also an even-bigger difference between any of those shifts, and the shift that occurs when traffic calming measures are imposed on the road (narrowing, adding medians, adding curves, etc.) Speed limits are an extremely weird category of regulation, as they try to "prompt" humans to control their behavior in a way that runs directly counter to the way the road has been designed (by the very state imposing the regulations!) to "read" as being high- or low-speed. Ideally, "speed limits" wouldn't be a regulatory cudgel at all; they'd just be an internal analytical calculation on the way to to figuring out how to design the road, so that it feels unsafe to go beyond the "speed limit" speed.

> Realistically, those are three completely different policies in every way that matters.

I think that the failure to distinguish them is due to a really childish outlook on law and government that is encouraged by people who are simple-minded (because it is easy and moralistic) and by people who are in control of law and government (because it extends their control to social enforcement.)

I don't think any discussion about government, law, or democracy is worth anything without an analysis of government that actually looks at it - through seeing where decisions are made, how those decisions are disseminated, what obligations the people who receive those decisions have to follow them and what latitude they have to change them, and ultimately how they are carried out: the endpoint of government is the application of threats, physical restraint, pain, or death in order to prevent people from doing something they wish to do or force them to do something they do not wish to do, and the means to discover where those methods should be applied. The police officer, the federal agent, the private individual given indemnity from police officers and federal agencies under particular circumstances, the networked cameras pointed into the streets are government. Government has a physical, material existence, a reach.

Democracy is simpler to explain under that premise. It's the degree to which the people that this system controls control the decisions that this system carries out. The degree to which the people who control the system are indemnified from its effects is the degree of authoritarianism. Rule by the ungoverned.

It's also why the biggest sign of political childishness for me are these sort of simple ideas of "international law." International law is a bunch of understandings between nations that any one of them can back out of or simply ignore at any time for any reason, if they are willing to accept the calculated risk of consequences from the nations on the other side of the agreement. It's like national law in quality, but absolutely unlike it in quantity. Even Costa Rica has a far better chance of ignoring, without any long-term cost, the mighty US trying to enforce some treaty regulation than you as an individual have to ignore the police department.

Laws were constructed under this reality. If we hypothetically programmed those laws into unstoppable Terminator-like robots and told them to enforce them without question it would just be a completely different circumstance. If those unstoppable robots had already existed with absolute enforcement, we would have constructed the laws with more precision and absolute limitations. We wouldn't have been able to avoid it, because after a law was set the consequences would have almost instantly become apparent.

With no fuzziness, there's no selective enforcement, but also no discretion (what people call selective enforcement they agree with.) If enforcement has blanket access and reach, there's also no need to make an example or deter. Laws were explicitly formulated around these purposes, especially the penalties set. If every crime was caught current penalties would be draconian, because they implicitly assume that everyone who got caught doing one thing got away with three other things, and for each person who was caught doing a thing three others got away with doing that thing. It punishes for crimes undetected, and attempts to create fear in people still uncaught.

De jure, there is no difference between de facto and de jure. De facto there is.

Phenomenally illuminating, thank you.

> An interesting aspect of this, especially their blog post (https://malus.sh/blog.html ), is that it acknowledges a strain in our legal system I've been observing for decades, but don't think the legal system or people in general have dealt with, which is that generally costs matter.

Former lawyer here, who worked at a top end law firm. Throwaway account.

In my experience, the legal system and lawyers in general are deeply aware of this. It's the average Joe who fails to realize this, particularly a certain kind of Joe (older men with a strong sense that all rules are sacred, except those that affect them, those are all oppressive and corrupt and may possibly justify overthrowing the government).

Laws are social norms of varying strength. There's the law (stern face) and then there's the law (vague raising of hands). If you owe a bank $2m and you pay back $1m, then you're going to run into the law (stern face). If you have an obligation to use your best efforts to do something, and you don't do it, then we can all have a very long conversation about what exactly 'best efforts' means in this exact scenario, and we're more in the territory of law (vague raising of hands).

Administrative obligations are the vaguest of all, and that's where lawyers are genuinely most helpful. A good lawyer will know that Department so and so is shifting into harsher enforcement of this type of violation but is less concerned about that type of violation. They know that Justice so and so loves throwing the book in this kind of case, but rolls their eyes at that other kind of case. This is extremely helpful to you as a client.

> And without very many people consciously realizing it, we have centuries of laws that were written with the subconscious realization that enforcement is difficult and expensive, and that the discretion of that enforcement is part of the power of the government. Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.

Enforcement of laws is a political decision, and there is no way to ever escape this fact. If society gets concerned about something, politicians are going to mobilize old laws to get at it. If society relaxes about something, enforcement wanes. Drugs are an obvious example. A lot of the time the things society are concerned about are deeply stupid (is D&D satanic?), but in a democracy politicians are very sensitive to public sentiment. If you don't like the way the public debate is going, get involved.

> Yet we still have almost no recognition that that is an issue. This could, perhaps surprisingly, be one of the first places we directly grapple with this in a legal case someday soon, that the legality of something may be at least partially influenced by the expense of the operation.

The courts are only ever concerned about de jure legality. (It's the literal meaning of de jure!) There are other outlets for de facto legality in the legal system - e.g. the police can choose not to investigate, prosecutors can choose not to lay charges, or opt for lower-level charges, or seek a lenient sentence.

The legal system is fundamentally broken. It's not designed to handle the kind of throughput that is required to enforce justice in countries with many millions of inhabitants.

The legal system is mostly a fantasy. It doesn't exist for most people. Currently it only serves large corporate and political interests since only they can afford access.

Tangentially, this is also the reason why many forms of corruption can be done away with right now with modern technology.

Meaning that democratizing our existing political structures is a reality today and can be done effectively (think blockchain, think zero knowledge proofs).

On the other hand, the political struggle to actually enact this new democratic system will be THE defining struggle of our times.

If you had to put a name to this phenomenon, what would it be?

Yes, with current costs, most people literally cannot afford legal representation, especially in the plaintiff side.

For example, I've been cheated out of at least $100k net worth by the founder of a crypto project because he decided to abandon tech which was working and switched to a competitor's platform for no reason. Now I was already worried about repercussions outside of the legal system... This is crypto sector after all... But also, legally, there's no way I can afford to sue a company which controls almost $100 million in liquid assets and probably has got government regulators on their payroll... Even though it is a simple case, it would be difficult to win even if I'm right and the risk of losing is that they could seek reimbursement of lawyers fees which they seek to maximize just to make things difficult for me.

>https://malus.sh/blog.html

An interesting read, however I'd like to know how to stop websites from screwing around with my scrollbars. In this case it's hidden entirely. Why is this even a thing websites are allowed to do - to change and remove browser UI elements? It makes no sense even, because I have no idea where I am on the page, or how long it is, without scrolling to the bottom to check. God I miss 2005.

[dead]

Certain views of OSS and its relation to commercial software always seemed to be fraught with highly voluntarist and moralizing attitudes and an intellectual naivete.

This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.

I am only 50% certain that your idea is expanding on the satire, if not: project owners can provide dual licensing. I'm sorry if you are serious and didn't understand you.

Copyleft was intended as a principle to keep the software free (as in 'freedom'). Proposing to lock out certain areas of the codebase is directly opposite to this principle.

LOL. Same here. But the footer disclaimer and testimonials gave it away immediately:

> "We had 847 AGPL dependencies blocking our acquisition. MalusCorp liberated them all in 3 weeks. The due diligence team found zero license issues. We closed at $2.3B." - Marcus Wellington III, Former CTO, Definitely Real Corp (Acquired)

> © 2024 MalusCorp International Holdings Ltd. Registered in [JURISDICTION WITHHELD].

> This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services.

This could work out great, because the OSS devs can focus on building their project instead of marketing to businesses, running sales processes, consulting on implementation and supporting the implementation. No need to find corporate sponsors either.

> satire

I'm sure they've already received offers from investors who wish to build the next torment nexus.

If you don't have any contributors, you could just directly relicense without rewriting the whole codebase. If you do, it would be rude to do this.

Lol so instead of paying maintainers who already built the thing you want, we instead charge you to use AI to make countless copies of maintainers’ work and direct the profits back to the maintainers? That sounds like true satire.

This site is not satire. You can actually pay on Stripe and it will create code for you. The site is written with satirical language but it is a real service.

I didn't see it was satire (having only skimmed the site) until scrolling through the comments and seeing this fake review being quoted. That's when I went "surely not", checked the site, saw it was really there, and was quite relieved this is not yet an actual thing!

Under this name or not I think it's happening regardless..

lol - it's literally called malus but I guess that's only an obvious giveaway in retrospect

This is satire, but the very notion of open source license obligations is meaningless in context. FLOSS licenses do not require you to publish your purely internal changes to the code; any publication happens by your choice, and given that AI can now supposedly engineer a clean-room reimplementation of any published program whatsoever, publishing your software with a proprietary copyright isn't going to exactly save you either.

It's a satire. The authors presented it at FOSDEM. They are people that worked previously for foss communities.

It also shows why this approach is questionable. Opus 4.6 without tool use or web access can provide chardets source code in full from memory/training data (ironically, including the licensing header): https://gist.github.com/yannleretaille/1ce99e1872e5f3b7b133e...

Wow. The guy who’s been thanklessly maintaining the project for 10+ years, with very little help, went way out of his way to produce a zero-reuse, ground-up reimplementation so that it could be MIT licensed... and the very-online copyleft crowd is crucifying him for it and telling him to kick rocks.

Unbelievable. This is why we can’t have nice things.

That's worth its own submission and discussion.

The satire is A-grade.

On a quick glance, or skim read, you could be excused for believing this is real, but they drop just enough nuggets throughout that by the end there is no ambiguity.

Really helps illustrates how realistic this could be.

What would be the incentive for someone to do this for real?

We all have access to SOTA LLMs. If I want a "clean room" implementation of some OSS library, and I can choose between paying a third party to run a script to have AI rebuild the whole library for me and just asking Claude to generate the bits of the library I need, why would I choose to pay?

I think this argument applies to most straightforward "AI generated product" business ideas. Any dev can access a SOTA coding model for $20p/m. The value-add isn't "we used AI to do the thing fast", it's the wrapping around it.

Maybe in this case the "wrapping" is that some other company is taking on the legal risk?

What do you mean nobody has done it?

It's an inevitable outcome of automatic code generation that people will do this all the time without thinking about it.

Example: you want a feature in your project, and you know this github repo implements it, so you tell an AI agent to implement the feature and link to the github repo just for reference.

You didn't tell the agent to maliciously reimplement it, but the end result might be the same - you just did it earnestly.

There's a lot of things you could do to be malicious towards other people with minimal effort, yet strangely few people do it. Virtually everyone has morals, and most people's are quite compatible with society (hence we have a society) even if small perturbations in foundational morals sometimes lead to seemingly large discrepancies in resultant actions

You need the right kind of person, in the right life circumstances, to have this idea before it happens for real. By having publicity, it becomes vastly more likely that it finds someone who meets the former two criteria, like how it works with other crime (https://en.wikipedia.org/wiki/Copycat_crime). So thanks, Malus :P

At some level people are already doing this through LLMs. But large orgs are extremely risk averse to do such things. There’s a reason why we have “security audits” and “compliance certifications”. It’s not like organizations are not capable of securing or standardizing their systems, just they do want to point fingers to somebody when legal proceedings happens.

The bottleneck is trust and security. I'd rather defenestrate 3rd party libraries with a local instance of copilot than send all my secret sauce to some cloud/SaaS system.

Put differently, this system already exists and is in heavy use today.

> why hasn't anyone done this for real?

WDYM? LLMs are essentially this.

>why hasn't anyone done this for real?

because LLMs can't program anything of non-trivial complexity despite the persistent delusions from its advocates, same reason the lovers of OSS haven't magically fixed every bug in open source software.

At least you think that this is satire, until the author receives a DMCA from one of the big corps saying that he leaked the transcript of their last meeting

I don't know - if you upload a package.json with any dependencies that map to real npmjs.com packages, it does lead you to a Stripe payment page which appears to be real... and it appears you'd be sending real money.

Maybe that's part of the joke, though :)

Too late. Someone's senior executive management has probably already seen it and spinning up a new project to implement it.

The situation is a bit too Torment Nexus-y for my comfort, thank you very much

Yeah, thank you. I was starting to get a little heated.

its partial satire. I kinda believe Claude/Codex spill lots of OSS code without license attribution for many millions of devs already.

Thank you for pointing that out, I genuinely was scratching my head and questioning if this site was serious.

I know this is satire, but I would wish to see something like this for liberating proprietary & closed-source hardware drivers.

For now...

For now

Malus Corporation = EvilCorp

W.r.t. intent, yes. But w.r.t. content, we are long past a situation where it is unrealistic enough to function as satire.

While such tactics would render certain OSS software licenses absurd, the tactic itself, as a means to get around them, is entirely sound. It just reveals the flawed presupposition of such licenses. And I'm not sure there is really any way to patch them up now.

I was wondering. I had heard chardet story and wouldn't be surprised to see others moving into that same space.

It legit got me. An actual "whaaaaaatttt?" out loud and then I had to figure out why it was the top of HN haha.

it is straightforward to build this for real, here is my nearly one-shotted tldraw clone from a couple of weeks ago, https://x.com/c_pick/status/2028669568403578931 - the implementation side never saw the code, only the spec (in reality it did see the tldraw code in its training data, but you can't escape that anymore)

The Torment Nexus must be built, because someone wants a lambo.

Sounds like my CTO. Overuse of LLMs in c-suites is like overuse of weed by teenagers - it may not cause delusions, but it sure seems to make them worse.

Guaranteed CVE-free at time of delivery!

Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLM’s, vendored next to our code using the dependency, cannot be vulnerable since they don’t have cve’s, and therefore they don’t ever have to be maintained.

That’s how deep we are in neoliberal single truth shit now

This is going to bring back software patents.

This is a misreading of the law. Court cases say that AI cannot own copyright, not that AI output cannot be copyrighted.

If you’re referring to Thaler v. Perlmutter, that is not binding precedent nationwide, only in courts under the D.C. Circuit. And it only applies to “pure” AI-generated works; it did not address AI-assisted works, which seem very likely to be copyrightable.

I have actually very convincingly recreated a moderately complex 70s-era mainframe app by having an LLM reimplement it based on existing documentation and by accessing the textual user interface.

The biggest trick is that you need to spend 75% of your time designing and building very good verification tools (which you can do with help from the LLM), and having the LLM carefully trace as many paths as possible through the original application. This will be considerably harder for desktop apps unless you have access to something like an accessibility API that can faithfully capture and operate a GUI.

But in general, LLM performance is limited by how good your validation suite is, and whether you have scalable ways to convince yourself the software is correct.

I've done a little bit of this and Claude is pretty great. Take the app and let Claude run wild with it. It does require you to be relatively familiar with the app as you may need to guide it in the right direction.

I was able to get it to rebuild and hack together a .NET application that we don't have source for. This was done in a Linux VM and it gave me a version that I could build and run on Windows.

We're past the point of legacy blackbox apps being a mystery. Happy to talk more, my e-mail is available on my profile.

Interested to keep updated on this point. As a consultant, I've worked on transformation of legacy applications so this would help me greatly as well. We've worked on pretty archaic systems where no one knows how the system works even if we have the source code.

Well, what kind of desktop apps?

Unless obfuscated C# desktop apps are pretty friendly to decompile.

Often OSS is used not because you want the software, but the software and the upkeep. So even with such a service, you're now just taking code in-house that you have to maintain as well.

The people that will take this as a good thing unironically will just have their personal Yes Man do that work internally.

I was on this talk expecting to hear about MongoDB abusing open source (as you could guess from my profile, that’s a topic dear to my heart). Instead, I saw the most entertaining talk in my life.

Where do you see this? It doesn't appear to be in the website (if it's in the video, I didn't watch it but it's not in the subtitle file)

It's funny that humans working together for mutual benefit via any other mechanism than regimented corporate slavery is considered insane.

It's not true (and also not funny):

* Many of the people maintaining FOSS are paid to do so; and if we counted 'significance' of maintained FOSS, I would not be surprised if most FOSS of critical significance is maintained for-pay (although I'm not sure).

* Publishing software without a restrictive license is not 'generous', it's the trivial and obvious thing to do. It is the restriction of copying and of source access that is convoluted, anti-social, and if you will, "insane".

* Similarly, FOSS is not a "miracle" of human cooperation, and it what you get when it is difficult to sabotage human cooperation. The situation with physical objects - machines, consumables - is more of a nightmare than the FOSS situation is a miracle. (IIRC, an economist named Veblen wrote about the sabotaging role of pecuniary interests on collaborative industrial processes, about a century ago; but I'm not sure about the details.)

* Many people read licenses, and for the short, paragraph-long licenses, I would even say that most developers read them.

* It is not insane to use FOSS from a "fiduciary standpoint".

Isn't that the premise of Fallout ?

> observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.

and tbh, i cannot see any issues if this is how it is done - you just have to prove that the clean room ai has never been exposed to the source code of the app you're trying to clone.

>The 'Firewall' they describe is an illusion because [...]

it is an illusion because this is a satire site.

The solution here seems to be to impose some constraint or requirement which means that literal copying is impossible (remember, copyright governs copies, it doesn't govern ideas or algorithms - that would be 'patents', which essentially no open source software has) or where any 'copying' from vaguely remembered pretraining code is on such an abstract indirect level that it is 'transformative' and thus safe.

For example, the Anthropic Rust C compiler could hardly have copied GCC or any of the many C compilers it surely trained on, because then it wouldn't have spat out reasonably idiomatic and natural looking Rust in a differently organized codebase.

Good news for Rust and Lean, I guess, as it seems like everyone these days is looking for an excuse to rewrite everything into those for either speed or safety or both.

Obviously satire, but it will clearly be what happens in the future (predicting here, I'm not endorsing this practice). We can scratch train a new LLM on code generated from "contaminated" LLMs. We can then audit all the training data used and demonstrate that the original source wasn't in the training data. Therefore the cleanroom implementation holds. Current LLM training is relying less and less on human generated code. Just look at the open source models from China. They rely heavily on distilling from other models. One additional point. Exposure to the original source isn't enough to show infringement. Linus looked at UNIX source before writing linux.

I think this site is either satire, or serious but with a certain kind of humor in which both they and the reader know they're lying (but it's in everyone's interest to play along).

They do say this:

> Is this legal? / our clean room process is based on well-established legal precedent. The robots performing reconstruction have provably never accessed the original source code. We maintain detailed audit logs that definitely exist and are available upon request to courts in select jurisdictions.

Unless they're rejecting almost all of open source packages submitted by the customer, due to those packages being in the training set of the foundation model that they use, this is really the opposite of cleanroom.

This is definitely a parody though, not a real service.

[flagged]

This was already done, see: Grokipedia.

Look, outside of your corner, a world is much much bigger and every nation and every political leaning has rights to have their own POV(for better or worse), as quite frankly this style of thinking on enforcing what others should do is really irritating. Wikipedia for a time being had already different POVs and it was great for that time period, but as someone that does not have English as first language, I don't dream of a world, where everybody uniformly think the same - because that place already exists where that is a case and that is a graveyard.

aren't you describing what elon already did https://grokipedia.com/

So Grokipedia?

Yeah it's just a slightly more honest and simplified presentation of what LLMs providers do IMO.

> I view this as an unmitigated good.

Then I don't think you've thought it through.

This entire software ecosystem depends on volunteering and cooperation. It demands respect of the people doing the work. Adhering to their licensing terms is the payment they demand for the work they do.

If you steal their social currency, they may just walk away for good, and nobody will pick up the slack for you. And if you're a whole society of greedy little thieves, the future of software will be everyone preciously guarding and hiding their changes to the last open versions of software from some decades ago.

You should read Bruce Perens' testimony in the Jacobsen v. Katzer case that explained all this (and determined that licensing terms are enforceable, and you can't just say "his is open mine is open what's the difference?")

https://web.archive.org/web/20100331083827/http://perens.com...

> I view this as an unmitigated good. Open source every damn thing.

Agree, I said this in another comment, AI-generated anything should be public domain. Public data in, public domain out.

This train wreck in slow motion of AI slowly eroding the open web is no good, let's rip the bandaid.

Open sourcing all the things sounds fun right up until you hit the point where clean room claims collapse under real legal cross-examination. If you think companies with money on the line are just going to roll over and accept it all as fair play I'd like to introduce you to the concept of discovery at $900/hr. If your business model is a legal speedrun you better budget harder than you code.

Open source is good, washing open source licences is very bad.

I publish under AGPL and if someone ever took my project and washed it to MIT I would probably just take all my code offline forever. Fuck that.

[dead]

If the AI could do good refactor of OS project, remove unused code/features and make the code more efficient. Than we really would be out of jobs :D

It's already a term of art used for this very purpose. https://en.wikipedia.org/wiki/Clean-room_design

"I solemnly swear that I am up to no good" and their seal is ⍼.

https://www.hp-lexicon.org/magic/solemnly-swear-no-good/

https://news.ycombinator.com/item?id=47329605

https://www.explainxkcd.com/wiki/index.php/2606:_Weird_Unico...

>whatever that library is called

https://news.ycombinator.com/item?id=47259177

You'll find all the answers if you read more carefully:

> Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright

> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.

> "Our lawyers estimated $4M in compliance costs. MalusCorp's Total Liberation package was $50K. The board was thrilled. The open source maintainers were not, but who cares?" - Patricia Bottomline, VP of Legal, MegaSoft Industries

I expect that thousands of people are now doing just that. Most proprietary software is just a shiny UI in front of a crappy database schema.

Homonym of "malice" too. Honestly kind of a brilliant name.

I think the problem will be with enforcement. To be honest I don't see any way to stop this kind of thing from happening. I predict the slow decline of open source projects, sadly.

Everything is enforceable by the rich, nothing is enforceable by the poor

Yes. Provided you had access to the original source code. Pheonix technologies did this with the IBM bios.

It makes me really happy to see this comment :)

whoosh

A lot of people, including perhaps the creator of this, feel that LLMs themselves are this service.

It exists! It's called Claude Code.

What makes this service not real?

Is it satire? Or is it a warning?

No

Amazon C*s calling Amazon Legal to ask if they could get away with implementing something like this internally, more like.

I think we've already seen this with "AI writes a web-browser" type PR. I guess we can still look forward to when they make license evasion an explicit part of their marketing. Then I can wryly laugh when somebody robo-whitewashes leaked commercial software, knowing that they'll get sued anyways.

Upload your manifest and find out! :)

This is a good idea. Do you have a package in mind?

I wrote about that recently: [1] One of the ways that code will be valued in the AI era is the extent to which it has contact with the real world. It doesn't matter how smart the AI is, the real world is always more perverse and complicated, and until their code has been tested by the real world you can't really trust it. (Even if we get superhuman AIs in the future, we have the same superhuman AIs producing superhuman amounts of new code in the world that your AI will have to interact with, and a single AI won't be able to overpower all the superhuman output in that world without testing.)

In practice even with much better AIs this would still be a pretty big risk. The testing you'd need would be extensive.

[1]: https://jerf.org/iri/post/2026/what_value_code_in_ai_era/

Absolutely true, but there is a silver lining:

When people rewriting open source libs with a bot then come crying to maintainers that their rewrites have bugs, and they would like for someone to fix said bugs for free, there is absolutely no one who will feel obligated to help them out.

Eh I think part of the joke is that LLMs have gobbled up the original source code, and if you help them enough (identical type signatures and specs), they will output the same code, it's the copyright laundering problem.

Let's not spam HN with AI slop please.