Hi,

I managed to get there and I asked several questions. 

Below is my subjective summary of the meeting. 

I've added conservancy in the CC in case they find this summary useful,
as I wasn't able to do that while trying to follow the meeting at the
same time.

At some point somebody (not me) suggested to separate the legal
concerns from the ethical concerns in conservancy recommendations[1],
and I think it would be a good idea to do that in the Guix policy
proposal about LLMs as well.

At some point I asked:
> The risk of having LLM output be under a license incompatible with the
> FLOSS project (like nonfree code generated included in GPLv2+
> codebase) is not often talked about, why is that?

I also asked about the case where the LLM output produces code under a
copyleft license that is incompatible with the one used by the project.

An example (not mentioned in the meeting) would be the CDDL and the
GPLv2(+?) which become incompatible when compiled.

And I was told that it was unlikely that the training data contained
nonfree code unless it was leaked (as I understand people do post
leaked source code on Github from time to time, and they told that
Github (most likely?) didn't train on nonfree software like the
nonfree Microsoft Windows source code for instance), so the most likely
situation was to combine code under incompatible copyleft license, and
in that case they were welcoming lawsuits.

According to them 2 cases could happen:

- Or the output can be copyrighted by the prompt author, and in this
  case we could probably use LLMs to produce features similar to
  nonfree software (like use an LLM to make Libreoffice complete enough
  to completely replace Microsoft Office) and copyleft the result.

- Or the output has the license of the training data, and in this case
  the companies producing nonfree LLM models would have a huge legal
  issue (I don't remember why. Maybe it's because it invalidates their
  business model, or maybe they have to publish it all under copyleft
  licenses like the GPL, or it would just become illegal).

They also talked about the fact that before LLMs there were a lot of
legal risks projects didn't really take into account or talk about it
(example: code copied from Stack Overflow[2]), but that globally
speaking, lawyers manage to educate FLOSS communities about the most
common issues and this way avoid most of the risks.

I then asked about other related risks:

> Assuming that the output of the LLM can be copyrighted, have you
> considered the risk of copyright trolls using LLMs to detect copyright
> issues and shut down projects and/or the power imbalance between FLOSS
> projects and big companies involved in LLMs, some of which are trying
> to actively shut down FLOSS projects (example: F-Droid, reference:
> https://f-droid.org/en/2025/09/29/google-developer-registration-decree.html).
> Is there some assement of the risks that we could face in court here?
> Or even risks of having terms of services modified later on to shut
> some projects down?

And as an answer, I was basically told that these risks were taken into
account by people at Conservancy. This is also because the 1 hour of
Q&A was ending at that point so the answer was kept very short.

For the context, during the Q&A the legal information we got (like
links to lawsuits) were about the US legal system. 

And as I understand, their most important recommendations go against
LLMs (see for yourself in [1]), and they then try to see how to limit
the damages if projects still use them.

So my understanding is that there is still significant risks and/or
uncertainty.

They seem to also be motivated by the fact that employers force
employees to use LLMs. They told that in a huge company the
productivity was evaluated by LLM token count, and that before LLMs
many employee managed to convince the companies to allow them to work
on FLOSS for instance for one day a week. These concerns is also
visible in their recommendations[1].

I also asked if the models being used to generate code could be used
offline in a reproducible way, and the answer is currently no (they are
not run on users computers but as SASS), so because of that Bradley Kuhn
advocates for storing as much information as we can on how the LLM
output was generated, in case we need crucial information on that later
on.

As for the feeling of this meeting, it was really nice as it wasn't
confrontational at all and they was nothing pressuring people.

Though I didn't manage to follow it all due to some disconnections at
the beginning and also because of the heat wave (I was tired and I
barely managed to prepare my questions and follow the answers to my own
questions).

At the end we also got a specific contact email address in case we have
further questions (I've added them in CC).

Also note that while I was allowed to post my notes and/or the meeting
official notes on guix-devel, they asked participant to not share the
meeting notes on social networks that are susceptible to trolling.

References:
-----------
[1]https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html
[2]They didn't talk about specifics at all on StackOverflow, but I did
   some research not so long ago, and if I recall it's possible to
   combine the CC-BY-SA 4.0 (stack overflow license) with GPL code
   (which version?) but that was complex to do (I didn't really
   understand how to do it in practice).

   In any case I personally document code when it is copied form
   StackOverflow and I also try to rewrite it unless it is in a
   canonical form which I assume is not copyrightable in at least the
   US jurisdiction as per the lawsuit between Oracle and Google on
   Java. 

   Other laws might apply as well in other jurisdictions, like laws
   enabling student to use examples in programming books in projects
   they make if these projects aren't books.

Denis.

Attachment: pgpnTitKOOeOw.pgp
Description: OpenPGP digital signature

Reply via email to