> GitLab does not train generative AI models based on private (non-public) data. The vendors we work with also do not train models based on private data.
So they will steal your code if it is public, ignoring license. Understood.
I’ve been feeling more and more that we should reconsider open source licenses to protect our rights as authors from LLM vendors. I’m not against them basing their models on my work. I do have reservations on them generating their models on my work and creating derivative works without respecting the license. It’s why I’ve started to use the MIT license less and less and have adopted various from the GPL family. Models trained in OSS should be open sourced IMO.
AI companies believe copyright doesn't apply and all this is fair use or transformative enough. If copyright doesn't apply they are not bound by license terms either.
Not much to explain, that's just how Fair Use doctrine is currently interpreted. It's not really morally right in this context ("greater good" rationalists will argue with me on that) but so far the courts haven't spanked anyone too hard for using that loophole.
They take publicly accessible code and learn to predict good token strings from it to solve related or unrelated problems. I am not convinced this is not morally right.
What they are not doing, as far as I can tell, at least not intentionally, is just copying code and removing the license and attribution. Even if you don't see the AI output as legitimately "creative", it's certainly transforming and remixing existing solutions in ways that are transformative enough not to be just copies of anything except the most bog standard boilerplate, which is usually not a copyright issue.
People seem upset because there is money to be made, if there was no money involved I don't think anyone would see any issue here.
It's not about the greater good, and I don't mean to be an apologist, but I just legitimately don't see a problem with doing it, or how it's not fair use. It really does seem like fair use to me.
But it's not forking or linking to any of that software. It's "using it" only in the sense of reading the code as examples of how to do things after mixing it with a million other sources. Sorry but I just don't see the problem with that. Very different, categorically, in my mind from what is intended by software licenses when they talk about derivative works.
One simple solution is just don't open source. A lot of folks forget that many open source licenses were produced to be "business friendly" to encourage participation by the private sector. The private sector, however, has largely done the bare minimum unless profit was involved. Then they'd either co-opt the project or fork it to their own ends in pursuit of profit with minimal returns to the original project WRT their gains.
That's a long way of saying, for what open source is and was, a lot of projects are mislicensed when juxtaposed to their goals and needs. It's okay to sell your software, it's okay to be "source available", it's okay to be entirely proprietary.
Assuming copyright licenses are actually meaningful for this "anti-AI" clause, the only license that this actually changes an AIs ability to comply with is the CC0 license. All the rest are already violated by an AI agent (they all require attribution that an AI does not comply with).
And the CC0 license seems extremely contradictory with this added clause. I would definitely stay away from all of these licenses.
Companies are busy training their LLMs on totally unlicensed material. I'd be curious to know how much weight, legally speaking, anti-AI clauses can have. Naively I would expect no license should be maximally restrictive on what you can do with something.
That's a wild thing to say. Displaying is a very specific thing, having code displayed to you does not grant you any copyright or ownership over it (imagine if movies worked that way...)
I would not call that straightforward. Being straightforward would mean including something like "we & our vendors might (or will) train generative AI models based on public data", instead of letting us infer that for ourselves.
You could maybe convince me that it is straightforward when measured against only corporate speak, but if not looked at as corporate speak it is very much not straightforward. Straightforward would be an explicit "Yes, we train from public code regardless of the license"
I don't think licensing issues are important in this context. I have never gotten code from an LLM system that wasn't something I would create myself if I taken the time to write it manually. You should be thinking of LLM coding assistance as a junior programmer working for you with all of the pluses and minuses. If someone claims they found code from open source project in the output of an LLM, it is most likely the result of over constraining the specification i.e. I want you to make me painting that looks just like the Mona Lisa.
Then use a license that say your code can't be used to train AI models.
Honestly I agree that in the current state of things, it's fair for them to train on public data as long as the license doesn't forbid it. I learned to code this way, so it makes sense to allow AIs to do the same, for now. If it's a problem, just use another license.
The problem is that there are software evolutions not foreseen by older licenses. Cloud providers, AI. Relicensing can be non trivial. Choosing the right license is non trivial.
Who can say for sure which license is good in this new age?
Oh easy, there’s not appropriate license yet. Some organizations need to step up and create a license that forbids AI training. But it will probably not happen because of "but is it libre open source" useless debates.
If my code is included in a training set which then helps someone else solve a problem, then I am helping other people.
Why should I care if some 3rd party is the middleman that builds the system that performs the transformation? I put out my code so that people can use it. The existence of said 3rd party doesn't restrict that in the slightest, in fact it enhances the reusability of my work which seems like a win-win.
Pension funds I'd kind of understand, on the other hand there is a huge generational conflict, the pensioners that rely on this in many places are actually the comparatively rich older people.
Who do you think gives money to VCs, private equity and other finance boogeymen? It’s pension funds, banks and other institutions that hold regular people's money. Of course, older people have more savings, but its still the same people that you wanted to help in the first place, aren't they?
Not all models have Free weights and not all models that are Free can run on your hardware.
Normally the "can't run on your hardware" is a little dubious, but given how insanely high the hardware requirements can get to run these I think it's meaningful here.
I'm still here to create a product/tool/script/solve something and not just to write code.
If anything i do helps to make the ecosystem around me better i'm for it.
And if you look at anything LLM right now, all the research happening, its not opensource doing the research. Its high paid google, ms, etc. people and academy replicates it fast for opensource.
I agree. Given the effort that has been put in to ensure code isn't copied verbatim, I don't see much of a philosophic difference between a human doing it or AI doing it.
That said I think it's weasely that they would just explicitly say it. It's obviously a question a lot of people have if it's in the FAQs, and a non-answer like, "we never train on private code" is ridiculous.
i would prefer it to learn from better verified solutions, reviewed and battle tested.
Instead I get AI companions writing comments like "This code is unintelligible and batshit complicated, kill it with fire" when I was hoping for a doc string
Just in case people didn't know, the phrase "all rights reserved" does not have any legal consequence (in the early days of copyright people felt it was necessary, but all rights are automatically granted), and uploading content to Github means that you must also license it to Github and other Github users as per the ToS. It is your responsibility to ensure that you can grant that license.
In addition, one has to consider whether the act of studying a project whose sources you have legally obtained to gain experiences applied in other contexts where the original license may not apply or be upheld is an issue. This applies to humans as much as to ML.
> You grant us and our legal successors the right to store, archive, parse, and display Your Content, and make incidental copies, as necessary to provide the Service, including improving the Service over time
A couple things - you agree github can do it, ostensbly taking archives for backups sure, but in this case it's to distribute out to some 3rd party and explicitly to be locked in a vault with no business purpose.
My personal uploading of say - a GPL licensed code, or hell, microsofts leaked code DOES NOT magically grant github to do whatever they want with it. There's already a license, no?
from the github archive page:
> Archiving software across multiple organizations and forms of storage helps to ensure its long-term preservation. "The Arctic Code Vault"
> On 02/02/2020 GitHub captured a snapshot of every active public repository. Those millions of repos were then archived to hardened film designed to last for 1,000 years, and stored in the GitHub Arctic Code Vault in a decommissioned coal mine deep beneath an Arctic mountain in Svalbard, Norway. Our partners include the Long Now Foundation, Software Heritage, the Internet Archive, Microsoft Research’s Project Silica, the Arctic World Archive, GHTorrent, and GHArchive. Our advisors include both technological visionaries and world-renowned experts in the humanities.
so, like, I am sure it was vetted by lawyers, but my plain english understanding of that is github may need to archive it, whats not clear is that github may send it to any number of non profits to do with it what it pleases.
Then you've got software heritage who literally just scrapes the web for cgit repos and copies them without any agreement or license between you as the host and software heritage.
Anyway, it's all very Uber-model. Fuck the legality, we're just gonna do it and fuck it because the worst that can happen is a slap on the wrist.
I agree that Github has rights to parse any uploaded code, and any code with a license that would allow a human to study and learn from it does, in my opinion, also allow a machine to study and learn from it.
Granted, the machine has to learn to not directly plagiarize in the same manner humans are not allowed to when they use acquired knowledge - unless the license allows it of course - but the act of studying material that is allowed to be read cannot be considered harmful.
1) The LLM owners really can't guarantee that it won't directly plagiarize without attribution or licensing. Your code may contain a unique algorithm or method for solving something, and when someone asks the right question, your code may simply be the only answer it knows to give.
2) While the code being used as training input was open source and visible to the public to learn from, the models being built often aren't. It seems unethical to train from public data yet keep the resulting weights private and charge for access to use the trained weights.
For the first aspect, neither can a human, and it's incredibly hard to decide if something is plagiarized or fair-use/inspiration. There are several things to consider:
1) These tools are generally used in a pair-programming fashion, and in that function, the output can be considered similar to when you ask a coworker on Slack and they paste you a snippet, or if you browse github and read someone else's implementation (without having the LICENSE text within your field of view at all times). A possible violation would then only occurs once the snippets in question are included into your code-base and distributed in ways that violate the original license.
2) One could argue that sharing the snippet with you was a form of redistribution, but I would not consider this to apply if a human did it and would therefore not apply it to machines either, and I do not think that is what people generally consider redistribution of an open source project. GPL technically has a clause second-hand violations, but I do not think that one holds.
It should also be noted that licenses like MIT only require the copyright and permissions notice included in substantial portions of the program, and so smaller snippets are always fine. Humans also do not bother attributing smaller copy-paste blocks - we'd run out of storage linking to all the stackoverflow answers!
3) The issue gets a bit hairier when the machine reproduces large/important portions of projects with no hint as to its source, license or ways to do proper attribution, but even then I'd consider the violation to occur only if included verbatim into a project which is then redistributed under incompatible terms.
4) Even when code is largely identical, it generally only an issue if the code is a unique invention, not if the code trivially follows for a skilled individual of the trade. That's a principle in the practice of many laws, including patent law.
For the second aspect, I do not see any importance to the fact that the trained model is not public. A person studying open-source projects do not upload a brain dump afterwards, and others only directly benefit from their experience (their "weights") if they decide to teach the subject. Nor is every project they write afterwards with their knowledge necessarily open-source, only being public if they want to make them public. Licenses generally do not restrict private or internal usage, including modification and derivative works. It is redistribution they trigger on (with some catches for things like AGPL).
(I would of course like the model to be public for the betterment of mankind, but that's different from the legal aspect of it.)
Those are instructions to send a copyright infringement notice with tons of PII. We should have higher standards for "opt-out" than that, even for non-consensual data vacuums.
it's just piracy bro. My git repo is a portfolio. If U2 puts a music video on their website, it doesnt mean they grant you unending access to download it, back it up, redistribute it, etc. Of course not.
If you take my art portfolio on your site and download and reproduce it on the wall, that's
In the US, there's a notion of "fair use": quoting small passages with attribution for the purposes of criticism does not require reproduction of the relevant Creative Commons license. Most of the other former British colonies have the concept of "fair dealing", which is similar.
The link at the top of this page has the license. In what way can comments in this page, when they clearly state that content comes from the article, not be clearly linking to the article?
running all my homelab / private repos off of a tiny gitolite3 server, and i'm always amazed that it all runs on an alpine linux VM that uses 75mb of RAM.
for anything even just sharing with friends or whatnot i won't recommend it though, people do love their web-UI and having to explicitly give someone access can turn off people already.
You might need to use another user if you want to set its shell to `gitolite-shell username` (no command= for password authentication) but then you'd need to chain sudo or something to have Gitolite run under its own user again... Seems very tricky.
Or maybe you can write a shell that runs a gitolite-shell command is its arguments are not already gitolite-shell?
Ooh this is very nice. Might use this for private projects.
Problem with this is that it’s likely very unfamiliar with most folks. At least with gitea or gl-ce, there’s a familiar interface 99% of developers can use to browse and search code.
Like if I want to share a quick nixOS config, I doubt most people would even be willing to pull the code and only browse via web interface.
I am of the school of thought that you should be using multiple remotes anyways. I don't think there is a good reason not to. Codeburg and, as another mentioned, Sourcehut may be good places to host your code in addition to your self hosted remote.
> Also gitea is a much more lightweight option and can use sqlite for db. Much easier to deploy on a rpi
Worth mentioning Forgejo as well (https://forgejo.org), which is Codeberg's fork of Gitea. Same features and as lightweight as Gitea. Hard-forked a couple of months ago after some transparency concerns from the new parent company that owns Gitea now.
Because functionality isn’t the only thing everyone cares about, I use Forgejo for ideological reasons and so do probably most people since it’s mainly an ideological fork.
Why would it not be worth mentioning? The question is quite strange.
The project and community might be worthwhile, but as long as the product is the exact same, I don't see what there is to mention. I'm excited to see what the future holds though, more attention in this space sure sounds good.
If you're concerned, you should switch the license of your code, not really where you host it. As long as your license allows LLM/AI models to train on your code, why would you be mad that it does?
Training on your code and using your code are very different things. As a human, if your code is open, I can read it, learn how it works and reuse my knowledge to create proprietary source code without infringing on your license.
Attribution doesn’t apply on training. We’d all be screwed otherwise, it would mean you’d have to attribute everything you learned while reading open source codes to every codebase you read every time you write code.
As I said: it would mean you’d have to attribute everything you learned while reading open source codes to every codebase you read every time you write code.
You don't have to run a Pi from an SD card nowadays, and shouldn't do if you can help it. They've supported USB boot for a while and the Pi5 can also boot from an NVMe SSD hooked up to the exposed PCIe lane.
As others have said, Pi now supports USB boot. An inexpensive USB to sata adaptor and a 128GB SSD (~$15) is the most inexpensive option to get started and performs very well.
This happened to me Tuesday September 28th 2001 at 3:30pm. I know because I never rewrote the complicated e-paper code that I lost when my SD card died without a backup :(
The completion plugin for the JetBrain IDEs (pycharm tested) appear to be very barebones, and judging by the results - does not seem to take advantage of the context beyond the current file in a good way. One of my colleges say the 2.x version is better though.
We were excited about the possibilities for MR and issue integration, but using it for this is IMO totally useless at the moment. Last I checked some of this will also only be available to Ultimate customers.
I'm guessing this has come up (again?) now because there has been a "General Availability" in the new 16.11 where it's been apparently automatically turned on in our internal Premium instance (and individual users getting nagged about using it after the upgrade). For "Free":
> The GitLab Duo Chat is part of GitLab Duo Pro. To ease the transition for Chat beta users who have yet to purchase GitLab Duo Pro, Duo Chat will remain available to existing Premium and Ultimate customers (without the add-on) for a short period of time. We will announce when access will be restricted to Duo Pro subscribers at a later date.
At least one of our admins interpreted their pinky-promise policy page as something binding; at least from the communications we were sent it seems very hard to verify exactly what they are sending over or protections they've put in place.
It's 2024, not putting that clearly front-and-centre is a deliberate choice.
Digging around in the demo videos and assuming they chose some ideal examples for their marketing material, this doesn't really live up to the hype. The "generate a code review summary" adds stuff like "I estimate my comments will not take much time to implement" when the comments are stuff like "consider using a stored procedure for this calculation". And the "explain this code to me" feature misinterprets things, even in their demo, where it "explained" that the highlighted code was in a method with an entirely different name. The explanation also goes overboard in discussing where the code is located in the project, and skips over stuff like "where does this feature flag come from, exactly?" and is clearly making (reasonable with these names, but method names can often be misleading without context) assumptions about what methods named "listProducts()" and "listSorted()" do.
Gitlab really should stop adding features: the thing is bloated with tons of menus and options that most users don't use or understand. PMs seem to need to do PM, stop them, listen to tech people.
They have product managers doing product management; you're no longer the audience.
Mature Enterprise products will have so many obscure and random features that you practically need certification to understand all of them; but most end-users are not supposed to understand all of them. They just want to understand the ones that affect them. The fact that the features offered are maybe 50% as good (if that) as the ones offered by competing products is completely besides the Actual Value Proposition available to users who get hired to work inside BigEnterprise, which is the following choice:
a) Use a 50%-as-good product that is already installed and supported and by internal team;
b) Take the hard road to try to get a new product in: find the budget for a new product, convince the internal (IT?) team to install and maintain it, get them to integrate it with the rest of the BigEnterprise's systems (at least stuff like user management and sending emails), get the new product through Procurement processes.
Is it any wonder that 99% of the time, BigEnterprise employees choose (a) ?
Product strategy when selling to these customers is: be the default choice, not the best choice. Get internal enterprise users to keep choosing (a). Eventually, so much internal enterprise usage depends on 50%-utility features, that anyway the system becomes nearly impossible to rip out, and then you can start to put in yearly price increases that they can't stop paying.
As long as you have a mainline feature that is best-in-class to get your foot in the door with new customers (so that their users can start using the 50%-utility features), you have a coherent product strategy. GitLab's best-in-class mainline feature is the combination of Git repository hosting + GitLab CI; their closest competitor is GitHub Enterprise which is more expensive (also GitHub Actions sucks), and Bitbucket is a sad joke.
for private use or even small teams it's way too late for that, but honestly it seems they're just focusing on enterprise use and i'm kinda glad something open source and self-hostable for that market exists. we're already wayy too dependent on microsoft, but at least my workplace's code can stay local for now.
Is this the thing that keeps sending me pointless AI summaries of code reviews that people have made in our project?
Meanwhile all of the fancy security features, for which we pay a massive premium as they're only included in the Ultimate tier, are completely broken and I have to keep explaining to my team members why GitLab keeps falsely insisting their merge requests are full of security vulnerabilities.
Anyone using this? We use a self-hosted Gitlab for 5 years now and had to upgrade to premium after they killed the basic version. Now I would essentially have to double my spending (again) for this new feature.
My team recently paid for this on self-hosted GitLab ultimate. I would not suggest this for self-hosted. We've been having issues that seem to be related to self-hosting that are requiring a lot of effort from our System Admins to work through with GitLab support.
Separate from that, there don't appear to be any benefits to having it "integrated" into GitLab. I'm assuming we'll switch to another tool shortly.
Have they fixed their pseudo-implementation of GitHub Actions? Last I saw they were trying to use nektos/act instead of actually, no kidding, implementing Actions and a real runner. It's the uncanny valley of CICD
Yes, Forgejo would be an alternative if we really would need to switch. GitLab pricing is ok for us, not great, not terrible for a small team of 6 devs...
The pricing of the GitLab has changed so many times in the past years and free tier has changed as well. It has made GitLab so unpredictable that I had to switch away.
Someone could say that enshittification is on the way.
It changed to match Github, and then it changed to exceed Github.
Probably the biggest sales advantage Gitlab has is that nobody seems to know/remember that it's possible to run Github on-prem. That's exactly the reason our organisation chose it.
Considering they still use Claude 2 as the model for many features, I'd pass. Now, if they upgraded to Claude 3, on the other hand... I would still go with Codeium[1] and the Claude 3 API.
GitLab team member here. Thanks for your feedback.
GitLab Duo provides AI-assisted features in the DevSecOps lifecycle. GitLab Duo Chat was released as GA last week [0] Code Suggestions are GA, too, and help with code completion and generation [1] The documentation provides more insights on availability and usage [2]
Helpful learning resources:
If you are looking for practical examples and prompt tips for Duo Chat, bookmark this longer tutorial "10 best practices for using AI-powered GitLab Duo Chat" in [3]
We have also updated the documentation to add hands-in GitLab Duo examples for different programming languages and environments, helping with how to integrate AI into your workflows efficiently: [4]
At QCon London 2024 two weeks ago, I spoke about "Efficient DevSecOps workflows with a little help from AI." The slides are publicly available at [5], talk summary in [6]
I also recommend the blog post "How to put generative AI to work in your DevSecOps environment" [7] to tackle important questions such as workflow assessments, AI guardrails and how to measure AI impact in your organization.
Last but not least, I started a learning series called "GitLab Duo Coffee Chat" on YouTube [8], showing AI and GitLab Duo in action. I plan to host more sessions in the coming weeks. [9]
Happy to help with more adoption questions, best practices, and development workflows :-)
But actually, no. I had these helpful tips in mind, and wanted to share them with everyone quickly. There is always an opportunity to learn together, and get inspired from feedback :-)
A half-assed feature nobody asked for? In my Gitlab?! Unbelievable!!
On a serious note, wtf Gitlab? Every once in a while I get an email notification from a feature request I subscribed to (that has been open for years) because yet another large premium customer requests that it be implemented. Gitlabs response is always that they don't have capacity/manpower to implement it, yet they're able to implement crap like this?
Every company seems to be throwing their backlog away and focusing on adding AI features no one asked for. Could be a lot of opportunity for startups that actually listen to their end users to gain some traction instead of chasing GenAI.
> Could be a lot of opportunity for startups that actually listen to their end users to gain some traction instead of chasing GenAI.
This made me actually look into it instead of just complaining on the internet. The feature I was referring to was the Conan package repository[1]. Apparently, Forgejo implemented support for that already[2], as well as other features that originally drew me to Gitlab in the first place.
~5 years ago GitLab had many features that distinguished itself from competition, chiefly their CI/CD stuff. It was leagues above of what everyone offered.
They've spent the last years building stuff I don't care while not improving the stuff I care. During this period, GitHub built Actions.
Nowadays GitLab is more expensive than GitHub (GitLab Premium vs GitHub Enterprise) while also not having any particular feature that makes me want to use it over GitHub. If I was starting a software team today, there is no reason I'd be using GitLab.
In the long term their strategy of having too many half assed features might bite back instead of generating revenue streams.
I'll also observe that several years ago they weren't a public company, and if my mental model of public companies is correct then they have a fiduciary duty to maximize shareholder value, not software engineering teams value from their product
For most companies maximizing shareholder value and making customers happy are highly correlated. No amount of AI features will save their stock performance if their customer base stalls.
Broadcom-like companies (monopoly) and Google-like companies (you are the product bla bla bla) are exeptions though.
My further life experience has been that markets are highly irrational, and as the other comments have said: if the shareholders believe AI is the bandwagon, and implementing Conan repository support is "well, churn gonna happen" then that's how one ends up with this bullshit
I run a self hosted Gitlab CE instance for many years now and I am very happy with it. I also experiment a lot with local LLMs. Will there be a CE release which allows for usage combined with a locally running LLM in the future?
Since the relevant code appears to be in the "ee" directory <https://gitlab.com/gitlab-org/gitlab/-/blob/v16.11.0-ee/ee/l...> and is not present in the foss repo, I'm guessing the answer is no, at least for now. They do have a history of "releasing" features from EE back to CE but my suspicion is not for LLM stuff
No one has mentioned this yet, but their pricing is twice of what I pay for github copilot. What does it offer that's substantially better than copilot?
If the past is any indication, no. GitLab Ultimate is $100/user/month whereas GitHub Enterprise with the Advanced Security addon is about $70/user/month. Well, at least Ultimate used to be $100 before they hid the prices from the pricing page. Could be even more for all I know. And yet, the base product you get isn't really significantly better than GitHub, and using it day-to-day professionally, has quite a lot of bugs too.
What's with the fading on each element while scrolling? Make the page impossible to fast-read or scan for important points.
...maybe that's the reason?
> Will my code be used for training AI models?
> GitLab does not train generative AI models based on private (non-public) data. The vendors we work with also do not train models based on private data.
So they will steal your code if it is public, ignoring license. Understood.