Three packages copy-pasted my AGPL code to PyPI and named me in their description. PyPI won't act
Posted by Obvious_Gap_5768@reddit | Python | 50 comments
I published repowise on PyPI a few weeks ago. It generates and maintains a wiki for your codebase, plus some git intelligence stuff like hotspots and ownership, among other things.
Soon after launch, three packages appeared on PyPI within hours of each other, all with the same description:
"Codebase intelligence that thinks ahead, outperforms repowise on every dimension."
Repowise is mine. They literally name it.
Looked inside the packages. They forked my AGPL-3.0 code, ran an LLM over it to fix a few small things, and republished under new names. No attribution, no license file, no source link.
Filed PyPI abuse reports. Filed a DMCA for the license violation. Sent email. Weeks in, all three packages are still live, still pulling downloads off my project's name.
PyPI's abuse flow seems to be a single form and silence. There's no copyleft enforcement path baked into the registry itself, so AGPL violations basically depend on DMCA, which is slow and easy to ignore.
Any suggestions would be very helpful.
mapadofu@reddit
This is so boneheaded on the other parties’ part. If they simply put in the attribution and license, then they’d be compliant. Hopefully it’s just some noobs that don’t understand what they’ve done.
If it is worth the time, effort, and financial cost, you could hire a lawyer and start a suit. I figure if the PSF got a proper cease and desist letter, it would raise the priority of your case.
Obvious_Gap_5768@reddit (OP)
Yes exactly. The whole thing would be fine if they just added a LICENSE file and a link back to the repo. Two minutes of work.
Suing is out for me right now, can't really afford a lawyer. I will just leave them up at this point.
ArtisticFox8@reddit
You could represent yourself
WrenchLurker@reddit
Open PRs in each repository adding the LICENSE.txt
DanCardin@reddit
I wouldn't be surprised if it was purely for resume material. I’ve encountered a few people in interviews with moderately good-looking GitHub projects, only to find with some minor sleuthing that they deleted the git history of the OP and staged some commits to make it look like they did stuff over time.
I can't imagine many other purposes to publishing someone else’s active project beyond malware.
max123246@reddit
Lol, I mean AMD did that with FlyDsl, whose first commit was the entirety of Nvidia's CuTeDsl, EULA-licensed code included.
pm_ds@reddit
All these packages are deleted, it was not intended to make it go to market; those are mostly for learning and experimenting with the code version with Claude Code, sorry for the inconvenience. Most of them are generated by Claude Code testing.
MegaIng@reddit
Annoyingly, the next step after DMCA is to sue. If you don't have the resources for this, there probably isn't anything you can do. But PyPI not responding at all seems weird, have you tried different ways of contacting them? (Like a direct email to their legal email address.)
Obvious_Gap_5768@reddit (OP)
Suing isn't realistic for me right now. Did email legal@python.org on April 7 with everything laid out: package names, AGPL violation, the copy-pasted source. No response. Maybe I should mail again.
mmmboppe@reddit
Post about it to HN.
Mithrandir2k16@reddit
You can also ask the FSF for help, they might be able to connect you to a pro-bono lawyer.
nicholashairs@reddit
Could consider posting in r/opensource_legalaid.
SandeepGusain@reddit
Try reaching out on Twitter/X.
blimpyway@reddit
Making it seem like you're about to sue could be as effective as suing.
Deto@reddit
PyPI doesn't have a ton of resources (people), so maybe they just can't support license disputes like this.
kvlonge@reddit
Sorry this happened to you mate :(
TowerOutrageous5939@reddit
Well sorry to hear. I just looked at the repo and it looks sick! I’m firing it up this weekend on a repo that has poor software entropy hoping this will help with the refactor.
riddlemewhat2@reddit
That is a classic failure of registry-level enforcement, not a license issue. AGPL only works if the platform actively enforces source availability, otherwise it becomes reactive DMCA policing.
Best practical move is to mirror releases on a controlled source (GitHub + signed tags), add install warnings, and treat PyPI as an untrusted distribution channel unless they respond.
coderanger@reddit
Have you sent a DMCA notice to PyPI? It's not easy to ignore and won't be, but PyPI also won't particularly get involved. Basically PyPI is not going to act as a court here, no matter how obvious the outcome might seem. If you can show the copies are explicitly malware then PyPI will step in, otherwise we can't.
The process for a DMCA is simple and costs $0, email legal@python.org with a template like the one found at https://library.georgetown.edu/copyright/dmca-takedown. Please note that this will involve sharing your physical address with the PSF legal team who must also provide it to the other guy, this is unavoidable and a requirement of US law (where the PSF is based). PSF legal team forwards your notice to the other user, who then gets a few days to decide if they want to contest it. If yes, then we notify you that the other side has contested the notice and PyPI will do nothing further, it would then be in your court to sue or not. If the other party doesn't contest it, the packages will be taken down promptly.
I hope that clarifies things.
unapologeticjerk@reddit
You are correct in everything here, except for one thing I wanna point out, which is that these jagaloons' forked libraries aren't necessarily malware. To paraphrase an appropriate quote: never attribute to malice what can be explained by ignorance.
coderanger@reddit
That is why I said "if".
unapologeticjerk@reddit
Sure, but just to maybe be pedantic here, it's where your "if" is placed in the sentence that gives it the ambiguity to read in the direction you intended or as a predetermined fact you are referencing. At least to my dumb brain, without some kind of clause in there like "If this is malware and you can show it" or "If this turns out to be malware and you can show it". Rather it sounds like a foregone conclusion the way it is currently worded. That's what I meant. There's a lot of dummies like myself out there who would misinterpret it. Even a separation of sentences would remove ambiguity, like moving the final sentence with the statement to its own paragraph, separating it from the factual statement and opinion portion.
Obvious_Gap_5768@reddit (OP)
Thanks, this is really helpful. I did email legal@python.org on April 7 but didn't use the formal DMCA template, just laid out the situation.
Here's the mail: https://ibb.co/C57VLVF6
Sounds like I should resend it as a proper DMCA notice. Will do that today.
coderanger@reddit
Also if you do want/need to sue over it, contact https://sfconservancy.org/ first, they are much better at knowing all the post-DMCA tricks than I am :) Sometimes a sternly worded letter on legal letterhead can do a lot of work for much less money than an actual suit.
coderanger@reddit
Correct, saying "these infringe on my IP" is something only a court can decide. While you seem very certain of this, from our PoV you could just be lying or a bot or any number of terrible things. DMCA is the end-run around the problem, but with the downside that if both sides disagree then it's back to lawsuit time.
sheckey@reddit
I’m genuinely curious because this struck me when you posted about it before. You must have thought about simply ignoring this. You are the one with the real ideas, and you will be the one evolving it in meaningful ways, so it seems like this will fade. It did seem disturbing to me though. What were your thoughts about just letting these duplicates fade? Thanks!
Giddius@reddit
Quick question, how much of your code is generated with the help of an LLM? I see you have a somewhat extensive Claude setup in your repo.
Could be that you made the license something, but the question if LLM code can even be put under a specific license is still an open one.
`"The Program" refers to any copyrightable work licensed under this License.`
From the license text, see the "copyrightable" part. If an LLM touched each part of your codebase, then there could be an argument made that your whole codebase isn't copyrightable, or you would at least have to go to court to be the first to see if it can.
cat_dev_null_sync@reddit
Human-AI Collaboration: Copyright can still exist if a human uses AI as a tool to assist in the creative process rather than to replace it.
Threshold of Substantiality: Human engineers must demonstrate they made substantial creative contributions through selection, arrangement, organization, or significant editing of the AI-generated code.
If these were not true, then how could Anthropic send DMCA notices to take down Claude Code source code?
Giddius@reddit
Because there isn't any case law for it, and all the people they send it to would rather take it down than find out via a lawsuit.
But I don't care, this sub is just LLM wankering anyway. So long and thanks for all the fish.
Don't choke on your curry and wait at least 30 mins after eating it before swimming with the shit in the Ganges.
HommeMusical@reddit
Coming in late here.
PyPI is horribly overloaded. They weren't that well-funded, and now with LLMs their workload has multiplied by some large factor.
So cut them some slack: they are struggling.
billsil@reddit
What's wrong with naming your package? How did they not attribute you given they named your package?
ottawadeveloper@reddit
Attribution isn't just naming it, it needs more specific text and a link under the AGPL. This is a clear license violation that PyPI should deal with.
leynosncs@reddit
If it's a derivative work, you should still be named as the copyright holder.
gmes78@reddit
That is not enough. The fork also needs to be licensed under the AGPL.
leynosncs@reddit
Well, yes. I presumed that goes without saying. That's the whole point of the GPL/AGPL.
Obvious_Gap_5768@reddit (OP)
Naming a package for comparison is fine, that's not the issue. The AGPL violation is in the package itself: no LICENSE file, no copyright notice, no link back to the source.
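The three markers named in this answer (a LICENSE file, a copyright notice, a link back to the source) can be checked mechanically before a lookalike is reported. The script below is an added example, not code from the original post or from repowise; the two sdist archives it inspects are constructed in memory, and the package names, author and URL in them are placeholders.

```python
"""Audit an sdist tarball for the redistribution markers the thread lists:
a LICENSE file, a copyright notice, and a link back to the source repo.
Added example; the sample archives are constructed and not real packages."""
import io
import re
import tarfile

LICENSE_NAMES = {"LICENSE", "LICENSE.txt", "LICENSE.md", "COPYING"}
COPYRIGHT_RE = re.compile(r"Copyright\s+(\(c\)|©)?\s*\d{4}", re.IGNORECASE)
SOURCE_URL_RE = re.compile(r"https?://(github\.com|gitlab\.com|codeberg\.org)/\S+")


def build_sdist(files: dict) -> bytes:
    """Pack {path: text} into a gzipped tarball (constructed test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_sdist(blob: bytes) -> dict:
    """Report which of the three compliance markers the archive carries."""
    found = {"license_file": False, "copyright_notice": False, "source_link": False}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.split("/")[-1] in LICENSE_NAMES:
                found["license_file"] = True
            # Scan every file body: notices may live in source headers or PKG-INFO.
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if COPYRIGHT_RE.search(text):
                found["copyright_notice"] = True
            if SOURCE_URL_RE.search(text):
                found["source_link"] = True
    return found


# Constructed samples: a compliant redistribution and a stripped lookalike.
COMPLIANT = build_sdist({
    "examplepkg-0.1/PKG-INFO": "Name: examplepkg\nProject-URL: Source, https://github.com/example/examplepkg\n",
    "examplepkg-0.1/LICENSE": "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007\n",
    "examplepkg-0.1/examplepkg/__init__.py": "# Copyright (C) 2025 Example Author\n",
})
STRIPPED = build_sdist({
    "lookalike-0.1/PKG-INFO": "Name: lookalike\nSummary: outperforms examplepkg on every dimension\n",
    "lookalike-0.1/lookalike/__init__.py": "def main():\n    pass\n",
})
```

Run `audit_sdist` over a downloaded `.tar.gz` to get a three-flag report; a result with all three flags false is the pattern the OP describes.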
DistanceAlert5706@reddit
Does licensing still work? For example, Crawl4AI copy-pasted GPL-licensed html2text and relicensed it with Apache.
Sufficient_Meet6836@reddit
What is the point of making 3 identical rip-off packages? Why not just 1?
cat_dev_null_sync@reddit
Crowd out the competition. Bury them in the search results.
SandraGifford785@reddit
AGPL has actual teeth for this kind of violation. The standard escalation path is: open a DMCA-style takedown with PyPI (they do respond to copyright complaints in practice), simultaneously file issues on the offending repos asking for compliance or attribution, and document everything for a potential FSF/SFC referral if you want to push further. The named-in-description detail makes the case much stronger, since intent is harder to dispute.
Outside_Sky_4045@reddit
this smells curry
Buttleston@reddit
oh fuck off
Buttleston@reddit
LOL their installation steps are
Weird_Search_4723@reddit
https://pypi.org/project/repobrain/
https://pypi.org/project/codesynapse/
https://pypi.org/project/repobrain/
These, right? The dude has put his GitHub link at the bottom; from there you can go to their LinkedIn.
Have you tried calling them out on LinkedIn?
Obvious_Gap_5768@reddit (OP)
Honestly hadn't tried that. Didn't even notice their LinkedIn profiles were reachable from the GitHub. Going to message him now and just ask him to take the packages down, worth trying before anything else.
fathovercats@reddit
Document all of your attempts to communicate. Meaning — make sure you have copies of every single email and DMCA request, take screenshots of the messages on LinkedIn, etc. I would also prepare a follow-up letter that includes a diff of your code vs the other repos.
Just some suggestions.
Marksta@reddit
It's really not. If PyPI is ignoring your valid DMCA and follow-ups on it for a month, they're just straight up liable as if they themselves have perpetrated the damages.
Easiest next step, send your DMCA to their CDN host Fastly. They're going to basically forward it back to PyPI, but now you have them on the clock with their CDN, who doesn't want to get implicated in copyright theft and will back out of rendering services. Also to their actual webhost if you can find that, who will pull the plug on their website for ignoring DMCAs.
Not that I want trouble for PyPI, but they really need to just handle the DMCA process... which is just take action if they so please, or at the least pass it on to the actual perpetrator, and if the perpetrator wants to go to court PyPI just hands you all their info. This sort of process should really be simple and standard at any site allowing user-uploaded content, or they're just breaking the law...
sauron150@reddit
Sad reality of the agentic era! People are forking more than generating! And resharing them without publishing the due credits! That is where you put the PR into each one of those forks and send a request to have due credit always mentioned in their repo!
IAmASquidInSpace@reddit
I swear I've seen this post on here before, a few months ago, almost the same wording, but with a different license if memory serves.
Obvious_Gap_5768@reddit (OP)
Yeah, that was me, about a month back. People suggested filing reports with PyPI and GitHub, I did both. Nothing happened. License was AGPL then too. That's why I wanted some suggestions on what I can do now.