Posted to legal-discuss@apache.org by David Williams <da...@cynthia.io> on 2023/11/23 00:41:39 UTC

Re: Transition to Litigation Phase Regarding License Violation

Roman,

Please look at POM files before making claims about licenses.

https://github.com/natf17/shopify-embedded-app/blob/master/pom.xml

Best regards,

David George Williams
+1 (310) 266-9401
Founder & Creator of Cynthia | Cynthia.io<https://cynthia.io/>
Artificial Intelligence on Demand

Confidentiality Notice:

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information protected by law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this email is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.

If you are not the intended recipient(s), you are also hereby notified that disclosing, copying, distributing, or taking any action in reliance on the contents of the information contained herein is strictly prohibited and may be unlawful.

Cynthia.io Inc. is incorporated under the laws of the State of Delaware and has a principal place of business in California.

From: David Williams <da...@cynthia.io>
Date: Saturday, November 18, 2023 at 1:01 AM
To: board@apache.org <bo...@apache.org>, legal-discuss@apache.org <le...@apache.org>, vp-legal@apache.org <vp...@apache.org>, rvs@apache.org <rv...@apache.org>
Cc: Todd Welling <to...@overdose.digital>, Jenny Mesdag <je...@overdose.digital>, Jimmy Fursman <ji...@overdose.digital>, Bobby Jaffe <bo...@overdose.digital>, salvatore.boenzi@overdose.digital <sa...@overdose.digital>, Rheaume, Warren <Wa...@dwt.com>
Subject: Transition to Litigation Phase Regarding License Violation

Dear Apache Software Foundation Team,

I hope this message finds you well.

Over the recent period, we have endeavored to keep you fully informed about the license violation we have identified, involving the unauthorized use of software protected under the Apache 2.0 License by Overdose Digital. We appreciate the guidance you have provided thus far.

As the situation has not resolved to our satisfaction, we find it necessary to proceed to the next appropriate phase of our legal strategy, which will involve formal litigation. This step is taken with a heavy heart, as we hold the principles and values of the open-source community in high regard.

Please be assured that our legal team will handle all proceedings with the utmost respect for the rules and traditions of the ASF. We anticipate that we may require further assistance from the ASF to ensure that our processes align with all requisite legal requirements. We will reach out accordingly to request any necessary information or documentation.

Thank you once again for your attention to this matter. We look forward to resolving this issue in a manner that upholds the integrity of the open-source community and the licenses that protect it.

Warm regards,

David George Williams

________________________________
From: David Williams <da...@cynthia.io>
Sent: Monday, November 6, 2023 9:15:24 AM
To: board@apache.org <bo...@apache.org>; legal-discuss@apache.org <le...@apache.org>; vp-legal@apache.org <vp...@apache.org>; rvs@apache.org <rv...@apache.org>
Cc: Todd Welling <to...@overdose.digital>; Jenny Mesdag <je...@overdose.digital>; Jimmy Fursman <ji...@overdose.digital>; Bobby Jaffe <bo...@overdose.digital>; salvatore.boenzi@overdose.digital <sa...@overdose.digital>; Rheaume, Warren <Wa...@dwt.com>
Subject: FW: Formal Notification of License Violation and Request for Guidance


Subject: Update on Legal Matter Engagement with Mr. Roman Shaposhnik



Dear Board of Directors,



I hope this message finds you well.



I am writing to inform you that we have engaged with Mr. Roman Shaposhnik regarding a legal matter concerning the alleged misuse of software protected under the Apache License by Overdose Digital. Mr. Shaposhnik has been presented with a detailed response to his initial inquiries, providing clarity and substantiating our position with respect to the issue at hand.



We are committed to transparency and thoroughness in this dialogue and have taken steps to ensure that all communications are of a professional standard, accurately detailed, and reflective of the situation's gravity. Our interactions with Mr. Shaposhnik are ongoing, and we are prepared to maintain this level of discourse throughout any potential court proceedings.



Please rest assured that we respect the procedures and responsibilities of the ASF and aim to uphold the integrity of the licensing arrangements that protect open-source software. We believe that direct communication with Mr. Shaposhnik is the most effective course of action and we are dedicated to resolving this matter in accordance with the principles and guidelines set forth by the ASF.



We appreciate the Board’s attention to this matter and are available should you require further information or wish to discuss any aspect of this situation in more detail.



Thank you for your time and understanding.



Best regards,




David George Williams

+1 (310) 266-9401

Founder & Creator of Cynthia | Cynthia.io<https://cynthia.io/>
Artificial Intelligence on Demand




From: David Williams <da...@cynthia.io>
Date: Monday, November 6, 2023 at 9:10 AM
To: Roman Shaposhnik <rv...@apache.org>
Cc: vp-legal@apache.org <vp...@apache.org>, Rheaume, Warren <Wa...@dwt.com>, Todd Welling <to...@overdose.digital>, Jenny Mesdag <je...@overdose.digital>, Jimmy Fursman <ji...@overdose.digital>
Subject: Re: Formal Notification of License Violation and Request for Guidance

Dear Roman,



Thank you for your prompt and thorough response. I appreciate your need for clarity on this matter and will address each of your questions accordingly.



Re: Licensing Under ASF



Concerning your question about the Apache License for the software hosted at https://github.com/natf17/shopify-embedded-app, the licensing information is indeed available and can be found here: https://central.sonatype.com/artifact/com.ppublica.shopify/shopify-embedded-app/1.0.0-RELEASE/overview. Please find attached a screenshot from this link that clearly shows the license as Apache 2.0.






Re: Access to Overdose Digital's Delivery

Regarding your second query, the overall delivery from Overdose Digital is not open source and is not available in a public repository for review. However, I am attaching three tarfiles containing the relevant code for your perusal. We are prepared to grant access to the repository if required for court proceedings, understanding the sensitivity and confidentiality of such legal matters.



Re: Next Steps and Desired Outcome

In response to your third question, while we are reporting this incident as a violation to you, we are separately pursuing the return of our retainer from Overdose Digital. We have been put in an untenable position by Overdose Digital's actions, which have shown a disregard for legal obligations and ethics. We do not intend to maintain a working relationship with an entity that engages in such practices.



Re: Communication with Overdose Digital

Finally, in answer to your last question, we have indeed contacted Overdose Digital regarding this issue. We have stated our position and our desired outcome clearly—that Overdose Digital must comply with the Apache License terms.



We respect the ASF's position and acknowledge that you may not have standing in this matter. Nonetheless, we felt it necessary to inform you due to the involvement of software that is purported to be under the Apache License. Your guidance in these initial stages has been invaluable, and we will proceed with contacting the original developer as you suggested.



Thank you once again for your time and assistance. We are prepared to cooperate fully in any capacity that would aid in resolving this matter according to legal and ethical standards.



P.S. Roman, it's important to note that upon initial delivery of the software by Overdose Digital, we conducted a meticulous review and within approximately three hours, we were able to trace the origin of the code. Following this discovery, we took immediate action to safeguard our interests: Overdose Digital was denied further access to our repository, and the affected branch was secured. Since then, we have dedicated our efforts to develop new, entirely original code to ensure that we maintain the integrity of our projects and uphold the values of open source software.



Best regards,




David George Williams

+1 (310) 266-9401

Founder & Creator of Cynthia | Cynthia.io<https://cynthia.io/>
Artificial Intelligence on Demand




From: Roman Shaposhnik <rv...@apache.org>
Date: Monday, November 6, 2023 at 5:57 AM
To: David Williams <da...@cynthia.io>
Cc: vp-legal@apache.org <vp...@apache.org>, Rheaume, Warren <Wa...@dwt.com>, Todd Welling <to...@overdose.digital>, Jenny Mesdag <je...@overdose.digital>, Jimmy Fursman <ji...@overdose.digital>
Subject: Re: Formal Notification of License Violation and Request for Guidance

Hi David!



Thanks for contacting me. Please make sure to go over my response and answer every question I ask as clearly as you can:



On Mon, Nov 6, 2023 at 3:19 PM David Williams <da...@cynthia.io> wrote:

Dear Vice President, Legal Affairs, Apache Software Foundation,

I am writing to you in your capacity as the Vice President of Legal Affairs at the Apache Software Foundation (ASF) to formally notify you of a matter that significantly concerns the integrity of software protected under the ASF's purview,



Just to be extremely clear: the software package you identified over at https://github.com/natf17/shopify-embedded-app is most definitely NOT under the ASF's purview. In fact, I am not even sure it is covered by the Apache License, since I didn't find any licensing attribution at that URL.



QUESTION #1: What makes you think the software over at https://github.com/natf17/shopify-embedded-app is under the Apache License?



and to seek guidance on the ASF’s policies and procedures in handling such issues.



We have identified an instance where Overdose Digital has delivered to us a derivative work based on the repository located at:



https://github.com/natf17/shopify-embedded-app



Upon our investigation, it has become clear that Overdose Digital has redistributed derivative works based on the code protected under ASF licensing, corresponding with artifacts found at the provided link, without adhering to the attribution requirements outlined in the Apache 2.0 License.



QUESTION #2: is the overall delivery from Overdose Digital open source and available in a repository where I can take a look to verify your claim?



Specifically, Overdose Digital has failed to provide any attribution to the original author(s), as mandated by the license's terms for redistribution, and has instead wrongfully passed off the work as their own creation.



https://central.sonatype.com/artifact/com.ppublica.shopify/shopify-embedded-app/1.0.0-RELEASE/overview



I don't see anything that has to do with Overdose Digital at the above URL. The above URL is controlled by the original developer of the software in question.



 https://www.apache.org/licenses/LICENSE-2.0



The specific GitLab commit in question is identified as:

8bd800dd2d5cb54880b12a9f42443ee06f7953e8



Please be advised that this evidence has been securely locked, protected, and preserved, with the intention to be presented in a court of law, should it be necessary.



See my question #2 above -- unless that evidence can be made public, I'm afraid there's not much I can do to help.



The problem being -- you effectively are asking me to trust your legal judgement in a matter that can be extremely complex and nuanced.



But even if I trust you, see my QUESTION #3 below



Given the gravity of this situation, and in light of ASF's commitment to protecting open-source software and its contributors, we are reaching out for your expert advice on how the ASF typically proceeds in matters where its licensed software has been used in violation of its terms.



Since there's not a single line of ASF governed software that you have referenced so far -- ASF has no legal standing in this. The software package you identified belongs to the user https://stackoverflow.com/users/9773274/natfar and I suggest you contact that person if you want to help them right the wrong that Overdose Digital has allegedly perpetrated. It appears you can reach that person over at natfar.dev@gmail.com



Feel free to CC me on your communication with natfar.



Your guidance will be invaluable in determining our next steps



QUESTION #3: what are the next steps you are thinking of? Is your desired outcome simply to make sure Overdose Digital abides by the Apache License terms?



QUESTION #4: have you contacted Overdose Digital to clearly state your desired outcome?



and ensuring that the integrity of ASF-licensed software is maintained. We stand ready to provide any additional information required and are prepared to assist in any investigations or actions that the ASF deems appropriate.



We look forward to your prompt response and thank you in advance for your attention to this critical matter.



Thanks,

Roman.