How are OSPOers handling AI-generated or AI-assisted code contributions to the projects they maintain?

[anajsana]

Discussion mirrored from TODO general slack channel

How are folks handling AI-generated or AI-assisted code contributions to the projects they maintain? Are there concerns around accepting such contributions due to potential license issues?

[anajsana]

Jordan Harband replied:

That's the same concern as any contributed code, right? like, the contributor is implying that they have the rights to the contribution

[anajsana]

John Coghlan replied:

I suppose that could be a concern. I was thinking more along the lines of licensing concerns as a result of using code generated by an AI system based on the licensing of the training data. E.g: If a model is (even partially) trained on code with a GPL license, would all of the output of that model be required to be GPL licensed?

[anajsana]

Jordan Harband replied:

if you know it's generated, I would definitely disallow it, pending a number of current court cases

[anajsana]

John replied:

are you aware of any projects that have explicitly communicated they will not accept such code?

[anajsana]

Kevin P. fleming replied:

@ John there is no answer to that question, today. there may never be an objectively-reached answer either.

[anajsana]

Anonymous person replied:

Something that a DCO could well fix. Then you at least have moved to issue to the contributor. DCO stands for Developer Certificate of Origin. So you explicitly ask the developer to confirm that they indeed have the proper rights over the code they are wanting to contribute. Therefore moving the responsibility for the possible copyright issues to the contributor.
https://github.com/apps/dco

[anajsana]

MSW replied:

Many CLAs require the individual or corporation that is the signatory to make a representation about the IP rights of contributions to the project. E.g., see section 4. of the Apache ICLA. https://www.apache.org/licenses/icla.pdf (and ask a lawyer if you have any questions about this legal instrument, I am not a lawyer...)

My personal opinion on this is that we need to continue to educate participants about how to go about open source software development in responsible and respectful ways. Respecting the rights of others is also an important part of the ACM code of ethics (https://www.acm.org/code-of-ethics). See section 1.5.

My personal belief is that it is possible to reuse existing code in ways that are responsible, customary, and beneficial to the public. And AI-powered coding assistants may be a useful tool. As a practicing software developer, I would just want specific features to feel that I am using the tool in a responsible and respectful manner.

In particular, if an AI coding tool is able to provide references to publicly available code that it was trained on that's similar to a suggestion that it produces, I can go inspect that code as it's used elsewhere. I can understand if it comes with license obligations. I can decide if the suggestion is boilerplate, de minimis, or if it might potentially embody the creative expression of another software developer.

[anajsana]

Mats replied:

Do any of the current entrants provide such references to specifics in their training material? If so, I haven't seen it.

[jlprat]

Big plus one to this option. I'm not a lawyer so I'm not really on top of the latest developments in this area, but I think it's not clear yet who would own the copyright of the code generated by an AI.

[anajsana]

MSW replied:

disclosure: this is a link to some community discussion about a service that my employer offers. I'm not directly involved in the development of this service, but I have been known to share my personal perspectives freely to teams building such things, and that might influence their product roadmap. 😅 https://lwn.net/Articles/900045/

the other bit of common CLA language that I think could be relevant to this discussion is Apache ICLA section 7.

Should You wish to submit work that is not Your original creation, You may submit it to the Foundation separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".

With the emergence of AI coding assistants, we might want to encourage conspicuous marking of what tool was used, and how it was used.

so, I guess my TL;DR personal position on this is: I don't want to see hasty "policy ban"s of emerging tools. We need to be clear what the objectives are in protecting digital public goods, and give guidance to practitioners to go about their work in a responsible way. Just like we give guidance for things like how to structure copyright notices in code, or how to respect the license obligations software developers ask for when making their work available to others. https://github.com/cncf/foundation/blob/main/copyright-notices.md

[mswilson]

(for clarity, messages attributed to "msw" are me. They are my personal opinions as an individual)

[juliancoccia]

While I am not a legal expert, I welcome input from any attorneys who can offer their perspective on this matter.

In the realm of AI-assisted software development, the rights of the developer with regard to generated code remain largely the same. It's true that both AI and developers learn from copyrighted code, much like how a developer might learn from reading code in a book. Autocomplete features in word processors have long been in use without sparking the same level of concern as AI assistance in programming.

The crux of the issue lies in the level of granularity, which is more fine-grained in human language as opposed to source code. There exists a possibility that AI-generated code might produce an exact replication of input code used during its training. Although this can also occur when a developer writes code without AI assistance, the probability is likely lower.

To ensure license compliance and prevent plagiarism, it is essential to conduct thorough code reviews. SCANOSS has made a significant contribution in this regard by developing a comprehensive Software Composition Analysis solution, which is entirely Open Source. This tool has gained widespread acceptance within the Open Source community and has been validated in European courts.

[kappapiana]

It's correct. In theory, the copyright would be of the entity who has arranged the tools that generated the machine-generated code, possibly in co-ownership with those who have selected it. But since the owner of the code-generating apparatus waves their copyright, the developer will be owner and in charge.
I also agree with the need to have a filter to avoid (even if for sheer combination) a replica of already existing code. I am pretty sure AI-generating operator already implement something, but this something might not be enough (eg., the filter only covers code to which the AI has been exposed during the learning phase).
We have used Scanoss and it is surely an option we consider for this purpose.