
I don't advocate people use Copilot for anything but hobby toy projects.

I have lower expectations of the rigor with which companies police their internal codebases, though. Seeing Copilot banned for internal use too is a pleasant surprise. Companies tend to be a lot more "liberal" in what kind of legal liabilities they accept for their internal tooling in my experience.




I think the bigger reason it is banned at most companies is because it's nearly impossible to know what kind of license the generated code is available under. Copilot is trained on open source codebases, which carry a number of different licensing agreements to use that code in your own codebase. Companies simply do not want to deal with using software that opens them up to unknown legal risks.

A tool can't be held accountable and can't infringe on copyright or any other law for that matter. It's more of a product. It seems to me like it's a gray area that's just going to have to be decided in court. Like, did the company that sells the tool that can very easily be used to do illegal things take enough reasonable measures to prevent it from being accidentally used in such a way? In the case of Copilot, I don't believe so, because there aren't really even any adequate warnings to the end user that say it can produce code which can only legally be used in software that meets the criteria of the original license.

This. If copilot suggests anything more than basic syntax or boilerplate I don’t use it. If it writes code I don’t understand or wouldn’t be able to write myself I won’t use it. Why? Because at the end of the day it’s my code. In what world is a good engineer submitting a PR for coworkers to look over that isn’t their code?

If this is a real issue the solution is not banning yet another tool. It’s education. Teaching engineers how to properly understand code attribution and licenses.


I thought the general consensus was that Copilot was untouchably bad for unlawfully utilizing open source code. I had forgotten it was an actual product that people could still consume.

I don't think my company even knows Copilot exists, let alone bans it.

I certainly haven't seen any message about it, nor evidence of any coworkers using it. But if they did, it'd probably get banned for that same data issue, since they're very worried about folks transferring data from their machines and tend to restrict things like most company emails being sent to third-party addresses, USB devices being used, etc.


Copilot isn't strange from a technical perspective.

The strange bit is how they are allowed to use other people's code to create derivative works (this is how I see it from my non-legal perspective anyway).

Even if it's legal (to the letter of the law, not the spirit) it leaves a sour taste.


Yeah, that's definitely the impression I get from the few Copilot examples I've seen. I've not personally used Copilot so I refrained from making absolute statements about its behavior in my top comment.

But I think the conclusion most people are settling on is that it's definitely infringing.


I’d be curious if you could get copilot to cough up its own answer on its legality.

I don't see how the way the software was built is particularly relevant.

It's just a tool used by the developer; the onus is on the developer to ensure they don't infringe the licenses of the source code they incorporate in their software. Since Copilot makes it impossible to know where it's barfing code up from and what license that code is under, a developer who cares about not getting sued probably needs to avoid using Copilot.


Okay, so Copilot isn't illegal, it's just an engine for doing illegal things? That's... not better?

I think the infringement that is relevant in practice comes from users of Copilot rather than from its authors.

My employer has banned Copilot (and presumably this app as well), for what it's worth. I'm guessing most large employers will end up doing the same if they're at all paranoid about their code, although by that time Copilot may offer an on-site version, or at least a version that can be deployed to an enterprise's cloud instance.

Yeah, it basically is concerning if you have code in GitHub or you want to play with Copilot. Can anyone who uses Copilot in a business setting reply to me? Because to me it's a nightmare to use because of the probability of it being a liability.

FWIW, this in consequence means you can't legally use Copilot without becoming liable for copyright violations, because it's essentially a black box and you have no insight into where the code it generates originated, and even if it isn't a 1-to-1 copy it might be a "derivative work".

This is why I'm gnashing my teeth whenever I hear companies being fine with their employees using Copilot for public-facing code. In terms of liability, this is like going back from package managers to copying code snippets of blogs and forum posts.


I'm okay with reuse and commercialization as long as the licensing terms of my code are adhered to. That means proper attribution, distribution of copyright notice and license, and making modified code available to users. Copilot does none of that.

Wouldn't it be the people publishing code written with Copilot that (potentially) violate any licenses? It doesn't seem to be that the tool violates anything, though it may put the _user_ at risk of violating something.

Like, don't use it if you're worried about violating licenses, but I don't see how Microsoft could get in trouble for the tool. It doesn't write and publish code by itself.


The licenses in question in this issue make it explicitly illegal for Copilot to reproduce their code.

Adding to this:

I run product security for a large enterprise, and I've already gotten the ball rolling on prohibiting copilot for all the reasons above.

It's too big a risk. I'd be shocked if GitHub could remedy the negative impressions minted in the last day or so. Even with other compensating controls around open source management, this flies right under the radar with a C-130's worth of adverse consequences.


Same here. I've directed our teams and infra managers that we must be able to block the use of Copilot for our firm's code.

I'd be very surprised if the other large enterprises that I have worked at aren't doing exactly the same thing. Too much legal risk, for practically no benefit.
