The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app—he also created separate apps designed to bypass MuseScore Pro subscription fees.
After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray—known on GitHub by the moniker "workedintheory"—to get to the bottom of the controversy.
What’s MuseScore?
Before we can talk about how Muse Group got itself in trouble, we have to talk about what the MuseScore app itself is—and is not. The MuseScore application provides access to sheet music, including legitimate access to sheet music copyrighted and owned by large groups such as Disney.
It's important to note that the application itself and the sheet music to which it provides access are not the same thing, and they are not provided under the same license. The application itself is GPLv3, but the musical works it enables access to via musescore.com have a wide variety of licenses, including public domain, Creative Commons, and fully commercial.
In the case of commercial all-rights-reserved scores, Muse Group is not generally the rightsholder for the copyrighted work—Muse Group is an intermediary that has secured the rights to distribute that work via the MuseScore app.
According to Muse Group, MuseScore is the most popular application of its kind—it claims more than 200,000 musicians find scores on it every day from a repository of more than 1,000,000 publicly available scores. It also claims more than 1,000 new scores are uploaded to the service each day.
What’s Muse Group’s beef with Xmader?
While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total—all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository.
Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020).
Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded.
For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself—and this has several important implications.
Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads.
Further, those downloads can often cost the distributor real money—a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score—in many cases, based on the number of downloads made.
Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).
What’s the OSS community’s beef with Muse Group?
In February 2020, MuseScore developer Max Chistyakov sent Xmader a takedown request—which Xmader republished as an issue on GitHub—for musescore-downloader. He declared that Xmader "illegally use[s] our private API with licensed music content." Chistyakov goes on to state that much of the content in question is licensed to Muse Group by major publishers like EMI and Sony and that Xmader's downloader violates those rightsholders' rights.
Chistyakov then threatens that, if the repositories in question are not closed, he will have to "transfer information about you to our lawyers who will cooperate with Github.com and Chinese government to physically find you and stop the illegal use of licensed content." (This cryptic reference to the Chinese government will come up again later.)
In June 2020, MuseScore's Daniel Ray (aka workedintheory) responded to the GitHub issue "to see if we may be able to resolve this situation without need for further processes." Ray discussed legal issues of copyright and distribution with Xmader and various Github users for several months. For the most part, those discussions were devoid of acrimony. In October 2020, Ray declared that he "gave ample time for response, but now must proceed with requesting takedown from GitHub."
Unfortunately, this proved less simple than Ray imagined—while musescore-downloader facilitates unlicensed downloads of DMCA-protected works, it does not itself contain those works, which means GitHub itself can ignore DMCA takedown requests. This stalled takedown efforts at Github, and in the months-long absence of continued feedback from Muse Group, commenters on the GitHub thread declared themselves victorious, and the thread languished untouched from December 2020 to May 2021.
The dormant controversy returns
In May 2021, interest in the GitHub issue returned, possibly due to cross-referencing by GitHub user "marcan" from the telemetry pull request on the Audacity repository (that repository is also owned by Muse Group). In June, the musescore-downloader extension for Google Chrome was removed from the Chrome Web Store due to a trademark claim, and in July, freelance journalist Arki J. Kirwin-Muller (aka "kirwinia") requested permission of all involved to quote their Github posts.
Kirwin-Muller's request brought Ray out of the woodwork again to offer further explanation of Muse Group's side of the controversy. Ray states that musescore-downloader and musescore-dataset violate US Code Title 17, which regulates copyright enforcement in the US, linking directly to § 1201 (circumvention of copyright protection systems) and, more seriously, § 506 (criminal offenses).
Ray goes on to state that he has "hesitated" (for well over a year) in prosecuting these alleged offenses due in part to Xmader's personal status. In addition to the potentially draconian legal penalties associated with Title 17 itself, Ray fears that criminal prosecution could result in Xmader being deported from his current country of residence.
Deportation, too, could be worse for Xmader than most—he is highly and publicly critical of the Chinese government and, in another Github repo, notes himself that he might one day be arrested for that criticism.
Ray winds up addressing Xmader directly, stating that he is "young, clearly bright, but very naive," and asking, "do you really want to risk your entire life so a kid can download your illegal bootleg of the Pirates of the Caribbean theme for oboe?"
There are two obvious ways to interpret Ray's closing question. Is it an earnest appeal, or is it a thinly veiled and very public threat? Most of the community appears to have opted for the latter.
It’s about the content, not the code
Before writing this piece, Ars spoke to Ray himself via phone. During our conversation, Ray came across as earnest and passionate about both music and open source software. Unprompted, he made clear that Muse Group has no issue with forking the code itself—in fact, the company encourages doing so; Ray expressed unconflicted understanding and appreciation of forks as a vital part of "how free software—I'm a free software guy specifically, and I suspect you know the difference—is done."
Ray went on to point out that, when Muse Group first acquired MuseScore, none of the content was properly licensed—in short, MuseScore was a piracy hub. According to Ray, the original MuseScore was "on the verge of being shut down by music publishers and rights groups" when it was acquired by Muse Group. This becomes important both to explain Muse Group's necessary due diligence in responding to musescore-downloader and also to his clumsily expressed concern for Xmader—even if Muse Group ignored musescore-downloader, the odds of rightsholders such as Sony, Disney, and BMI ignoring it once it comes to their attention seem close to nil.
We pressed Ray about licensing. We wanted to get a better idea of his—and Muse Group's—true open source bona fides. One controversial aspect of Muse Group's recent acquisition of open source audio editor Audacity involved a license change—from GPLv2 to GPLv3. Ray explained that the GPLv3 license change was necessary to allow incorporation of the VST3 digital signal processing library, which is itself licensed GPLv3.
Ray also explained that Muse Group reached out to all 117 individual contributors to the Audacity project to request permission for the license change. He said that more than 90 of those contributors responded and that every response was a "yes"—and the remaining contributions were easy enough to simply refactor.
A quick "sniff check" with git-blame makes this sound reasonable—roughly speaking, 99 percent of Audacity's total code comes from only 30 people. As is the case with many open source projects, the majority of individual contributors are "drive-bys" who write a few lines of code to solve an immediate problem, then disappear. In addition, Audacity's most prolific contributor—who is single-handedly responsible for 28 percent of its total lines of code and more than 50 percent of the last two years' commits to the project—is a current full-time Muse Group employee.
Conclusions
We can't make absolute statements about the real intentions of Ray or Muse Group. We can only comment on their actions. That said, we've spent hours reviewing the company's interactions with the open source community as well as speaking directly to Ray himself—and it seems difficult to make a case for malice, rather than simple ham-handed public relations.
Ray (for MuseScore) and Tantacrul (head of design for Audacity) each spent enormous amounts of time patiently interacting directly with the upset open source community, attempting to explain the takedown request of musescore-downloader and the proposed addition of basic telemetry in Audacity. Tantacrul himself is a well-known composer and software designer (for example, he contributed heavily to Ubuntu Touch), and Ray is clearly both enthusiastic and knowledgeable about open source software.
The worst facet of Muse Group's attempt to take down musescore-downloader is its discussion of Xmader's status as a Chinese expat and warnings of the possible draconian consequences for him should litigation begin. On face value, it's easy to interpret this as a thinly veiled blackmail attempt—but given Muse Group's repeated and lengthy attempts to engage with the community on a direct, personal level, we don't find that likely.
It seems much more likely that Ray's statements should be taken exactly at face value—as earnest, if ham-handed, concern about a bright, young developer's future and a desire to avoid hurting him in the process of exercising Muse Group's own necessary due diligence. Assuming that's the case, Muse Group's next acquisition should probably be a public relations firm instead of a software project.
223 Reader Comments
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
In short they trust the client to decide whether it's entitled to download the score. That's fundamentally flawed. This problem has been demonstrated since November 2019. Convincing someone to take down a fork is not a solution, it's just kicking the can down the road. They've had almost two years to implement a real solution. Why haven't they?
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
Exactly. My sense is that MusicScore has no interest in the hard work/significant contracting costs required to fix their repository access and API issues so is trying to fix with legal threats instead.
Seems like they could fix this unilaterally, if they'd just stop letting the client app decide what content it can legally access or not.
I guess Xmader could be on the hook for contributing to the infringement, a la Napster, but fundamentally this seems just like if Netflix was dumb enough to provide an open API that let any client app stream movies just by saying "oh, sure...I'm authorized, you can trust me."
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
Agree. The issue is very similar to the situation with cryptosystems. Any cryptosystem has two basic components: the algorithm, which is the mathematical 'recipes' for generating the encryption, which are typically very public (so multiple implementations can be made as well as peer review conducted); and the keying data, which is used by the algorithm to generate a specific encryption and must be kept secret by the parties to a specific communication.
It sounds like they have either neglected to implement a security layer at all on the central data store(s) used for scores, or have included the keys for such within the FOSS-licensed code itself. That's a fundamental error. Those keys are not properly speaking part of the application's code base, but rather a type of user data. They shouldn't come under the licensing regime at all.
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
In short they trust the client to decide whether it's entitled to download the score. That's fundamentally flawed. This problem has been demonstrated since November 2019. Convincing someone to take down a fork is not a solution, it's just kicking the can down the road. They've had almost two years to implement a real solution. Why haven't they?
Well, true. It is on MuseScore to find a better solution. Though I can imagine in the music community there are few legacy devices that might not be happy about changing something as fundamental, hence simply stop working. I don't know, maybe they have stuff implemented into epianos? Good luck updating them.
Mostly however, just because hacking is possible doesn't make it right. And it's also true that the music industry has many ruthless players that could bring the guy into serious trouble.
If you wanna fight Disney, Sony, and EMI in hand to hand combat you can’t punch them in the mouth and then just stand their slack jawed whining about how mean they are when they fight back.
I’m not here to argue about the morality of IP & Piracy, but if you’re gonna do it, git gud.
Especially if you have so much gd exposure like you’re a resident vulnerable to deportation to an unfriendly home country.
Last edited by panoptotron on Wed Jul 21, 2021 8:15 am
Well, true. It is on MuseScore to find a better solution. Though I can imagine in the music community there are few legacy devices that might not be happy about changing something as fundamental, hence simply stop working. I don't know, maybe they have stuff implemented into epianos? Good luck updating them.
Mostly however, just because hacking is possible doesn't make it right. And it's also true that the music industry has many ruthless players that could bring the guy into serious trouble.
You can't just throw the term "hacking" at it when it's clearly not, it's just accessing data via an API. That isn't hacking, no more than scanning in a page of a book or clicking a link someone told you not to click.
While I agree to question whether it's right, musescore-dataset sounds like an incredibly dumb idea to distribute considering it's just a collection of copyrighted works, it's an easy solution. The epiano shouldn't have to change as it's passing credentials somewhere in there, all MuseScore need to do is verify the credentials before granting access.
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
Exactly. My sense is that MusicScore has no interest in the hard work/significant contracting costs required to fix their repository access and API issues so is trying to fix with legal threats instead.
What I'm confused about is why they weren't using API keys or OAuth to begin with. Those are completely standard technologies that have been around for years, are explicitly designed to support this exact use case, and have numerous robust library implementations. Just how old is this API?
Still doesn’t excuse the original system design though.
I am very surprised no one mentioned the possible CFAA violation in the discussions.
The problem is on MuseScores side, the the apps in question are simply POC of the vulnerability. Removing the apps doesn’t fix the problem.
CFAA doesn't care about the security level. It considers unauthorized access.
True, it should have been better secured, but that is irrelevant to the matter of willful CFAA violation
You can't just throw the term "hacking" at it when it's clearly not, it's just accessing data via an API. That isn't hacking, no more than scanning in a page of a book or clicking a link someone told you not to click.
While I agree to question whether it's right, musescore-dataset sounds like an incredibly dumb idea to distribute considering it's just a collection of copyrighted works, it's an easy solution. The epiano shouldn't have to change as it's passing credentials somewhere in there, all MuseScore need to do is verify the credentials before granting access.
While I wouldn’t consider it hacking in the sense of skilled attack, I’d consider it hacking in the sense of gaining unauthorized access. It’s kind of like B&E. You may have simply turned the unlocked doorknob instead of picking the lock, but you still entered illegally.
I don’t have a bone to pick with the rest of your comment. I am just surprised some are placing the onus on Muse for having failed to secure access rather than on users to not take stuff that isn’t theirs.
This feels kinda funny, like it isn't neutral or something, but I can't quite put my finger on it.
This feels kinda funny, like it isn't neutral or something, but I can't quite put my finger on it.
Jim has come out swinging twice on behalf of Muse Group, and he was even stronger in the last article. And it doesn't feel like he's even trying to involve the other side in either case; he's extremely dismissive of those who hold different views, to the point of simply poopoohing them.
It feels more like a blog post than journalism to me.
The article mentions 200,000 downloads a day, though not how much of that is licensed content.
Just because it's a niche site doesn't mean that losing the subscriptions that pay for the licenses doesn't hurt.
Muse: ham-handed and not good at security.
Xmader: built a piracy app to bypass their poor security.
Neither one looks great here, but I'll side with the people paying for composers' work.
What I'm confused about is why they weren't using API keys or OAuth to begin with. Those are completely standard technologies that have been around for years, are explicitly designed to support this exact use case, and have numerous robust library implementations. Just how old is this API?
I imagine the API is as old as it was when the program was "effectively a sheet music piracy tool", which, as such, wouldn't have needed any way to determine what is and isn't legal to download for a particular user.
Which makes me wonder why that wasn't the very very very first thing that was changed when the program was acquired by a license-compliance oriented organisation! I, too, don't see any reason to let Muse off on that front!
Well, true. It is on MuseScore to find a better solution. Though I can imagine in the music community there are few legacy devices that might not be happy about changing something as fundamental, hence simply stop working. I don't know, maybe they have stuff implemented into epianos? Good luck updating them.
Mostly however, just because hacking is possible doesn't make it right. And it's also true that the music industry has many ruthless players that could bring the guy into serious trouble.
If I had to guess the transition from piracy hub to legitimate service involved some shortcuts that are now creating legacy issues. Can MuseScore determine on the server side whether a score acquired by a user in 2005 was legitimate or piracy?
This becomes even further complicated given another repo of his - Fuck 学习强国, which is highly critical of the Chinese government. Were he deported to China, who knows how he may be received.
The idea that this was "ham-handed" is undermined by the following, which makes quite clear that Ray knew how his comments would be interpreted.
This feels kinda funny, like it isn't neutral or something, but I can't quite put my finger on it.
Maybe they reached out to Xmader for comment, but didn't receive one. If so, that should be mentioned in the article.
The Register wrote an article about this where they did get statements from Xmader:
https://www.theregister.com/2021/07/20/ ... on_threat/
Xmader has commented on the related Github issue threads:
https://github.com/Xmader/musescore-downloader/issues/5
https://github.com/Xmader/musescore-dow ... issues/130
The part the article doesn't make clear is why Xmader doesn't just take the offending repositories down. Does he somehow think he has the right to the copyrighted material because it's inadequately protected, or does he not understand the issue of theft?
In short they trust the client to decide whether it's entitled to download the score. That's fundamentally flawed. This problem has been demonstrated since November 2019. Convincing someone to take down a fork is not a solution, it's just kicking the can down the road. They've had almost two years to implement a real solution. Why haven't they?
When I worked on VPN software, our motto was "never trust the client". Same idea.
While that sounds like a reasonable interpretation of Ray's statements, I'm not sure how Chistyakov's:
It's as blatant as a mobster's "This is a nice shop, shame if anything were to happen to it."
From the quotes in the Register article, he seems to view himself as the righteous one:
https://www.theregister.com/2021/07/20/ ... on_threat/
"My project has existed long before the API closure, and the project was initially designed to eliminate the need of an account to download a score, utilizing the API," he said. "I believe my project was primarily the reason for the API closure, and many developers were not informed, asking why the API was closed."
"MuseScore illegally paywalled all of the downloads, not because they are protected by copyright laws, but because they want to monetize the contents on their platform after the acquisition," he elaborated. "In contrast, the musicians cannot receive a penny for their work. MuseScore does not own any of the 'copyrighted' work, and indeed many of the work are under public domain or creative commons. Therefore, they cannot fill any DMCA requests on anyone else's behalf."
Note that by "API closure," he means the old API that was open to all developers was closed, and a new API that was meant to be only accessed by the official MuseScore client was created. Xmader allegedly reverse engineered the way the MuseScore client accessed the new "private" API to modify his app to be able to access those files again.
[_] the repository hunt is wrong
yeah, those sound like soil for tedious essay conversations, I'll leave that to others and take the escape pod others have:
[x] the repository hunt is futile
*unless the original hole is plugged
So, snipping some of this, does this part that imply the MuseScore project was originally not paywalled, and later was? Trying to understand for a bit more context
So, snipping some of this, does this part that imply the MuseScore project was originally not paywalled, and later was? Trying to understand for a bit more context
It at least wasn't licensed:
Ray went on to point out that, when Muse Group first acquired MuseScore, none of the content was properly licensed—in short, MuseScore was a piracy hub. According to Ray, the original MuseScore was "on the verge of being shut down by music publishers and rights groups" when it was acquired by Muse Group.
If they were originally running a piracy hub for profit, I would have expected them to have already been shut down, but I don't know for certain.
So, snipping some of this, does this part that imply the MuseScore project was originally not paywalled, and later was? Trying to understand for a bit more context
Yes, this is mentioned in the Ars article.
MuseScore started as a company that had an open source client with an online database that had basically unrestricted download of scores, including a lot of pirated/unlicensed scores.
https://en.wikipedia.org/wiki/MuseScore ... ght_issues
Ultimate Guitar acquired MuseScore and later renamed itself to Muse Group:
https://musescore.org/en/node/269605
https://mu.se/about
Another example of someone from China ripping off someone from the west, with the intent to steal copyrighted works / intellectual property.
In other words, a normal day for many Chinese "entrepreneurs".
No, the exact opposite. It's was a piracy hub that people are mad that it's going legit.
Last edited by xaxxon on Wed Jul 21, 2021 1:03 am
In the name of that other repo, Fuck-XueXiQiangGuo, the bolded part is pinyin for 学习强国,with Xi being the same character as Xi Jinping's last name. The term originally means "education is the way to strengthen the country," but has taken on the new meaning of "study the thoughts of Chairman Xi to strengthen the country" due to the convenient homonym, much like Maoist/Leninist slogans back in the old days.
Xmader's comments in Chinese expressed his strong distaste for the cult of personality worship building around Xi, uniformity in thought, and formalism.
Last edited by PandaCheese on Tue Jul 20, 2021 10:25 pm
Another example of someone from China ripping off someone from the west, with the intent to steal copyrighted works / intellectual property.
In other words, a normal day for many Chinese "entrepreneurs".
No, the exact opposite. It's was a piracy hub that people are made that it's going legit.
Yep. And that seems to be the reason why everything is client side. The original app was just a way to get hold of pirated files and display them. You can change that to a licensed model pretty easily, but you can't prevent someone simply rewriting the client to remove any protections without changing the very essence of how the app works.
You must login or create an account to comment.