First of all, huge respect to the Ghost team. Their open source contributions are valuable, and their approach to theming enables some great-looking things. That said, some important corrections:
Substack is not "powered by Ghost". Rather, we built our own theming API that’s compatible with themes built for Ghost, including those built by third parties.
The Free Press is using a modified Tripoli theme, built by Ahmad Ajmi, under a paid license. This is how this is supposed to work. It's good for the theme developer if we support this – you should check them out here.
https://aspirethemes.com/themes/tripoli
This was relatively quick to build for Substack devs, because the structure of Ghost sites matches Substack fairly closely.
With respect to the search library, this is an open source library that we are using in a fully compliant way. John's own screen shot shows that we don't load it "from Ghost’s own CDN", it comes from jsDelivr
https://www.jsdelivr.com
This is a standard way to use an open source library. It's pulling from the version that the sodo-search maintainers published to NPM (thank you!).
It is a good point that we should lock a version, so that if they accidentally published a minor version revision with breaking changes it doesn't cause problems for us. We’ve fixed that.
We’re grateful to the developer of the Tripoli theme and to Ghost for its contributors to open source work. We’re exploring ways to give writers more customization on Substack. This is one approach we’re considering but it’s too early to know if we’ll scale it up.
And @JohnONolan, thanks for the note at the end about potential collaboration. In our minds, we’re on the same side of an important battle for a better internet. We’re definitely up to chat.
Having themes work across multiple major platforms is a boon for theme designers (and people creating blogs). It's a great idea to standardize it as much as possible.
> John's own screen shot shows that we don't load it "from Ghost’s own CDN", it comes from jsDelivr
That bit was the strangest part of the accusations, this is the Ghost CEO, he should know jsDelivr is not really "their" CDN but a generic asset host.
jsDelivr is meant exactly for this purpose though, isn't it? For JS files to be reused across different sites so it can be cached easier? Not locking versions is the only real issue here.
TIL, makes sense from a (very limited) security perspective.
CDN caching was never that useful anyway, non-cached jQuery etc downloads fast these days. Publishing libraries on a centralized public CDN, where the same URL is used across different sites is still the primary value prop for jsDelivr regardless.
Why even in brackets? It is NOT powered by Ghost. They use code so they can use Ghost themes and some search lib that was made by ghost or ghost uses as well or whatever but its NOT AT ALL Ghost.
Hi Chris! Love what you're doing with Substack. One quick thing though - this may seem weird, but Substack at the moment does not, in my opinion, offer a lot of customisation of the website. If you see a website, it's extremely easy to tell its a Substack.
Over the past year, I've only read high quality Substack posts - and my brain has sort of come to instinctively believe that if I see that specific layout, the post will be high quality. E.g. (not a very nice one) but in general, if I see the Medium layout, my brain almost immediately get turned off, believing the quality of the content to be sub-par.
I think individual theming, as in the case of The Free Press, takes away that immediate notion. I understand that the vast majority of people will not face this issue, but I think I will. I just wanted to know if you think this is an issue, and if it is, what you'll do to 'counter' it. I'd really like to hear your thoughts on this!
This is a great point, and one that we're honestly in the process of trying to make progress on.
Ideally, I would love to have both:
- Writers and creators on Substack are in complete control of the brand and feel of their publication
And:
- All publications look & work well
- Readers get the benefit of already understanding some of what this thing is, which makes it easier to subscribe with confidence
- We can continue to ship rapid improvements across all of Substack
In practice, there are tradeoffs involved here and we're trying to figure out how to push both sides as far as possible, while maintaining a simple and powerful product.
> E.g. (not a very nice one) but in general, if I see the Medium layout, my brain almost immediately get turned off, believing the quality of the content to be sub-par.
What you're saying about Substack is what people said about Medium in 2013. Just as Medium didn't go into the toilet overnight, Substack's universal theme isn't going to save it from irrelevance if the content isn't there.
Right now I would just be happy with code highlighting and formatting for my posts that wasnt utterly broken. Since last year, GitHub gist imports have had a warning message on them that is only supposed to trigger on non-printable characters, but triggers on literally every gist import for Substack.
Unfortunately, there is no other method for syntax highlighting on Substack.
Support responded after a few weeks that its on their roadmap, but considering how long its been, I'm not hopeful.
I love substack. You guys have been doing a lot for the info landscape to return to the blogsphere. But I would love you even more if there was dark mode, I want to read in bed! -sincerely a huge fan of your platform
Substack is not "powered by Ghost". Rather, we built our own theming API that’s compatible with themes built for Ghost, including those built by third parties.
The Free Press is using a modified Tripoli theme, built by Ahmad Ajmi, under a paid license. This is how this is supposed to work. It's good for the theme developer if we support this – you should check them out here.
Great set of replies and a wonderful example of why hearing both sides is important. You should definitely click and read through Chris' thread, but the final note "We’re definitely up to chat" is a great olive branch.
> One thing that’s a little disappointing: Ghost uses the MIT license, one of the most permissive OSS licenses there is. Essentially, anyone can do anything they want with our code, with ONE basic requirement: You must include copyright attribution. Which they have not.
For a SaaS app, wouldn't that copyright attribution be on the server side, where the code is (hidden from the end user)?
Is John stating he expects that copyright attribution to be in the "view source" of the HTML or some other user accessible location? What happens if that HTML/JS is minified/stripped/"compiled"?
IANAL: but I'm genuinely curious how this situation is handled.
As far as I understand it, MIT only requires you to include the attribution next to the binary so ias you guessed next to the source code on the server.
However, the js shipped to clients is usually minified and transformed which means it may count as "compiled" and thus the same rules as for binaries would apply.
Cases like these are the reason why the AGPL exists.
> Cases like these are the reason why the AGPL exists
Exactly. Not sure why they Ghost doesn't use AGPL. Still, it would have been kind of fair from Substack to approach this more open and collaboratively...
While agree that it would be nice from the Substack to give credit to Ghost, they are not required to do.
It's unfair to complain about Substack doing exactly what they are explicitly allowed to do by the company that released Ghost under that specific licence that they choose to.
Yes I agree it's unfair to complain, and I don't think Ghost is complaining (at least I don't see complaints from what John tweeted). It's more about "giving credit where credit's due" I think...
Why would AGPL have made it a no-go for Substack? Also, it looks like Ghost wants to collab but there's nothing from Substack in the Twitter thread you linekd?
IANAL but I think integrating AGPL code would affect the license of the rest of the codebase too: Substack would be forced to release the rest of their codebase as AGPL too. This is why AGPL is considered a "viral" license.
Because AGPL infects their entire service. You'll be hard pressed to find any commercial service adopting AGPL projects. Even the GPLv3 is often immiscible with commercial services. At least GPLv3 can be contained to only part of your stack.
Hey, Substack CTO here. We actually link directly to the jsdeliver CDN to use the files that get built for distribution in the sodo-search npm library. We make no modifications to the files (including not minifying them anymore than they are). The files actually do have a link at the top to the license file, which is hosted in the same directory on jsdeliver.
> The files actually do have a link at the top to the license file
That's not actually the license for the file; it's the license for the resources it includes. The license for the file is available elsewhere but is not directly linked. See my comment at https://news.ycombinator.com/item?id=33959622
Not really hard... for one there's a convention of putting an exclamation point at the start of comments that should survive the minification/compilation process, for this very purpose.
I highly doubt you can count minified as "compiled"
Minification is a form of compression. Compilation is a form of conversion from a high level to a lower level interpretation and that is fundamentally different.
If the CDN is just a part of your architecture that you voluntarily setup then you’re likely the one violating. Even if not the CDN very likely has an indemnification clause in their contract which would shift that liability back to you.
Hey, Substack CTO here. We actually don't minify or modify the files in question at all and simply link to the versions hosted on the public jsdelivr CDN (which includes a link to the license right at the top of the file)
First off: weird take, and one that would be unlikely to hold up. But secondly: what is that supposed to matter, anyway? That is, why are you litigating the definition of the word "compiled"? No finding, whether for or against your argument, would have any bearing on questions about compliance with the terms of the MIT license, so the word's definition and its significance is null. It's a total red herring and a distraction to bring up in any discussion on the topic.
If you want people who use the software you develop to pay you to use it, you should not release your software under an open source license.
You probably already knew this, I don't mean to point out the obvious. I am just confused by your comment, and others like it that frequently come up on HN these days. People saying or implying that there is something unfair about using open source software under the license terms that its developers have chosen to release it.
> For a SaaS app, wouldn't that copyright attribution be on the server side (hidden to the end user)?
I agree and my take on this is based on the way compilers generate binaries. I would not expect a compiler to inject random copyright notices in sdtout, for example. Ghost, in this case, is acting like "compiler" and the HTML can be thought of as the "output" akin to a binary generated by a traditional compiler. The MIT license (and similarly permissive ones) do not dictate software usage and thus it's output is not required to have any attribution, only source code.
Hey, Substack CTO here. We're actually not using Ghost's platform and have instead built a theming API that is compatible with third-party themes that are built for Ghost. The one piece of code that the theme uses that's developed by Ghost is the open source search library used on the frontend. In this case the theme links directly to the files that Ghost has distributed on jsdelivr via npm
Ah you may find it interesting, the GPL3 license actually does prescribe showing copyright notices in stdout [1].
> If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode ...
> The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
This is to say it is not entire unusual to have copyright notices in output.
I mean, I get it. This will be nigh impossible to codify, such that there will be reasons things can and cannot work in certain situations. This line of attack here, though, is feeling overly forced and would actually sway me to never use such licensed stuff. And I'm pretty heavy on the open source support.
Yeah it's clearly a "recommendation" and people seem to use it pretty sanely.
bash doesn't do it even if you start a subshell. I know I've seen the NO WARRANTY message flash on my screen but darned if I can find a gnu program that does it by default.
Would be nice if upstream Ghost made this easier for users. I just checked my blog and it has a default footer with a link "powered by ghost", they could just as easily have a link to the license.
> For a SaaS app, wouldn't that copyright attribution be on the server side, where the code is (hidden from the end user)?
I'm curious about this because the end user's browser is where the (copied) code is run, not on the server. That's why they need to hot-load additional code from Ghost's CDN, rather than doing so on build servers.
I think I'm safe just having a .txt file you can somehow discover and read from the same server that hosts the website. But in order to do what feels right, I always put it into an "About" section somewhere.
Hey Substack CTO here. We actually don't host, modify, or minify the client side library in question. We link directly to the jsdelivr CDN for it and the distributed files from there have a license link at the top
I've always found open source projects to build superior libraries that commercial entities always end up adopting.
I've always found commercial entities to build superior products that open source projects always end up adopting.
One makes the tools, the other assembles them and sells it.
Must be the focus on profits that helps push companies to build products users want, while the love of the craft pushes developers to make the best foundations.
> Must be the focus on profits that helps push companies to build products users want, while the love of the craft pushes developers to make the best foundations.
Shamelessly stealing this line of thinking to use in the future.
I love this line and I personally think there's nothing wrong with it (not that I'm suggesting anyone implied there is).
And this is also how I separate my work from my hobby. I'm proud of those who can make money from a hobby, but I simply do not try. The motivations are fundamentally different and it changes how much I enjoy my hobby. I wish I learned this in my early 20s. I spent years thinking, "if it can't make money or someone's done it better, it's not worth doing."
> Must be the focus on profits that helps push companies to build products users want, while the love of the craft pushes developers to make the best foundations.
Ghost is a non-profit organization that publishes it code as MIT.
You don't structure your company as such because you're wanting to generate a lot of profits nor prevent others from profiting from your work.
It seems like Substack is just embarrassing what Ghost set its charter as: a non-profit that allows others to benefit from its work.
If anything private capital funds OSS as much or more than anything else. OSS is primarily driven by time donation by the coders anyway. If they don't want companies using it there is a well established system to prevent that... it's called licensing.
It could be preying, but it doesn't have to be. In recent decades we've seen a rise of IGMFY capitalism. But there are varieties of capitalist thinking that see companies as situated in a society that they are part of in a way that gives them duties as well as rights. That's not popular today, of course, but it's not impossible that we'd return to it.
On the one hand, it does seem like it'd be nice if Substack had signed a support/integration deal with the Ghost team. That way Ghost could have gotten paid something for their hard work, and Substack could have avoided critical mistakes like the CDN security issue.
On the other hand, this seems like what success looks like for an MIT licensed project. A big company using the code to power their product without even having to contact, let alone ask permission of, anyone.
It seems to feel different for end-user applications like Ghost. But it's not actually any different than if they had powered Substack with SQLite or Postgres.
> But it's not actually any different than if they had powered Substack with SQLite or Postgres.
I disagree. It's more comprable to if they used WordPress instead of Ghost. The database is a few layers further down, whereas Ghost is basically 90% of the end product (not sure how much they've adapted, but looks like a lot from John's Tweet)
Substack is positioning themselves to their customers, which are journalists/authors, as a comprehensive alternative to having a normal job working at a newspaper or magazine. That seems to include high-touch customer support, an integrated business model with payments, a mailing list system, a distribution method, etc. It's more of a service than a piece of software.
Ghost actually seems to have jumped on Substack's bandwagon by trying to skew their blog software toward being a direct Substack alternative.
So Ghost seems to have adopted Substack's business model and Substack seems to have adopted some of their blog technology.
I don't think you understood the linked thread. The problem is not that they are using Ghost. The problem is they are not including the attribution required by the license.
Hey, Substack CTO here. We don't distribute Ghost's code at all and the only piece of code included is a client-side search library used by the third party theme. But that library is actually hotlinked and hosted on jsdelivr (via npm) with no modifications made to it what-so-ever. This includes the line at the top with the license link as Ghost originally built it
I understood that criticism but don't think it's correct, as many others have pointed out. This is MIT licensed software running on a server. Substack is not redistributing software to end users, by any common definition.
Seems like this is a bit of a clickbait. The theme is made by the substack user, substack is only using a single library from ghost to show search, and the cdn in question is jsdeliver which isn't ghost's cdn, it is basically a cdn for any open source javascript.
I quite O'Nolan's tone here. It's obviously not a collaboration as you might first expect from the top tweet (and title on HN), but he's quite gracious about it at the same time. It would be quite easy to get frustrated and outraged at Substack, we've seen it happen before. However despite the two, fairly substantial, issues he's pretty gracious about it while poking a bit of fun.
Hopefully Substack do the right thing here and correct those two problems openly. It would only be a good thing for blogging/publishing if they actually contributed back as well.
Hey, Substack CTO here. The Ghost-written code in question here is the client-side search library that the third-party theme uses. We link directly to the files hosted on jsdelivr (via npm) which in-turn uses the files Ghost built for distribution. Those files include the license link at the top, as Ghost intended, and are not modified or minified by us at all
A customer of substack is using a port of an open source ghost theme.
3: some screenshots
Of the substack sourcecode showing that they're loading an open source ghost JS search UI library from the jsdelivr CDN service.
Substack are using an open source front-end lib that the Ghost team open sourced. For other people to use.
4. Screenshots of the substack HTML sourcecode showing the classes are the same as ghost
Because they're using an open source theme ported from ghost...
6 & 7. Substack are loading the open source library from "Ghost’s own CDN"
First I've heard that Ghost have acquired Jsdelivr.
8. "directly loading scripts from our CDN on their platform is very bad for security [...] Any updates or changes we ship could inadvertently brick their whole platform"
I actually do agree that using 3rd party CDNs like Jsdelivr is bad for security (supply chain attacks are a real pain with package managers, using other people's CDNs increase that pain significantly). But... it's not Ghost's CDN & the implication that Ghost could push a release of their open source JS lib to jsdelivr that would brick consumers is pretty sinister.
9. Substack are using MIT without attribution
They're not. Already covered by multiple comments on HN & in the Twitter replies. John just doesn't understand how the MIT license he chose works.
Tbh he doesn't really seem to understand how open source works in general.
---
Note: large companies using open source code and not contributing back is a big problem. It's what Substack are doing and we should talk about it. But that conversation should be informed and fact-based. This thread is ignorance start to finish.
I used to really dislike John. I've sparred with him on Hacker News a couple of times on various issues (under a different account).
I then listened to a podcast [0] he was on and basically changed my mind on the guy. I still feel he desperately needs to hire a communications director for Ghost but I've softened my view on him as a person.
Thanks for the rec, I'll definitely try and give it a listen.
He can't be that bad if he's behind what Ghost have to date presented themselves as. He does seem to have some pretty severe gaps in technical literacy though: which is very excusable if it's not coupled with blind confidence.
You have no right to dictate what the goal of FOSS is about. It's also patronizing to claim Ghost made some kind of mistake here. They obviously picked MIT for a reason, which means they are fine with companies making profits from their unpaid work.
It's written in a very passive aggressive way. He's not congratulating substack, he's calling them out.
The attribution aspect of it seems intentionally misleading in my view. Are the MSM, who'll be chomping at the bit to attack their competitor, Substack, going to delve into the finer points of software licenses or rather just quote the tweet?
I'm not saying that Ghost should use the AGPL, I'm saying that this is a warning to other projects that use the MIT license and wouldn't want to see their work commercialized this way.
Substack support has been nonexistent for the past 6 months. I've reached out about a handful of broken features and get no response, except in one case months ago where they dismissed it in the weirdest way. Archive search does not work; ex. I have a post about monkeys, it has "monkey" in the title and the body, and when I search "monkey" it doesn't come up in results. The support response said "this is normal, just because a post has a keyword in the title or body doesn't mean it's always included in search results"...what? I asked for clarification and they never replied.
It feels like Substack has strayed from the promise of being focused on writing and email. They added "Save" and "Listen" buttons to the top of emails, which are visually prominent; and those buttons make no sense in an email. They're a trick to take people to the iOS app.
They endlessly promote new features to writers and readers and it all feels like their trying to lock you into something that's harder to migrate out of.
I've put in a couple of support requests and gotten reasonably prompt, helpful responses.
Possibly you're not a writer? They make it possible for writers to earn a decent amount of money (not that I am) and keep their copyright. Can you tell us another platform that does that better?
Hmm I had the opposite experience. I emailed them 3 or 4 bugs and they fixed it. This was several months ago though. I am a paid user to several substacks in case that matters.
That's interesting. Prior to July I did get replies, but they never fixed anything. "Thanks we'll pass this on to the dev team" but then nothing. I think that's normal but not great.
Since July I've sent emails about 3 issues and the only response I got was the one I mentioned above.
The way they used our search library is kind of interesting. They could've
copied the code locally and modified it to work with the Substack API, but I
guess Substack doesn’t have an API?
Substack doesn't have an API. Their editor is laughably primitive compared with other solutions. Their visual look hasn't changed at all since their inception. They don't have discoverability. Can anyone tell me what Substack is doing with all the millions of dollars of funding they've taken? We joke about Twitter being massively overstaffed, but Substack, to me, looks just as bloated, organizationally.
Maybe you have something else in mind when you say "discoverability", but.. https://substack.com/discover Seems they do have it.
As for the bloat, I can't really comment, but would note that Substack did substantial layoffs like everyone else.
As for what they're doing: they built mobile apps, adding podcasting and video, etc, better discoverability.
I can't say whether they've done "enough" to satisfy you, but I also don't think we should pretend Substack hasn't done any new product development work since inception.
Those are all fair responses. I guess I just haven't seen much uptake of those new features among the Substack writers that I follow. When they do podcasts, they're hosted by ACast, SimpleCast, or one of the other podcast hosting platforms out there. Videos are hosted on YouTube (like everyone else's).
I would prefer if Substack spent more resources on improving its "core" newsletter/blog experience, but I can understand, given their status as a home for controversial writers, their desire to be a self-contained service.
My understanding is that these days most technical people are wary of being locked into a single platform, so even though substack is making a pretty compelling walled garden anyone with knowledge of recent SV history is hesitant to dive head first into it. As once they get big enough they’re pretty much guaranteed to do something anti-competitive that is against the interests of their customers/users who now have no choice as the cost of leaving has grown too large.
I help with podcasts at Substack. Substack is a podcast-hosting platform like the others you describe (although in my biased opinion we have a number of other great features that set us apart). Most of the podcasts on Substack are hosted and distributed by Substack. A few Substack podcasts do point back at other platforms, but this isn't the norm.
Writers can embed youtube videos in their posts. When they do, those are hosted on youtube.
It would be sad if these, who are very tame, and not long ago would have been considered doing a mighty fine job to the side they're now rejected by, were the "biggest contrarians". Would imply a total lack of actual contrarians, and an overencompassing uniformity and party line-ism...
Then again that's what you get when you build two bipartisan monocultures of echo chambers...
"Mainstream Media" especially in contexts like these is meaningless. You seem to mean many PEOPLE don't like them. There's an argument to be made that for the average person, being attacked by a number of Substack's writers would make that average person less likely to explore their other writers offerings. Fewer readers means less revenue.
"Mainstream media" is certainly not meaningless. A good proxy would be any organ considered an "authoritative source" by Facebook: NYT, WaPo, CNN, Politico, AP, etc.
As for "fewer readers" I don't know what you mean. The "readers" are paying their money, aren't they?
Meaningless in that the phrase is used almost exclusively in the way you use it, and yet you (and others) aren't able to construct a coherent definition. Regarding your examples, Facebook was a weird choice of authority when viewership/readership are easily researched numbers. I bring this up partially because the only thing that you believe is "media" is news sources but the most popular news sources aren't "mainstream media"? There is clearly something specific you're filtering for but are unwilling to say. Until you do the term means nothing.
Wow, you're really going to elaborate lengths of pedantry here, aren't you?
"Please define 'mainstream media' and no, I'm not satisfied with your definition."
Why is this important? You could make a list of 100 news sources and ask a random sample of 1,000 people to check Yes/No on "is this mainstream media?" You would get a very high level of agreement. It's not my responsibility to give you a definition you're happy with. This isn't a scientific debate.
Your definition differs from the results offered as evidenced by your examples differing from other examples: i.e. of The Big Five[1] you picked on only the smallest, not even focusing on journalisitic enterprises because one of the larger organizations literally called "News Corp" didn't have a single of its publications make your list of news outlets. Curious.
Exhibit A: Alex Jones. Whacky conspiracy theory and snake oil peddler. It's literally in nobody's interest he be published anywhere, apart his own personal financial one.
In most cases there's probably a good reason for someone to be shunned by everyone "mainstream".
No one is worth reading solely because the “mainstream media” doesn’t like them. People who jabber complete fiction are disliked in that way. Doesn’t mean they’re worth the time.
Glenn Greenwald in particular depresses me. The days of his blockbuster stories feel like distant memories, now he just posts poorly edited (or more likely not edited at all) opinion pieces powered by nothing but rage. I genuinely don’t get why people would pay for it.
They don't have "paid gigs" there. They bring in tons of subscription revenue, and Substack gave them advances against that subscription revenue. In each case, they quickly earned out the advance.
In addition to advances they will sometimes just pay a writer to move to Substack.
> But the advances also had limitations. On a per-deal basis, we could never really do better than break-even. A Substack advance was effectively an interest-free loan that would never be paid back if a publication failed.
> With Substack Pro, we pay a writer an upfront sum to cover their first year on the platform. The idea is that the payment can be more attractive to a writer than a salary, so they don’t have to stay in a job (or take one) that’s less interesting to them than being independent. In return for that financial security, a Pro writer agrees to let Substack keep 85% of the subscription revenue in that first year. After that year, the deal flips, so that the writer no longer gets a minimum guarantee but from then on keeps 90% of the subscription revenue
Depending on the payment it's possible that a writer could lose money on this, because they would have made more from subscriptions than they did from Substack, but I'm guessing for very big names Substack is paying quite a bit more than they would have made from their first year of subscriptions.
Also, this wasn't public for a while and there's probably more that is still not public.
> We haven’t said anything about Substack Pro in public until now because we have been in a “figuring it out” phase, seeing what resonates with writers and how the deals perform over time.
> On a per-deal basis, we could never really do better than break-even. A Substack advance was effectively an interest-free loan that would never be paid back if a publication failed.
They made a ton of money on Matt Yglesias's advance. His advance was ~$250k, and he brought in two or three times that in revenue (the terms of his deal were: he gets 250k upfront, they get his first year's revenue). I'm not aware of any other writers who've published their numbers, but Greenwald, Sullivan and Taibbi all have a TON of subscribers.
Scott Alexander didn't give a number, but reported the advance was less than he would have made if he just did the default system, as of March 2022[0].
He also points out that Taibbi says "Every one of the Substack Pro writers I know would have made more money not taking the advance", which obviously includes Taibbi himself.
On the surface that’s a better deal than many publishing houses give actual book authors - some major percentage of books never “pay back” the advance and it rarely gets to be heavily author-favoring.
Yeah I don't think there's anything wrong with this kind of arrangement, writers getting paid is good. I do think it's possible that Substack is spending more than a sustainable amount on acquiring big name writers because they want to show results and growth to their investors.
Are you sure that any of those three got an advance from Substack? They don’t appear in any of the articles listing authors with paid advances except in providing commentary about the existence of such a system. They might have all even joined before Substack had its advance program.
You are otherwise correct about them not having a “paid gig”. They each built their own large paid subscriber base from which Substack takes a 10% cut. They pay Substack for the service, not the other way around.
But how else are they going to advertise that horribly full of themselves writers with subjects as interesting as How The Silicob Valley Accepted Me As Its Child And How I Made My First Million (contents: a load of self serving crap oh and also my dad is a millionaire and used his connections for me) are now writing on Substack?
It's just another Medium, except for some reason the writers there are _even more_ pompous and full of themselves.
They are not hotlinking ghost urls... JSdelivr is a giant JS CDN. Ghost is in the url because they developed the library so it's the GitHub path. You could use this library on your website right now... They open sourced it!
There's more to it than that. There are two resources involved. One is using Ghost's (jsdelivr-backed) CDN. The other is just using jsdelivr's CDN for any and every NPM package that gets published in the clear.
The asset that thefp.com is using is the one that gets loaded from the latter (the one served from the public CDN), and you can see that this was true even at the time that O'Nolan's screenshots were taken. For some reason, he mixed them up; the only evidence that we have of anyone here using the CDN that Ghost is (presumably) paying for is Ghost's own use of it themselves.
Hey, Substack CTO here. We don't hotlink to Ghost at all and instead use jsdelivr to link to client-side open-source libraries. jsdelivr is awesome btw, works with any npm module, and is fast and reliable https://www.jsdelivr.com
Totally. I feel like Ghost has integrity and wouldn't resort to shenanigans, but this is a wildly poor security posture and really a faux pas to be forcing ghost to incur CDN costs on this.
Hey, Substack CTO here. We don't distribute Ghost's code at all and the only piece of code included is a client-side search library used by the third party theme. But that library is actually hotlinked and hosted on jsdelivr (via npm) with no modifications made to it what-so-ever. This includes the line at the top with the license link as Ghost originally built it
Based on Ghost's MIT license, seems Substack using it is fine, but damn would have been nice to have at least some kind of attribution... leaves a sour taste to take without acknowledging.
Hey, Substack CTO here. We don't distribute Ghost's code at all and the only piece of code included is a client-side search library used by the third party theme. But that library is actually hotlinked and hosted on jsdelivr (via npm) with no modifications made to it what-so-ever. This includes the line at the top with the license link as Ghost originally built it
That’s not obviously clear - after all MIT software can be used to produce output that doesn’t need to include a “made by X” - and arguably that’s what ghost provides.
And they didn’t even copy the JavaScript to their own CDN …
> Based on Ghost's MIT license, seems Substack using it is fine,
As long as they provide appropriate attribution, which apparently¹ they are not so it isn't fine.
> but damn would have been nice to have at least some kind of attribution...
Not just nice, but required. From the licence: “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.”
Many projects, commercial and other OSS ones, get conformance with MIT and similar licences wrong in this way.
----
[1] Caveat: Going by the Twitter thread. I've not verified this. Maybe they have it somewhere hidden away, so are compliant but minimally so².
[2] Which would be a dick move³, but compliant.
[3] Which I wouldn't put past them as they are using Ghost's CDN to include some of the stuff instead of covering the hosting for that themselves, which is hard to think is accidental. If this is accidental then I'd never trust them from either a code quality PoV or an infrastructure security PoV.
The copyright notice and license is referenced in the JS library, that's enough.
This is literally no different from any reason person using bootstrap on their site in terms of license. Does every site powered by bootstrap have a link or attribution to Twitter?
I'd not checked personally, but the original Twitter thread suggested more than "a library" had been used.
[knee jerks back]
Though I'm assuming here, as I reply without having yet revisited the full thread, you have checked or otherwise have been furnished with new information, and are right!
Quick everyone, to the research-o-tron!
----
Update: it looks like the library was being drawn in by a 3rd party theme/add-in that isn't included in the main distribution at all. More detail elsewhere in this thread (above, unless voting has for some reason reversed).
> Caveat: Going by the Twitter thread. I've not verified this.
That's the problem. The Twitter thread is wrong.
If someone makes a fact claim that doesn't hold up under scrutiny, then consider what effect comments have when they uncritically take those claims at face value. They end up demanding/diverting attention towards what is just noise.
We have enough experience by now that we shouldn't have to relearn where hot takes go wrong, and yet here we are: in the comments on what was a #1 story on HN with dozens of people getting a false impression after swallowing unsubstantiated (and ultimately untrue) alleged facts.
in a non-gotcha world, john of ghost reaches out privately to chris (or someone else) of substack to compare notes and clarify what's going on here. but those regretful days of chivalry are long gone, aren't they? they're replaced by the superior practice of submitting your grievances to the universal jury, in the absence of the accused. civility and principle of charity be damned. a few people have highlighted the calmness of the exchange—i think the public part was absolutely unnecessary. my one-and-a-half cents.
Here's [1] the actual JS file which Substack is loading, pulled directly from the network tab on the page linked in the thread.
Notably, the first line is "For license information please see sodo-search.min.js.LICENSE.txt". But if you go to that file [2], it's not the license _for this file_; it's the licenses _for the OSS code it includes_. I suspect that Substack thought that link pointed to the actual license; I did too before I started writing this comment. Possibly that confusion has lead to some talking past each other.
The actual license is at [3], which is obvious if you know how npm packages work, and probably not obvious otherwise. I don't see a link to that file anywhere.
Seems like minimal overlap potentially if they were just using it for a theme, but the tone is a bit defensive, and I don't think that John was rude in his original tweets and more of like tongue in cheek sort of fun and offering to collaborate.
A more direct, yes we use some code, oops we will add attribution, thanks again, much appreciated, would have sufficed.
By putting this on Twitter, it immediately gets turned into something that could spawn clickbait headlines and could tarnish the company's reputation long term. Maybe John didn't mean for any of that, but his tweets don't mention the MIT licence initially and seem like they're building up an allegation.
I think Chris responded exactly like a for-profit company's CEO should, pre-emptively countering tech journalist headlines, clearly and concisely describing the situation, and still reaching out for the potential of collaboration.
You're not following/understanding what the linked Twitter threads are actually saying.
There is no mention of O'Nolan being rude (although he did make a number of untrue claims, which at least pretty negligent—but that's not a charge that the linked tweets say, either...)
There was no code use, and there was no copyright violation/failure of attribution, so there is no "yes we use some code, oops we will add attribution" called for, nor would it even be logical to do so.
Funny side-note: @substack is the wrong handle, I assume John meant to tag @SubstackInc.
AFAIK there's no formal mechanism for bidding on naming rights, but Twitter could easily set up an auction platform, take a small cut off the top, and do quite nicely.
You can request an already registered name if you own the brand. Owning the domain substack.com might be enough to prove ownership. People have been successful with this in the past.
They may not do anything about it, though, if @substack is being used. Logging into Twitter is enough to keep the account active. I don't know if that is changing with the new owner. I know that Musk said they will be making names for inactive accounts available soon.
That makes sense. It would also make sense to have auctions for high-value handles.
Or, to take a page from 'Radical Markets', twitter accounts could be associated with a reservation price (a price at which a person would definitely sell), and 'taxed' (re: charged) a proportion of that reservation price. I believe it was Patio11 who observed that his upper limit on willingness to pay for twitter would be very high. Right now, Twitter doesn't capture any of that.
That might only work for bluecheck accounts, not sure. I don't want to lose my random 10 follower account for $100, but neither do I want to pay to be a lurker
So at what point does Substack cut the man and his team a check because from the looks of his observations Substack will likely need consultation and support.
Genuinely curious (I don't know all that much about these things): To what extent does the SQLite model incentivize poor documentation since that would drive use of paid support services?
For what it's worth, SQLite's documentation is one of the best among all software I've ever used. It's clear, detailed, well-organized, and everything is documented.
Mildly off-topic, but I'm somewhat tired of the reuse of names for different software. Originally, I was confused by this post and why Substack would be using Norton Ghost. There's also the Android post-explotation framework and ImmersionRC's Ghost radio control protocol.
As long as it's a distinctly different product category / market it's not a big deal. You can usually glean the meaning from the context pretty quickly.
If one brand becomes large then the other one's can just have context added like appending "Norton" to Ghost. Or just say "Ghost blog service".
I think one of the points that Substack reverse engineered how search works. They use this package https://github.com/TryGhost/sodo-search which does not have any docs.
When John says "product engineers" does that mean "the engineers who specifically work on the code that gets used by customers"? Ie. excluding the engineers who do all the support stuff: CI/CD/testing/etc. ?
Hi Chris! Love what you're doing with Substack. One quick thing though - this may seem weird, but Substack at the moment does not, in my opinion, offer a lot of customisation of the website. If you see a website, it's extremely easy to tell its a Substack.
Over the past year, I've only read high quality Substack posts - and my brain has sort of come to instinctively believe that if I see that specific layout, the post will be high quality. E.g. (not a very nice one) but in general, if I see the Medium layout, my brain almost immediately get turned off, believing the quality of the content to be sub-par.
I think individual theming, as in the case of The Free Press, takes away that immediate notion. I understand that the vast majority of people will not face this issue, but I think I will. I just wanted to know if you think this is an issue, and if it is, what you'll do to 'counter' it. I'd really like to hear your thoughts on this!
Sleazy and disrespectful behavior by substack. Just like medium, all these publishing/newsletter platforms go to $%@& real quick. The first time I saw the "sign up to continue reading" banner I knew substack was done, this just confirms it.
--
A response to @JohnONolan here to clear up some serious misunderstandings https://twitter.com/JohnONolan/status/1602330377812643850
First of all, huge respect to the Ghost team. Their open source contributions are valuable, and their approach to theming enables some great-looking things. That said, some important corrections:
Substack is not "powered by Ghost". Rather, we built our own theming API that’s compatible with themes built for Ghost, including those built by third parties.
The Free Press is using a modified Tripoli theme, built by Ahmad Ajmi, under a paid license. This is how this is supposed to work. It's good for the theme developer if we support this – you should check them out here. https://aspirethemes.com/themes/tripoli
This was relatively quick to build for Substack devs, because the structure of Ghost sites matches Substack fairly closely.
With respect to the search library, this is an open source library that we are using in a fully compliant way. John's own screen shot shows that we don't load it "from Ghost’s own CDN", it comes from jsDelivr https://www.jsdelivr.com
This is a standard way to use an open source library. It's pulling from the version that the sodo-search maintainers published to NPM (thank you!).
It is a good point that we should lock a version, so that if they accidentally published a minor version revision with breaking changes it doesn't cause problems for us. We’ve fixed that.
We’re grateful to the developer of the Tripoli theme and to Ghost for its contributors to open source work. We’re exploring ways to give writers more customization on Substack. This is one approach we’re considering but it’s too early to know if we’ll scale it up.
And @JohnONolan, thanks for the note at the end about potential collaboration. In our minds, we’re on the same side of an important battle for a better internet. We’re definitely up to chat.