Understanding the Usage, Impact, and Adoption of Non-OSI Approved Licenses

Understanding the Usage, Impact, and Adoption of Non-OSI Approved Licenses

Understanding the Usage, Impact, and Adoption of Non-OSI Approved Licenses Rômulo Meloca1, Gustavo Pinto2, Leonardo Baiser1, Marco Mattos1, Ivanilton Polato1, Igor Scaliante Wiese1, Daniel M German3 1Federal University of Technology – Paraná (UTFPR), 2University of Pará (UFPA), 3University of Victoria ABSTRACT 1 INTRODUCTION The software license is one of the most important non-executable The software licenses are one of the most important non-executable pieces of any software system. However, due to its non-technical part of any software system [5]. Particularly relevant to open- nature, developers often misuse or misunderstand software licenses. source software (OSS), open-source licenses not only drive how Although previous studies reported problems related to licenses one can use an OSS but also ensure to what extent others can reuse clashes and inconsistencies, in this paper we shed the light on it [19]. Similarly to software code, software licenses change [27] an important but yet overlooked issue: the use of non-approved and evolve [25]. Software relicensing is, indeed, commonplace in open-source licenses. Such licenses claim to be open-source, but open-source software world [7]. As an example, Facebook recently have not been formally approved by the Open Source Initiative relicensed four key open-source softwares from BSD + Patents to (OSI). When a developer releases a software under a non-approved MIT license1. According to them, this change was motivated by license, even if the interest is to make it open-source, the original an unhappy community looking for alternatives under permissive author might not be granting the rights required by those who licenses. This concern, however, pertains not only to large software use the software. To uncover the reasons behind the use of non- companies that maintain open-source softwares, since software approved licenses, we conducted a mix-method study, mining data license is a common good of any open-source software. Therefore, from 657K open-source projects and their 4,367K versions, and there is no surprise that software licensing is an active research surveying 76 developers that published some of these projects. field [1, 4, 16, 23]. Although 1,058,554 of the project versions employ at least one Despite of its importance, developers do not fully understand non-approved license, non-approved licenses account for 21.51% problems related to license usage [1], such as the lack of licenses or of license usage. We also observed that it is not uncommon for license inconsistencies. The way developers develop software only developers to change from a non-approved to an approved license. exacerbates this problem, since simple actions such as copying a When asked, some developers mentioned that this transition was code snippet from the web has the potential of infringing a software due to a better understanding of the disadvantages of using an non- license [12, 13]. This issue becomes even more relevant in the open- approved license. This perspective is particularly important since source era, where a constant flow of new open-source software is developers often rely on package managers to easily and quickly born at a regular basis [10]. That is, developers have a myriad of get their dependencies working. codebases to refer to, but the way they do might infringe a software license (and consequently the whole chain of software that depends CCS CONCEPTS on it). • Software and its engineering → Open source model; Another relevant yet not fully understood problem is the use of open-source licenses that have not been approved by OSI, the KEYWORDS Open Source Initiative (see Section 2 for details). Such software licenses were not formally approved by an open-source regulator Open Source Software, Software license, OSI approved and, therefore, has not been vetted to be open-source. Currently, OSI ACM Reference Format: maintains a list with 83 approved open-source software licenses2. 1 2 1 1 Rômulo Meloca , Gustavo Pinto , Leonardo Baiser , Marco Mattos , Ivanil- All these licenses went through a rigorous review process, and 1 1 3 ton Polato , Igor Scaliante Wiese , Daniel M German . 2018. Understanding not all licenses submitted are approved (e.g., the CC0 license3 has Proceed- the Usage, Impact, and Adoption of Non-OSI Approved Licenses. In been submitted but was not approved). According to their website, ings of MSR ’18: 15th International Conference on Mining Software Repositories the purpose of the OSI’s license review process is to “(1) Ensure , Gothenburg, Sweden, May 28–29, 2018 (MSR ’18), 11 pages. https://doi.org/10.1145/3196398.3196427 approved licenses conform to the Open Source Definition (OSD), (2) Identify appropriate License Proliferation Category, (3) Discourage Permission to make digital or hard copies of all or part of this work for personal or vanity and duplicative Licenses”4. Furthermore, because OSI defined classroom use is granted without fee provided that copies are not made or distributed what open source is (the Open Source Definition) it claims that for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the “only software licensed under an OSI-approved Open Source license author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or should be labeled ‘Open Source’ software.”5 republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. MSR ’18, May 28–29, 2018, Gothenburg, Sweden 1https://code.facebook.com/posts/300798627056246 2 © 2018 Copyright held by the owner/author(s). Publication rights licensed to Associa- https://opensource.org/licenses/alphabetical tion for Computing Machinery. 3https://opensource.org/faq#cc-zero ACM ISBN 978-1-4503-5716-6/18/05...$15.00 4https://opensource.org/approval https://doi.org/10.1145/3196398.3196427 5https://opensource.org/faq MSR ’18, May 28–29, 2018, Gothenburg, Sweden R. Meloca, G. Pinto, L. Baiser, M. Mattos, I. Polato, I. Wiese, D. German In this study, we investigate to what extent software licenses that community participation, a crucial aspect of modern open-source do not provide open-source guarantees (or “non-approved licenses” software[2, 18], is much more strong at the OSI side. for short) are used in open-source projects published on package To better understand the approval process and the implications of managers. Package managers are particularly relevant to license not using an OSI approved license, we conducted a semi-structured usage due to at least two reasons: (1) they are growing up faster in interview with an OSI’s board member. According to him, anybody terms of number of libraries available and packages6 published [3, can submit a license for OSI approval. During the certification pro- 28], and (2) since packages obey a standardized architecture [22], cess, everyone is invited to participate in the review and discussion installing and reusing a third-party package comes with no pain. about the license. The goal of the certification process is to make Therefore, packages published in package managers might have sure that the submitted license meets all criteria stated at the Open- a higher number of dependencies than those that do not rely on Source Definition. If the licenses satisfies the requirements setby a package manager. As we shall see in Section 4, on average, a the Open-Source definition, the license is approved. package at NPM has 4.80 dependencies (3rd Quartile: 5, Max: 792). One of the main benefits of using an OSI approved license isthe In this paper we study three well-known package managers: guarantee that OSI—and the open source community at large—has NPM (Node Package Manager), RubyGems and CRAN (The Com- vetted the license and that the license is widely known. Therefore, prehensive R Archive Network). For each one of these package man- the community can understand, trust, and use a license. Otherwise, agers, we downloaded and investigated all packages available on if there was no OSI, everyone could develop a new license and claim them. After this process, we ended up with a comprehensive list of that it was open-source; this would require that those using the 657,811 software packages scattered through the three well-known, software hire lawyers to understand such license. long lived package managers. Specifically, we investigated 510,964 This means that, even if some license is very popular in other NPM packages, 11,366 CRAN packages, and 135,481 RubyGems domains, such as the Create Commons Zero (CC0) license, software packages. Still, in order to provide an evolutionary perspective of released under CC0 is not open-source software. According to the the license usage on these packages, we studied 4,367,440 different board member, more importantly, this threat applies recursively: “if packages versions (3,539,494 on NPM and 816,580 on RubyGems, project ‘A’ (which uses an OSI approved license) depends on project ‘B’ and 11,366 on CRAN. We manually analyzed each license employed (which does not use an OSI approved license), this would be as danger- in each one of these package versions. ous as project ‘A’ not using an OSI approved license”. Nevertheless, if This paper makes the following contributions: one is interested in publishing software assets only (such as data or (1) We conducted the largest study on licenses usage and evolu- images), such open-source data can be safely released under CC0 tion targeting ∼660k packages (and their 4.3 million versions) (the requirements of the OSD does not apply for assets). A similar published in three well-known package managers (NPM, issue occurs when one does not state any license.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us