Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Ilyas Saïd Makari; Ahmed Zerouali; Coen De Roover

doi:10.1007/978-3-031-08129-3_6

Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Ilyas Saïd Makari, Ahmed Zerouali, Coen De Roover

Research output: Chapter in Book/Report/Conference proceeding › Conference paper

42 Downloads (Pure)

Abstract

It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.

Original language	English
Title of host publication	The 20th International Conference on Software and Systems Reuse (ICSR-2022)
Editors	Gilles Perrouin, Naouel Moha, Abdelhak-Djamel Seriai
Publisher	Springer
Pages	85-100
Number of pages	16
ISBN (Electronic)	978-3-031-08129-3
ISBN (Print)	978-3-031-08128-6
DOIs	https://doi.org/10.1007/978-3-031-08129-3_6
Publication status	Published - 10 Jun 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13297 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Bibliographical note

Funding Information:
Acknowledgments. This research was partially funded by the Excellence of Science project 30446992 SECO-Assist financed by F.R.S.-FNRS and FWO-Vlaanderen.

Publisher Copyright:
© 2022, Springer Nature Switzerland AG.

Copyright:
Copyright 2022 Elsevier B.V., All rights reserved.

Keywords

Open Source Software
Software Packages
Software Licenses

Access to Document

10.1007/978-3-031-08129-3_6

vub-tr-soft-22-08Accepted author manuscript, 692 KB

Cite this

Makari, I. S., Zerouali, A., & De Roover, C. (2022). Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. In G. Perrouin, N. Moha, & A-D. Seriai (Eds.), The 20th International Conference on Software and Systems Reuse (ICSR-2022) (pp. 85-100). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13297 LNCS). Springer. https://doi.org/10.1007/978-3-031-08129-3_6

Makari, Ilyas Saïd ; Zerouali, Ahmed ; De Roover, Coen. / Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. The 20th International Conference on Software and Systems Reuse (ICSR-2022). editor / Gilles Perrouin ; Naouel Moha ; Abdelhak-Djamel Seriai. Springer, 2022. pp. 85-100 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{3395b3ec0f7a4b9db614f8760ccb77fe,

title = "Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks",

abstract = "It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.",

keywords = "Open Source Software, Software Packages, Software Licenses",

author = "Makari, {Ilyas Sa{\"i}d} and Ahmed Zerouali and {De Roover}, Coen",

note = "Funding Information: Acknowledgments. This research was partially funded by the Excellence of Science project 30446992 SECO-Assist financed by F.R.S.-FNRS and FWO-Vlaanderen. Publisher Copyright: {\textcopyright} 2022, Springer Nature Switzerland AG. Copyright: Copyright 2022 Elsevier B.V., All rights reserved.",

year = "2022",

month = jun,

day = "10",

doi = "10.1007/978-3-031-08129-3_6",

language = "English",

isbn = "978-3-031-08128-6",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "85--100",

editor = "Gilles Perrouin and Naouel Moha and Abdelhak-Djamel Seriai",

booktitle = "The 20th International Conference on Software and Systems Reuse (ICSR-2022)",

}

Makari, IS, Zerouali, A & De Roover, C 2022, Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. in G Perrouin, N Moha & A-D Seriai (eds), The 20th International Conference on Software and Systems Reuse (ICSR-2022). Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13297 LNCS, Springer, pp. 85-100. https://doi.org/10.1007/978-3-031-08129-3_6

Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. / Makari, Ilyas Saïd; Zerouali, Ahmed ; De Roover, Coen.

The 20th International Conference on Software and Systems Reuse (ICSR-2022). ed. / Gilles Perrouin; Naouel Moha; Abdelhak-Djamel Seriai. Springer, 2022. p. 85-100 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13297 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper

TY - GEN

T1 - Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

AU - Makari, Ilyas Saïd

AU - Zerouali, Ahmed

AU - De Roover, Coen

N1 - Funding Information: Acknowledgments. This research was partially funded by the Excellence of Science project 30446992 SECO-Assist financed by F.R.S.-FNRS and FWO-Vlaanderen. Publisher Copyright: © 2022, Springer Nature Switzerland AG. Copyright: Copyright 2022 Elsevier B.V., All rights reserved.

PY - 2022/6/10

Y1 - 2022/6/10

N2 - It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.

AB - It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.

KW - Open Source Software

KW - Software Packages

KW - Software Licenses

UR - http://www.scopus.com/inward/record.url?scp=85132973118&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-08129-3_6

DO - 10.1007/978-3-031-08129-3_6

M3 - Conference paper

SN - 978-3-031-08128-6

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 85

EP - 100

BT - The 20th International Conference on Software and Systems Reuse (ICSR-2022)

A2 - Perrouin, Gilles

A2 - Moha, Naouel

A2 - Seriai, Abdelhak-Djamel

PB - Springer

ER -

Makari IS, Zerouali A , De Roover C. Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. In Perrouin G, Moha N, Seriai A-D, editors, The 20th International Conference on Software and Systems Reuse (ICSR-2022). Springer. 2022. p. 85-100. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-031-08129-3_6

Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Abstract

Publication series

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this