Presentation is loading. Please wait.

Presentation is loading. Please wait.

Empirical Studies on License Compliance and Copyright Inconsistency Risks in Open Source Software Shi QIU.

Published byGesche Sachs Modified over 5 years ago

Similar presentations

Presentation on theme: "Empirical Studies on License Compliance and Copyright Inconsistency Risks in Open Source Software Shi QIU."— Presentation transcript:

1 Empirical Studies on License Compliance and Copyright Inconsistency Risks in Open Source Software
Shi QIU

2 Introduction Open source license Copyright
Open source license describes the terms and conditions when OSS software is used, modified and shared. Software copyright is a special case of copyright, which is used to prevents the unauthorized copying of software.

3 Enforce package A under GPL-2.0 as well !
Definition The situation that the license of an OSS software is not compatible with the license of its dependency[1]. Copyleft license: e.g. GPL-2.0, GPL-3.0, LGPL-2.1, etc. Package A Package B Enforce package A under GPL-2.0 as well ! MIT License GPL-2.0 License [1] Daniel German and Massimiliano Di Penta. A method for open source license compliance of java applications. IEEE software, Vol. 29, No. 3, pp. 58–63, 2012.

4 Problems 1. Direct risk 2. Indirect risk 3. Self risk Name: Package6
Version: 1.0.1 License: MIT Name: Package2 Version: 1.0.4 License: GPL-2.0 2. Indirect risk Name: Package3 Version: 1.0.1 License: MIT Name: Package4 Version: 2.0.1 License: MIT Name: Package5 Version: 1.2.1 License: GPL-3.0 OSS ecosystems consist of software projects that are developed and evolve together in a shared environment. Name: Package6 Version: 1.0.2 License: MIT 3. Self risk File1 File2 GPL-2.0 MIT

5 Research Questions Research Questions Data collection
RQ1: What is the proportion of packages with license compliance risk? RQ2: Is the reuse of packages licensed under the copyleft license more likely to cause license compliance risk? RQ3: Does transitive dependency have an impact on the occurrence of license compliance risk? RQ4: What are the characteristics of license compliance risk at file level? Data collection

6 GPL-2, GPLv2, GPL 2, GNU GPL-2.0, GPL version 2, …
Method 1. Build the license dictionary 2. Build the software evolutionary dataset GPL-2, GPLv2, GPL 2, GNU GPL-2.0, GPL version 2, … GPL-2.0 Name: package7 Version License Dependency (version) 1.0.1 MIT package8 (1.0.1), package9 (2.3.1) 1.0.2 package8 (1.0.2) 1.1.0 GPL-2.0 package9 (2.4.0), package10 (1.0.1)

7 Method 3. Build the license compatibility dataset
MIT, GPL-2.0, Apache-2.0, … Name: Package1 Version: 1.0.1 License: MIT Name: Package2 Version: 1.0.4 License: GPL-2.0 19 popular licenses Name: Package1 Version: 1.0.1 License: MIT Name: Package2 Version: 1.0.4 License: GPL-2.0 [2]

8 Method 4. Detect direct and indirect risk
Name: Package1 Version: 1.0.1 License: MIT Name: Package2 Version: 1.2.1 License: MIT Name: Package3 Version: 2.0.1 License: GPL-2.0 software evolutionary dataset Name: Package4 Version: 1.2.3 License: GPL-3.0 Report Name: Package1 License: MIT Direct risks: Package4 (GPL-3.0) Indirect risks: Package3 (GPL-2.0) license compatibility dataset

9 Method 5. Detect self risk license compatibility dataset
Name: Package1 Version: 1.0.2 License: MIT File1 File2 GPL-2.0 MIT Report Name: Package1 License: MIT self risks: File1 (GPL-2.0) license compatibility dataset

10 Proportion of Risky Packages
RQ1: What is the proportion of packages with license compliance risk? Result: 2,704 packages are detected as having direct or indirect dependency risk out of 419,708 packages. The proportion is only 0.644%. We define these packages as risky packages. Answer: Packages with license compliance risk in npm is very few.

11 An Example A real example of risky packages
cstar (MIT) commander (GPL-2.0) graceful-readlink (MIT) mucbuc-filebase (ISC) walk-json (MIT) travejs (GPL-2.0) inject-json (MIT) commander and travejs packages are not compatible with cstar package.

12 Risk of Copyleft License
RQ2: Is the reuse of packages licensed under the copyleft license more likely to cause license compliance risk? Result: In npm, 4,067 packages includes at least one package licensed under the selected copyleft licenses in its dependency chain. Among them, 2,704 packages are detected as risky packages. The proportion is 66.49%. Answer: Yes, reuse of packages licensed under the copyleft license is more likely to cause license compliance risk.

13 Impact of Transitive Dependency
RQ3: Does transitive dependency have an impact on the occurrence of license compliance risk? Result: Answer: Yes, it does. The direct or indirect dependency risk has a tendency to happen in the shallow transitive dependency. Direct Dependency Indirect Dependency

14 Self Risk RQ4: What are the characteristics of license compliance risk at file level? Result: 964 packages in 2,704 risky packages are detected as having self risk as well. The proportion is 66.49%. In the 9,679,468 source code files of 2,704 risky packages, only 291,340 files are detected. The proportion is 3.01%. Answer: The packages having direct or indirect dependency risk have a high possibility of having self risk as well. The source code files causing compliance risk only take a small part of all source code files of a package.

15 Conclusion A method to detect license compliance risk and an empirical study on NPM. A method to detect copyright inconsistency risk and an evolutionary study on Linux kernel. Future Work - More OSS ecosystems - A web service for developers

Download ppt "Empirical Studies on License Compliance and Copyright Inconsistency Risks in Open Source Software Shi QIU."

Similar presentations

Open Source in Android Apps: Tips for Becoming a Good Open Source Citizen AnDevCon Kim Weins, SVP Marketing, OpenLogic.

Open Source in Android Apps: Tips for Becoming a Good Open Source Citizen AnDevCon Kim Weins, SVP Marketing, OpenLogic.
Technology Analysis LINUX Alper Alansal Brian Blumberg Ramank Bharti Taihoon Lee.

Technology Analysis LINUX Alper Alansal Brian Blumberg Ramank Bharti Taihoon Lee.
Free Beer and Free Speech Thomas Krichel

Free Beer and Free Speech Thomas Krichel
Platinum Sponsors Gold Sponsors Navigating the Open Source Legal Waters Presenter: Jeff Strauss August 14, 2013.

Platinum Sponsors Gold Sponsors Navigating the Open Source Legal Waters Presenter: Jeff Strauss August 14, 2013.
The Importance of Open Source Software Networking 2002 Washington, D.C. April 18, 2002 Carol A. Kunze Napa, California.

The Importance of Open Source Software Networking 2002 Washington, D.C. April 18, 2002 Carol A. Kunze Napa, California.
Www.iaitam.org Hot Topics in Open Source Licensing Robert J. Scott Managing Partner Scott & Scott, LLP.

Hot Topics in Open Source Licensing Robert J. Scott Managing Partner Scott & Scott, LLP.
University of Utah 1 “Free software” Remember... In the beginning, all software was free -Just a means to sell hardware.

University of Utah 1 “Free software” Remember... In the beginning, all software was free -Just a means to sell hardware.
A DAPT IST-2001-37126 Dissemination and Use Plan Revised version Ricardo Jiménez-Peris Universidad Politécnica de Madrid.

A DAPT IST Dissemination and Use Plan Revised version Ricardo Jiménez-Peris Universidad Politécnica de Madrid.
Open Source Basics: Definitions, Models, and Questions Johndan Johnson-Eilola Clarkson University.

Open Source Basics: Definitions, Models, and Questions Johndan Johnson-Eilola Clarkson University.
Provided by OSS Watch Licensed under the Creative Commons Attribution 2.0 England & Wales licence

Provided by OSS Watch Licensed under the Creative Commons Attribution 2.0 England & Wales licence
Open Source/Free Software Source code is available Extensible Can be changed, modified Freely distributed Copies Modified versions Alternatives to commercial/proprietary.

Open Source/Free Software Source code is available Extensible Can be changed, modified Freely distributed Copies Modified versions Alternatives to commercial/proprietary.
Data Management: Documentation & Metadata Types of Documentation.

Data Management: Documentation & Metadata Types of Documentation.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.
Software of Information Systems Hun Myoung Park, Ph.D., Public Management and Policy Analysis Program Graduate School of International Relations International.

Software of Information Systems Hun Myoung Park, Ph.D., Public Management and Policy Analysis Program Graduate School of International Relations International.
Selenium Web Test Tool Training Using Ruby Language Discover the automating power of Selenium Kavin School Kavin School Presents: Presented by: Kangeyan.

Selenium Web Test Tool Training Using Ruby Language Discover the automating power of Selenium Kavin School Kavin School Presents: Presented by: Kangeyan.
CHAPTER 6 OPEN SOURCE SOFTWARE AND FREE SOFTWARE

CHAPTER 6 OPEN SOURCE SOFTWARE AND FREE SOFTWARE
 Open-source software ( OSS ) is computer software that is available in source code form: the source code and certain other rights normally reserved.

 Open-source software ( OSS ) is computer software that is available in source code form: the source code and certain other rights normally reserved.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved LESSON 9  Internet Services and Tools for Business.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved LESSON 9  Internet Services and Tools for Business.
Computers and Society Examine the extent to which Richard Stallman’s GNU manifesto has succeeded in challenging the dominance of conventionally distributed.

Computers and Society Examine the extent to which Richard Stallman’s GNU manifesto has succeeded in challenging the dominance of conventionally distributed.
Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†

Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†

Similar presentations

Ads by Google