License Incompatibilities in Software Ecosystems

March 03, 2022 Β· Declared Dead Β· πŸ› arXiv.org

πŸ‘» CAUSE OF DEATH: Ghosted
No code link whatsoever

"No code URL or promise found in abstract"

Evidence collected by the PWNC Scanner

Authors Rolf-Helge Pfeiffer arXiv ID 2203.01634 Category cs.SE: Software Engineering Citations 2 Venue arXiv.org Last Checked 4 months ago
Abstract
Contemporary software is characterized by reuse of components that are declared as dependencies and that are received from package managers/registries, such as, NPM, PyPI, RubyGems, Maven Central, etc. Direct and indirect dependency relations often form opaque dependency networks, that sometimes lead to conflicting software licenses within these. In this paper, we study license use and license incompatibilities between all components from seven package registries (Cargo, Maven, NPM, NuGet, Packagist, PyPI, RubyGems) with a closer investigation of license incompatibilities caused by the GNU Affero General Public License (AGPL). We find that the relative amount of used licenses vary between ecosystems (permissive licenses such as MIT and Apache are most frequent), that the number of direct license incompatibilities ranges from low 2.3% in Cargo to a large 20.8% in PyPI, that only a low amount of direct license incompatibilities are caused by AGPL licenses (max. 0.04% in PyPI), but that a whopping 6.62% of Maven packages are violating the AGPL license of an indirect dependency. Our results suggest that it is not too unlikely that applications that are reusing packages from PyPI or Maven are confronted with license incompatibilities that could mean that applications would have to be open-sourced on distribution (PyPI) or as soon as they are publicly available as web-applications (Maven).
Community shame:
Not yet rated
Community Contributions

Found the code? Know the venue? Think something is wrong? Let us know!

πŸ“œ Similar Papers

In the same crypt β€” Software Engineering

Died the same way β€” πŸ‘» Ghosted