License Incompatibilities in Software Ecosystems

03/03/2022
by Rolf-Helge Pfeiffer, et al.

Contemporary software is characterized by the reuse of components that are declared as dependencies and obtained from package managers/registries such as NPM, PyPI, RubyGems, Maven Central, etc. Direct and indirect dependency relations often form opaque dependency networks that sometimes contain conflicting software licenses. In this paper, we study license use and license incompatibilities between all components from seven package registries (Cargo, Maven, NPM, NuGet, Packagist, PyPI, RubyGems), with a closer investigation of license incompatibilities caused by the GNU Affero General Public License (AGPL). We find that the relative frequency of licenses varies between ecosystems (permissive licenses such as MIT and Apache are the most frequent), that the share of direct license incompatibilities ranges upward from a low of 2.3% depending on the ecosystem, that only a tiny fraction of direct license incompatibilities are caused by AGPL licenses (at most 0.04%, on PyPI), but that a whopping 6.62% of components in one ecosystem violate the AGPL license of an indirect dependency. Our results suggest that it is not too unlikely that applications reusing packages from PyPI or Maven are confronted with license incompatibilities that could require those applications to be open-sourced on distribution (PyPI) or as soon as they are made publicly available as web applications (Maven).
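The distinction the abstract draws between direct and indirect incompatibilities, and the way an AGPL component buried several hops down a dependency network reaches the root package, is easiest to see on a small graph. The following checker is an added example, not the paper's tooling or data: the registry snapshot, package names and licenses are constructed, and the compatibility rule (a strong-copyleft dependency may only be used by a package that is itself under a strong-copyleft license) is a deliberate simplification of real license law, assumed here for illustration.

```python
"""Toy transitive license-compatibility checker (added example, constructed data).

Walks a dependency network breadth-first, flags every reachable dependency
whose license the root package cannot use, and labels each hit as 'direct'
(one hop) or 'indirect' (two or more hops), mirroring the paper's split.
"""
from collections import deque

# Constructed registry snapshot (not real packages): name -> (SPDX id, direct deps)
REGISTRY = {
    "app":             ("Proprietary",  ["web-framework", "json-utils"]),
    "web-framework":   ("MIT",          ["template-engine", "http-core"]),
    "template-engine": ("Apache-2.0",   []),
    "http-core":       ("AGPL-3.0",     []),   # copyleft two hops below "app"
    "json-utils":      ("BSD-3-Clause", []),
    "cli-tool":        ("GPL-3.0",      ["http-core"]),
}

# Assumption: GPL-3.0 and AGPL-3.0 are treated as one mutually compatible
# strong-copyleft family; everything else is treated as permissive.
STRONG_COPYLEFT = {"GPL-3.0", "AGPL-3.0"}


def compatible(dependent_license, dependency_license):
    """Simplified rule (assumption, not the paper's compatibility matrix)."""
    if dependency_license in STRONG_COPYLEFT:
        return dependent_license in STRONG_COPYLEFT
    return True


def transitive_dependencies(pkg):
    """BFS over REGISTRY. Returns {dep: path}, where path is the chain of
    package names from pkg down to dep (pkg itself excluded)."""
    paths = {}
    queue = deque([(pkg, [])])
    while queue:
        current, path = queue.popleft()
        for dep in REGISTRY[current][1]:
            if dep not in paths:          # first (shortest) path wins
                paths[dep] = path + [dep]
                queue.append((dep, paths[dep]))
    return paths


def license_incompatibilities(pkg):
    """List of (dep, path, 'direct'|'indirect') for every reachable dependency
    whose license pkg cannot use under the simplified rule above."""
    own_license = REGISTRY[pkg][0]
    hits = []
    for dep, path in transitive_dependencies(pkg).items():
        if not compatible(own_license, REGISTRY[dep][0]):
            kind = "direct" if len(path) == 1 else "indirect"
            hits.append((dep, path, kind))
    return hits


def ecosystem_stats():
    """Share of packages with at least one direct incompatibility, and share
    with at least one AGPL-3.0 incompatibility through an indirect dependency:
    the two kinds of measure the abstract reports per ecosystem."""
    total = len(REGISTRY)
    direct = indirect_agpl = 0
    for pkg in REGISTRY:
        hits = license_incompatibilities(pkg)
        if any(kind == "direct" for _, _, kind in hits):
            direct += 1
        if any(kind == "indirect" and REGISTRY[dep][0] == "AGPL-3.0"
               for dep, _, kind in hits):
            indirect_agpl += 1
    return {"direct": direct / total, "indirect_agpl": indirect_agpl / total}


if __name__ == "__main__":
    for pkg in REGISTRY:
        for dep, path, kind in license_incompatibilities(pkg):
            print(f"{pkg} ({REGISTRY[pkg][0]}) -> {' -> '.join(path)} "
                  f"[{REGISTRY[dep][0]}]: {kind} incompatibility")
    print(ecosystem_stats())
```

On this constructed graph, `web-framework` (MIT) has a direct incompatibility with `http-core` (AGPL-3.0), while the proprietary `app` never declares `http-core` at all and only inherits the problem through `web-framework`; a scan that looks at declared dependencies alone would miss it. `cli-tool` (GPL-3.0) is clean under the assumed rule. A real checker has to replace `compatible` with an actual license matrix and distinguish the triggers the abstract mentions (distribution for GPL-style licenses, public network use for AGPL), which this toy rule does not model.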
