License Incompatibilities in Software Ecosystems

by   Rolf-Helge Pfeiffer, et al.

Contemporary software is characterized by reuse of components that are declared as dependencies and that are received from package managers/registries, such as, NPM, PyPI, RubyGems, Maven Central, etc. Direct and indirect dependency relations often form opaque dependency networks, that sometimes lead to conflicting software licenses within these. In this paper, we study license use and license incompatibilities between all components from seven package registries (Cargo, Maven, NPM, NuGet, Packagist, PyPI, RubyGems) with a closer investigation of license incompatibilities caused by the GNU Affero General Public License (AGPL). We find that the relative amount of used licenses vary between ecosystems (permissive licenses such as MIT and Apache are most frequent), that the number of direct license incompatibilities ranges from low 2.3 direct license incompatibilities are caused by AGPL licenses (max. 0.04 PyPI), but that a whopping 6.62 license of an indirect dependency. Our results suggest that it is not too unlikely that applications that are reusing packages from PyPI or Maven are confronted with license incompatibilities that could mean that applications would have to be open-sourced on distribution (PyPI) or as soon as they are publicly available as web-applications (Maven).


page 1

page 2

page 3

page 4


Präzi: From Package-based to Call-based Dependency Networks

Software reuse has emerged as one of the most crucial elements of modern...

On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

The increasing interest in open source software has led to the emergence...

An Empirical Comparison of Dependency Network Evolution in Seven Software Packaging Ecosystems

Nearly every popular programming language comes with one or more package...

Refactoring Software Packages via Community Detection from Stability Point of View

As the complexity and size of software projects increases in real-world ...

Dependency Solving Is Still Hard, but We Are Getting Better at It

Dependency solving is a hard (NP-complete) problem in all non-trivial co...

Preserving Command Line Workflow for a Package Management System using ASCII DAG Visualization

Package managers provide ease of access to applications by removing the ...

A Mathematical Model of Package Management Systems – from General Event Structures to Antimatroids

This paper brings mathematical tools to bear on the study of package dep...

Please sign up or login with your details

Forgot password? Click here to reset