From one to hundreds: multi-licensing in the JavaScript ecosystem

Open source licenses create the legal framework that plays a crucial role in the widespread adoption of open source projects. Without a license, source code available on the internet could not be openly (re)distributed. Although recent studies provide evidence that most popular open source projects have a license, developers might lack the confidence or expertise needed to combine software licenses, leading to a mistaken unification of the project license. This license usage is challenged by the high degree of reuse at the heart of modern software development practices, in which third-party libraries and frameworks are easily and quickly integrated into a software codebase. This scenario creates what we call "multi-licensed" projects, which happens when one project has components that are licensed under more than one license. Although these components exist at the file level, they naturally impact licensing decisions at the project level. In this paper, we conducted a mixed-method study to shed some light on these questions. We started by parsing 1,426,263 (source code and non-source code) files available in 1,552 JavaScript projects, looking for license information. Among these projects, we observed that 947 projects (61%) employ more than one license. On average, there are 4.7 licenses per studied project (max: 256). Among the reasons for multi-licensing is the incorporation of third-party library source code into the project's codebase. When doing so, we observed that 373 of the multi-licensed projects introduced at least one license incompatibility issue. We also surveyed 83 maintainers of these projects to cross-validate our findings. We observed that 63% of the surveyed maintainers are not aware of the implications of multi-licensing. Those who are aware adopt multiple licenses mostly to conform with third-party libraries' licenses.
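As an added example, not code from the paper or its authors, the following Node.js script shows the shape of the file-level scan the study describes: it inspects each file of a constructed, in-memory JavaScript project for license information (an `SPDX-License-Identifier` header, the `license` field of `package.json`, or a recognizable fragment of a license text), aggregates the distinct licenses at project level, and flags pairs that appear in a small, assumed incompatibility table. The sample project, the text-hint patterns and the table (which contains only Apache-2.0 with GPL-2.0-only, a pairing the FSF lists as incompatible) are illustrative assumptions; a real scanner would read files from disk and use a fuller rule set.

```javascript
// Added example (not from the paper): minimal file-level license scanner for a
// JavaScript project, aggregating per-file findings to a project-level verdict.

// Source files commonly carry a machine-readable SPDX tag in a comment header.
const SPDX_HEADER = /SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)/;

// Assumed heuristics: fragments of well-known license texts mapped to SPDX ids.
const LICENSE_TEXT_HINTS = [
  [/GNU GENERAL PUBLIC LICENSE[\s\S]*Version 2/i, "GPL-2.0-only"],
  [/Apache License[\s\S]*Version 2\.0/i, "Apache-2.0"],
  [/Permission is hereby granted, free of charge/i, "MIT"],
];

// Assumed incompatibility table, keyed "A|B" with A < B in sort order.
// Only one well-documented pair is included for illustration.
const INCOMPATIBLE_PAIRS = new Set(["Apache-2.0|GPL-2.0-only"]);

// Return the license id found in one file, or null if none is recognized.
// package.json "license" is taken verbatim; SPDX expressions such as
// "(MIT OR Apache-2.0)" are not decomposed here.
function detectLicense(path, content) {
  if (path.endsWith("package.json")) {
    try {
      const pkg = JSON.parse(content);
      return typeof pkg.license === "string" ? pkg.license : null;
    } catch {
      return null; // malformed manifest: no license information recoverable
    }
  }
  const m = content.match(SPDX_HEADER);
  if (m) return m[1];
  for (const [re, id] of LICENSE_TEXT_HINTS) {
    if (re.test(content)) return id;
  }
  return null;
}

// Scan a project given as { path: content } and summarize at project level.
function scanProject(files) {
  const perFile = {};
  const found = new Set();
  for (const [path, content] of Object.entries(files)) {
    const lic = detectLicense(path, content);
    perFile[path] = lic;
    if (lic) found.add(lic);
  }
  const licenses = [...found].sort();
  const conflicts = [];
  for (let i = 0; i < licenses.length; i++) {
    for (let j = i + 1; j < licenses.length; j++) {
      if (INCOMPATIBLE_PAIRS.has(`${licenses[i]}|${licenses[j]}`)) {
        conflicts.push([licenses[i], licenses[j]]);
      }
    }
  }
  return { perFile, licenses, multiLicensed: licenses.length > 1, conflicts };
}

// Constructed sample project: an MIT app that vendored two third-party files.
const SAMPLE_PROJECT = {
  "package.json": JSON.stringify({ name: "demo-app", license: "MIT" }),
  "src/index.js": "// SPDX-License-Identifier: MIT\nmodule.exports = () => 42;\n",
  "vendor/fast-hash.js": "/* SPDX-License-Identifier: Apache-2.0 */\nmodule.exports = {};\n",
  "vendor/legacy-util.js": "/*\n * GNU GENERAL PUBLIC LICENSE\n * Version 2, June 1991\n */\n",
  "README.md": "# demo-app\n",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanProject(SAMPLE_PROJECT), null, 2));
}

module.exports = { detectLicense, scanProject, SAMPLE_PROJECT };
```

Run with `node scan.js`: the sample project is reported as multi-licensed with three licenses, and the vendored Apache-2.0 and GPL-2.0-only files are flagged as a conflicting pair, while the README contributes nothing. Treating a hit in any file as a project-level finding is the point: a single vendored file changes the licensing picture of the whole codebase.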
