
"The Law Doesn't Work Like a Computer": Exploring Software Licensing Issues Faced by Legal Practitioners (2403.14927v1)

Published 22 Mar 2024 in cs.SE

Abstract: Most modern software products incorporate open source components, which requires compliance with each component's licenses. As noncompliance can lead to significant repercussions, organizations often seek advice from legal practitioners to maintain license compliance, address licensing issues, and manage the risks of noncompliance. While legal practitioners play a critical role in the process, little is known in the software engineering community about their experiences within the open source license compliance ecosystem. To fill this knowledge gap, a joint team of software engineering and legal researchers designed and conducted a survey with 30 legal practitioners and related occupations and then held 16 follow-up interviews. We identified different aspects of OSS license compliance from the perspective of legal practitioners, resulting in 14 key findings in three main areas of interest: the general ecosystem of compliance, the specific compliance practices of legal practitioners, and the challenges that legal practitioners face. We discuss the implications of our findings.
