
Insights >> Licenses

Kiuwan Insights reports the license type of every 3rd party component used in your application.

Are you aware of the legal licensing implications of using those 3rd party components?

  1. When using 3rd party components, is my software infringing any legal obligation?
  2. How does the use of 3rd party components affect my own licensing?

 

Kiuwan Insights helps you answer these questions based on information about the licenses that apply to the components used in your software.

 

 

Software Licenses

Kiuwan Insights inspects your source code’s external components to discover their “license”.

Software licensing is primarily based on the legal concept of Copyright.

  • Copyright: a legal right, created by the law of a country, that grants the creator of an original work (the "copyright holder") exclusive rights over its use and distribution for a limited time. In many jurisdictions (the EU among others) all software is copyright protected, in both source and object code form. The copyright holder is typically the work's creator or the creator's employer, or a publisher or other business to whom the copyright has been assigned.

Consequently, copyright infringement is the use of works protected by copyright without permission, infringing certain exclusive rights granted to the copyright holder, such as the right to reproduce, distribute, display or perform the protected work, or to make derivative works.

A Software License is a legal instrument (usually by way of contract law) governing the use or redistribution of software. A software license grants the licensee (typically an end-user) permission to use one or more copies of software. Without a software license, the use of the software would constitute copyright infringement of the software owner's exclusive rights under copyright law.

As described further in this document, two common categories of licenses are proprietary software and free and open source software (FOSS).

Proprietary licenses are, of course, exclusive to the copyright holder. FOSS licenses, however, are widely used, and several standards exist for communicating the components, licenses and copyrights associated with software packages.

Kiuwan Insights adheres to SPDX (Software Package Data Exchange®, https://spdx.org) to report the components’ licensing name and related information.

 

License Types

Kiuwan Insights categorizes every license according to the copyright rights it grants, so you can easily see its type from a copyright standpoint.

 

Most software can be categorized according to its license type.

Two common categories are proprietary software and free and open source software (FOSS).

The key conceptual difference between them is whether the user is granted the right to modify and re-use the software product:

  • Free and open-source software (FOSS) grants any user the right to use, copy, study, and change the software in any way, and the source code is openly shared.
  • Proprietary software is software for which the publisher retains intellectual property rights (usually copyright of the source code); the source code is usually hidden from users and the above rights are typically not granted. In proprietary software, an end-user license agreement (EULA) is the contract between the licensor and the purchaser, establishing the purchaser's rights on the software. The license may define the ways in which the copy can be installed, used, executed, archived, re-sold, backed up, etc.

Software licenses in the context of copyright, according to Mark Webbink (https://web.archive.org/web/20160306062502/https:/www.redhat.com/f/summitfiles/presentation/May31/Open%20Source%20Dynamics/Troan_OpenSourceProprietyPersp.pdf)

 

 

  • Public Domain: free of all restrictions
  • Non-Protective (or Permissive): copyright retained, but all rights granted to the licensee
  • Protective (or Copyleft): non-protective plus restrictions (typically a requirement to publish source code)
  • Proprietary: copyright retained and few rights granted (specific terms of use in an end-user license agreement, EULA)
  • Trade Secret: all rights retained

 

 

License Types

Kiuwan Insights inspects your software source code to fetch the license type of all 3rd party components.

The Kiuwan License Engine analyzes the app's code, identifies the components and extracts their license information from several sources (license text files, repository information, etc.).

After gathering the relevant information, Kiuwan categorizes each component's license under one of the following types (ordered from most to least permissive):

  • PublicDomain
  • Permissive
  • WeakCopyleft
  • Copyleft
  • Copyrighted
  • Propietary

 

 

 

 

For easy and efficient identification of such licenses, Kiuwan matches the gathered information against the SPDX License List (https://spdx.org/licenses/) and provides links to an explanatory description as well as the license's text.

When a license is found but does not match any entry in the above list, Kiuwan assigns it the Unknown type. These cases require manual intervention.

 

PublicDomain

The PublicDomain license type applies to software that has been placed in the public domain.

Software in the public domain can be modified, distributed, or sold even without any attribution by anyone; this is unlike the common case of software under exclusive copyright, where software licenses grant limited usage rights.

The PublicDomain license type means that there is no copyright on the work at all. You can do anything with public domain software, provided the software has been explicitly released into the public domain (IMPORTANT: see the description of the Copyrighted license type).

In other words, there is absolutely no ownership such as copyright, trademark, or patent.

Examples of PublicDomain licenses are BSD Zero Clause ("0BSD"), Creative Commons Zero v1.0 Universal and the Sax Public Domain Notice.

 

Permissive

A Permissive software license is a free software license with minimal requirements on how the software can be redistributed: basically, you can do just about anything as long as you provide attribution (acknowledgement) and don't sue the author.

Examples of Permissive licenses are MIT, X11, BSD (2, 3 and 4 clause) and Apache.

 

Copyleft

Copyleft (a play on the word copyright) is the practice of offering people the right to freely distribute copies and modified versions of a work with the stipulation that the same rights be preserved in derivative works down the line. Under copyleft, an author may give every person who receives a copy of the work permission to reproduce, adapt, or distribute it, with the accompanying requirement that any resulting copies or adaptations are also bound by the same licensing agreement.

Copyleft licenses are "strongly protective" because they prevent the software from becoming proprietary. This type includes the most popular FOSS license, the GNU General Public License (GPL v2+, v3+), as well as Creative Commons Share Alike.

 

WeakCopyleft

A WeakCopyleft software license is weakly protective, a trade-off between Permissive and Copyleft. This type of license prevents the component (often a software library) from becoming proprietary, while permitting it to be part of a larger proprietary program.

The GNU Lesser General Public License (LGPL) is the most popular WeakCopyleft license. Mozilla Public License 1.1 and Common Development and Distribution License 1.1 are other examples.

What exactly are the differences between the Copyleft and WeakCopyleft license types?

Both license types are closely related. In both cases you have obligations to distribute source code under certain conditions. Where they differ is the scope of the code that must be distributed.

If the software using the component stays private and you do not distribute code or binaries to a 3rd party, you have no obligation to make source code available. The obligation takes effect when you give your software (plus the component) to a 3rd party.

The basic difference between Copyleft and WeakCopyleft is the scope of impact in the case of derivative works.

  • Copyleft affects derivative works, i.e. those that are not independent of or separate from the original code.
  • WeakCopyleft excludes from the license obligations the category of dependent works that use, but are not based on, the original work.

An example makes the difference clearer:

  • You use a copyleft'd component (CLeft-Comp) in your own software (Sw), compile them together and create the final software (CLeft-Sw).
    • If you distribute CLeft-Sw to a 3rd party, you must make available the complete source code (any modifications you made to CLeft-Comp plus the code of Sw).
  • Instead, you download the same component under a weak copyleft license (WCLeft-Comp) and use it to create WCLeft-Sw.
    • If you distribute the WCLeft-Sw binary to a 3rd party, you must make available the WCLeft-Comp source code, but you do not have to make available the WCLeft-Sw source code (unless it is based on WCLeft-Comp, in which case you do).

This is the broad general theory; you should read the specific terms of the licenses involved, but as general advice: pay close attention to components with a Copyleft license.

 

Copyrighted

IMPORTANT: Since the Berne Convention (1988), which most countries have signed, all works are copyright protected by default, and must be actively placed in the public domain by a waiver statement, or an explicit license must be provided.

When there is no explicit license, full, intact copyright is retained.

The Copyrighted license type is assumed for publicly available software with no explicit license.

When Kiuwan does not find any licensing information for a public component, the Copyrighted type is assigned to that component.

Contrary to popular belief, unlicensed distributed software (not in the public domain) is fully copyright protected, and therefore legally unusable (as no license grants any usage rights) until it passes into the public domain after the copyright term expires.

Examples are software projects placed on public software repositories like GitHub without a specified license.

 

Propietary

Propietary is any commercial license from a software vendor granted to an end user through a signed end-user license agreement (EULA).

 

Overall Information on Licenses

Following the concepts explained above, the Insights >> Licenses tab displays overall licensing information for the components used in your application.

 

 

The Overall section displays:

  • Number of licenses by type (according to the types described above)
  • Top-5 used licenses (according to SPDX licenses)
  • An alert on the number of licenses with a High License Risk value (Copyleft licenses).

 

List of Licenses

Kiuwan Insights provides a full listing of all those licenses being used by components of your application.

Kiuwan Insights adheres to SPDX (Software Package Data Exchange®, https://spdx.org) to report the components’ licensing name and related information.

For every License, you will have access to detailed information such as:

  • License:
    • Descriptive (and unique) license name, as registered at SPDX.
    • Example: “Eclipse Public License 1.0”
  • Components
    • Number of components using this specific license
  • SPDX code:
    • SPDX short license identifier (unique and immutable)
    • Example: “EPL-1.0”
  • URL:
  • License Type:
    • Type of the license according to its level of copyright (see the chapter on license types)
    • Example: "Copyleft"

License Risk

License Risk:

  • A visual indicator that advises you of licenses (and the components involved) that might have legal implications.
    • Red is associated with High risk (Copyleft, Copyrighted and Propietary)
    • Green (None) for PublicDomain, Permissive and WeakCopyleft
    • Gray (Unknown) for licenses without a License Type.
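The following script is an added example, not Kiuwan's own code or data. It shows how SPDX license identifiers can be classified into the license types described on this page, how the License Risk colour follows from the type, and how the figures of the Overall section (licenses by type, top-5 identifiers, High-risk alert) can be derived from a component inventory. The SPDX_TYPE table is an assumed, illustrative mapping built from the examples on this page, and SAMPLE_COMPONENTS is a constructed list. It goes beyond the page by also handling compound SPDX expressions (OR, AND, WITH) and the deprecated "+" suffix.

```python
"""Classify SPDX license identifiers into the license types described on this
page and derive the License Risk colour and the Overall-section figures.

Assumptions (not Kiuwan's own code or data): the SPDX_TYPE table below is a
small illustrative mapping built from the examples on this page, and
SAMPLE_COMPONENTS is a constructed component list.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Kiuwan license types, ordered from most to least permissive (as on this page).
TYPE_ORDER = ["PublicDomain", "Permissive", "WeakCopyleft", "Copyleft",
              "Copyrighted", "Propietary"]

# License Risk shown on the Licenses tab: High (red), None (green), Unknown (gray).
RISK = {"PublicDomain": "None", "Permissive": "None", "WeakCopyleft": "None",
        "Copyleft": "High", "Copyrighted": "High", "Propietary": "High",
        "Unknown": "Unknown"}

# Assumed SPDX identifier -> Kiuwan type mapping (illustrative subset only).
SPDX_TYPE = {
    "0BSD": "PublicDomain", "CC0-1.0": "PublicDomain", "SAX-PD": "PublicDomain",
    "MIT": "Permissive", "X11": "Permissive", "BSD-2-Clause": "Permissive",
    "BSD-3-Clause": "Permissive", "BSD-4-Clause": "Permissive",
    "Apache-2.0": "Permissive",
    "LGPL-2.1-only": "WeakCopyleft", "LGPL-2.1-or-later": "WeakCopyleft",
    "LGPL-3.0-only": "WeakCopyleft", "LGPL-3.0-or-later": "WeakCopyleft",
    "MPL-1.1": "WeakCopyleft", "CDDL-1.1": "WeakCopyleft",
    "GPL-2.0-only": "Copyleft", "GPL-2.0-or-later": "Copyleft",
    "GPL-3.0-only": "Copyleft", "GPL-3.0-or-later": "Copyleft",
    "CC-BY-SA-4.0": "Copyleft", "EPL-1.0": "Copyleft",
}


def _normalize(atom: str) -> str:
    """Reduce one SPDX atom to the identifier used as the table key."""
    atom = atom.split(" WITH ")[0].strip()   # drop the exception clause
    if atom.endswith("+"):                    # deprecated "GPL-2.0+" spelling
        atom = atom[:-1] + "-or-later"
    return atom


def _rank(license_type: str) -> int:
    """Position in TYPE_ORDER; Unknown ranks after every known type."""
    return TYPE_ORDER.index(license_type) if license_type in TYPE_ORDER else len(TYPE_ORDER)


def classify(expression: Optional[str]) -> str:
    """Map an SPDX license expression to one Kiuwan license type.

    - No license information at all -> Copyrighted (the Berne default).
    - "A OR B": the licensee may choose, so the most permissive alternative counts.
    - "A AND B": every term applies, so the least permissive term counts.
    - An identifier not in the table (or a parenthesised expression, which this
      example does not parse) -> Unknown, i.e. manual review is needed.
    """
    if expression is None or expression.strip().upper() in ("", "NONE"):
        return "Copyrighted"
    if "(" in expression or ")" in expression:
        return "Unknown"
    alternatives = []
    for alternative in expression.split(" OR "):
        terms = [SPDX_TYPE.get(_normalize(t), "Unknown") for t in alternative.split(" AND ")]
        alternatives.append(max(terms, key=_rank))   # AND: least permissive wins
    return min(alternatives, key=_rank)               # OR: most permissive wins


def risk(expression: Optional[str]) -> str:
    """License Risk value ("High", "None" or "Unknown") for an expression."""
    return RISK[classify(expression)]


def overall(components: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Figures shown in the Overall section: distinct licenses per type, the
    top-5 SPDX identifiers by component count, and how many distinct licenses
    carry a High License Risk."""
    licenses_by_type: Dict[str, set] = {}
    by_identifier: Counter = Counter()
    for comp in components:
        expr = comp["license"]
        licenses_by_type.setdefault(classify(expr), set()).add(expr or "<no license>")
        if expr:
            for atom in expr.replace(" AND ", " OR ").split(" OR "):
                by_identifier[_normalize(atom)] += 1
    top5: List[Tuple[str, int]] = sorted(by_identifier.items(), key=lambda kv: (-kv[1], kv[0]))[:5]
    return {
        "by_type": {t: len(s) for t, s in licenses_by_type.items()},
        "top5": top5,
        "high_risk": sum(len(s) for t, s in licenses_by_type.items() if RISK[t] == "High"),
    }


# Constructed sample inventory (not real Kiuwan output).
SAMPLE_COMPONENTS = [
    {"name": "lib-a", "license": "MIT"},
    {"name": "lib-b", "license": "Apache-2.0 WITH LLVM-exception"},
    {"name": "lib-c", "license": "GPL-2.0+"},
    {"name": "lib-d", "license": "LGPL-2.1-only"},
    {"name": "lib-e", "license": "MIT OR GPL-2.0-only"},
    {"name": "lib-f", "license": None},              # no license file, no repo metadata
    {"name": "lib-g", "license": "MIT"},
    {"name": "lib-h", "license": "SomeCustom-1.0"},  # not in the SPDX list
    {"name": "lib-i", "license": "MPL-1.1 AND GPL-3.0-or-later"},
]

if __name__ == "__main__":
    for comp in SAMPLE_COMPONENTS:
        print(f'{comp["name"]:6} {str(comp["license"]):32} {classify(comp["license"]):13} {risk(comp["license"])}')
    print(overall(SAMPLE_COMPONENTS))
```

Two design points worth noting: a dual-licensed component ("MIT OR GPL-2.0-only") lands in the most permissive type because the licensee chooses which alternative to accept, whereas an "AND" expression takes the least permissive term because every term binds; and any identifier that is not in the table is reported as Unknown rather than silently treated as permissive, which mirrors the page's rule that unmatched licenses need manual intervention.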

 

 

For every license, Kiuwan Insights displays the number of components in your app that are using that license as well as the specific component name and description.
