BSD License Audit
Mon 22 December 2014 by feld
I recently did an audit of the "BSD" licenses in the FreeBSD ports tree. This pertains strictly to those defined as LICENSE=BSD which could be one of several licenses. It was an extremely tedious process manually verifying the license of each port, and except for a dozen which are not identifiable or waiting for email responses from the authors it has been completed successfully.
Things I've learned:
Lots of people don't understand open source licenses and incorrectly label their own license. BSD == MIT, etc.
Services like pypi don't get any more granular than "BSD", which made this audit frustrating and perpetuates the idea that there is a single "BSD" license. Go look in a PKG-INFO file -- it just says License: BSD.
Developers have this fantastic idea where they say "This project is under the BSD license" and then never point the end user to any license text anywhere.
Many people are leaving their LICENSE or COPYING files out of their release tarballs -- incredibly daft of them.
BSD community members seem to know that when you author software you license files, not entire projects, and they put the license in the header of every source file. (Thanks!)
Some people think they can just edit standard licenses because they're smarter than the lawyers who helped develop these licenses, causing unnecessary work for me and others. (ZPL2.1 with a clause cut out)
There are far too many variants of the MIT license.
OpenBSD actually uses the ISCL license, not a classic BSD license. (Don't worry, it's just shorter)
Even Debian can make mistakes. (That's not a GPLv3 license.)
Tons of copies of the BSD 3-CLAUSE out there have clauses numbered 1., 2., and 4. Makes me chuckle every time I see it.
An unofficial BSD 1-CLAUSE is floating around out there in use by a few projects, which indicates the author only cares about its source distribution and not the binary...
The Sendmail license had an older variant that implied that you have to fly to California to defend yourself if you violate it.
Never trust the license of a package. If you're a vendor you better verify it by hand before selling your product.
Ports  Licenses
1      BSD2 BSD3 ART10
1      BSD2 MIT
1      BSD3 TclTk
1      GPLv2 BSD3CLAUSE BSD4CLAUSE
1      GPLv2 ISCL
2      BSD2 BSD3
2      BSD3 MIT
2      REPOZE -- ZPL21 modified
This isn't 100% accurate either as sometimes there were ports which had multiple licenses defined and I only fixed and noted the "BSD" one. However, those that have multiple licenses listed were instances that I discovered that the project didn't fit strictly under one license.
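As an added example (not from the post or the ports tree), here is a first-pass classifier for the "BSD" family that a vendor could run over a tarball's LICENSE/COPYING files before verifying by hand: it tells the 1/2/3/4-clause, ISC and MIT variants apart by their distinguishing sentences and flags texts whose clause numbering has gaps, like the 1., 2., 4. copies mentioned above. The fingerprint phrases, the FreeBSD-style tag names and the sample text are all my own constructions.

```python
import re

# Added example, not from the post: fingerprint phrases from the standard
# license texts; returned tags follow FreeBSD's LICENSE= names.
SOURCE_REDIST = "Redistributions of source code must retain the above copyright"
BINARY_REDIST = "Redistributions in binary form must reproduce the above copyright"
ENDORSE = "may be used to endorse or promote products derived from this software"
ADVERTISING = "All advertising materials mentioning features or use of this software"
MIT = "Permission is hereby granted, free of charge, to any person obtaining a copy"
ISC_RE = re.compile(r"Permission to use, copy, modify, and(?:/or)? distribute this software for any purpose")

def classify_license(text):
    """Return a FreeBSD-style license tag for the text, or UNKNOWN."""
    t = " ".join(text.split())              # fold line breaks and indentation
    if ISC_RE.search(t):
        return "ISCL"
    if MIT in t:
        return "MIT"
    if SOURCE_REDIST not in t:
        return "UNKNOWN"                    # not in the BSD family at all
    if ADVERTISING in t:
        return "BSD4CLAUSE"                 # original Berkeley advertising clause
    if ENDORSE in t:
        return "BSD3CLAUSE"                 # 2-clause plus the no-endorsement clause
    if BINARY_REDIST in t:
        return "BSD2CLAUSE"
    return "BSD1CLAUSE"                     # source-only variant seen in the wild

def clause_numbers(text):
    """Leading clause numbers in order of appearance, e.g. [1, 2, 4]."""
    return [int(n) for n in re.findall(r"^\s*(\d+)\.\s", text, re.M)]

def audit_license(text):
    """Classify and flag edited-looking texts (gaps in the clause numbering)."""
    nums = clause_numbers(text)
    issues = []
    if nums and nums != list(range(1, len(nums) + 1)):
        issues.append("clause numbering is not sequential: %s" % nums)
    return classify_license(text), issues

# Constructed sample: a 3-clause text whose clauses are numbered 1., 2., 4.
SAMPLE = """1. Redistributions of source code must retain the above copyright notice,
   this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
4. Neither the name of the project nor the names of its contributors may be
   used to endorse or promote products derived from this software without
   specific prior written permission."""
print(audit_license(SAMPLE))  # -> ('BSD3CLAUSE', ['clause numbering is not sequential: [1, 2, 4]'])
```

A match here only narrows the candidates; a hand-modified text (a clause cut out, an extra restriction added) still needs a full diff against the canonical license before the port is tagged.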