BSD License Audit

Mon 22 December 2014 by feld

I recently did an audit of the "BSD" licenses in the FreeBSD ports tree. This pertains strictly to ports defined as LICENSE=BSD, a label that could mean any one of several licenses. Manually verifying the license of each port was an extremely tedious process, and, except for a dozen that are either not identifiable or still waiting on email responses from the authors, it has been completed successfully.

Things I've learned:

  • Lots of people don't understand open source licenses and incorrectly label their own license. BSD == MIT, etc.

  • Services like pypi don't get any more granular than "BSD", which made this audit frustrating and perpetuates the idea that there is a single "BSD" license. Go look in PKG-INFO files -- they just say License: BSD.

  • Developers have this fantastic idea where they say "This project is under the BSD license" and then never point the end user to any license text anywhere.

  • Many people are leaving their LICENSE or COPYING files out of their release tarballs -- incredibly daft of them.

  • BSD community members seem to know that when you author software you license files, not entire projects, and they put the license in the header of every source file. (Thanks!)

  • Some people think they can just edit standard licenses because they're smarter than the lawyers who helped develop them, causing unnecessary work for me and others. (ZPL2.1 with a clause cut out)

  • There are far too many variants of the MIT license.

  • OpenBSD actually uses the ISCL license, not a classic BSD license. (Don't worry, it's just shorter)

  • Even Debian can make mistakes. (That's not a GPLv3 license.)

  • There are tons of copies of the BSD 3-CLAUSE out there with clauses numbered 1., 2., and 4. It makes me chuckle every time I see it.

  • An unofficial BSD 1-CLAUSE is floating around, in use by a few projects; it indicates the author only cares about source distribution and not binaries...

  • The Sendmail license had an older variant that implied that you have to fly to California to defend yourself if you violate it.

  • Never trust the license of a package. If you're a vendor, you had better verify it by hand before selling your product.
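Telling the BSD-family variants apart comes down to which standard clauses the text actually contains, regardless of how the project labels it or numbers the clauses. As an added example (not the author's audit tooling, and not part of the ports tree), here is a small Python clause-based classifier run over constructed license excerpts; the tag names follow FreeBSD ports usage, while the matching patterns and sample texts are my own assumptions.

```python
import re
from collections import Counter

# Clause fingerprints for the BSD family: a license file is identified by which
# standard clauses its text contains, not by what the project calls it.
CLAUSES = {
    "source": r"redistributions of source code must retain",
    "binary": r"redistributions in binary form must reproduce",
    "advertising": r"all advertising materials mentioning features",
    "endorse": r"may not be used to endorse or promote",
}
# Permissive grants that are often mislabelled "BSD" in PKG-INFO files.
GRANTS = {
    "ISCL": r"permission to use, copy, modify, and(?:/or)? distribute this software",
    "MIT": r"permission is hereby granted, free of charge",
}

def classify(text: str) -> str:
    """Map license text to the FreeBSD-style tag it really corresponds to."""
    t = re.sub(r"\s+", " ", text).lower()  # ignore wrapping, case, clause numbers
    for tag, pat in GRANTS.items():
        if re.search(pat, t):
            return tag
    found = {name for name, pat in CLAUSES.items() if re.search(pat, t)}
    if "source" not in found:
        return "UNKNOWN"  # not a BSD-family text; a human has to read it
    if "advertising" in found:
        return "BSD4CLAUSE"
    if "endorse" in found:
        return "BSD3CLAUSE"  # a copy numbered "1., 2., 4." still classifies correctly
    if "binary" in found:
        return "BSD2CLAUSE"
    return "BSD1CLAUSE"  # source clause only: binary redistribution is not covered

def tally(license_texts: dict) -> Counter:
    """Count tags across a set of ports, the way the audit results are summarised."""
    return Counter(classify(text) for text in license_texts.values())

# Constructed sample excerpts (not from any real port), one per family member.
SAMPLES = {
    "port-a": "1. Redistributions of source code must retain the above copyright notice.\n"
              "2. Redistributions in binary form must reproduce the above copyright notice.\n"
              "4. The name of the author may not be used to endorse or promote products.",
    "port-b": "Permission to use, copy, modify, and/or distribute this software for any "
              "purpose with or without fee is hereby granted.",
    "port-c": "Redistributions of source code must retain the above copyright notice.",
    "port-d": "Permission is hereby granted, free of charge, to any person obtaining a copy.",
}
```

Anything that comes back UNKNOWN, or a tag that disagrees with the port's LICENSE= line, is exactly the case that still needs a human to read the file.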

Results:

   1 ART20
   1 BSD1
   1 BSD2 BSD3 ART10
   1 BSD2 MIT
   1 BSD3 TclTk
   1 CC
   1 CPL
   1 GPLv2 BSD3CLAUSE BSD4CLAUSE
   1 GPLv2 ISCL
   1 GPLv3
   1 PHP202
   1 PHP30
   1 Sendmail
   1 ZPL21
   2 BSD2 BSD3
   2 BSD3 MIT
   2 REPOZE -- ZPL21 modified
   4 GPLv2
   4 TclTk
   5 CUSTOM
   8 BSD4
  17 ISCL
  24 MIT
  62 BSD2
 148 BSD3

This isn't 100% accurate either, as some ports had multiple licenses defined and I only fixed and noted the "BSD" one. However, the entries above with multiple licenses listed are cases where I discovered that the project didn't fit strictly under one license.

What a nightmare.