Search papers, labs, and topics across Lattice.
This study constructs a copy-based code reuse network using the World of Code infrastructure to analyze the extent of potential license noncompliance in open source software. The researchers found that 39.4% of project combinations are at risk of noncompliance, particularly influenced by the type of license, with permissive licenses leading to higher reuse rates compared to copyleft and public domain licenses. Notably, only 2.43% of the identified reuse was detectable through traditional dependency analysis, underscoring the inadequacies of current tools in addressing copy-based reuse.
A staggering 39.4% of open source projects may be at risk of license noncompliance due to copy-based reuse, challenging the effectiveness of existing dependency tracking methods.
As other creative work, source code is protected by copyright. The owner can license the work, e.g., to permit copy and other kinds of use, and even start legal proceeding against license violators. However, source code can be reused in subtle ways, e.g., via copying without explicit package manager dependencies, making it hard to reason about potential license noncompliance. Using the World of Code infrastructure approximating the entirety of open source software, in this paper we create a copy-based code reuse network mapping direct copying across projects, and use it to quantify the extent of potential license noncompliance across the entire open source ecosystem. In addition, we estimate regression models to understand whether code copying is affected by the origin project's license, and, if so, how it varies with other project characteristics. We find that code in repositories with permissive licenses, such as MIT and Apache, shows higher likelihood of reuse across programming languages. In contrast, copyleft licenses, like the GPL, exhibit mixed effects. Public domain licenses, despite their aim of allowing unrestricted use, are associated with lower likelihood of copy-based reuse. A widespread potential license noncompliance appears to accompany copy-based reuse, with 39.4% of project combinations at potential noncompliance risk, particularly when licenses are unclear or absent. Our findings reveal that only 2.43% of reuse detected through the copy-based network was discoverable via dependency analysis, highlighting the limitations of existing dependency-tracking tools in capturing copy-based reuse.