No license, no protection: a new study reveals disturbing trends in Open Source

Brother

How does the lack of licensing affect code security and slow down the development process?

The 2023 report on the licenses used in the largest package managers shows how poorly developers are informed about the importance of licensing metadata. Despite the widespread use of open source software, a large share of it is distributed and consumed without a declared license.

An analysis by independent Swedish researcher Alexander Volodzhkins, based on a snapshot of ClearlyDefined project data from September 21, 2023, reveals the trends in the Open Source ecosystem. ClearlyDefined is a collaborative project that provides complete, standardized metadata about the origin of software components and their licenses.

The most popular licenses were MIT and Apache 2.0, whose simplicity and minimal restrictions contributed to their wide adoption. License preferences vary greatly, however, depending on the programming language and package manager.

  • JavaScript (npm). MIT is the most used license (53%), followed by Apache 2.0 (14.76%) and ISC (10.48%). About 8% of packages have no license, and 5.49% are marked "NOASSERTION".
  • .NET (NuGet). 26.76% of components have no license and 31.95% are labeled "NOASSERTION"; MIT and Apache 2.0 account for 21.55% and 13.37%, respectively.
  • Java (Maven). Most components use Apache 2.0 (69.18%). MIT accounts for only 7.4%, and 14.75% of components carry the "NOASSERTION" status.
  • Python (PyPI). MIT and Apache 2.0 lead with 29.14% and 23.98%, respectively; BSD 2-Clause and GPL 3.0 account for 6.25% and 6.11%. 23.69% of components have no license.
  • Ruby (Gem). The vast majority use MIT (63.11%), followed by Apache 2.0 (8.22%) and BSD 3-Clause (6.66%).
  • PHP (Composer). 64.37% of components use MIT; BSD 3-Clause and Apache 2.0 account for 5.72% and 3.92%.
  • Go. Apache 2.0 and MIT lead with 32.49% and 20.1%, respectively; 29.67% of components have no license.
  • Rust (Crate). MIT and/or Apache 2.0 dominate, together accounting for 83.52%.

One of the most pressing problems in this area is the large share of Open Source components without a license or marked "NOASSERTION" (the SPDX value meaning the license could not be determined from the package's own metadata). A component with no license grants its users no rights at all under default copyright, and a "NOASSERTION" component cannot be cleared without manual review; both create uncertainty about whether the component may be used, which complicates collaboration and introduces legal and security risks.

Solving this problem is critical for the Open Source community. Clear, standardized licensing facilitates collaboration, ensures legal compliance and protects the intellectual property of contributors. The same component metadata also helps track components with known vulnerabilities.

The ClearlyDefined project encourages developers from different organizations to build a global database of license metadata for every published software component, producing an accurate, shared reference that all developers can benefit from.
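The practical check that follows from the numbers above is to run your own dependency list against such metadata and flag anything that comes back without a license or as "NOASSERTION". The script below is an added example, not code from the original post or from the ClearlyDefined project. It assumes the ClearlyDefined coordinate format `type/provider/namespace/name/revision` (with `-` for an empty namespace) and a `licensed.declared` SPDX field in each definition, as documented at https://docs.clearlydefined.io; the definitions it audits are constructed sample data standing in for API responses, and the `lookup` callable is where a real run would plug in an HTTP fetch.

```python
"""Audit npm dependencies for missing or undetermined license metadata.

Added example, not code from the original post or from the ClearlyDefined
project. Assumptions (verify against https://docs.clearlydefined.io):
  * coordinates look like ``type/provider/namespace/name/revision`` with
    ``-`` standing for an empty namespace, e.g. ``npm/npmjs/-/lodash/4.17.21``;
  * a definition carries its SPDX expression in ``licensed.declared``.
The definitions below are constructed sample data, not live API output.
"""
import json
import re
from typing import Callable, Iterable, Optional

# SPDX sentinel values that grant nothing.
UNDETERMINED = {"NOASSERTION"}  # tooling could not tell: verify upstream by hand
ABSENT = {"NONE", ""}           # no license text found at all
SPDX_OPERATORS = {"AND", "OR", "WITH"}


def npm_coordinates(name: str, version: str) -> str:
    """Map an npm package to a ClearlyDefined coordinate (assumed format)."""
    if name.startswith("@"):
        namespace, bare = name.split("/", 1)  # scoped package keeps its "@scope"
    else:
        namespace, bare = "-", name
    return f"npm/npmjs/{namespace}/{bare}/{version}"


def spdx_ids(expression: str) -> set:
    """Return the license identifiers in an SPDX expression, dropping operators and parentheses."""
    tokens = re.findall(r"[A-Za-z0-9.+-]+", expression)
    return {t for t in tokens if t.upper() not in SPDX_OPERATORS}


def classify(definition: dict) -> str:
    """Bucket one definition as 'declared', 'noassertion' or 'unlicensed'."""
    declared = (definition.get("licensed") or {}).get("declared")
    if declared is None or declared.strip() in ABSENT:
        return "unlicensed"
    if declared.strip() in UNDETERMINED:
        return "noassertion"
    return "declared"


def audit(deps: Iterable, lookup: Callable[[str], Optional[dict]]) -> dict:
    """Classify every (name, version) pair; 'unknown' means no definition exists yet."""
    report = {"declared": {}, "noassertion": [], "unlicensed": [], "unknown": []}
    for name, version in deps:
        coord = npm_coordinates(name, version)
        definition = lookup(coord)
        if definition is None:
            report["unknown"].append(coord)  # not harvested: no conclusion either way
            continue
        status = classify(definition)
        if status == "declared":
            report["declared"][coord] = sorted(spdx_ids(definition["licensed"]["declared"]))
        else:
            report[status].append(coord)
    return report


# Constructed sample data standing in for ClearlyDefined definition responses.
SAMPLE_DEFINITIONS = {
    "npm/npmjs/-/example-dual/1.0.0": {"licensed": {"declared": "MIT OR Apache-2.0"}},
    "npm/npmjs/@acme/widget/2.0.1": {"licensed": {"declared": "NOASSERTION"}},
    "npm/npmjs/-/example-orphan/0.0.9": {"licensed": {}},
}
SAMPLE_DEPS = [
    ("example-dual", "1.0.0"),
    ("@acme/widget", "2.0.1"),
    ("example-orphan", "0.0.9"),
    ("example-unharvested", "3.1.4"),  # no definition on record
]


def audit_sample() -> dict:
    """Run the audit over the constructed sample; a live run would instead fetch
    https://api.clearlydefined.io/definitions/<coordinates> (assumed endpoint)."""
    return audit(SAMPLE_DEPS, SAMPLE_DEFINITIONS.get)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Treat a "noassertion" hit as a work item, not a verdict: it means the harvester could not determine the grant, so the upstream repository must be checked by hand, and a declared value is only as trustworthy as the curation behind it. The "unknown" bucket (no definition on record) is deliberately kept separate from "unlicensed", since conflating the two would make an unharvested component look like a legal problem it may not have.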