Forums, WG or trackers of OS projects and their potential license changes #72
Replies: 14 comments 3 replies
-
Gil Yehuda replied: Have you looked at ClearlyDefined.io? Actually, looking up something there leaves me with similar questions. For example: Highcharts is a commercially licensed charting tool that people sometimes get confused with open source. Much like iTextPDF and other products, it looks "free" since it's super simple to include in your app, and then "surprise", it's not open source and it's not free to use in many cases. But unless you read the website, it's not simple to notice. BlackDuck's database tells me that HighCharts is licensed under MIT; however, it's not really the case. It might be confusing this with HighCharts-react, which is MIT licensed. But wait: what does it mean to use the HighCharts-react node module under the MIT license? If you "scan" and "approve" since MIT is fine, did you miss out on the part where using that module implies you are using the commercial product too? Is that how it works?
-
Jeff McAffer replied: ClearlyDefined is a great place to get the raw data. The "change" scenario is interesting. It would be relatively easy (I think) for ClearlyDefined to write a "change log" that then you could poll to see what's been happening. @Don Sudduth, is that something your team could help with?
-
Don Sudduth replied: Yes, I've definitely looked at ClearlyDefined @gilyehuda, but, as you noted, it's point-in-time. Maybe we could help @jeffmcaffer on this. I'm not sure how to anticipate these types of license changes, however. Some are pretty significant, which causes immediate "tech debt" in the org.
-
Mats Wichmann replied: Not even sure it's going to be a Current point-in-time. I've had high hopes for it and tried to "fix" for the project I work on several times, but it's still multiple releases out of date. Just one data point, but... |
-
Jeff McAffer replied: @Mats Wichmann are you saying ClearlyDefined is out of date or some other project? IIRC ClearlyDefined either automatically harvests data for things it's asked for and doesn't have or you can request harvesting. It is possible that all attempts to harvest are failing because of some anomaly with the target component...
-
jeffmcaffer replied: Announcement tracking feels like a social media tracker. Close might be hooking ClearlyDefined up to a channel of prereleases for a project. I could imagine having a definition for the "latest prerelease version" and then being able to diff that against existing versions. Would be a fair bit of computation assuming the project builds frequently. Also a bit of a challenge to know where they put their prerelease stuff (if anywhere).
-
Mats Wichmann replied: Well, my case doesn't involve any license changes... but, if we can't keep the info up to date, who would ever know? Automatic harvesting seems to have stopped a bit over two years ago, and my attempts to send manual "fix this" information have had no effect. This is nothing magical here, it's a Python package available through PyPI with no strange issues going on. So now I can no longer trust ClearlyDefined to be an accurate reflection of the state of... anything? |
-
jeffmcaffer replied: I can believe that auto-harvesting was turned off. When you did "fix this" that should open a PR in https://github.com/clearlydefined/curated-data/pulls. Is that not happening? From there someone has to curate that. I don't see any opened PRs from more than a month or so ago. Can you point me at the actual component we're talking about here?
-
jeffmcaffer replied: Thanks @Mats Wichmann. Not sure what's going on there. I see that version 4.1 was "partially harvested" in October 2021. That usually means that there were some errors running some of the harvesting tools. I don't have any insight/access on that data currently. As an experiment I used https://clearlydefined.io/harvest to queue up a harvesting of v 4.3.0. That data is now available at https://clearlydefined.io/definitions/pypi/pypi/-/scons/4.3.0. For fun, I just queued up all the versions back to (and including) 4.0.0. Will take a couple minutes for the data to show up. Let's see if 4.1 fails again or if that was a transient problem.
-
Mats Wichmann replied: Hey, that's really cool, thanks. I had made some efforts to improve the metadata, maybe it was still deficient in 4.1 and managed to break something? |
-
jeffmcaffer replied: Honestly doubt that. When "partial" shows up that's more likely a system failure of some sort. For example, if, at that particular time, a server was down or if one of the harvesting tools runs too long or has a bug. The harvesting infrastructure retries 5 times (IIRC) before giving up. Great that you were improving the metadata. Looks like there are some issues in the new UI so it's a bit hard to see why 4.3 lost some points on the licensing side. |
-
Hen replied: I want to get a CVE when a project moves to a more closed licensing |
-
Mats Wichmann replied: The project has an embedded (lightly vendored) copy of the DocBook stylesheets, so we're never going to have it look great - we leave those alone |
-
jeffmcaffer replied: yeah, we were talking about that (noticing license changes). I think it would be relatively easy to create a feed of changes like that. @Mats Wichmann a bunch more versions are now in the data if you look for them individually. In theory, they should all show up in https://clearlydefined.io/?type=pypi&sortDesc=true&sort=releaseDate&name=scons but there may be some caching going on. They're all showing up now and FWIW, 4.1.0 was fully harvested. Not sure why it was only partially done in October.
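The "feed of license changes" that the replies above sketch (a change log polled from ClearlyDefined data, flagging when a component moves to a more closed license) can be prototyped as a small diff over per-version definition records. The script below is an added example for this thread, not ClearlyDefined's own code or anything posted by the participants. It assumes records shaped like the public definitions API (`coordinates.revision`, `licensed.declared`); the `examplepkg` records and the short `OPEN_LICENSES` allow-list are constructed for illustration, and records whose declared license is missing or `NOASSERTION` (the "partially harvested" case discussed above) are skipped rather than reported as a change.

```python
"""
Detect declared-license changes across versions of a component, using
ClearlyDefined-style definition records. The sample records and the
allow-list below are constructed for illustration, not harvested data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Illustrative allow-list of SPDX identifiers treated as open-source here.
# Assumption: a real policy would carry the organisation's full approved list.
OPEN_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0", "GPL-3.0-only", "MPL-2.0"}


@dataclass(frozen=True)
class LicenseChange:
    name: str
    from_revision: str
    to_revision: str
    from_license: str
    to_license: str

    @property
    def leaves_open_source(self) -> bool:
        """True when an approved open license is replaced by one outside the list."""
        return self.from_license in OPEN_LICENSES and self.to_license not in OPEN_LICENSES


def _version_key(rev: str) -> tuple[int, ...]:
    """Order plain dotted versions numerically; non-numeric parts sort as 0."""
    parts = []
    for p in rev.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_license_changes(definitions: list[dict]) -> list[LicenseChange]:
    """Walk definitions in version order and record each declared-license change.

    Records with no declared license, or with NOASSERTION (ClearlyDefined's
    marker for "could not determine"), are skipped so that a failed or partial
    harvest does not show up as a spurious change.
    """
    ordered = sorted(definitions, key=lambda d: _version_key(d["coordinates"]["revision"]))
    changes: list[LicenseChange] = []
    prev_rev = prev_lic = None
    for d in ordered:
        rev = d["coordinates"]["revision"]
        lic = d.get("licensed", {}).get("declared")
        if not lic or lic == "NOASSERTION":
            continue
        if prev_lic is not None and lic != prev_lic:
            changes.append(LicenseChange(d["coordinates"]["name"], prev_rev, rev, prev_lic, lic))
        prev_rev, prev_lic = rev, lic
    return changes


def _definition(name: str, revision: str, declared: str) -> dict:
    """Build a minimal definition record in the ClearlyDefined JSON shape."""
    return {
        "coordinates": {"type": "pypi", "provider": "pypi", "name": name, "revision": revision},
        "licensed": {"declared": declared},
    }


# Constructed sample: a package that relicenses at 2.0.0, with one partial harvest.
SAMPLE_DEFINITIONS = [
    _definition("examplepkg", "1.0.0", "MIT"),
    _definition("examplepkg", "1.1.0", "MIT"),
    _definition("examplepkg", "1.2.0", "NOASSERTION"),  # partial harvest, no license found
    _definition("examplepkg", "2.0.0", "LicenseRef-Commercial"),
    _definition("examplepkg", "2.1.0", "LicenseRef-Commercial"),
]

if __name__ == "__main__":
    for c in find_license_changes(SAMPLE_DEFINITIONS):
        flag = "LEAVES OPEN SOURCE" if c.leaves_open_source else "changed"
        print(f"{c.name}: {c.from_revision} ({c.from_license}) -> "
              f"{c.to_revision} ({c.to_license}) [{flag}]")
```

To turn this into the polled feed discussed above, the records would be fetched per version from the ClearlyDefined definitions endpoint and the last-seen license stored between runs; the diff logic stays the same. Treating `leaves_open_source` changes as a blocking finding, rather than auto-approving on "MIT is fine", is also the check that would have caught the Highcharts/Highcharts-react situation described at the top of the thread, provided the commercial dependency is itself in the inventory.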
-
Question raised via TODO slack channel by Don Sudduth:
Hello! Looking for some advice here. We’re struggling with the number of OS projects changing their licensing from standard/common permissive and-or copyleft licenses to paid revenue models over the last couple of years.
Wondering if there are any forums/working groups/trackers of OS projects and their potential license changes - or, if there are other suggestions. Thanks!