Software licensing

Objectives

Knowing about what derivative work is and whether we can share it.
Get familiar with terminology around licensing.
Practical advice for software licensing.

Copyright

Photo of somebody taking a photo of an artwork that contains the text "WHO OWNS WHAT?"

Trademark: Protects a name/brand from impersonation.
Patent: Protects a novel, non-obvious, technical invention.
Copyright: Protects creative expression: software, writing, graphics, photos, certain datasets, this presentation. Practically “forever” (lifetime of author + 70 years).

Copyright controls whether and how we can distribute the original work or the derivative work.

Derivative work: Sampling/remixing

Generated image of a monk operating a record player

[Midjourney, CC-BY-NC 4.0]

Generated image of a monk operating two record players

[Midjourney, CC-BY-NC 4.0]

Changing and distributing software is similar to changing and distributing music
You can do almost anything if you don’t distribute it

Often we don’t have the choice:

We are expected to publish software
Sharing can be good insurance against being locked out

Exercise: Derivative work

Licensing-1: What constitutes derivative work?

This question 5 below can be used as a starting point and copied to the collaborative document or form input for an online poll:

## Question 5: Which of these are derivative works?

**Choose many**. Vote by adding an `o` character:

- A. Download some code from a website and add on to it
  - votes:

- B. Download some code and use one of the functions in your code
  - votes:

- C. Changing code you got from somewhere
  - votes:

- D. Extending code you got from somewhere
  - votes:

- E. Completely rewriting code you got from somewhere
  - votes:

- F. Rewriting code to a different programming language
  - votes:

- G. Linking to libraries (static or dynamic), plug-ins, and drivers
  - votes:

- H. Clean room design (somebody explains you the code but you have never seen it)
  - votes:

- I. You read a paper, understand algorithm, write own code
  - votes:

Solution

Derivative work: A-F
Not derivative work: G-I
E and F: This depends on how you do it, see clean room design.

Derivative work and containers

(I haven’t found a discussion/paper on this so only speculating; please suggest changes/improvements)

Distribution of container recipes: it’s like distributing source code
Distribution of container images: it’s like distributing binary form

Taxonomy of software licenses

European Commission, Directorate-General for Informatics, Schmitz, P., European Union Public Licence (EUPL): guidelines July 2021, Publications Office, 2021, https://data.europa.eu/doi/10.2799/77160

Comments:

Arrows represent compatibility (A -> B: B can reuse A)
Proprietary/custom: Derivative work typically not possible (no arrow goes from proprietary to open)
Permissive: Derivative work does not have to be shared
Copyleft/reciprocal: Derivative work must be made available under the same license terms
NC (non-commercial) and ND (non-derivative) exist for data licenses but not really for software licenses

Great resource for comparing software licenses: Joinup Licensing Assistant

Provides comments on licenses
Easy to compare licenses (example)
Joinup Licensing Assistant - Compatibility Checker
Not biased by some company agenda

If you would like to learn more about licenses, check out our slide deck: “Software licensing and open source explained with cakes”.

Exercise: Licensing situations

Licensing-2: Consider some common licensing situations

What is the StackOverflow license for code you copy and paste?
A journal requests that you release your software during publication. You have copied a portion of the code from another package, which you have forgotten. Can you satisfy the journal’s request?
You want to fix a bug in a project someone else has released, but there is no license. What risks are there?
How would you ask someone to add a license?
You incorporate MIT, GPL, and BSD3 licensed code into your project. What possible licenses can you pick for your project?
You do the same as above but add in another license that looks strong copyleft. What possible licenses can you use now?
Do licenses apply if you don’t distribute your code? Why or why not?
Which licenses are most/least attractive for companies with proprietary software?

Solution

As indicated here, all publicly accessible user contributions are licensed under Creative Commons Attribution-ShareAlike license. See Stackoverflow Terms of service for more detailed information.
“Standard” licensing rules apply. So in this case, you would need to remove the portion of code you have copied from another package before being able to release your software.
By default you are no authorized to use the content of a repository when there is no license. And derivative work is also not possible by default. Other risks: it may not be clear whether you can use and distribute (publish) the bugfixed code. For the repo owners it may not be clear whether they can use and distributed the bugfixed code. However, the authors may have forgotten to add a license so we suggest you to contact the authors (e.g. make an issue) and ask whether they are willing to add a license.
As mentionned in 3., the easiest is to fill an issue and explain the reasons why you would like to use this software (or update it).
Combining software with different licenses can be tricky and it is important to understand compatibilities (or lack of compatibilities) of the various licenses. GPL license is the most protective (BSD and MIT are quite permissive) so for the resulting combined software you could use a GPL license. However, re-licensing may not be necessary.
Derivative work would need to be shared under this strong copyleft license (e.g. AGPL or GPL), unless the components are only plugins or libraries.
If you keep your code for yourself, you may think you do not need a license. However, remember that in most companies/universities, your employer is “owning” your work and when you leave you may not be allowed to “distribute your code to your future self”. So the best is always to add a license!
The least attractive licenses for companies with proprietary software are licenses where you would need to keep an open license when creating derivative work. For instance GPL and and AGPL. The most attractive licenses are permissive licenses where they can reuse, modify and relicense with no conditions. For instance MIT, BSD and Apache License.

When should I add a license?

Choose a license early in the project, even before you publish it. Later in the project it may become complicated to change it. Agreeing on a software license does not mean that you have to make it open immediately. You can also follow the “open core” approach: You don’t have to open source all your work. Core can be open and on a public branch. Unpublished code can be on a private repository.

However, we recommend to work as if the code is public even though it still may be private (thanks to E. Glerean for this great suggestion): This is to avoid surprises about code in the history with incompatible license years later when you decide to open the project.

How to add a license if your work is derivative work

Your code is derivative work if you have started from an existing code and made changes to it or if you incorporated an existing code into your code.

If your code is derivative work, then you need to check the license of the original code. Depending on the license, your choices might be limited. In this case we recommend to use these two resources:

If the original code does not have a license, you may not be able to distribute your derivative code. You can try to contact the authors and ask them to clarify the license of their code.

Practical steps for incorporating something small into your own project with a license that allows you to do so (as an example incorporating a function or two from another project):

Create a LICENSES/ folder in your project and “put the unmodified license text (i.e., the license text template without any copyright notices) in your LICENSES/ folder” (https://reuse.software/faq/#license-templates). This way if you reuse code from multiple projects, you can keep there multiple license files.
Put the code that you incorporate into a separate file or separate files. This makes it later easier to see what was incorporated, and what was written from scratch. On top of the file(s) which you have incorporated into your project add (and adapt) the following header (more examples):
```
# SPDX-FileCopyrightText: 2023 Jane Doe <jane@example.com>
#
# SPDX-License-Identifier: MIT
```
The REUSE initiative was started by the Free Software Foundation Europe to make licensing of software projects easier. It is OK if you prefer to not follow this strict format but the advantage of following it is that the reuse-tool makes it then easy to verify and update license headers if you have many files from different sources.
If it does not make sense to have several files in your project (e.g. when incorporating something into a notebook), then add a note/comment about the license and where the code came from on top of the function.
Although it is not dictated by the license but it can still be nice to acknowledge the incorporated functions/code in your README/documentation and to cite their work if you publish a paper about your code.
Some licenses are more permissive (you can keep your changes private) but some licenses require you to publish the changes (share-alike).

Practical steps for making changes to an existing project with a license that allows you to do so:

If the project is on GitHub or GitLab or similar, first fork the project (copy it into your user space where you can make changes).
For the BSD and MIT licenses you are not obliged to state your changes but it can still be helpful for others if you do. You can state your changes in the header of the files you have modified. It can be helpful to state bigger-picture changes in the README file of the project.
Some licenses are more permissive (you can keep your changes private) but some licenses require you to publish the changes (share-alike).

If your work is not derivative work

If you have started “from scratch”, and not used any existing code, or incorporated existing code into your code, then you may consider your code to be not derivative work.

Before you may choose a license, clarify the following points with, for example, your supervisor, collaborators, or principal investigator:

Does your work contract, grant, or collaboration agreement dictate a specific license?
Is there an intent to commercialize the code?
When there is unknown or mixed ownership: If there are multiple persons or organizations as owners of the code, all must agree to the license.

Do not invent your own license. Choose one of the standard licenses, otherwise compatibility is not clear:

Practical steps:

Create a LICENSES/ folder (example).
Put the unmodified license text (i.e., the license text template without any copyright notices) in plain text format into the folder (example). Here are the two above licenses in plain text: EUPL and MIT (but the latter contains a copyright notice which we rather want to have on top of files).
Add copyright and license information to each file following https://reuse.software/tutorial/ which uses a standard format with so-called SPDX identifiers. Example below (example):
```
# SPDX-FileCopyrightText: 2023 Jane Doe <jane@example.com>
#
# SPDX-License-Identifier: EUPL-1.2
```
The REUSE initiative was started by the Free Software Foundation Europe to make licensing of software projects easier. It is OK if you prefer to not follow this strict format but the advantage of following it is that the reuse-tool makes it then easy to verify and update license headers if you have many files from different sources.
For really small projects with one or two files the above may seem excessive and some projects choose to not have copyright information on top of their files and they only have one LICENSE file and that is OK for really small projects.

Great resources

Research institution policies to support research software (compiled by the Research Software Alliance)
Guide from the Aalto University in Finland: “Opening your Software at Aalto University”
Draft: Research software licensing guide
Joinup Licensing Assistant - Find and compare software licenses
Joinup Licensing Assistant - Compatibility Checker
Social coding lesson material by CodeRefinery
Citation File Format (CFF)
License Selector
GitHub licensing guide
Choosing an open-source licence
Understanding Open Source and Free Software Licensing
Software Licenses in Plain English
Don’s Bibliography of Ethical Source Reading and Resources
Mikko Välimäki: The Rise of Open Source Licensing
Lawrence Rosen: Open Source Licensing
Aalto IPR Cheatsheet
Contributor License Agreements
4OSS recommendations
4OSS lesson
Intellectual Property Rights (IPR), Licensing And Patents
Dispelling Open Source Confusion: An Introduction to Licenses
https://choosealicense.com (can send automatic pull request to your GitHub repo)
https://hintjens.gitbooks.io/social-architecture/content/chapter2.html
http://rkd.zgib.net/scicomp/open-science/open-science.html
Nadia Asparouhova (formerly Nadia Eghbal): “Working in Public: The Making and Maintenance of Open Source Software” (Stripe Press)
Open Source Guides
The Architecture of Open Source Applications
Christopher M. Kelty: “Two Bits: The Cultural Significance of Free Software” (Duke University Press, 2008)
Open Source (Almost) Everything
99 ways to ruin an open source project
Open Source Casebook

Keypoints

You cannot ignore licensing: default is “no one can make copies or derivative works”.