
Investigating whether and how devs understand open-source software licensing - luu
https://link.springer.com/epdf/10.1007/s10664-018-9614-9?author_access_token=2UnutwNg1ErgHKAORtk4uPe4RwlQNchNByi7wbcMAY50XawtljjgcPug1I4idRs00WMeujxLeMa1wXS5ALugATd2Saw5MPX4qzW7xc9pHSVIeN4LnAZyJHebXO9FGiXb5Xh_xCbIoVNl4wcZOzkpEw%3D%3D
======
wrs
Aside from understanding the license, you have to remember to _look_ for the
license.

For example, Stack Overflow content is very nonintuitively licensed CC-BY-SA,
so if you copy and paste code from Stack Overflow (who doesn't?) it's
essentially the same as including GPL code. Apparently there was a movement to
MIT-license the code (as opposed to the textual content) that failed for some
reason, so this is now a ticking time bomb. (And if you try to sell your
company, the acquirer _will_ find that code in diligence.)

Even worse, ruby-forum.com is CC-BY-NC-SA, so you can't use code from there
for commercial purposes in the first place, never mind the copyleft aspect.

~~~
cycloptic
With the amount of copy-pasting going on it should be required by any company
developers at this point to attach SPDX copyright and licensing statements [0]
to everything that passes through their text editor. I recently watched a talk
at FOSDEM about a neat tool called REUSE [1] that will audit your project for
these statements and spit out a bill of materials.

[0]: [https://spdx.org/using-spdx-license-identifier](https://spdx.org/using-spdx-license-identifier)

[1]: [https://reuse.software/tutorial/](https://reuse.software/tutorial/)
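
An added example of the audit this comment describes (my own code, not the REUSE tool's): it scans a tree for the two tag lines REUSE expects, `SPDX-FileCopyrightText:` and `SPDX-License-Identifier:`, builds a minimal per-licence bill of materials, lists files that lack the tags, and flags identifiers the thread warns about (share-alike copyleft and non-commercial terms). The file extensions, the 20-line header window and the three sample files are assumptions made for the demo.

```python
import re
import tempfile
from pathlib import Path

SOURCE_EXTS = {".py", ".js", ".c", ".h", ".rb", ".go"}   # assumed set of source suffixes
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)")
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+?)\s*(?:\*/|-->)?\s*$", re.M)

def parse_header(text, max_lines=20):
    """Return {'license': expression or None, 'copyright': [holders]} from a file's top lines."""
    head = "\n".join(text.splitlines()[:max_lines])   # REUSE puts the tags at the top of the file
    lic = LICENSE_RE.search(head)
    return {"license": lic.group(1) if lic else None,
            "copyright": [m.group(1) for m in COPYRIGHT_RE.finditer(head)]}

def flag_reason(expr):
    """Why a licence expression needs review before commercial use, or None (crude substring checks)."""
    if "-NC" in expr:                                   # e.g. CC-BY-NC-SA-4.0 (ruby-forum.com)
        return "non-commercial terms"
    if "-SA" in expr or expr.startswith(("GPL", "AGPL", "LGPL")):
        return "copyleft / share-alike"                 # e.g. CC-BY-SA-4.0 (Stack Overflow)
    return None

def audit_tree(root):
    """Walk ROOT; return files grouped by licence, files missing tags and files needing review."""
    report = {"by_license": {}, "missing": [], "flagged": {}}
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix in SOURCE_EXTS):
            continue
        name, hdr = str(path.relative_to(root)), parse_header(path.read_text(errors="replace"))
        if hdr["license"] is None or not hdr["copyright"]:
            report["missing"].append(name)              # REUSE wants both tags on every file
        if hdr["license"]:
            report["by_license"].setdefault(hdr["license"], []).append(name)
            reason = flag_reason(hdr["license"])
            if reason:
                report["flagged"][name] = f"{hdr['license']}: {reason}"
    return report

def demo():
    """Run the audit over a constructed three-file tree (sample data, not a real project)."""
    files = {  # constructed sample headers
        "app.py": "# SPDX-FileCopyrightText: 2019 Example Corp\n# SPDX-License-Identifier: MIT\n",
        "snippet.js": "/* SPDX-FileCopyrightText: 2018 SO user\n * SPDX-License-Identifier: CC-BY-SA-4.0 */\n",
        "util.c": "int f(void) { return 0; }\n",       # pasted in without any header
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(body)
        return audit_tree(tmp)
```

Running `demo()` reports `util.c` as missing tags and flags `snippet.js` for its share-alike licence, which is the kind of finding a pre-commit hook or CI step would surface before the code reaches a release.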

~~~
saagarjha
> their text editor

Good luck getting this to work with every text editor your engineers will use,
and not having them revolt because it messes with their workflow…

~~~
cycloptic
It really doesn't mess with any workflow. It's asking them to write the
copyright information at the top of the file when they copy something from
GitHub or whatever. The tool can do it in an automated fashion and ensure you
do it right before check-in. It's good practice to do this when contributing
something upstream too. You'll usually want the engineer to add your company's
name and copyright info if they do it on company time.

I would actually raise an eyebrow if your engineers were resistant to keeping
a written log of copyright information based on workflow grounds. That could
indicate that there is a lot more copy-pasting going on that they don't want
you to know about — when the code is 100% written by the same team without
copy-pasting then there is a lot less question on who owns what. And I don't
mean that to discourage teams from reusing open source components, but rather
to help them understand that there are associated bookkeeping costs that can
potentially be reduced with the right workflow.

------
Rochus
Interesting paper. Actually it's not only the developers who are challenged.
Even lawyers often have trouble understanding these licenses, because often
formulations are used that are not written by lawyers and are not common.
Moreover, final clarity on the exact interpretation and effect of these
licenses will only be achieved once there are judgments from the highest
courts. And since every country has its own legal system and there are many
different aspects to clarify, many such judgments are needed. So the matter is
not so simple. Whether the developers understand the licenses or not is just
one of many problems.

------
belorn
> The interviews with software developers also may not represent all themes
> that arise in license incompatibility scenarios... They came from
> organizations that had between 51 and 1000 employees. Licensing
> incompatibility issues might be more or less frequent in organizations of
> different sizes and the themes that emerged could be different given a
> different population.

I wonder how representative this study is for the Debian community and all the
packages listed in the repository.

Looking at the quotes, it seems the typical developer in the study is one
delivering products to customers, who I guess either own the copyright in the
end or want to integrate the product into proprietary systems.

------
erdos4d
I grew up in the piracy era; if the code is possible to get and I want it, I
get the code and do what I want. What is this license everyone keeps talking
about? Never read one of those. Seems like a lot of wasted time and energy to
me. I'd rather use that time and energy to build something cool. If I gotta
be anon to do that, I'm black as night. This legal shit is for bean counter
types. I get shit done for a living.

