2023-09-25 08:03
Combining code from different sources in a free or open source software project requires making sure that the licences of each component are compatible. As an example, the GNU General Public Licence version 2 is incompatible with the Apache Licence version 2. However, GPLv3 is compatible with it.
Checking things manually is tedious and error-prone. For the most common licences, compatibilities are pretty clear, and when each component declares its licences, a program can check the easy cases.
Idea: Write a program that can do "licence arithmetic", by checking if combinations of licences are OK. The program would be given a "licence expression" giving the licences of its components, and would output the effective licence, or "error", or "unknown".
Use SPDX licence expressions as input and output. See https://spdx.org/licenses/ for a list of licence identifiers. Assume AND and OR operators, and parentheses.
Examples:
The program should probably read a data file that explains the known cases. Something like this:
    rules:
      - expr: GPL-2.0-only AND BSD-2-Clause
        result: GPL-2.0-only
      - expr: GPL-3.0-or-later AND (BSD-2-Clause OR Apache-2.0)
        result: GPL-3.0-or-later
      - expr: GPL-2.0-or-later AND Apache-2.0
        result: GPL-3.0-or-later
      - expr: GPL-2.0-only AND Apache-2.0
        result: error
        url: https://url.to.explanation
        explanation: "explanation of why the result"

The program would extract the SPDX licence expressions of all components, combine them with OR, and simplify the result, then check it against the rules in its data file.
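The lookup described above, as an added Python example that is not part of the original post: it parses an expression with AND, OR and parentheses, normalises it so that operand order and redundant nesting do not matter, and looks the result up in the rules. The function names, the tuple form of the rules and treating a single licence as its own result are assumptions; the rules are written with the SPDX identifier Apache-2.0.

```python
import re

# Rules from the data file sketched above, as (expression, result) pairs.
RULES = [
    ("GPL-2.0-only AND BSD-2-Clause", "GPL-2.0-only"),
    ("GPL-3.0-or-later AND (BSD-2-Clause OR Apache-2.0)", "GPL-3.0-or-later"),
    ("GPL-2.0-or-later AND Apache-2.0", "GPL-3.0-or-later"),
    ("GPL-2.0-only AND Apache-2.0", "error"),
]

def canonical(expr):
    """Parse expr into an id string or (operator, frozenset of operands)."""
    tokens = re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected character in expression")
    def operand():
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            node = chain("OR")
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"expected a licence id, got {tok!r}")
        return tok

    def chain(op):
        # OR binds loosest, so its operands are AND chains.
        sub = (lambda: chain("AND")) if op == "OR" else operand
        items = set()
        while True:
            node = sub()
            # Flatten same-operator nesting: A AND (B AND C) == A AND B AND C.
            items |= node[1] if isinstance(node, tuple) and node[0] == op else {node}
            if not tokens or tokens[0] != op:
                break
            tokens.pop(0)
        return next(iter(items)) if len(items) == 1 else (op, frozenset(items))

    node = chain("OR")
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

TABLE = {canonical(expr): result for expr, result in RULES}
def effective_licence(expr):
    """Rule result (licence id or 'error'), or 'unknown'. Assumption: a lone id is its own result."""
    node = canonical(expr)
    return node if isinstance(node, str) else TABLE.get(node, "unknown")
```

Because operands are stored in sets, `BSD-2-Clause AND GPL-2.0-only` matches the first rule even though the rule lists the operands in the other order, and anything no rule covers comes back as `unknown` rather than a guess.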
Software can't give legal advice. It should only be used in entirely unambiguous cases and even then the result should be checked by a competent human.