Understanding and Remediating Open-Source License Incompatibilities in the PyPI Ecosystem
Weiwei Xu, Hao He, Kai Gao, Minghui Zhou

TL;DR
This paper empirically studies license incompatibilities in the PyPI ecosystem, revealing their prevalence and remediation practices, and introduces SILENCE, an SMT-solver-based tool to recommend cost-effective license conflict resolutions.
Contribution
It provides the first large-scale empirical analysis of license incompatibilities in PyPI and proposes SILENCE, an automated approach for recommending remediation strategies.
Findings
7.27% of PyPI packages have license incompatibilities
61.3% of incompatibilities are caused by transitive dependencies
SILENCE's recommendations match 19 real-world cases and are accepted by five packages
Abstract
The reuse and distribution of open-source software must be in compliance with its accompanying open-source license. In modern packaging ecosystems, maintaining such compliance is challenging because a package may have a complex multi-layered dependency graph with many packages, any of which may have an incompatible license. Although prior research finds that license incompatibilities are prevalent, empirical evidence is still scarce in some modern packaging ecosystems (e.g., PyPI). It also remains unclear how developers remediate the license incompatibilities in the dependency graphs of their packages (including direct and transitive dependencies), let alone any automated approaches. To bridge this gap, we conduct a large-scale empirical study of license incompatibilities and their remediation practices in the PyPI ecosystem. We find that 7.27% of the PyPI package releases have license…
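As an added illustration of the problem the abstract describes (this is not the paper's SILENCE tool or any code from the authors), the following Python walks a constructed PyPI-style dependency graph and reports every dependency, direct or transitive, whose license the root package's license does not permit. The compatibility table, package names and licenses are hypothetical and deliberately simplified.

```python
from collections import deque

# Constructed compatibility relation (hypothetical, simplified): a package
# under license L may depend on a package under license D only if D is in
# ALLOWED[L]. Real license compatibility is more nuanced than this table.
ALLOWED = {
    "MIT": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "Apache-2.0": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "BSD-3-Clause": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "LGPL-3.0-only": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-3.0-only"},
    "GPL-3.0-only": {"MIT", "BSD-3-Clause", "Apache-2.0",
                     "LGPL-3.0-only", "GPL-3.0-only"},
}


def find_incompatibilities(root, deps, licenses):
    """Breadth-first walk of the dependency graph from `root`.

    Returns a list of (dependency, license, path) for each dependency whose
    license is not allowed under the root package's license. `path` is the
    chain of packages from root to the offending dependency, so a caller can
    tell a direct incompatibility (len(path) == 2) from a transitive one.
    Unknown licenses are reported as "UNKNOWN" and treated as incompatible.
    """
    allowed = ALLOWED.get(licenses[root], set())
    seen = {root}
    queue = deque([(root, [root])])
    found = []
    while queue:
        pkg, path = queue.popleft()
        for dep in deps.get(pkg, []):
            if dep in seen:          # each package is checked once
                continue
            seen.add(dep)
            dep_lic = licenses.get(dep, "UNKNOWN")
            dep_path = path + [dep]
            if dep_lic not in allowed:
                found.append((dep, dep_lic, dep_path))
            queue.append((dep, dep_path))
    return found


# Constructed sample graph: an MIT-licensed package whose only GPL dependency
# is reached transitively through a permissively licensed direct dependency.
DEPS = {"myapp": ["httplib-x", "plotlib"], "httplib-x": ["urlcore"],
        "plotlib": ["gplcolor"]}
LICENSES = {"myapp": "MIT", "httplib-x": "Apache-2.0", "urlcore": "MIT",
            "plotlib": "BSD-3-Clause", "gplcolor": "GPL-3.0-only"}

if __name__ == "__main__":
    for dep, lic, path in find_incompatibilities("myapp", DEPS, LICENSES):
        kind = "direct" if len(path) == 2 else "transitive"
        print(f"{kind}: {' -> '.join(path)} ({lic} not allowed under MIT)")
```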
Taxonomy
Topics: Open Source Software Innovations · Software Engineering Research · Scientific Computing and Data Management
