Hidden Licensing Risks in the LLMware Ecosystem

TL;DR

This paper investigates licensing risks in the emerging LLMware ecosystem, analyzing supply chains, identifying conflicts, and proposing a new LLM-based tool that improves license compatibility detection significantly.

Contribution

It introduces LiAgent, an LLM-based framework for license compatibility analysis, and provides a large-scale dataset and analysis of licensing issues in LLMware supply chains.

Findings

License distributions in LLMware differ from traditional OSS.

LiAgent achieves 87% F1 score, outperforming prior methods.

Detected 60 license conflicts, with 11 confirmed by developers.

Abstract

Large Language Models (LLMs) are increasingly integrated into software systems, giving rise to a new class of systems referred to as LLMware. Beyond traditional source-code components, LLMware embeds or interacts with LLMs that depend on other models and datasets, forming complex supply chains across open-source software (OSS), models, and datasets. However, licensing issues emerging from these intertwined dependencies remain largely unexplored. Leveraging GitHub and Hugging Face, we curate a large-scale dataset capturing LLMware supply chains, including 12,180 OSS repositories, 3,988 LLMs, and 708 datasets. Our analysis reveals that license distributions in LLMware differ substantially from traditional OSS ecosystems. We further examine license-related discussions and find that license selection and maintenance are the dominant concerns, accounting for 84% of cases. To understand incompatibility risks, we analyze license conflicts along supply chains and evaluate state-of-the-art detection approaches, which achieve only 58% and 76% F1 scores in this setting. Motivated by these limitations, we propose LiAgent, an LLM-based agent framework for ecosystem-level license compatibility analysis. LiAgent achieves an F1 score of 87%, improving performance by 14 percentage points over prior methods. We reported 60 incompatibility issues detected by LiAgent, 11 of which have been confirmed by developers. Notably, two conflicted LLMs have over 107 million and 5 million downloads on Hugging Face, respectively, indicating potentially widespread downstream impact. We conclude with implications and recommendations to support the sustainable growth of the LLMware ecosystem.