A simple dev’s guide to software licensing

Software licences definitely aren’t something that get developers very excited. In fact, in my experience the most common response is to look for a sandy spot to bury one’s head. Legally and morally, however, getting it right is kind of a big deal.

At Media Suite we’ve aimed for a fluid and adaptive approach that ensures we’re managing our use of open source libraries responsibly, while freeing us up to do what we enjoy most – writing great code. The goal is to manage compliance without disrupting development within a sprint.

Open source licensing at Media Suite

We start with a general guide to software licensing within the company, which sets out the process we follow for tracking software licences.

In a nutshell it comes down to:

  1. Knowing when to flag or escalate a licence choice (internally, and potentially to the client if the licence is more restrictive than we are comfortable with or has ongoing costs attached to it).
  2. Tracking the licences used in the project in a way that gives us clarity and context.

Having a reasonably consistent approach at project level lets us better manage the legal (and moral) risks of getting this wrong.

Knowing when to flag or escalate a licence choice

To decide when a licence choice needs to be escalated we maintain three lists:

  1. “Safe” Licences
  2. Approach with Caution / Escalate
  3. Probably not OK / Escalate

“Safe” licences make up the vast majority of open source licences you encounter today (think MIT, Apache, BSD, and friends). What we are looking for here are the most permissive terms (perpetual, royalty free, allowing unfettered reuse, modification and resale). We effectively “pre-approve” these with our clients, so if you encounter one in a library you’d like to use, go right ahead. Given the popularity of these licences, a “pre-approved” approach frees us up to focus on development. Note that even these licences carry attribution obligations (keeping the copyright notice and, for Apache-2.0, the NOTICE file), which is one reason the register described below still matters for safe libraries.

“Approach with caution” licences are typically fine to use, but may carry a potential problem or an obligation that warrants flagging to the project lead, or even sending out for legal review, so that someone can double-check the specifics and confirm the licence is OK for the contemplated use in this particular project.

“Probably not OK” licences are generally problematic enough that they shouldn’t be used in a commercial context, but they can still be escalated to double-check, as they may be acceptable depending on the specific circumstances (or with the informed consent of the client).

Our general guidelines provide a good starting point for these lists, but as every project is its own unique snowflake of contractual joy they really do need review and tailoring to match the requirements of the specific project.
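The three lists above are only useful if something actually applies them to the register. The following script, an added example rather than Media Suite’s own guideline or tooling, classifies each entry of a CSV register as safe, approach with caution, probably not OK, or unknown, and prints the ones that need escalating. The list contents, the alias table for non-SPDX spellings, and the CSV layout (name,version,licence) are assumptions to be tailored per project; the sample register is constructed, and the package names other than knex are hypothetical. It also handles the dual-licensing (“A OR B”) and combined-licence (“A AND B”) expressions that appear in package metadata, which the lists alone do not cover.

```python
"""Check a dependency register against the three licence lists.

Added example, not Media Suite's own tooling. List contents, alias table and
CSV layout (name,version,licence) are assumptions; tailor them per project.
"""
import csv
import io
import re

# Illustrative list contents in SPDX identifiers (assumption: tailor per project and client).
SAFE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "0BSD", "Unlicense"}
CAUTION = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
           "MPL-2.0", "EPL-2.0"}
NOT_OK = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
          "AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"}

# Non-SPDX spellings that turn up in package metadata, mapped to SPDX ids (assumed table).
ALIASES = {
    "BSD": "BSD-3-Clause", "APACHE 2.0": "Apache-2.0", "APACHE-2": "Apache-2.0",
    "GPL-2.0": "GPL-2.0-only", "GPL-3.0": "GPL-3.0-only", "GPLV2": "GPL-2.0-only",
    "GPLV3": "GPL-3.0-only", "LGPL-2.1": "LGPL-2.1-only", "LGPL-3.0": "LGPL-3.0-only",
    "AGPL-3.0": "AGPL-3.0-only",
}

# Higher number = more reason to escalate. Unknown is worst: nobody has looked at it yet.
SEVERITY = {"safe": 0, "caution": 1, "not-ok": 2, "unknown": 3}
KNOWN = {k.upper(): k for k in SAFE | CAUTION | NOT_OK}


def normalise(token):
    """Map one licence token to an SPDX id where possible; otherwise return it unchanged."""
    t = token.strip().strip("()").strip()
    key = t.upper()
    return ALIASES.get(key) or KNOWN.get(key) or t


def classify_single(spdx_id):
    if spdx_id in SAFE:
        return "safe"
    if spdx_id in CAUTION:
        return "caution"
    if spdx_id in NOT_OK:
        return "not-ok"
    return "unknown"


def classify(expression):
    """Classify a flat SPDX-style expression.

    'A OR B' is a dual licence, so we may take the least severe alternative;
    'A AND B' binds us to both, so the most severe term wins. SPDX gives AND
    higher precedence than OR, so split on OR first. Nested parentheses are
    not handled (assumption: registers built from package metadata are flat).
    """
    if not expression or not expression.strip():
        return "unknown"
    best = "unknown"
    for alternative in re.split(r"\s+OR\s+", expression.strip(), flags=re.IGNORECASE):
        worst = "safe"
        for term in re.split(r"\s+AND\s+", alternative, flags=re.IGNORECASE):
            status = classify_single(normalise(term))
            if SEVERITY[status] > SEVERITY[worst]:
                worst = status
        if SEVERITY[worst] < SEVERITY[best]:
            best = worst
    return best


def review_register(csv_text):
    """Return (all rows with a status, rows needing escalation) for a CSV register."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        licence = r.get("licence") or ""
        rows.append({"name": r["name"], "version": r["version"],
                     "licence": licence, "status": classify(licence)})
    escalations = [r for r in rows if r["status"] != "safe"]
    return rows, escalations


# Constructed sample register; package names other than knex are hypothetical.
SAMPLE_REGISTER = """name,version,licence
knex,2.5.1,MIT
example-dual,1.0.0,(BSD-3-Clause OR GPL-2.0)
example-combined,3.2.0,MIT AND Apache-2.0
example-lgpl,1.0.0,LGPL-3.0-only
example-agpl,2.0.0,AGPL-3.0
example-unlabelled,0.1.0,
"""

if __name__ == "__main__":
    _, to_escalate = review_register(SAMPLE_REGISTER)
    for row in to_escalate:
        print(f"{row['status']:8} {row['name']} {row['version']} "
              f"({row['licence'] or 'no licence recorded'})")
```

Two design points worth noting: an empty or unrecognised licence field is treated as the most severe outcome rather than quietly passing, because an unreviewed licence is exactly the case the process exists to catch; and the dual-licence rule only picks the permissive alternative, which is what dual licensing permits, whereas a combined “AND” expression is held to its strictest term.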

Tracking licences that are pulled into the project

To track the licences that are used, we create a register: a spreadsheet listing each library with its version and its licence (including the licence version). This is regularly updated during the course of the project so that it represents the current state of the codebase.

This is the arduous part of the process, but luckily something that is easily automated (a must given the dependency tree sizes of JavaScript projects).

Dependencies pulled in from the knex library, produced from https://npm.anvaka.com/#/view/2d/knex

Here are some tools we’ve used to generate registers in our most common language choices.

JavaScript / Node

The Node License Finder (nlf) package is a great little tool to use for NPM packages. You can simply install it and run it in the same directory as your package.json file.

For example, to generate CSV with package and licence information, you can use:

nlf -c

Note that this can take some time to run. You can adjust the depth of dependencies to follow with the -r flag, e.g.

nlf -r 1 -c

See nlf --help for the full list of options; it has a couple of other useful features, such as the -d flag to exclude dev dependencies.

Python

For pip-installed dependencies we’ve written a script (MIT licensed :D) that wraps setuptools’ pkg_resources module. You give it the path to the requirements.txt file and it outputs CSV information about the packages and their licences. Because the licence data is read from the metadata of the installed distributions rather than from the requirements file itself, the packages need to be installed in the environment you run it from.

list-licenses.py requirements.txt

Some other useful tools:

  • pipdeptree – As the requirements.txt file is flat, it is sometimes useful to see which library is pulling in other dependencies; pipdeptree is very useful for that.
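The Python register step is small enough to show end to end. The script below is an added example, not Media Suite’s list-licenses.py; it uses importlib.metadata, the standard-library successor to the setuptools pkg_resources module (which setuptools has since deprecated), to read the licence of each installed distribution named in a requirements.txt and emit the same name/version/licence CSV a register needs. It reports a listed-but-not-installed package as NOT INSTALLED rather than silently dropping it, and it prefers the SPDX License-Expression field over the free-text License field and the trove classifiers, since the free-text field is often empty or contains the whole licence text. The requirements file, the package names and the metadata table are constructed for the example; pass no lookup function to read the real environment instead.

```python
"""Build a licence register from a requirements.txt via importlib.metadata.

Added example, not Media Suite's list-licenses.py. Licence data comes from
the metadata of the *installed* distribution; packages that are not installed
in the current environment are reported as NOT INSTALLED.
"""
import csv
import io
import re
from importlib import metadata

# Leading distribution name of a requirement line; extras, version specifiers
# and environment markers that follow it are ignored for the lookup.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text):
    """Return distribution names from requirements.txt-style text.

    Skips blank lines, comments and option lines such as '-r other.txt' or
    '--index-url ...'; included files are not followed (assumption: flat file).
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def _get_all(md, key):
    """Multi-valued field access for importlib.metadata objects and plain dicts alike."""
    if hasattr(md, "get_all"):
        return md.get_all(key) or []
    value = md.get(key)
    return value if isinstance(value, list) else ([value] if value else [])


def licence_from_metadata(md):
    """Derive a licence string from distribution metadata.

    Prefers License-Expression (SPDX, PEP 639), then the free-text License
    field, then 'License :: ...' trove classifiers; 'UNKNOWN' if none is set.
    """
    expression = md.get("License-Expression")
    if expression and expression.strip():
        return expression.strip()
    text = (md.get("License") or "").strip()
    if text and text.upper() != "UNKNOWN":
        return text.splitlines()[0]  # some projects paste the whole licence text here
    classifiers = [c for c in _get_all(md, "Classifier") if c.startswith("License ::")]
    names = [c.split("::")[-1].strip() for c in classifiers]
    return "; ".join(names) if names else "UNKNOWN"


def table_lookup(table):
    """Return a lookup(name) over a dict of metadata dicts, mimicking importlib.metadata.metadata."""
    def lookup(name):
        try:
            return table[name]
        except KeyError:
            raise metadata.PackageNotFoundError(name)
    return lookup


def build_register(requirements_text, lookup=None):
    """Return register rows (name, version, licence); lookup defaults to the live environment."""
    lookup = lookup or metadata.metadata
    rows = []
    for name in parse_requirements(requirements_text):
        try:
            md = lookup(name)
        except metadata.PackageNotFoundError:
            rows.append({"name": name, "version": "", "licence": "NOT INSTALLED"})
            continue
        rows.append({"name": md.get("Name") or name, "version": md.get("Version") or "",
                     "licence": licence_from_metadata(md)})
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "version", "licence"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


SAMPLE_REQUIREMENTS = """# constructed sample; the package names are hypothetical
-r base.txt
demo-http==2.31.0  # pinned
demo-dbdriver>=2.9
demo-tool[cli]~=1.0 ; python_version >= "3.8"
"""

# Constructed stand-in for installed metadata, keyed by distribution name.
SAMPLE_METADATA = {
    "demo-http": {"Name": "demo-http", "Version": "2.31.0", "License": "Apache 2.0"},
    "demo-dbdriver": {"Name": "demo-dbdriver", "Version": "2.9.9", "License": "",
                      "Classifier": ["Programming Language :: Python",
                                     "License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)"]},
}

if __name__ == "__main__":
    # Omit the lookup argument to read the real environment instead of the constructed table.
    print(to_csv(build_register(SAMPLE_REQUIREMENTS, table_lookup(SAMPLE_METADATA))))
```

The output uses a plain name,version,licence header so it can be pasted straight into the register spreadsheet, and because the licence column carries whatever the package author wrote, the free-text values still need normalising before any automated comparison against the safe/caution/not-OK lists.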

Final word

This is an evolving process and as we encounter different languages, package managers and licences in our work we’ll obviously continue to grow our guidelines and improve our toolkit.


Lego’s back, back again…

It’s orange. It’s plastic, and it hurts like hell when you stand on it.

Lego is back at this year’s Canterbury Tech Summit, and once again we’ll be asking Summit-goers to care.

As the Summit Web Partner, Media Suite is lined up as a swag bag contributor. (You can read more about our position on swag bags here.) Put simply, we’re faced with providing hundreds of items for conference attendees that, realistically, would spend the next few years on someone’s desk. Once again, we want to do more than stress balls, branded pens or glossy pamphlets.

What’s the deal?

Last year, we trialled a charitable giving project at the Tech Summit which called for 600 Lego bricks and three worthy causes. Summit-goers received a Lego brick in their swag bag, and each brick was worth a $10 donation – if all 600 came back, we would be donating $6000 split across three charities. All that was needed, was for every attendee to visit our booth and place their Lego brick in front of the charity of their choosing – we pre-selected three that met our criteria. At the end of the day, we counted up the number of bricks for each charity, and made a donation to that value.

Last year, 207 of the 600 bricks were returned as votes = $2070 in donations made ($1260 to Code Club Aotearoa, $450 to YMCA Christchurch, and $360 to Action Station).

The aim of the game was to turn our swag bag contribution into a chance for doing good. We wanted to inspire people to give back, and at the same time, boost the coffers of some great causes.

And this year?

We’re determined to improve on 207 votes. There will be 650 bricks handed to Summit-goers as they enter through the main door, and we sincerely hope to get all 650 back. That’s a whopping $6500 we could be donating.

After scouring the country, we’ve identified three great causes that are sure to inspire your giving side. We were looking for Registered Charities that had a tech or software development focus or programme, that were active in their community and used their funding to maximise their output.

  • Code Club Aotearoa: Thanks to their tireless efforts to get children from all socio-economic backgrounds into coding, Code Club have again secured a spot in our lineup. This Christchurch-born charity has a strong history of putting their funding right where it’s needed most, and working hard to make every dollar count, “to give every Kiwi kid the opportunity to learn to code, no matter who or where they are”.

  • The Champion Centre: Specialises in providing early intervention services to Canterbury infants and children with significant disabilities. Our donation will be targeted at contributing to the centre’s Computer Supported Learning Programme, which costs $50,000 in staff costs to run annually. Learn more about the programme here.

  • Ministry of Inspiration: A Nelson-based charity working to get kids excited about careers and opportunities in Science, Technology, Engineering, Arts and Maths. They have specific coding and tech programmes, and 20% of their participants are accepted on scholarship if they can’t afford to attend. The organisation runs on a shoe-string and invests back into the programmes it offers.

How do I vote?

As you enter Tech Summit through the main door, our team will be there to put an orange Lego brick in your hand. It’s up to you whether or not you use it. Swing by our booth at the Summit and add your vote to the charity of your choice.

See you there!