Open Source Compliance Training
Why should we care about licenses?
Licenses in projects are essentially contracts between the author/maintainers and the users. "I'm giving you the source code for free, you can do anything you want as long as it's fair to me" is what all licenses generally dictate. Now, how do we know what's fair to the authors? This bit is easy to decipher (for the most part) because they choose to ship their project with a license that embodies their ideas for what's fair.
The classes of licenses are broadly defined, provided the authors use mainstream licenses, which they most likely do...unless they have their own crayon licenses or none at all. Yeah, if a project ships without a license, you have to get approval from the authors before using it...and they will likely tell you NO lol #nolicense
Also, our website text and design content has to be licensed. I'm not sure if we've done that for the ERPNext docs, our blogs, courses, community discuss posts or anything else...I know that the Frappe docs carry an MIT license, which doesn't make a lot of sense for a knowledge base. For instance, Stack Overflow posts are licensed under CC BY-SA 4.0 (ref).
So, are we doing anything about licenses at this point? I mean, do we really care?
I came across this project, which was supposed to enable monkey patching in golang called monkey.
Copyright Bouke van der Bijl I do not give anyone permissions to use this tool for any purpose. Don't use it. I’m not interested in changing this license. Please don’t ask.
For a project with 2.6k+ stars and 750+ dependents to have no license at all was a bit odd. I wondered whether we depend on any such packages too, because that would suck lol. I started looking into how we could identify and fix these issues and came across fossa.com. I imported Frappe, ERPNext & Bench, and it flagged a bunch of licensing issues. I reviewed the issues in the Bench project, resolved all 50 flagged issues, and it's now fully compliant.
Check out the FOSSA Dashboard for the Bench Project here.
How many dependencies do you think Frappe directly uses? We have ~80 direct Python dependencies, now separated into dev and general classes, ~50 direct Node dependencies, and 10+ system-level dependencies. So, if even one of our dependencies isn't compliant, that makes us non-compliant too.
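A first pass at the "do we depend on anything with no license?" question can be done from package metadata alone, before bringing in a tool like FOSSA. The script below is an added example, not Frappe's or FOSSA's code: it reads the License / License-Expression field and the "License ::" classifiers of each installed Python distribution, maps a few common spellings to SPDX identifiers, and flags packages that declare no license at all ("missing") or a license outside a small allow-list ("review"). The allow-list and alias table are assumptions standing in for a real policy.

```python
"""Flag Python dependencies whose declared license is missing or needs review.

Added example (standard library only). PERMISSIVE and ALIASES are assumed
policy values; replace them with your own list when adopting this.
"""
from importlib import metadata

# Assumption: licenses accepted without a review (SPDX identifiers).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Common free-text spellings seen in License fields / classifiers -> SPDX.
ALIASES = {
    "mit": "MIT", "mit license": "MIT",
    "bsd": "BSD-3-Clause", "bsd license": "BSD-3-Clause",
    "apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0",
    "apache software license": "Apache-2.0",
    "isc": "ISC", "isc license (iscl)": "ISC",
    "gnu general public license v3 (gplv3)": "GPL-3.0-only",
}


def normalize(license_field, classifiers):
    """Return a best-effort SPDX identifier, or None if no license is declared."""
    candidates = [license_field] if license_field else []
    candidates += [c.split("::")[-1] for c in classifiers if c.startswith("License ::")]
    for cand in candidates:
        key = cand.strip().lower()
        if key in ("", "unknown"):          # setuptools writes UNKNOWN when unset
            continue
        # Some packages paste the whole license text into the field; keep line 1.
        return ALIASES.get(key, cand.strip().splitlines()[0])
    return None


def classify(license_field, classifiers):
    """'ok' (allow-listed), 'review' (declared but not allow-listed), 'missing'."""
    spdx = normalize(license_field, classifiers)
    if spdx is None:
        return "missing"
    return "ok" if spdx in PERMISSIVE else "review"


def audit(records):
    """records: iterable of (name, license_field, classifiers) -> {name: status}."""
    return {name: classify(lic, cls) for name, lic, cls in records}


def installed_records():
    """Yield the same triple for every distribution in the current environment."""
    for dist in metadata.distributions():
        md = dist.metadata
        lic = md.get("License-Expression") or md.get("License")
        yield md["Name"], lic, md.get_all("Classifier") or []


if __name__ == "__main__":
    for name, status in sorted(audit(installed_records()).items()):
        if status != "ok":
            print(f"{status:8} {name}")
```

Run it inside the bench virtualenv to see which of the ~80 Python dependencies need a closer look; "missing" entries are the ones to treat like the monkey case above until the author's terms are confirmed.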
Training video for Open Source Compliance
We conducted a training with LegaliTech for the same on Feb 8, 2022. Here's the video:
There are some things the Frappe Engineering Team needs to do to be sure all our projects comply with the licenses of the software we use. OpenChain 2.1 is an ISO-compliant standard for open source compliance programs. We have a long way to go in setting up an Open Source Policy, a Contributor License Agreement, etc.
GamePlan Thread: https://gameplan.frappe.io/t/dependencies-and-open-source-licenses