Use JSON? Well You'd Better Not Be Evil

Here's a license for a library you probably use right now. Notice the clause I circled in an alarmist shade of red:

If you saw this license flagged in a Nexus RHC report, it might make you stop and chuckle a bit. "Right, don't be evil clause. Ok, whatever." But remember, you are a developer, not a lawyer.

A lawyer sees that clause, and they have to take it seriously. You see, lawyers usually don't have a sense of humor when it comes to the law, and they can't ignore something in a license. A license is just that: a legal document, and everything in it must be taken at face value.

Assuming you take the law seriously, there are two things to note about this license:

  1. Compliance is impossible. A distinction between good and evil is barely possible within strictly defined cultural contexts, but coming up with a universal definition of good and evil is impossible within the confines of international law. You could try, but you would need to employ the services of a committee including philosophers and scholars familiar with descriptive meta-ethics who could render opinions on the software that incorporates this library. You have some specialists on meta-ethics on staff, right?

  2. This isn't even open source. The Open Source Initiative publishes its criteria for open source licenses here: http://opensource.org/docs/osd - The Open Source Definition. Clause #6 is "No Discrimination Against Fields of Endeavor" - The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. Forget the definition of Evil; you can't restrict fields of endeavor.

So if this license isn't an open source license, what is it? That's a good question. Is it unenforceable? Does the clause invalidate the standard MIT license it is contained in? I can't answer these questions for you; I'm not a lawyer. I'd only trust a lawyer familiar with your approach to software development and your distribution footprint to render an opinion.

But the most important thing I take away from this license is that this additional clause adds an unnecessary complication... one that many people don't even know is lurking in their dependency tree. If it were just a stock MIT license, you wouldn't have to pay a legal professional to take the time to evaluate it; it would show up in Sonatype Insight as a standard license. As it stands, at least Insight and the Nexus Repository Health Check will alert you to the presence of this obscure obligation.

What license is this? JSON.org has this clause embedded in a standard MIT license (http://www.json.org/license.html). Do you use JSON in your systems today? Have fun explaining the "Don't be evil" clause to your in-house counsel.

Written by Brian Fox

Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from the Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents, such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, as well as developing and leading the development of, software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other security and development-related conferences.