License Management in Software Projects
Why do license management as a developer?
Because you have to - plain and simple. If you publish your own or your employer's source code under an open source license, you must always check whether each library you use is available under a compatible license.
What license should I use?
For general information about licenses, please see
LicenseManagement.
How to do license management best in Java?
Start from the beginning by including the following two Maven plugins in your Java project. And yes, bind them to the check goal so that they run with every clean build and the build fails if licensing information is incomplete! Also, both plugins are bound to the initialize phase so that the build fails early - before all tests run etc.
Collaborate by helping to maintain the shared files at http://52north.github.io/cdn/.
License file
A one-time manual step: Add a file LICENSE to the root of your project (next to the pom.xml) including the full license text.
license-maven-plugin by mycila
This plugin adds license headers to source files.
Basic Configuration
Create a file misc/license_header.txt containing the license of your project; this is much easier than the codehaus plugin's header model.
For the pom:
<plugin>
  <groupId>com.mycila</groupId>
  <artifactId>license-maven-plugin</artifactId>
  <version>2.6</version>
  <configuration>
    <header>misc/license_header.txt</header>
    <properties>
      <inceptionYear>${project.inceptionYear}</inceptionYear>
    </properties>
    <includes>
      <include>src/**/*.java</include>
      <include>src/**/*.xml</include>
    </includes>
    <excludes>
      <exclude>**/logback.xml</exclude>
      <exclude>**/logback-test.xml</exclude>
      <exclude>**/src/test/resources/**</exclude>
    </excludes>
  </configuration>
  <executions>
    <execution>
      <id>check-license</id>
      <phase>initialize</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
In a multi-module setup, the following configuration might be useful. inherited is set to false, which disables execution in submodules. aggregate is enabled, which lets the plugin crawl through the sub-modules' folders as well.
<plugin>
  <groupId>com.mycila</groupId>
  <artifactId>license-maven-plugin</artifactId>
  <version>2.2</version>
  <inherited>false</inherited>
  <configuration>
    <header>${license.header.file}</header>
    <aggregate>true</aggregate>
  </configuration>
  ...
</plugin>
Usage
mvn license:check
mvn license:format
A new license header has been developed, taking some exceptions to certain license types of third-party libraries into account. Every software project licensed under the GPLv2 SHALL use this license header above each source file.
Note that there are some UTF-8 characters in the header, so make sure to set the correct encoding - or replace problematic characters with reasonable substitutions.
ThirdPartyLicensesForGPL
The parameters for the years can be configured in the license-maven-plugin as follows. Note that Jenkins has an open issue for the dynamic approach, so the manual fallback might be required.
<properties>
  <currentYear>2014</currentYear> <!-- manual setting -->
  <maven.build.timestamp.format>yyyy</maven.build.timestamp.format>
  <currentYearDynamic>${maven.build.timestamp}</currentYearDynamic>
</properties>
...
<plugin>
  <groupId>com.mycila</groupId>
  <artifactId>license-maven-plugin</artifactId>
  ...
  <configuration>
    ...
    <properties>
      <inceptionYear>${project.inceptionYear}</inceptionYear>
      <latestYearOfContribution>${currentYear}</latestYearOfContribution>
      <!-- <latestYearOfContribution>${currentYearDynamic}</latestYearOfContribution> -->
    </properties>
    ...
  </configuration>
  ...
</plugin>
maven-license-plugin by codehaus (optional, more powerful)
This plugin generates a THIRD-PARTY.txt file listing the libraries and dependencies. In contrast to the output of the maven-notice-plugin, this file is more extensive (it includes version and URL), but the plugin cannot check on every build.
This plugin can be configured in a profile, since it takes some time to complete because the required goal downloads all dependencies into a clean temporary repository.
Basic Configuration
<profile>
  <id>create-license-list</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>license-maven-plugin</artifactId>
        <version>1.5</version>
        <configuration>
          <useMissingFile>true</useMissingFile>
        </configuration>
        <executions>
          <execution>
            <id>create-license-list</id>
            <goals>
              <goal>aggregate-add-third-party</goal>
            </goals>
            <phase>generate-resources</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
Usage
mvn clean generate-resources -Pcreate-license-list
-
documentation
After the first usage you have to add the missing license information in each module's src/license/THIRD-PARTY.properties file (a good tool is Notepad++ as it can search and replace over directories -- just add THIRD-PARTY.properties as file filter). You can probably find this information in the missing license file for the notice plugin...
To harmonize license output (licenses are often named a bit differently) just add something like:
<licenseMerges>
  <licenseMerge>The Apache Software License, Version 2.0|Apache 2|Apache License, Version 2.0|Apache Public License 2.0</licenseMerge>
  <licenseMerge>Apache Software Licenses|Apache Software License</licenseMerge>
  <licenseMerge>GNU General Public License, v2.0|GNU GENERAL PUBLIC LICENSE Version 2, June 1991|GNU General Public License, Version 2.0</licenseMerge>
  <licenseMerge>Common Development and Distribution License (CDDL), version 1.0| Common Development and Distribution License (CDDL) v1.0|COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL), Version 1.0</licenseMerge>
  <licenseMerge>GNU Lesser General Public License, version 2.1|LGPL 2.1|GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1</licenseMerge>
  <licenseMerge>GNU Lesser General Public License|GNU LESSER GENERAL PUBLIC LICENSE</licenseMerge>
  <licenseMerge>Mozilla Public License version 1.1|MPL 1.1</licenseMerge>
  <licenseMerge>BSD Style License|BSD License|BSD style|BSD style License</licenseMerge>
</licenseMerges>
to the
tag.
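The same alias merging applied outside Maven, as an added example (not code from the original page or from either plugin): it normalizes the license names in a generated THIRD-PARTY.txt with licenseMerge values from above and, going one step further, reports every dependency whose canonical license is not on a project allowlist. The THIRD-PARTY.txt line layout, the sample lines and the ALLOWED set are assumptions constructed for illustration.

```python
import re
# licenseMerge values from this page: canonical name first, aliases after "|".
LICENSE_MERGES = [
    "The Apache Software License, Version 2.0|Apache 2|Apache License, Version 2.0|Apache Public License 2.0",
    "GNU Lesser General Public License, version 2.1|LGPL 2.1|GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1",
    "BSD Style License|BSD License|BSD style|BSD style License",
]
# Constructed sample; assumed layout "(License) Name (groupId:artifactId:version - url)".
SAMPLE_THIRD_PARTY = """\
Lists of 4 third-party dependencies.
     (Apache 2) Example Commons (org.example:commons:1.0 - http://example.org/commons)
     (BSD style) Example Parser (org.example:parser:2.1 - http://example.org/parser)
     (LGPL 2.1) Example Geometry (org.example:geometry:0.9 - http://example.org/geometry)
     (Unknown license) Example Legacy (org.example:legacy:0.1 - no url defined)
"""
# Hypothetical project policy: canonical license names this project accepts.
ALLOWED = {"The Apache Software License, Version 2.0", "BSD Style License"}
COORD = re.compile(r"\((\S+:\S+:\S+) - .*\)$")

def build_alias_map(merges):
    """Map every alias (whitespace-trimmed) to the first, canonical name of its entry."""
    split = [[name.strip() for name in entry.split("|")] for entry in merges]
    return {name: names[0] for names in split for name in names}

def leading_groups(line):
    """Split off leading balanced "(...)" groups; license names may nest parentheses."""
    groups, rest = [], line.strip()
    while rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        else:
            break  # unbalanced parentheses: stop parsing this line
        groups.append(rest[1:i])
        rest = rest[i + 1:].lstrip()
    return groups, rest

def audit(third_party_text, merges, allowed):
    """Return {coordinates: [canonical licenses not in `allowed`]}."""
    aliases, findings = build_alias_map(merges), {}
    for line in third_party_text.splitlines():
        licenses, rest = leading_groups(line)
        match = COORD.search(rest)
        canonical = [aliases.get(name, name) for name in licenses]
        rejected = [name for name in canonical if name not in allowed]
        if match and rejected:  # header and blank lines yield neither
            findings[match.group(1)] = rejected
    return findings
```

Unmerged names such as "Unknown license" pass through unchanged and are reported, so a dependency without license metadata fails the check instead of slipping past it.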
maven-notice-plugin
This plugin is used to compare an existing NOTICE file with one generated at each build to be notified about missing license information. The license-maven-plugin does not provide this feature, so we need this plugin as well.
Note that the generated NOTICE file does not distinguish between provided libraries and compile-time libraries.
Basic Configuration
Create a file misc/NOTICE.template containing the license and name of your project and a token at the bottom which is replaced by the plugin (check the year manually, please):
Copyright 2015 52°North Initiative for Geospatial Open Source Software GmbH
Licensed under [...]
This project includes:
#GENERATED_NOTICES#
For the pom.xml (as part of the plugins that are active by default):
<plugin>
  <groupId>org.jasig.maven</groupId>
  <artifactId>maven-notice-plugin</artifactId>
  <version>1.0.6</version>
  <configuration>
    <noticeTemplate>misc/NOTICE.template</noticeTemplate>
    <licenseMapping>
      <param>http://52north.github.io/cdn/licenses/license-mappings.xml</param>
    </licenseMapping>
    <generateChildNotices>false</generateChildNotices>
  </configuration>
  <executions>
    <execution>
      <id>check-license</id>
      <phase>initialize</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
Usage
mvn notice:check
checks whether the current licenses differ from the ones listed in the notice file and also returns an error if licensing information is missing. Please add these licenses to the shared online license file by submitting a pull request to https://github.com/52North/cdn.
Details
For the initial set-up, run notice:check until you get the error that there is no notice file - this means that all dependencies could be resolved. Then run
mvn notice:generate
If you execute the Maven license plugin and get the message
[ERROR] Failed to find Licenses for the following dependencies
then one or more of the libraries used do not provide licensing information. This can happen even though the configuration above already contains a link to an online license mapping file that developers at 52°North try to keep as complete as possible.
To add missing licenses you can either
Add a License to your own library
Add a <license> tag to your pom.xml file.
For documentation see
http://maven.apache.org/pom.html#Licenses.
To make sure you use a compatible name and identifier for the license, consider using the SPDX names:
http://spdx.org/licenses/
The Eclipse pom editor can (probably since Kepler) suggest a license tag for you.
Add a license to a C/C++ Project
- Add a LICENSE file to the root directory of your project
- Add a note about the license to your readme file (along with other information)
- Add a list of used libraries and their license to your readme file
- Add a license header to all files. If the project is under GPLv2, then you can use this template: ThirdPartyLicensesForGPL
If you use Qt Creator, you can automatically add a license file, see http://doc.qt.digia.com/qtcreator-2.4/creator-tips.html#adding-a-license-header-template-for-c-code.
VersionEye
VersionEye can keep track of outdated project dependencies. It also has a feature for parsing and grouping the licenses of dependencies (several management systems such as Maven, Gradle, Gem, ... are supported). It also supports license whitelisting: once a license not contained in the whitelist is added, you can receive a notification.
How to do license management best in R?