🤖 AI Summary
This study addresses the widespread practice of directly copying open-source code to bypass dependency management, which obscures license compliance risks. Leveraging the World of Code dataset, the authors construct a code reuse network through large-scale clone detection and quantify, for the first time at the scale of the entire open-source ecosystem, the compliance risks arising from such copy-paste reuse. Their analysis reveals that 39.4% of project compositions entail potential license conflicts, yet conventional dependency analysis tools capture only 2.43% of these instances, indicating severe under-detection. Integrating network modeling and regression analysis, the study further finds that code under permissive licenses such as MIT and Apache is reused across programming languages more frequently, whereas public-domain-licensed code exhibits comparatively lower reuse rates.
📝 Abstract
As other creative work, source code is protected by copyright. The owner can license the work, e.g., to permit copy and other kinds of use, and even start legal proceeding against license violators. However, source code can be reused in subtle ways, e.g., via copying without explicit package manager dependencies, making it hard to reason about potential license noncompliance. Using the World of Code infrastructure approximating the entirety of open source software, in this paper we create a copy-based code reuse network mapping direct copying across projects, and use it to quantify the extent of potential license noncompliance across the entire open source ecosystem. In addition, we estimate regression models to understand whether code copying is affected by the origin project's license, and, if so, how it varies with other project characteristics. We find that code in repositories with permissive licenses, such as MIT and Apache, shows higher likelihood of reuse across programming languages. In contrast, copyleft licenses, like the GPL, exhibit mixed effects. Public domain licenses, despite their aim of allowing unrestricted use, are associated with lower likelihood of copy-based reuse. A widespread potential license noncompliance appears to accompany copy-based reuse, with 39.4% of project combinations at potential noncompliance risk, particularly when licenses are unclear or absent. Our findings reveal that only 2.43% of reuse detected through the copy-based network was discoverable via dependency analysis, highlighting the limitations of existing dependency-tracking tools in capturing copy-based reuse.