Status of OS license clearing for ROS2

Hi community,

I was wondering if there is a recent overview of open source licenses used by those packages in the ROS2 core which a ROS2 user would need to distribute to his/her customers when using ROS2 in a product (e.g. plumbing, middleware, tf, tools, … NOT INCLUDING functional packages e.g. nav2, MoveIt etc).

Any insight here?

Best,

Georg

I believe this might help.

@ct2034 might have some insights here.

In addition to the tooling that @Katherine_Scott mentioned, it is also pretty straightforward to compute it yourself. Every package in the core has a LICENSE file and also declares its license in the package.xml (most packages not in the core also do this, but we don’t enforce it there). So it should be pretty simple to write a tool to look over the sources and compute all of the licenses that are used.

The downside to this approach is that:

  1. It is possible that the LICENSE file and the package.xml disagree, but this would be considered a bug and we would fix any reports of that immediately.
  2. You have to trust that the LICENSE file and the package.xml accurately reflect the licenses of the code. We believe they do, but for those who are extra paranoid about this there exists third-party commercial software to do this kind of deep auditing for you.
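One way to do the "compute it yourself" approach described above, as an added example that is not code from this thread or from any ROS tool: it walks a source tree, collects the `<license>` tags from each package.xml, and flags packages whose LICENSE file text does not match the declaration (the disagreement case in point 1). The fingerprint phrases and the two sample packages are constructed assumptions, not real ROS 2 core contents.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical fingerprint phrases; anything else is reported as "unknown" for a human to check.
FINGERPRINTS = {
    "Apache-2.0": "Apache License",
    "MIT": "Permission is hereby granted, free of charge",
    "BSD-3-Clause": "Neither the name of",
}

def detected_license(license_path):
    """Guess the license of a LICENSE file from fingerprint phrases."""
    if not os.path.exists(license_path):
        return "missing"
    with open(license_path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    for spdx, phrase in FINGERPRINTS.items():
        if phrase in text:
            return spdx
    return "unknown"

def audit(root):
    """Walk a source tree; return {package: (declared ids, detected id, agree?)}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "package.xml" not in files:
            continue
        pkg = ET.parse(os.path.join(dirpath, "package.xml")).getroot()
        # package.xml format 3 allows several <license> tags, so collect them all.
        declared = sorted(el.text.strip() for el in pkg.findall("license") if el.text)
        detected = detected_license(os.path.join(dirpath, "LICENSE"))
        report[pkg.findtext("name")] = (declared, detected, detected in declared)
    return report

# Constructed sample: one consistent package, one whose LICENSE is MIT text but whose package.xml claims BSD-3-Clause.
SAMPLE = {
    "good_pkg": ("Apache-2.0", "Apache License\nVersion 2.0, January 2004\n"),
    "bad_pkg": ("BSD-3-Clause", "Permission is hereby granted, free of charge, to any person\n"),
}

def demo():
    """Materialise SAMPLE in a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        for name, (lic, text) in SAMPLE.items():
            pkg_dir = os.path.join(root, name)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.xml"), "w") as f:
                f.write(f'<package format="3"><name>{name}</name><license>{lic}</license></package>')
            with open(os.path.join(pkg_dir, "LICENSE"), "w") as f:
                f.write(text)
        return audit(root)
```

Pointing `audit()` at a real workspace gives the per-package license list the question asks for, plus a short list of packages worth a bug report.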

Hi,

thanks for the quick replies! Of course, the question is about the paranoid approach :wink: … ! Is there anyone who has already tried the mentioned 3rd party tools on the core ROS2 codebase?

Best,

Georg

Thanks for the mention @Katherine_Scott :slight_smile:
The idea of my tool is to make sure that the information about licensing in the package.xml is accurate and correct. But it has to be done per package. So, as @clalancette writes, you cannot fully rely on the package.xml right now.

But you were asking for something else, which is an overview of all licenses of all ROS core packages, and this does, to my knowledge, not exist.

To this question: yes, people are running many different analyses. The most common are larger companies who are building products and worry about larger liabilities. Unfortunately, by the terms of most of these tools, the results are not allowed to be shared publicly. Though they are not prevented from filing very specific tickets if there’s something that they might want to be cleaned up or clarified, or directly messaging developers to ask to improve or add clarification to the codebase. And some are more straightforward: ROS GNU GPL v1.2 issue

There have also been some discussions in the past about aggregating results like this. A few good starting points.

ROS-I 2016 Training and Conference slides on “Understanding License Compatibility and Compliance Risks & Processes in Free and Open Source Software” (Catharina Maracke, Software Compliance Academy) from this thread: ROS2 and DDS IPR issues - #9 by gbiggs

There have been discussions of this in the QA working group: How to link license (clearing) information to ROS packages? - #7 by ArneF

Which has evolved into the previously mentioned:
