I was wondering if there is a recent overview of open source licenses used by those packages being the ROS2 core who a ROS2 user would need to distribute to his/her customers when using ROS2 in a product (e.g. plumbing, middleware, tf, tools, … NOT INCLUDING functional packages e.g. nav2, MoveIt etc).
In addition to the tooling that @Katherine_Scott mentioned, it is also pretty straightforward to compute it yourself. Every package in the core has a LICENSE file and also declares its license in the package.xml (most packages not in the core also do this, but we don’t enforce it there). So it should be pretty simple to write a tool to look over the sources and compute all of the licenses that are used.
The downside to this approach is that:
It is possible that the LICENSE file and the package.xml disagree, but this would be considered a bug and we would fix any reports of that immediately.
You have to trust that the LICENSE file and the package.xml accurately reflect the licenses of the code. We believe it does, but for those who are extra paranoid about this there exists third-party commercial software to do this kind of deep auditing for you.
Thanks for the mention @Katherine_Scott
The idea of my tool is to make sure that the information about licensing in the package.xml is accurate and correct. But it has to be done per package. So, as @clalancette writes, you can not fully rely on the package.xml right now.
But you were asking for something else, which is an overview of all licenses of all ROS core packages in this does, to my knowledge, not exist.
To this question yes people are running many different analyses. The most common are larger companies who are building products and worry about larger liabilities. Unfortunately, by the terms of most of these tools, the results are not allowed to be shared publicly. Though they are not prevented from filing very, specific, tickets, if there’s something that they might want to be cleaned up or clarified. Or directly messaging developers to ask to improve or add clarification to the codebase. And some are more straight forward: ROS GNU GPL v1.2 issue
There have also been some discussions in the past about aggregating results like this. A few good starting points.