Ambiguous License Classifier

Severity

Low

Short Description

(Experimental) An ambiguous license classifier was found.

Packages

View packages with this alert.

Suggestion

A specific license or licenses should be identified

Information

The Ambiguous License Classifier alert identifies cases where the PEP 301 (Trove) license classifiers in a Python package's metadata are too vague to determine which specific license applies. These classifiers are fixed strings of the form License :: ... declared in a package's metadata and shown on PyPI to indicate the license under which the package is distributed. Some of them name a license family rather than a single license, which leaves the exact licensing terms unclear.

Why Ambiguity Happens

For example, the classifier License :: OSI Approved :: BSD License indicates that the package uses a BSD license, but it doesn't clarify which one. The BSD family includes licenses like the BSD 2-Clause License, BSD 3-Clause License, and others, each with slightly different terms. This lack of specificity creates uncertainty about which rules apply when using, modifying, or distributing the software.

PEP 639, which has been accepted, addresses this by adding a License-Expression field to the core metadata (Metadata-Version 2.4) that carries an SPDX license expression, so a package can state its exact license, for example License-Expression: BSD-3-Clause. In pyproject.toml this is written as license = "BSD-3-Clause" in the [project] table, and the License :: classifiers are deprecated once an expression is present.

Adoption across build tools and existing packages is still ongoing, so many packages on PyPI continue to carry only the older classifiers.

Risks of Ambiguous Classifiers

  • Legal Uncertainty: When the exact license is unclear, you might unknowingly violate license terms, which could result in legal action.
  • Compliance Challenges: Without clarity on which BSD (or other license) applies, ensuring compliance across your project becomes more difficult.
  • Incompatibility: Different licenses have different obligations. Without clarity, you might integrate a package that imposes unexpected requirements on your project.

Recommended actions

In the Python ecosystem, many older packages still use these vague classifiers, and Socket's Ambiguous License Classifier alert flags such packages for further review. It is a signal to verify the licensing information before adopting the package, so that you are not exposed to license terms you have not identified.

If you encounter a dependency with this alert, here are some recommended actions:

1. Review the Package Documentation:

  • Check the package’s documentation or homepage for a more detailed license explanation. Sometimes, the classifier might be ambiguous, but the author may have provided clarification elsewhere.

2. Contact the Maintainer:

  • Reach out to the package maintainer for clarification. They may be able to provide details on the exact license terms if it’s not clear from the metadata.

3. Search for License Files:

  • Look for a LICENSE file within the source code repository. This is often where the exact license is detailed, even if the classifier is ambiguous.

4. Evaluate Alternatives:

  • If the license cannot be clarified, consider switching to an alternative package with clear licensing terms. It’s safer to use well-documented open-source packages with explicit licenses.

5. Consult Legal Counsel:

  • If you’re unsure about how to proceed or if the package’s license ambiguity poses a risk to your project, consult with legal experts familiar with open-source licensing.

Examples

A common trigger for this alert is a package whose metadata carries the classifier License :: OSI Approved :: BSD License with no License-Expression or other metadata narrowing it to a specific BSD variant.

Detection Method

The Ambiguous License Classifier alert is triggered when a package's license classifier does not identify a single license. PEP 301 classifiers were the Python ecosystem's first attempt at license identification: a closed list of license classifiers, some of which are ambiguous because they cover more than one license without any additional information to disambiguate.

For example, the classifier License :: OSI Approved :: BSD License does not specify which of the many BSD licenses applies, nor whether a licensee must satisfy the terms of all of them or may choose any one. Such classifiers are still common in PyPI packages and need to be analyzed.
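The following is an added example, not Socket's detection code, showing how the check described here and the metadata review from the recommended actions above can be automated: it parses a package's METADATA (the RFC 822-style core metadata file found in a wheel's .dist-info directory), collects the Classifier: entries, and raises an alert when a classifier from a set of family-level license classifiers is present without a PEP 639 License-Expression to resolve it. The set of classifiers treated as ambiguous, the sample METADATA texts and the policy of treating a License-Expression as resolving the ambiguity are all assumptions of the example.

```python
"""Flag ambiguous PEP 301 license classifiers in Python package metadata.

Added example, not Socket's implementation. The AMBIGUOUS_CLASSIFIERS set
and the sample METADATA documents below are constructed for illustration.
"""
from __future__ import annotations

import email.parser
from dataclasses import dataclass
from importlib.metadata import metadata

# Trove classifiers that name a license family rather than one license
# (assumption: which classifiers count as ambiguous is a policy choice).
AMBIGUOUS_CLASSIFIERS = {
    "License :: OSI Approved",
    "License :: OSI Approved :: BSD License",
    "License :: OSI Approved :: Apache Software License",
    "License :: OSI Approved :: GNU General Public License (GPL)",
    "License :: OSI Approved :: GNU Lesser General Public License (LGPL)",
}


@dataclass
class LicenseReport:
    name: str
    classifiers: list[str]
    license_field: str | None       # free-text "License:" field, a hint for manual review
    license_expression: str | None  # PEP 639 SPDX expression, if declared
    ambiguous: list[str]            # classifiers from AMBIGUOUS_CLASSIFIERS that were found

    @property
    def alert(self) -> bool:
        # Policy of this example: an SPDX expression identifies the exact
        # license, so it resolves a family-level classifier. Without one,
        # any ambiguous classifier fires the alert.
        return bool(self.ambiguous) and self.license_expression is None


def _report_from_message(msg) -> LicenseReport:
    """Build a report from any email.message.Message-like metadata object."""
    classifiers = [c.strip() for c in (msg.get_all("Classifier") or [])]
    return LicenseReport(
        name=msg.get("Name", "<unknown>"),
        classifiers=classifiers,
        license_field=msg.get("License"),
        license_expression=msg.get("License-Expression"),
        ambiguous=[c for c in classifiers if c in AMBIGUOUS_CLASSIFIERS],
    )


def analyze_metadata(text: str) -> LicenseReport:
    """Parse the text of a METADATA / PKG-INFO file and report on its license classifiers."""
    # Core metadata is header-style; the body after the blank line is the long description.
    return _report_from_message(email.parser.Parser().parsestr(text))


def analyze_installed(dist_name: str) -> LicenseReport:
    """Report on a distribution installed in the current environment."""
    return _report_from_message(metadata(dist_name))


# Constructed sample: legacy metadata with only a family-level BSD classifier.
LEGACY_METADATA = """\
Metadata-Version: 2.1
Name: legacy-bsd-lib
Version: 1.0.0
License: BSD
Classifier: Development Status :: 5 - Production/Stable
Classifier: License :: OSI Approved :: BSD License
Classifier: Programming Language :: Python :: 3

A long description that the parser must not mistake for headers.
"""

# Constructed sample: PEP 639 metadata naming the exact license.
PEP639_METADATA = """\
Metadata-Version: 2.4
Name: modern-lib
Version: 2.0.0
License-Expression: BSD-3-Clause
License-File: LICENSE
Classifier: Programming Language :: Python :: 3
"""

if __name__ == "__main__":
    for text in (LEGACY_METADATA, PEP639_METADATA):
        r = analyze_metadata(text)
        status = "ALERT" if r.alert else "ok"
        print(f"{r.name}: {status} ambiguous={r.ambiguous} "
              f"expression={r.license_expression!r} license={r.license_field!r}")
```

When the alert fires, the license_field value and the package's LICENSE file are the next things to inspect, as in the recommended actions above; analyze_installed() lets the same check run over every distribution in a virtual environment via importlib.metadata.distributions().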

Currently this alert only applies to the Python ecosystem but support may be expanded in the future.

Additional resources

PEP 301 – Package Index and Metadata for Python

Python Package Index (PyPI) – Classifiers
