Sarah Gooding
September 20, 2024
In the early 2000s, as open source software was gaining momentum, a small Swedish company called MySQL AB found itself at a crossroads. Their popular database software, MySQL, was released under the GNU General Public License (GPL), but they faced a challenge: how could they allow developers to use MySQL with proprietary software without violating the GPL?
In 2004, they turned to a solution that, while not new, was still relatively uncommon in commercial open-source products: a license exception. The Free and Open Source Software ("FOSS") License Exception (formerly known as the FLOSS License Exception) allowed developers to link MySQL with software under certain non-GPL licenses, effectively bridging the gap between open source and proprietary worlds. While not without controversy, this move highlighted a growing need in the software industry: the ability to adopt OSS incrementally.
Open source software was gaining traction, but the licensing models were often seen as barriers for businesses wanting to leverage open-source code without fully opening their own products. MySQL was already becoming a favorite among developers for its simplicity and cost-effectiveness compared to proprietary databases. However, its strict GPL license required that any software using MySQL had to also be GPL-compliant, meaning companies had to open source their code—a tough pill to swallow for commercial projects.
MySQL’s FOSS Exception was a strategic response to this tension between open source ideals and commercial realities. It’s what enabled MySQL to become one of the most widely used open source relational database management systems in the world. License exceptions have encouraged wider adoption of FOSS components in commercial software by allowing developers to integrate FOSS code without having to release the entirety of their proprietary codebase under the same open source license.
In 2010, Richard Stallman said that selling exceptions to the GPL could be a pragmatic way to encourage companies to release more of their code as open source, stating, “I've considered selling exceptions acceptable since the 1990s, and on occasion I've suggested it to companies. Sometimes this approach has made it possible for important programs to become free software.”
It’s difficult to overstate how much license exceptions have contributed to the massive adoption of open source software that we see today.
When working with open-source software, licensing is a critical factor that determines how developers can use, modify, and distribute code. Most developers are familiar with popular licenses like MIT, Apache, or GPL, but fewer know about a more nuanced aspect of licensing: license exceptions.
A license exception is a modification to the standard terms of an open-source license. It provides additional permissions (or sometimes restrictions) that override specific aspects of the base license. These exceptions can affect how the software can be used or how derivative works can be licensed.
License exceptions are relatively uncommon, but they can significantly change how a project may be used or shared. If you're not paying attention, a license exception could introduce complexities you weren't expecting. At Socket, we flag license exceptions separately in our alerts because they can alter the terms of a license in unpredictable ways.
Here’s an example: The GNU General Public License (GPL) is known for its strict “copyleft” requirement, which mandates that derivative works are distributed under the same license. However, a GPL linking exception allows you to link non-GPL code to a GPL-licensed library without triggering the copyleft requirements. In this case, the exception makes the GPL license more flexible in specific contexts.
Linking Exceptions: One of the most common exceptions involves linking. A project might use a strong copyleft license like GPL, but the license exception allows linking with proprietary or non-GPL software. This is crucial for projects that need to work with third-party libraries or frameworks that don't use the same license.
Classpath Exceptions: The Java Classpath Exception is another well-known exception. It allows proprietary software to use Java libraries without inheriting the GPL license. This was critical in ensuring the widespread use of Java in commercial software.
Font Exceptions: Some software licenses provide exceptions for fonts. For example, the SIL Open Font License allows fonts to be embedded and used in documents without applying the license's terms to the entire document. Without this exception, using an open-source font in a commercial product might require that product to be open-sourced as well.
Non-Commercial Exceptions: In some cases, developers add exceptions to permit non-commercial use while maintaining stricter restrictions for commercial distribution. This type of exception creates a dual-licensing scenario, allowing free use by hobbyists and non-profits while requiring a paid license for commercial use.
License exceptions may sound like small nuances, but they can dramatically shift the legal landscape for your project. When an exception is applied to a license, it can:
Because of these potential complications, Socket’s License Exception Alert helps you spot exceptions in your dependencies before they cause an issue down the road. The alert identifies which exception is in play and the location of the file.
Packages are flagged with a License Exception alert when a license paired with some kind of exception was detected. Because license exceptions are rare and may change the terms of the base license in unpredictable ways, the appearance of an exception is its own alert.
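The check described above, flagging a dependency whenever its license is paired with an exception and naming the file where it was found, can be demonstrated with SPDX license expressions, where an exception is attached to a license with the WITH operator (for example "GPL-2.0-only WITH Classpath-exception-2.0"). The following is an added example written for this post; it is not Socket's implementation. It assumes the license fields contain SPDX expressions, the sample manifests and the "Custom-vendor-exception" identifier are constructed, and the KNOWN_EXCEPTIONS set is a small excerpt of the SPDX exception list, not the full index.

```python
"""Flag SPDX license exceptions in npm package manifests (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Excerpt of identifiers from the SPDX license exception list (assumption:
# a real scanner would load the complete list rather than this subset).
KNOWN_EXCEPTIONS = {
    "Classpath-exception-2.0",
    "GCC-exception-3.1",
    "LLVM-exception",
    "Font-exception-2.0",
}

# SPDX expressions join licenses with AND / OR, may be parenthesized, and
# attach an exception to a single license with "WITH <exception-id>".
# Identifiers consist of letters, digits, ".", "-" and "+"; the check is
# case-insensitive to be lenient about hand-written license fields.
_WITH_RE = re.compile(r"\b([A-Za-z0-9.+-]+)\s+WITH\s+([A-Za-z0-9.+-]+)", re.IGNORECASE)


def find_exceptions(expression: str) -> List[Tuple[str, str]]:
    """Return every (base_license, exception) pair in an SPDX expression."""
    return _WITH_RE.findall(expression)


def scan_manifests(manifests: Dict[str, str]) -> List[dict]:
    """Scan package.json texts keyed by file path.

    Returns one alert record per exception found, recording the package name,
    the file it came from, the base license, the exception identifier, and
    whether the identifier is in the known SPDX list.
    """
    alerts = []
    for path, text in manifests.items():
        pkg = json.loads(text)
        license_field = pkg.get("license")
        # package.json accepts a string or the deprecated {"type": ..., "url": ...} object.
        if isinstance(license_field, dict):
            license_field = license_field.get("type", "")
        if not isinstance(license_field, str):
            continue
        for base, exc in find_exceptions(license_field):
            alerts.append({
                "package": pkg.get("name"),
                "file": path,
                "base_license": base,
                "exception": exc,
                "known": exc in KNOWN_EXCEPTIONS,
            })
    return alerts


# Constructed sample manifests; these are not real packages.
SAMPLE_MANIFESTS = {
    "node_modules/alpha/package.json": json.dumps(
        {"name": "alpha", "license": "MIT"}),
    "node_modules/beta/package.json": json.dumps(
        {"name": "beta", "license": "GPL-2.0-only WITH Classpath-exception-2.0"}),
    "node_modules/gamma/package.json": json.dumps(
        {"name": "gamma",
         "license": {"type": "(MIT OR LGPL-3.0-or-later WITH Custom-vendor-exception)"}}),
}


if __name__ == "__main__":
    for alert in scan_manifests(SAMPLE_MANIFESTS):
        status = "known SPDX exception" if alert["known"] else "UNRECOGNIZED exception"
        print(f'{alert["package"]}: {alert["base_license"]} WITH {alert["exception"]} '
              f'({status}) in {alert["file"]}')
```

Running the block reports two alerts: beta with the recognized Classpath exception, and gamma with an exception identifier that is not in the SPDX list, which is the case that most deserves a manual read of the license file, since an unrecognized exception may add restrictions rather than permissions.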
If you’re surprised to find license exceptions among your dependencies, there are a few recommended actions to ensure you can move forward with confidence and avoid complicated licensing issues.
License exceptions are a powerful tool for developers and organizations to fine-tune the terms of open-source software. They add both flexibility and complexity to the open source landscape. Understanding these exceptions is crucial for making informed decisions that align with project goals and prevent license compliance issues down the road. If you want to delve deeper into the specifics of various license exceptions, the Software Package Data Exchange (SPDX) maintains a comprehensive index of known license exceptions.