Learning Licensing

All that legal stuff…
Author

Landon Getting

Published

March 9, 2023

Frontmatter check Render rmarkdown

Under what license does R operate? What is the license for ggplot2?

R operates under either V1 or V2 of the GNU General Public License.

license()

This software is distributed under the terms of the GNU General
Public License, either Version 2, June 1991 or Version 3, June 2007.
The terms of version 2 of the license are in a file called COPYING
which you should have received with
this software and which can be displayed by RShowDoc("COPYING").
Version 3 of the license can be displayed by RShowDoc("GPL-3").

Copies of both versions 2 and 3 of the license can be found
at https://www.R-project.org/Licenses/.

A small number of files (the API header files listed in
R_DOC_DIR/COPYRIGHTS) are distributed under the
LESSER GNU GENERAL PUBLIC LICENSE, version 2.1 or later.
This can be displayed by RShowDoc("LGPL-2.1"),
or obtained at the URI given.
Version 3 of the license can be displayed by RShowDoc("LGPL-3").

'Share and Enjoy.'

ggplot2 utilizes the MIT License as stated in the LICENSE.md file on the GitHub repository.

What are the dependencies of the package you made?

Read through chapter 5.2 of Licensing R. Combine and adjust the code pieces to create the dependencies for a package that is on github rather than CRAN. (Don’t forget about the package desc.) What dependencies does the package have that you created for Lab-3? (Don’t forget about the package desc.)

First, download the package from GitHub.

devtools::install_github("<author>/<repo name>")

Next, gather the package information with devtools::session_info() and filter to include the data regarding package dependencies. Listed are all the packages dependencies for Lab 3 Team 1.

pkg_deps <- devtools::session_info("Team1")$packages 
pkg_deps_df <- data.frame(pkg_deps$package, pkg_deps$ondiskversion)
pkg_deps_df
   pkg_deps.package pkg_deps.ondiskversion
1           askpass                    1.1
2               cli                  3.6.0
3             cpp11                  0.4.3
4              curl                  5.0.0
5             dplyr                  1.1.0
6             fansi                  1.0.4
7          generics                  0.1.3
8              glue                  1.6.2
9         lifecycle                  1.0.3
10        lubridate                  1.9.2
11         magrittr                  2.0.3
12         pdftools                  3.3.3
13           pillar                  1.8.1
14        pkgconfig                  2.0.3
15              png                  0.1-8
16            purrr                  1.0.1
17             qpdf                  1.3.0
18               R6                  2.5.1
19             Rcpp                 1.0.10
20            rJava                  1.0-6
21            rlang                  1.1.0
22          stringi                 1.7.12
23          stringr                  1.5.0
24              sys                  3.4.1
25        tabulizer                  0.2.3
26    tabulizerjars                  1.0.1
27            Team1             0.0.0.9000
28           tibble                  3.2.0
29       tidyselect                  1.2.0
30       timechange                  0.2.0
31             utf8                  1.2.3
32            vctrs                  0.6.0
33            withr                  2.5.0

Which licenses are involved? Are all of these dependencies required? Elaborate. It looks like the MIT license was utilized. I can confirm this from the LICENSE.md file on the GitHub repo.

utils::packageDescription("Team1", fields="License")
[1] "MIT + file LICENSE"

There seems to be more dependencies than I recall, but perhaps these are dependencies of the libraries we utilized. I am not sure of the difference between $ondiskversion and $loadedversion. It appears that $ondiskversion contains versions for every package so I am assuming it is more accurate for determining the required dependencies.

head(pkg_deps$ondiskversion)
[1] "1.1"   "3.6.0" "0.4.3" "5.0.0" "1.1.0" "1.0.4"
head(pkg_deps$loadedversion)
[1] NA      "3.6.0" NA      NA      NA      NA     

Under which license should this blog post be published? Make sure that you are using an appropriate license. (You can change the current licenses with the help of commands from the use_license_XXX family in the usethis package)

As referenced in section 4.3.1 of Collin’s book, online books and blogs may be licensed under CC BY-NC-ND 3.0 US or CC BY-NC-SA 4.0. It may be useful to also include an MIT license for the code within this blog.

usethis::use_ccby_license()

Can I publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

When confronted with the above question, ChatGPT gave two – quite different – responses, as shown below. The main point in both responses is ‘your package may be considered derivative work’. At the specific problem of the package developed for Lab 3, what is your opinion about potential copyright infringements when releasing the package with an MIT license? Make sure to take the relevant passage in Colin Fay’s book under consideration.

The legal implications of publishing an R package on CRAN under an MIT license while having a dependency on a package that is licensed under GPL-3 are complex and can vary depending on the specific circumstances. It is always advisable to seek legal advice from a licensed attorney if you have any doubts or concerns about licensing issues.

However, in general, it is possible to publish an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3. This is because the MIT license is a permissive open-source license that allows for more flexibility in how the software can be used and distributed, and it is generally considered compatible with the GPL-3 license.

That being said, if your package depends on a GPL-3-licensed package, your package may be considered a derivative work and therefore subject to the terms of the GPL-3 license. This means that if you distribute your package, you may need to also distribute the source code for your package under the GPL-3 license or a compatible license, and you may need to ensure that the requirements of the GPL-3 license are met for the entire distribution, including any dependencies.

It is also worth noting that the R community has its own guidelines and recommendations for package licensing, and it is important to comply with these guidelines if you want to publish your package on CRAN. The CRAN Repository Policy states that packages should have a "permissive" or "GPL-compatible" license, but does not explicitly require that packages use the GPL license or any other specific license.

In summary, while it is possible to publish an R package on CRAN under an MIT license while having a dependency on a package that is licensed under GPL-3, it is important to understand the implications of the different licenses and to ensure that you comply with any applicable guidelines and recommendations from the R community.

After harping a bit on copyright infringement in general, ChatGPT changed its response to

Technically, you can publish an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3, but doing so would not be compliant with the terms of the GPL-3 license.

The GPL-3 license is a strong copyleft license that requires derivative works to be released under the same license. If your package depends on a GPL-3-licensed package, your package may be considered a derivative work and therefore must be licensed under the GPL-3 license or a compatible license.

The MIT license, on the other hand, is a permissive license that allows for more flexibility in how the software is used and distributed. However, it is not compatible with the GPL-3 license, and therefore cannot be used for derivative works of GPL-3-licensed software.

Publishing an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3 would be a licensing violation, and could potentially result in legal action or other consequences. It is important to comply with the licensing requirements of all dependencies in your package to avoid any legal issues.

The ‘harping’ questions:

  • Is it legal to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

  • Is it illegal to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

  • Is it a copyright infringement to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

  • Can I publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3 without infringing copyright?

Although sections 4.1.2 and 4.1.3 by Collin describe this situation, I found section 13.5.1 in R Packages by Hadley and Jenny to be more clear. ChatGPT definitely missed the mark on this one. In my opinion, depending on a package with GPL-3 in a package with a MIT license would be a violation of the GPL-3 license. I would be interested to learn if there is any legal precedent for this situation. Is there considerable consequences for violators or is infringement enforced in most cases? According to Hadley and Jenny, over 70% of R packages use copyleft licenses like GPL compared to only 20% using permissive licenses like MIT. I wonder if there are a few important foundation packages like dplyr that have a copyleft license which forces all other packages to utilize a more restrictive license.