Legal Details of Licenses

All that legal stuff…
Author

Marie Hardt

Published

March 9, 2023

Frontmatter check Render rmarkdown

Prompt:

The DESCRIPTION file of a package contains the package’s meta information. Most of the fields in this file are quite straight forward: author, version number, and a short package description. When you call library(help="<package name>") for package <package name> you can see the contents of the DESCRIPTION file for that package (and some parts of the NAMESPACE file).

Read through Colin Fay’s (short) book on Licensing R

Write a blog post addressing the following questions:

Under what license does R operate? What is the license for ggplot2?

After running license(), I learned that R primarily operates under GPL-2 and GPL-3 while some header files operate under LGPL-2.1. Calling library(help = "ggplot2") shows that the ggplot2 package uses the MIT license.

What are the dependencies of the package you made?

Read through chapter 5.2 of Licensing R. Combine and adjust the code pieces to create the dependencies for a package that is on github rather than CRAN. (Don’t forget about the package desc.) What dependencies does the package have that you created for Lab-3? Which licenses are involved? Are all of these dependencies required? Elaborate.

The current listed dependencies of my Lab 3 team’s TwoTeam4 package (and their licenses) are

  • R (GPL-2 and GPL-3 while some header files operate under LGPL-2)

  • dplyr (MIT)

  • lubridate (GPL-2 | GPL-3)

  • readr (MIT)

  • purrr (MIT)

  • stringr (MIT)

  • tabulizer (MIT)

We do need all of these dependencies in our package because the functions we created within our package call functions from the dependencies.

If we run the following code, we can see that our TwoTeam4 package has more dependencies than we listed. This more extensive list of dependencies includes dependencies of our dependencies. We can find the licenses for all of these packages using utils::packageDescription("<package_name>", field = "License").

library(pkgnet)
library(TwoTeam4)
team_depends <- DependencyReporter$new()$set_package("TwoTeam4")$nodes$node

The more extensive list of dependencies (and their licenses) includes

  • R6 (MIT)

  • bit (GPL-2 | GPL-3)

  • bit64 (GPL-2 | GPL-3)

  • cli (MIT)

  • clipr (GPL-3)

  • crayon (MIT)

  • dplyr (MIT)

  • ellipsis (MIT)

  • fansi (GPL-2 | GPL-3)

  • generics (MIT)

  • glue (MIT)

  • grDevices (Part of R and thus probably GPL-2 and GPL-3)

  • graphics (Part of R and thus probably GPL-2 and GPL-3)

  • hms (MIT)

  • lifecycle (MIT)

  • lubridate (GPL >=2)

  • magrittr (MIT)

  • methods (Part of R and thus probably GPL-2 and GPL-3)

  • pillar (MIT)

  • pkgconfig (MIT)

  • png (GPL-2 | GPL-3)

  • purrr (MIT)

  • rJava (LGPL-2.1)

  • readr (MIT)

  • rlang (MIT)

  • stats (Part of R and thus probably GPL-2 and GPL-3)

  • stringi (custom LICENSE)

  • stringr (MIT)

  • tabulizer (MIT)

  • tabulizerjars (MIT)

  • tibble (MIT)

  • tidyselect (MIT)

  • timechange (GPL-3)

  • tools (Part of R and thus probably GPL-2 and GPL-3)

  • tzdb (MIT)

  • utf8 (Apache License (== 2.0)

  • utils (Part of R and thus probably GPL-2 and GPL-3)

  • vctrs (MIT)

  • vroom (MIT)

  • withr (MIT)

Under which license should this blog post be published? Make sure that you are using an appropriate license. (You can change the current licenses with the help of commands from the use_license_XXX family in the usethis package)

After reading the examples in chapter 4 of Licensing R, I chose to use a CC-BY-4.0 license for this blog post.

Can I publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

When confronted with the above question, ChatGPT gave two – quite different – responses, as shown below. The main point in both responses is ‘your package may be considered derivative work’. At the specific problem of the package developed for Lab 3, what is your opinion about potential copyright infringements when releasing the package with an MIT license? Make sure to take the relevant passage in Colin Fay’s book under consideration.

The legal implications of publishing an R package on CRAN under an MIT license while having a dependency on a package that is licensed under GPL-3 are complex and can vary depending on the specific circumstances. It is always advisable to seek legal advice from a licensed attorney if you have any doubts or concerns about licensing issues.

However, in general, it is possible to publish an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3. This is because the MIT license is a permissive open-source license that allows for more flexibility in how the software can be used and distributed, and it is generally considered compatible with the GPL-3 license.

That being said, if your package depends on a GPL-3-licensed package, your package may be considered a derivative work and therefore subject to the terms of the GPL-3 license. This means that if you distribute your package, you may need to also distribute the source code for your package under the GPL-3 license or a compatible license, and you may need to ensure that the requirements of the GPL-3 license are met for the entire distribution, including any dependencies.

It is also worth noting that the R community has its own guidelines and recommendations for package licensing, and it is important to comply with these guidelines if you want to publish your package on CRAN. The CRAN Repository Policy states that packages should have a "permissive" or "GPL-compatible" license, but does not explicitly require that packages use the GPL license or any other specific license.

In summary, while it is possible to publish an R package on CRAN under an MIT license while having a dependency on a package that is licensed under GPL-3, it is important to understand the implications of the different licenses and to ensure that you comply with any applicable guidelines and recommendations from the R community.

After harping a bit on copyright infringement in general, ChatGPT changed its response to

Technically, you can publish an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3, but doing so would not be compliant with the terms of the GPL-3 license.

The GPL-3 license is a strong copyleft license that requires derivative works to be released under the same license. If your package depends on a GPL-3-licensed package, your package may be considered a derivative work and therefore must be licensed under the GPL-3 license or a compatible license.

The MIT license, on the other hand, is a permissive license that allows for more flexibility in how the software is used and distributed. However, it is not compatible with the GPL-3 license, and therefore cannot be used for derivative works of GPL-3-licensed software.

Publishing an R package on CRAN under an MIT license when you have a dependency on a package that is licensed under GPL-3 would be a licensing violation, and could potentially result in legal action or other consequences. It is important to comply with the licensing requirements of all dependencies in your package to avoid any legal issues.

The ‘harping’ questions:

  • Is it legal to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

I think so.

  • Is it illegal to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

I don’t think so.

  • Is it a copyright infringement to publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3?

I don’t think so.

  • Can I publish an R package on CRAN under an MIT license when I have a dependency on a package that is licensed under GPL-3 without infringing copyright?

I think so.

We can consider the readr package as an example of the above issues. The readr package imports the clipr package and thus has the clipr package as a dependency. The clipr package is released under GPL-3 while readr is released under the MIT license. I assume that the developers of a tidyverse package like readr made sure that there are no legal issues or copyright infringement issues that could arise when including a package with the GPL-3 license as a dependency to a package that uses the MIT license. Hence, if readr can be published on CRAN under the MIT license while having a dependency on a package under the GPL-3 license, it seems reasonable that other packages in similar situations should also be able to be published on CRAN without repercussions.

In chapter 3 of Licensing R, David Fay notes that all derivative works of GPL licensed works need to be released under a GPL-compatible license. Later in chapter 3, I learned that the MIT license is GPL-compatible. This makes it seem like there is nothing wrong with releasing a package under the MIT license when it has a dependency on a GPL licensed package. To be even more on the safe side, you should also make the source code of your MIT-licensed package available in a GPL-compliant way.

I was interested in the topic of licensing R packages, so I did some further research and came across R Packages (2e) by Hadley Wickham and Jenny Bryan. In [section 13.6]{https://r-pkgs.org/license.html} of R Packages (2e), the authors note that in their opinion, the license of your R package and the licenses of R packages whose exported functions you use via Imports or Suggests don’t have to match. Based on my reading of chapter 4 in David Fay’s Licensing R, I would argue that there is at least one case where you have to be careful about license matching. Suppose that the license of one of your package’s dependencies does not allow for commercial use. If you intend that your R package can be used in a commercial setting, you should find another way to implement your code that does not use the dependency with a restrictive license.

In the case of my lab 3 team’s TwoTeam4 package, I think we would be able to publish it on CRAN under an MIT license even though some of its dependencies are GPL licensed.The package needs some cleaning up first, though. I would also like to check into the rJava package’s LGPL-2.1 license, the stringi package’s custom license, and the utf8 package’s Apache license just to be safe.

Submission

Write answers to the questions directly into the file README.Rmd. Push the blog post to your blog-7 repo. Make sure that all of the checks are passing.