How to Handle Copyleft Licenses in Library Dependencies?

Asked By CuriousCoder92 On

Hey everyone, I'm curious about how the legal landscape looks regarding copyleft licenses, especially when it comes to dependencies in libraries. Hypothetically speaking, if I'm distributing code under a copyleft license, does that mean I need to ensure all of my dependencies, as well as their dependencies, comply with that license every time there's an update? This seems like it could require a lot of effort, especially with updates happening frequently. I've mostly just checked the licenses of the libraries I've added and felt fine with that, especially if GitHub shows MIT or something similar. Am I overthinking this, or is there some sort of tool or process that makes this manageably efficient?

6 Answers

Answered By ToolTime99 On

You can set up checks in your CI pipeline to fail if any licenses that don't meet your criteria come up. There are both free tools and paid options like Snyk to help manage this process.

Answered By CodeChecker23 On

Black Duck is a tool specifically for scanning these types of dependencies and licenses, if you're looking for something to help manage this issue without having to do all the checking manually.

Answered By PragmaticDev On

In theory, if you copy the copyleft license properly, it should remain at the top level. However, if you do use something with a copyleft license, you can't hide it by using other means. That's how most of us try to operate fairly.

Answered By MinimalistDev On

Keeping your dependency graph as simple and small as possible might be the best approach here. It reduces the potential complications with these licenses.

Answered By LicenseLogic On

You're definitely not alone in thinking about this—most people tend to ignore those deep dependencies. It's tempting to just keep going as long as the risk seems shared and manageable.

OverlookedDev -

Right? I guess the fewer of us who get caught, the better! But I'd be interested to see if others feel the same way.

Answered By LegalEagle4U On

It really matters when you get sued! Some organizations ask for a Software Bill of Materials (SBOM) that details every single dependency. You might not think about it until legal issues pop up, but those can become serious fast if a violation is discovered.

DevOpsDude88 -

We don't want to wait for a lawsuit either, so we scan our SBOM every time we build. It’s a pain because it checks everything regardless of whether the dependencies have changed, which can really slow things down.
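A worked version of the pipeline gate ToolTime99's answer above suggests (fail the build when a dependency's licence is outside an approved set), extended to address DevOpsDude88's complaint just above that rescanning the whole SBOM on every build is slow: each component's verdict is cached by (policy, package URL, licence expression), so a build whose dependency set has not changed re-evaluates nothing, while editing the allowlist invalidates every cached verdict. This is an added example, not code posted by anyone in the thread and not from Snyk or Black Duck; the CycloneDX SBOM, the package names and the allowlist are constructed for illustration.

```python
"""Added example: CI licence gate over a CycloneDX SBOM with cached per-component verdicts."""
import hashlib, json, sys

# Policy is an ALLOWLIST of SPDX ids: copyleft, unknown and missing licences all fail, so a
# new licence is a decision rather than a silent pass. The set itself is assumed for the example.
DEFAULT_ALLOW = frozenset({"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"})

# Constructed CycloneDX JSON (only the fields read here); package names are made up.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "httpthing", "version": "2.1.0", "purl": "pkg:pypi/httpthing@2.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "strongcopyleft", "version": "1.0.0", "purl": "pkg:pypi/strongcopyleft@1.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "dualchoice", "version": "0.2.0", "purl": "pkg:pypi/dualchoice@0.2.0",
     "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"name": "nolicense", "version": "9.9.9", "purl": "pkg:pypi/nolicense@9.9.9"},
]}

def acceptable(expr, allow=DEFAULT_ALLOW):
    """SPDX expression check: OR = consumer picks a branch, AND = all branches apply;
    'WITH exception' and a '+' suffix are reduced to the base licence (conservative)."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(toks) and toks[pos].upper() == "OR":
            pos += 1
            val = parse_and() or val      # right side always parsed, never short-circuited
        return val
    def parse_and():
        nonlocal pos
        val = parse_primary()
        while pos < len(toks) and toks[pos].upper() == "AND":
            pos += 1
            val = parse_primary() and val
        return val
    def parse_primary():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("empty or truncated expression")
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = parse_or()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        if pos + 1 < len(toks) and toks[pos].upper() == "WITH":
            pos += 2                      # skip 'WITH <exception-id>'
        return tok.rstrip("+") in allow
    result = parse_or()
    if pos != len(toks):                  # e.g. a free-text licence name containing spaces
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return result

def component_license(comp):
    """Collapse a CycloneDX 'licenses' array into one expression (entries are AND-ed)."""
    parts = []
    for entry in comp.get("licenses") or []:
        if "expression" in entry:
            parts.append("(" + entry["expression"] + ")")
        elif "license" in entry:
            parts.append(entry["license"].get("id") or entry["license"].get("name") or "NOASSERTION")
    return " AND ".join(parts) if parts else "NOASSERTION"

def evaluate_sbom(sbom, allow=DEFAULT_ALLOW, cache=None):
    """Return (violations, number_evaluated). Verdicts are cached per (policy, purl, expression):
    an unchanged dependency set costs nothing next build; editing the allowlist invalidates all."""
    cache = {} if cache is None else cache
    policy = hashlib.sha256(",".join(sorted(allow)).encode()).hexdigest()[:16]
    violations, evaluated = [], 0
    for comp in sbom.get("components", []):
        ref = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        expr = component_license(comp)
        key = hashlib.sha256(f"{policy}|{ref}|{expr}".encode()).hexdigest()
        if key not in cache:
            evaluated += 1
            try:
                cache[key] = [acceptable(expr, allow), "not in allowlist"]
            except ValueError as exc:
                cache[key] = [False, f"unparseable licence: {exc}"]
        ok, reason = cache[key]
        if not ok:
            violations.append((ref, expr, reason))
    return violations, evaluated

if __name__ == "__main__":
    # Pipeline step: carry the verdict cache across builds as a file, exit 1 on any violation.
    try:
        cache = json.load(open("license-verdicts.json"))
    except FileNotFoundError:
        cache = {}
    violations, evaluated = evaluate_sbom(SAMPLE_SBOM, cache=cache)
    json.dump(cache, open("license-verdicts.json", "w"))
    print(f"evaluated {evaluated} component(s), {len(violations)} violation(s)")
    for ref, expr, reason in violations:
        print(f"  FAIL {ref}: {expr} ({reason})")
    sys.exit(1 if violations else 0)
```

Run twice: the first run evaluates all four constructed components and fails on the GPL-3.0-only package and the one with no licence entry; the second run evaluates zero, because every verdict is served from license-verdicts.json. In CI, keep that file in the pipeline's cache store keyed on the lockfile so it survives between jobs. Two design choices are worth stating: an allowlist rather than a list of copyleft identifiers, because a denylist silently passes any licence you did not think to name, including a missing one; and an OR expression is accepted when any branch is, since the consumer gets to choose. Multiple entries in a component's `licenses` array are treated as AND-ed (the stricter reading). The gate is only as good as the SBOM's licence data, so the tool that generated it still matters.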
