GitHub has become one of the most important places for open source software developers to publish code and collaborate on projects. But, ironically, most projects hosted publicly on GitHub aren't open source, at least according to the letter of open source law.
Aaron Williamson, a lawyer specializing in open source issues, analyzed over 1.7 million public GitHub code repositories earlier this year, and of these, only 14.9 percent had clearly specified an open source license, as reported by The Register.
Developers sharing code publicly on GitHub agree to a terms of service that allows other users to view and copy code, but if a license isn't explicitly chosen, other developers won't have the right to actually change or redistribute the code. According to the definition set by the Open Source Initiative (OSI), a license isn't considered open source unless it grants users permission to not just view source code but also modify code and distribute their changes.
GitHub, however, is taking steps to address the issue. Users are now prompted to select an OSI approved open source license when they create a new code repository on the service. Users aren't forced to select a license, but if they select "No License," they'll get a warning explaining that "nobody else may reproduce, distribute, or create derivative works from your work. This might not be what you intend."
The change is a huge reversal for GitHub, says James Governor, co-founder of the IT industry analysis firm RedMonk. "Something they said was unnecessary and not their role, is now apparently necessary, and part of their role," he says. "Pragmatism wins. Customers win. But 22 year old software developers may be confused."
To reduce confusion, GitHub prompts developers to select only from a small list of licenses, and has built a site called choosealicense.com to explain the differences between them.
Williamson thinks the change is a good thing, but he isn't sold on the execution. "Just including the option will encourage developers to consider licensing from the outset of their projects, and leave fewer new projects in license limbo," he says. But he also says that GitHub's education program is too simplistic.
"With such a short list, their choices can't help but appear rather political: MIT over BSD, GPLv2 over v3 (or AGPL), and an emphasis on permissive licenses," he says. GitHub includes links to a few other licenses, but it's still a short list relative to the myriad options available. "Community organizations like the Free Software Foundation, the Open Source Initiative, and the Software Freedom Law Center have been working to educate developers about the available license choices for a long time; if GitHub wants to get involved in license education, it should consider reaching out to these organizations and to the community."
By "permissive licensing," Williamson is referring to software licenses, such as the MIT, BSD and Apache licenses that allow developers and companies to include open source code in non-open source products. This stands in contrast to "copyleft" licenses, such as the GPL and AGPL, which require developers to release any changes they make to the code under the same license. GitHub's emphasis on permissive licensing likely reflects a general shift towards these licenses in the open source community.
And there's another challenge for opens source licensing. "Of course, while this is a good step toward improving license disclosure among GitHub projects, it won't guarantee accuracy," says Williamson. For example, it's possible that not every piece of code used in an open source project will use the same license. For instance, a project using an MIT license may include some code from a different project that used an Apache license. The use of multiple licenses needs to be communicated to developers that want to modify and redistribute the project. But Williamson notes that this problem isn't specific to GitHub, anyone incorporating open source code from other projects has to deal with this.
Regardless, this is a step in the right direction for GitHub.
