NuGet License Expressions, Explained
by Eric Seng, on Dec 20, 2021 10:32:00 AM
The case Artifex v. Hancom was a harsh lesson for the defendant. Unknowingly – or at least unintentionally – software with a GPL-3 license was distributed and profited off of, violating the license and resulting in litigation.
The moral, clearly, is to read the fine print of every license within an application, down to each NuGet package. This is a long process, however, if you don’t have a tool like ProGet to automate license blocking or vulnerability scanning.
We recommend any manager, team lead, or even CEO who can control a company or organization’s software licenses to study up on licenses found in NuGet packages, like MIT, Apache, and GPL-3. Not only that, the person should be able to recognize and access a license in a NuGet package.
This article is a quick explainer on the three types of open-source NuGet package license expressions and how to access them within a package so they can be vetted.
Three Types of NuGet License Expressions
In a NuGet package’s metadata (known as the .nuspec XML manifest file), there is the ‘licensing - expression’ property. A license can be ‘expressed’ in three ways: a special code called an “expression,” a file, or a URL.
An expression-type license is usually a Software Package Data Exchange (SPDX) identifier code. This code represents an already-written open source or free software license. Since this is just a code, you must investigate the license further – like by finding the code on the SPDX license list page and clicking through to see the license.
Some codes are simple like "MIT" or "IJG," but others can be complex if an author opts for a composite license. Codes can also change over time, resulting in versioned licenses (ex. Apache-1.0, Apace-1.1, and Apache-2.0).
Expression-type licenses look like the following in the .nuspec file:
A developer would typically use a file type when their license is proprietary or all around not standard (e.g. outside the SPDX domain).
File-type licenses look like the following in the .nuspec manifest file:
Finally, a URL-type license is a URL within the NuGet package’s metadata that leads to a page with the license. It’s possible the URL could lead to an SPDX license or a proprietary license.
URL licenses are subject to change, however, since the license is not embedded in the NuGet package. At anytime the URL author can change the license the URL links to. For example, a developer could download a package and confirm the URL leads to a Apache-1.1 license; the URL author can at any point change that URL to have a Apache-2.0 license, which the developer did not originally agree to.
It’s important to keep an original copy of a URL’s license, in case of any changes after downloading.
URL-type licenses look like following:
Stay Vigilant: Check Licenses
As miniscule as a NuGet Package may seem, it can have huge ramifications like Artifex v. Hancom. Due diligence is the first step in proactively setting your organization up for success.
Did you find this article helpful? Are you using NuGet to make your .NET packages? Learn how to optimize your NuGet in the Enterprise; sign up for our free NuGet guide: