
NuGet License Expressions, Explained

by Eric Seng, on Dec 20, 2021 10:32:00 AM

The case Artifex v. Hancom was a harsh lesson for the defendant. Software under a GPL-3 license was, unknowingly or at least unintentionally, distributed and profited from, which violated the license and resulted in litigation.

The moral, clearly, is to read the fine print of every license within an application, down to each NuGet package. This is a long process, however, if you don’t have a tool like ProGet to automate license blocking or vulnerability scanning.

We recommend that any manager, team lead, or even CEO who controls a company or organization’s software licenses study up on the licenses found in NuGet packages, such as MIT, Apache, and GPL-3. That person should also be able to recognize and access the license in a NuGet package.

This article is a quick explainer on the three types of open-source NuGet package license expressions and how to access them within a package so they can be vetted.

Three Types of NuGet License Expressions

In a NuGet package’s metadata (the .nuspec XML manifest file), there is a license property. A license can be ‘expressed’ in three ways: a special code called an “expression,” a file, or a URL.

Expression

An expression-type license is usually a Software Package Data Exchange (SPDX) identifier code. This code represents an already-written open source or free software license. Since this is just a code, you must investigate the license further, for example by finding the code on the SPDX license list page and clicking through to read the license text.

Some codes are simple, like "MIT" or "IJG," but others can be complex if an author opts for a composite license. Codes can also change over time, resulting in versioned licenses (e.g. Apache-1.0, Apache-1.1, and Apache-2.0).

Expression-type licenses look like the following in the .nuspec file:

<license type="expression">MIT</license>

File

A file-type license is simply a file within the NuGet package, referenced from its metadata, that can be opened and read. The file is in either .txt or .md format.

A developer would typically use a file-type license when their license is proprietary or otherwise non-standard (i.e., not on the SPDX list).

File-type licenses look like the following in the .nuspec manifest file:

<license type="file">LICENSE.txt</license>

URL

Finally, a URL-type license is a URL within the NuGet package’s metadata that leads to a page with the license. It’s possible the URL could lead to an SPDX license or a proprietary license.

URL licenses are subject to change, however, since the license is not embedded in the NuGet package. At any time the URL author can change the license the URL links to. For example, a developer could download a package and confirm the URL leads to an Apache-1.1 license; the URL author can at any point change that URL to serve an Apache-2.0 license, which the developer did not originally agree to.

It’s important to keep an original copy of a URL’s license, in case of any changes after downloading.

URL-type licenses look like the following:

<licenseUrl>license.com/license_agreement</licenseUrl>

Stay Vigilant: Check Licenses

As minuscule as a NuGet package may seem, it can have huge ramifications, as Artifex v. Hancom shows. Due diligence is the first step in proactively setting your organization up for success.

Other steps you can take are promoting authoring best practices to your developers, or setting up filters to avoid unwanted NuGet packages.
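To show how the three license forms above can be read out of a manifest and fed into the kind of filter this section mentions, here is an added Python example. It is not code from the original article, from ProGet, or from NuGet itself. The three .nuspec manifests, the package ids, the license URL and the deny list (GPL-3 identifiers, following the article) are constructed assumptions for illustration; the policy it applies (allow known-good expressions, send file and URL licenses to manual review, block denied identifiers or a missing license) is one reasonable choice, not a standard.

```python
"""Added example: extract the license declaration from .nuspec manifests and
apply a simple allow/review/block policy. Not from the original article or
from ProGet; the package ids, the license URL and the deny list are
constructed assumptions for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed .nuspec manifests, one for each of the three license forms.
SAMPLE_NUSPECS = {
    "expression": """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Expression</id>
    <version>1.0.0</version>
    <license type="expression">MIT</license>
  </metadata>
</package>""",
    "file": """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.File</id>
    <version>1.0.0</version>
    <license type="file">LICENSE.txt</license>
  </metadata>
</package>""",
    "url": """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Url</id>
    <version>1.0.0</version>
    <licenseUrl>https://license.example/license_agreement</licenseUrl>
  </metadata>
</package>""",
}

# Assumed organisational deny list of SPDX identifiers (GPL-3, per the article).
DENIED_IDENTIFIERS = {"GPL-3.0-only", "GPL-3.0-or-later"}


def local_name(tag: str) -> str:
    """Drop the XML namespace so <license> matches regardless of schema URI."""
    return tag.rsplit("}", 1)[-1]


def extract_license(nuspec_xml: str) -> dict:
    """Return {"kind": expression|file|url|none, "value": ..., "embedded": bool}."""
    root = ET.fromstring(nuspec_xml)
    metadata = next((e for e in root.iter() if local_name(e.tag) == "metadata"), None)
    if metadata is None:
        raise ValueError("nuspec has no <metadata> element")
    license_el = license_url_el = None
    for child in metadata:
        name = local_name(child.tag)
        if name == "license":
            license_el = child
        elif name == "licenseUrl":
            license_url_el = child
    if license_el is not None:
        kind = license_el.get("type")
        if kind not in ("expression", "file"):
            raise ValueError(f"unknown license type attribute: {kind!r}")
        # Expression and file forms travel inside the package, so they cannot change later.
        return {"kind": kind, "value": (license_el.text or "").strip(), "embedded": True}
    if license_url_el is not None:
        return {"kind": "url", "value": (license_url_el.text or "").strip(), "embedded": False}
    return {"kind": "none", "value": "", "embedded": False}


def spdx_identifiers(expression: str) -> list:
    """Split a composite SPDX expression ("MIT OR GPL-3.0-only") into its identifiers."""
    tokens = re.findall(r"[A-Za-z0-9.+\-]+", expression)
    return [t for t in tokens if t.upper() not in ("AND", "OR", "WITH")]


def evaluate(info: dict, denied=DENIED_IDENTIFIERS) -> tuple:
    """Map a license declaration to (decision, reason)."""
    if info["kind"] == "expression":
        # Conservative: a denied identifier anywhere in the expression blocks it,
        # even under OR, where a reviewer might legitimately pick the other branch.
        hits = [i for i in spdx_identifiers(info["value"]) if i in denied]
        if hits:
            return "block", "denied SPDX identifier(s): " + ", ".join(hits)
        return "allow", "expression contains no denied identifiers"
    if info["kind"] == "file":
        return "review", f"embedded license file {info['value']} must be read by a person"
    if info["kind"] == "url":
        # Not embedded: the page behind the URL can change after download,
        # so the license text should be archived at vetting time.
        return "review", f"license only referenced by URL {info['value']}; archive a copy"
    return "block", "package declares no license"


def scan_all(manifests: dict = SAMPLE_NUSPECS) -> dict:
    """Evaluate every manifest and return {name: (decision, reason)}."""
    return {name: evaluate(extract_license(xml)) for name, xml in manifests.items()}


if __name__ == "__main__":
    for name, (decision, reason) in scan_all().items():
        print(f"{name:10s} {decision:6s} {reason}")
```

Running the script prints one line per constructed manifest: the MIT expression is allowed, the file license and the URL license are routed to manual review (the URL case because, as the article notes, the linked text can change after download), and any expression containing a denied GPL-3 identifier is blocked. The namespace-stripping in `local_name` matters in practice because real .nuspec files declare a schema namespace on the root element, which would otherwise prevent a plain tag comparison from matching.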
