An analysis of the licenses used by 75+ Open Source projects across 35 companies
Facebook is nearly alone in their usage of BSD-3 + strong patent retaliation
TL;DR: I analysed 75+ popular Open Source projects (6000+ stars and above) from ~35 companies, and concluded that Facebook is an exception within the Open Source space. The only other company using the same license model I found is Palantir.
“Maybe Facebook is an innovator?”, you could argue. Maybe they are ahead of the game? I’m not so sure. Why?
Update 22nd August 15.10 BST —I wrote another post covering concepts and rationale, including licensing, ASLv2, MPL, OSS contributions, community kindly, etc. Here it is:
Facebook introduced their BSD-3 + patents license 3 years ago
Exactly in October 2014.
Yet no other player in the industry (apart from Palantir) has joined them yet — or at least I wasn’t able to find them.
Notwithstanding, Facebook claims the following in their “Explaining React’s license” article:
We believe that if this license were widely adopted, it could actually reduce meritless litigation for all adopters, and we want to work with others to explore this possibility.
If it really is so wonderful and solves a major headache in the industry — and their purposes are so noble — it begs to ask the question:
“How come almost nobody else in Silicon Valley has followed suit yet?”
Perhaps they will now, with all the attention this issue is bringing. I don’t know.
Scroll below for the data.
Additional points I’d like to make before I give you the data
My previous article received lots of positive feedback — and some backlash from mainly React users. Note that I’m a backend and distributed systems engineer, so I’m neutral with regards to frontend frameworks, and hold no vested interest.
- They claim that Facebook doesn’t hold any patents (yet) whose grant they could revoke, hence in their eyes there is no threat. But do they know if there are any patent filings in the work? This license contains a legal provision that is permanently in force for as long as you use React. Not just today.
- Do we, software engineers, pick our stack based on status quo? Or do we pick future-proof stacks? Maybe there is no patent today, but there could be tomorrow, right?
- They argue that if large companies like Amazon are using React, their startups are also safe. Except that they miss one key point: Amazon has enough manpower to quickly migrate away from React, if need be. They probably also hold a patent arsenal against Facebook ready to attack if the time comes.
- Pertaining to the above, their lawyers could have evaluated the risks and determined the license was not enforceable by Facebook. But, does this license embody the true spirit and nature of Open Source? Should companies piggyback on the success of Open Source projects like React to enforce patent restrictions on adopters?
- Moreover, if the terms are not enforceable, and everybody apparently knows that, why is Facebook so adamant about keeping this license untouched, instead of migrating to a less conflictive one?
- Is this harmful to communities and the overall OSS ecosystem, like I explained in my previous article?
Next, I give you the data.
List of companies and projects grouped by the type of Open Source licenses they use
BSD-3 + strong patent retaliation
Apache Software License v2
- Google => Kubernetes (license), Gson (license), Guava (license).
- Apple => Swift (license).
- Github => Atom (license).
- Alibaba => Fastjson (license), Dubbo (license).
- LinkedIn => Pinot (license), Qark (license).
- Elastic => Elasticsearch (license), Kibana (license), Logstash (license).
- Facebook => some projects like: Buck (license), RocksDB (license).
- Microsoft => Typescript (license), RxJS (license).
- Adobe => snap.svg (license), Balance-text (license).
- Square => Retrofit (license), OkHttp (license).
- Airbnb => Aerosolve (license), Lottie (license).
- Netflix => Hystrix (license), Falcor (license).
- Twitter => Finagle (license), Heron (license).
- VMware => Harbor (license).
- JetBrains => Kotlin (license).
- Docker => Docker/Moby (license), Compose (license), Swarm (license).
- Hyperledger => Fabric (license).
- SpringSource => Spring Framework (license).
- The New York Times => Gizmo (license), Kyt (license).
- Prometheus => Prometheus (license).
- CoreOS => etcd (license).
- MongoDB Inc. => drivers (reference).
MIT License
- Google => Angular (license).
- IBM => Loopback (license).
- Github => Fetch (license).
- Uber => Jaeger (license), Ringpop (license).
- Microsoft => Visual Studio Code (license), .NET (license).
- Airbnb => Enzyme (license), Hypernova (license).
- Twitter => Bootstrap (license), Typeahead.js (license).
- Zeit => Hyper (license), Micro (license), Next.js (license).
- Segment => Nightmare (license).
- HubSpot => Pace (license).
- Etsy => Statsd (license), Hound (license).
- Shopify => Dashing (license), Sarama (license).
Continue reading the follow-up
22nd August 2017: I received a lot of feedback and questions — so I consolidated my responses in a new post. I also state some questions that I believe Facebook should answer. I highly encourage you to read this post.
Moreover, if you haven’t read the original article yet, here it is.
If you enjoyed this article, please recommend it on Medium (clap/heart it!), and share it on Twitter, LinkedIn, etc.
