OSI-affiliated Voices of Open Source published an article " The most popular licenses in every language in 2023 ", revealing licensing preferences in each programming language ecosystem and highlighting the impact of clear and standardized licenses on development The importance of the health of people, organizations, and the entire open source community.
The article points out that the MIT and Apache 2.0 licenses are the most common across different programming languages and package managers. The JavaScript community generally prefers the MIT license, and Python developers prefer Apache 2.0. The ISC license is popular in the JavaScript community for its simplicity and permissiveness. BSD licenses (including 3-Clause and 2-Clause) maintain stable but relatively low adoption rates. The GPL also has a certain influence, but it lags behind MIT and Apache 2.0.
Javascript (npm)
In the npm package manager for JavaScript, most components are licensed under the MIT license (53%), followed by Apache 2.0 (14.76%) and ISC (10.48%). The ISC license is issued by the Internet Systems Consortium, and although it is popular among JavaScript projects, it is not used much in other programming languages. A small number of projects had no license (8%) or no license/no declaration identified by SPDX (5.49%).
.NET (Nuget)
In the .NET package manager Nuget, the most worrying point is that most of its components either do not have licenses (26.76%) or are identified as "NOASSERTION" (31.95%). The proportions using MIT or Apache 2.0 licenses were 21.55% and 13.37% respectively.
Java (Maven)
The vast majority of components in Maven (Java's package manager) use the Apache 2.0 license (69.18%), and only 7.4% use MIT. In addition, the proportion of components classified as NOASSERTION is 14.75%.
Python (Pypi)
In Python's package manager Pypi, components under the MIT and Apache 2.0 licenses dominate, with 29.14% and 23.98% respectively. Components under BSD 2-Clause and GPL 3.0 account for 6.25% and 6.11% respectively, and a considerable number of components are not licensed (23.69%).
Ruby(Gem)
The vast majority of components in Gem (Ruby's package manager) use the MIT license (63.11%). Followed by Apache 2.0 and BSD 3-Clause licenses, accounting for 8.22% and 6.66% respectively.
PHP(Composer)
In Composer, the PHP package manager, the MIT license is very popular, accounting for 64.37%. Projects under BSD 3-Clause and Apache 2.0 accounted for 5.72% and 3.92% respectively.
Go
Apache 2.0 and MIT licenses dominate Go, with 32.49% and 20.1% respectively. A large proportion of Go components are unlicensed (29.67%).
Rust(Crate)
For crate (Rust package manager), projects using MIT and/or Apache 2.0 dominate, accounting for a combined 83.52%.
Overall, while there are already some mature license options on the market, there are still many open source components that do not specify a license or are marked as SPDX "NOASSERTION". The article points out that this ambiguity has led to a lot of uncertainty in the use of such components, which may hinder collaboration and create legal and security risks for developers.
Addressing the issue of unlicensed components is critical to the continued health of the open source community. Developers, organizations, and the entire community benefit from clear and standardized licensing. Not only does it facilitate collaboration, it also ensures legal compliance and protects contributors’ intellectual property. Additionally, it helps developers track potentially vulnerable components.