Use JSON? Well you'd better not be Evil.

March 12, 2012 By Brian Fox


Here’s a license for a library you probably use right now. Notice the clause I circled in an alarmist shade of red:

If you saw this license flagged in a Nexus RHC report it might make you stop, chuckle a bit. “Right, don’t be Evil clause. Ok, whatever.” But, remember, you are a developer, not a lawyer.

A lawyer sees that clause and has to take it very seriously. You see, lawyers usually don’t have a sense of humor when it comes to the law, and they can’t ignore something in a license. A license is just that, a legal document; everything in it must be taken at face value.

Assuming you take the law seriously, there are two things to note about this license:

  1. Compliance is impossible. A distinction between Good and Evil is barely possible within strictly defined cultural contexts, but coming up with a universal definition of Good and Evil is impossible within the confines of international law. You could try, but you would need to employ the services of a committee of philosophers and scholars familiar with descriptive meta-ethics who could render opinions on the software that incorporates this library. You have some specialists on meta-ethics on staff, right?
  2. This isn’t even Open Source. The Open Source Initiative publishes its criteria for open source licenses in The Open Source Definition: http://opensource.org/docs/osd. Clause #6 is “No Discrimination Against Fields of Endeavor”: the license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. Forget the definition of Evil; you can't restrict fields of endeavor.

So if this license isn’t an open source license, what is it? That’s a good question. Is it unenforceable? Does the clause invalidate the standard MIT license it is contained in? I can't answer these questions for you; I'm not a lawyer. I'd only trust a lawyer familiar with your approach to software development and your distribution footprint to render an opinion.

But the most important thing I take away from this license is that this additional clause adds an unnecessary complication, one that many people don't even know is lurking in their dependency tree. If it were just a stock MIT license, you wouldn't have to pay a legal professional to take the time to evaluate it; it would show up in Sonatype Insight as a standard license. As it is, at least Insight and the Nexus Repository Health Check will alert you to the presence of this obscure obligation.

What license is this? JSON.org has this clause embedded in a standard MIT license: http://www.json.org/license.html. Do you use JSON in your systems today? Have fun explaining the “Don’t be Evil” clause to your in-house counsel.

Tags: Nexus Repo Reel, Sonatype Says, AppSec Spotlight

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.