FOSS-chain: using blockchain for Open Source Software license compliance

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Open Source Software (OSS) is widely used and carries licenses that indicate the terms under which the software is provided for use, also specifying modification and distribution rules. Ensuring that users are respecting OSS license terms when creating derivative works is a complex process. Compliance issues arising from incompatibilities among licenses may lead to legal disputes. At the same time, blockchain technology, with its immutable entries, offers a mechanism to provide transparency when it comes to licensing and to ensure that software changes are recorded. In this work, we introduce an integration of blockchain and license management when creating derivative works, in order to tackle the issue of OSS license compatibility. We have designed, implemented and performed a preliminary evaluation of FOSS-chain, a web platform that uses blockchain and automates the license compliance process, covering 14 OSS licenses. We have evaluated the initial prototype version of the FOSS-chain platform via a small-scale user study. Our preliminary results are promising, demonstrating the potential of the platform for adaptation on realistic software systems.


💡 Research Summary

The paper addresses the growing challenge of open‑source software (OSS) license compatibility, which can lead to legal disputes when developers create derivative works. Existing solutions such as Software Composition Analysis (SCA) tools mainly perform post‑hoc scanning of source code and do not provide real‑time enforcement of licensing rules. To overcome this limitation, the authors propose FOSS‑chain, a web‑based platform that integrates blockchain technology and smart contracts to automate OSS license compliance.

FOSS‑chain supports fourteen widely used OSI‑approved licenses (including MIT, Apache‑2.0, GPL‑3.0, LGPL‑2.1 and BSD variants). The core architecture relies on Ethereum‑compatible smart contracts. When a user downloads a project, a "DownloadAgreement" contract records the user's acceptance of the original license, and the platform computes a SHA‑256 hash of every function in the source code (supported languages: C, Java, Python). These function‑level hashes serve as identifiers for code fragments and are stored on the blockchain, where they cannot be silently altered or removed afterwards. Because SHA‑256 is computed over the extracted bytes, two copies of a function only share a hash if they are identical after whatever normalization the extractor applies.

When the same user later uploads a new project that may be a derivative of previously downloaded code, the backend extracts function hashes from the uploaded source and queries the blockchain for matches. If a match is found, the system retrieves the license associated with the original code and runs a compatibility check against the license declared for the new upload, using a pre‑defined license‑compatibility matrix derived from prior research. If the licenses are compatible, the upload is approved and the new project's metadata and license information are recorded on‑chain via a "LicenseManager" contract. If an incompatibility is detected (e.g., attempting to release a derivative of GPL‑3.0 code under a permissive license such as MIT), the user receives an immediate notification and the upload is blocked. The check can only fire for functions whose hashes are already on‑chain: code that was never downloaded through the platform, or that was edited in a way the extractor does not normalize away, produces no match.
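The download‑and‑upload flow described in the two paragraphs above, as an added example rather than the FOSS‑chain project's own code. It assumes a Python‑only regex extractor in the spirit of the paper's approach, a dictionary standing in for the on‑chain hash store, and a constructed four‑license compatibility subset (the paper's full 14‑license matrix is not reproduced). The token‑normalized hash is an addition made here to show how much detection depends on normalization; the paper does not describe one. All sample source texts are constructed.

```python
"""Constructed walk-through of the FOSS-chain download/upload flow (example code,
not the project's own).  Stage 1: hash every function of the downloaded source and
record hash -> (project, license) in a stand-in for the on-chain store.  Stage 2:
hash the uploaded functions, look them up, and gate the upload with a matrix."""
from __future__ import annotations

import hashlib
import io
import re
import tokenize
from typing import Callable

# Regex extractor for Python `def` blocks, mirroring the paper's regex approach.
# A function runs from its `def` line to the next non-blank line indented no
# deeper than the `def`.  Deliberately naive: decorators, classes and nested
# defs are not handled separately, which is the limitation the paper reports.
_DEF = re.compile(r"^(?P<indent>[ \t]*)def\s+(?P<name>\w+)\s*\(")


def extract_functions(source: str) -> dict[str, str]:
    lines = source.splitlines()
    funcs: dict[str, str] = {}
    i = 0
    while i < len(lines):
        m = _DEF.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group("indent"))
        j = i + 1
        while j < len(lines):
            ln = lines[j]
            if ln.strip() and len(ln) - len(ln.lstrip()) <= indent:
                break
            j += 1
        funcs[m.group("name")] = "\n".join(lines[i:j]).rstrip()
        i = j
    return funcs


def raw_hash(code: str) -> str:
    """SHA-256 of the function text exactly as extracted (byte-for-byte)."""
    return hashlib.sha256(code.encode()).hexdigest()


def normalized_hash(code: str) -> str:
    """SHA-256 over the token stream with comments, newlines and indentation
    dropped (an addition for illustration).  Renaming identifiers still evades it."""
    skip = {tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE,
            tokenize.INDENT, tokenize.DEDENT, tokenize.ENDMARKER}
    toks = [t.string for t in tokenize.generate_tokens(io.StringIO(code).readline)
            if t.type not in skip]
    return hashlib.sha256(" ".join(toks).encode()).hexdigest()


# Allowed (original_license, derivative_license) pairs: "may code under the first
# be incorporated into a derivative released under the second?"  Anything not
# listed is treated as incompatible, so the gate fails closed.  Constructed subset.
COMPATIBLE = {
    ("MIT", "MIT"), ("MIT", "Apache-2.0"), ("MIT", "GPL-2.0-only"), ("MIT", "GPL-3.0-only"),
    ("Apache-2.0", "Apache-2.0"), ("Apache-2.0", "GPL-3.0-only"),  # Apache-2.0 -> GPL-2.0: no
    ("GPL-2.0-only", "GPL-2.0-only"),                               # GPL-2.0-only -> GPL-3.0: no
    ("GPL-3.0-only", "GPL-3.0-only"),
}


def compatible(original: str, derivative: str) -> bool:
    return (original, derivative) in COMPATIBLE


class Registry:
    """Stand-in for the on-chain hash -> (project, license) store."""

    def __init__(self, hasher: Callable[[str], str]) -> None:
        self.hasher = hasher
        self.by_hash: dict[str, tuple[str, str]] = {}

    def record_download(self, project: str, license_id: str, source: str) -> int:
        """DownloadAgreement step: store a hash per function; return store size."""
        for code in extract_functions(source).values():
            self.by_hash[self.hasher(code)] = (project, license_id)
        return len(self.by_hash)

    def check_upload(self, license_id: str, source: str) -> dict:
        """LicenseManager step: match uploaded functions, then run the matrix check."""
        matches, conflicts = [], []
        for name, code in extract_functions(source).items():
            hit = self.by_hash.get(self.hasher(code))
            if hit is None:
                continue
            project, orig_license = hit
            matches.append((name, project, orig_license))
            if not compatible(orig_license, license_id):
                conflicts.append((name, orig_license, license_id))
        return {"approved": not conflicts, "matches": matches, "conflicts": conflicts}


# Constructed samples: UPLOADED is DOWNLOADED with whitespace/comment changes only,
# plus one genuinely new function.
DOWNLOADED = 'def parse_header(line):\n    # split "Key: value"\n' \
             '    key, _, value = line.partition(":")\n    return key.strip(), value.strip()\n\n' \
             'def checksum(data):\n    return sum(data) % 256\n'
UPLOADED = 'def checksum(data):\n    return sum(data)%256\n\n' \
           'def parse_header(line):\n    key,_,value = line.partition(":")\n' \
           '    return key.strip(),value.strip()\n\ndef new_helper(x):\n    return x * 2\n'


def demo() -> dict[str, dict]:
    """Same GPL-3.0 download re-uploaded as MIT, checked with each hasher."""
    results = {}
    for label, hasher in (("raw", raw_hash), ("normalized", normalized_hash)):
        reg = Registry(hasher)
        reg.record_download("libparse", "GPL-3.0-only", DOWNLOADED)
        results[label] = reg.check_upload("MIT", UPLOADED)
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, "approved" if res["approved"] else "BLOCKED", res["conflicts"])
```

With the raw hash the reformatted upload produces no matches and sails through as MIT, a false negative; with the token‑normalized hash both reused functions match the GPL‑3.0 record and the upload is blocked, while the same upload declared as GPL‑3.0‑only is approved. The default‑deny matrix means an unknown license pair blocks rather than passes, which is the safe direction for an automated gate.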

The platform's user interface allows registration, project search, download, and upload. All interactions that affect licensing are mediated by smart contracts, giving an auditable, tamper‑evident record of who accepted which license and which function hashes were uploaded under which license. What the chain guarantees is the integrity of those records once written, not the correctness of the license a user declares or of the hash extraction that feeds them. The authors implemented a prototype and conducted a small‑scale user study with twelve participants of mixed technical backgrounds. Survey results indicated high perceived usefulness (average 4.2/5) and ease of use, while also highlighting concerns about transaction costs (gas fees), latency, and the accuracy of regular‑expression‑based function extraction.

Key contributions are: (1) introducing a blockchain‑based smart‑contract architecture that immutably records license agreements and code usage, (2) employing function‑level hashing to detect code reuse and enforce license compatibility automatically, and (3) delivering a functional web platform that demonstrates feasibility through an initial user evaluation.

Limitations include reliance on regular expressions for function extraction (which may miss complex language constructs), exact‑match hashing that is defeated by any edit the extractor does not normalize away (reformatting, comment changes, identifier renaming), support for only three programming languages, and the cost and latency overhead of a public blockchain. The authors suggest future work such as extending language support, integrating more sophisticated static analysis tools, adopting private or layer‑2 blockchain solutions to reduce costs, and automating updates to the license‑compatibility matrix.

In conclusion, FOSS‑chain represents an early but practical attempt to shift OSS license compliance from reactive audits to proactive enforcement, leveraging blockchain’s immutability and smart contracts to reduce legal risk and improve transparency in the OSS ecosystem.

