The reuse and distribution of open-source software must be in compliance with its accompanying open-source license. In modern packaging ecosystems, maintaining such compliance is challenging because a package may have a complex multi-layered dependency graph with many packages, any of which may have an incompatible license. Although prior research finds that license incompatibilities are prevalent, empirical evidence is still scarce in some modern packaging ecosystems (e.g., PyPI). It also remains unclear how developers remediate the license incompatibilities in the dependency graphs of their packages (including direct and transitive dependencies), let alone any automated approaches.
To bridge this gap, we conduct a large-scale empirical study of license incompatibilities and their remediation practices in the PyPI ecosystem. We find that 7.27% of the PyPI package releases have license incompatibilities and 61.3% of them are caused by transitive dependencies, causing challenges in their remediation; for remediation, developers can apply one of five strategies: migration, removal, pinning versions, changing their own licenses, and negotiation. Inspired by our findings, we propose SILENCE, an SMT-solver-based approach to recommend license incompatibility remediations with minimal costs in a package dependency graph. Our evaluation shows that the remediations proposed by SILENCE can match 19 historical real-world cases (except for migrations not covered by an existing knowledge base) and have been accepted by five popular PyPI packages whose developers were previously unaware of their license incompatibilities.
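The following is an added illustration, not code from the SILENCE paper or its artifact, of the two steps the abstract describes: detecting license incompatibilities across direct and transitive dependencies, and choosing the cheapest combination of remediations (pinning, migration, removal, relicensing). Every package name, version, license assignment, the compatibility table, the migration knowledge base and the cost weights are constructed for the example, and the search is an exhaustive enumeration over candidate actions rather than the SMT encoding SILENCE uses.

```python
"""Toy license-incompatibility detection and minimal-cost remediation over a
package dependency graph.  Constructed example: every package, version,
license and cost below is made up, and the search is exhaustive rather than
SMT-solver based."""
from itertools import product

# Constructed compatibility table: may a project under license `outer`
# depend on code under license `inner`?  Deliberately simplified toy rules
# (LGPL treated as usable by permissive projects), not a legal reference.
COMPATIBLE = {
    "MIT": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-3.0"},
    "Apache-2.0": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-3.0"},
    "LGPL-3.0": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-3.0"},
    "GPL-3.0": {"MIT", "BSD-3-Clause", "Apache-2.0", "LGPL-3.0", "GPL-3.0"},
}

# Constructed registry: name -> version -> (license, direct dependencies)
REGISTRY = {
    "app":     {"1.0": ("MIT", ["webkit", "fastcsv"])},
    "webkit":  {"2.0": ("Apache-2.0", ["sslwrap"])},
    "sslwrap": {"1.3": ("LGPL-3.0", []), "1.4": ("GPL-3.0", [])},
    "fastcsv": {"0.9": ("GPL-3.0", [])},
    "tinycsv": {"1.0": ("MIT", [])},
}
# Constructed migration knowledge base: package -> drop-in replacement
ALTERNATIVES = {"fastcsv": "tinycsv"}
# Constructed cost weights, ordered roughly by developer effort
COST = {"pin": 1, "migrate": 2, "remove": 3, "relicense": 5}


def latest(name):
    """Highest version of a package, comparing numerically not lexically."""
    return max(REGISTRY[name], key=lambda v: tuple(map(int, v.split("."))))


def resolve(root, actions):
    """Resolve the transitive dependency graph of `root` after applying
    `actions`, a list of (kind, package, arg) tuples.  Returns
    {package: (version, license, path_from_root)} for every reached package."""
    pins = {pkg: arg for kind, pkg, arg in actions if kind == "pin"}
    swaps = {pkg: arg for kind, pkg, arg in actions if kind == "migrate"}
    removed = {pkg for kind, pkg, _ in actions if kind == "remove"}
    reached = {}
    stack = [(dep, [root]) for dep in REGISTRY[root][latest(root)][1]]
    while stack:
        name, path = stack.pop()
        if name in removed:
            continue
        name = swaps.get(name, name)          # migration swaps the package
        if name in reached:
            continue
        version = pins.get(name, latest(name))  # pinning overrides "latest"
        lic, deps = REGISTRY[name][version]
        reached[name] = (version, lic, path + [name])
        stack.extend((d, path + [name]) for d in deps)
    return reached


def incompatibilities(root, actions):
    """Dependencies (direct or transitive) whose license the root may not use."""
    root_license = next((arg for kind, _, arg in actions if kind == "relicense"),
                        REGISTRY[root][latest(root)][0])
    return {name: info for name, info in resolve(root, actions).items()
            if info[1] not in COMPATIBLE[root_license]}


def candidates(name, info):
    """Remediation options for one incompatible dependency.  Pinning can
    reach a transitive dependency; migration and removal only a direct one."""
    version, _, path = info
    direct = len(path) == 2                  # path is [root, name]
    opts = [("pin", name, v) for v in REGISTRY[name] if v != version]
    if direct and name in ALTERNATIVES:
        opts.append(("migrate", name, ALTERNATIVES[name]))
    if direct:
        opts.append(("remove", name, None))
    return opts


def remediate(root):
    """Cheapest action set leaving no incompatibility: one candidate per
    incompatible dependency (re-resolved after applying, since a new version
    may bring new dependencies), with relicensing the root as a fallback.
    Returns [] when nothing is wrong and None when no option works."""
    problems = incompatibilities(root, [])
    if not problems:
        return []
    best = None
    for combo in product(*(candidates(n, i) for n, i in problems.items())):
        actions = list(combo)
        cost = sum(COST[k] for k, _, _ in actions)
        if (best is None or cost < best[0]) and not incompatibilities(root, actions):
            best = (cost, actions)
    for lic in COMPATIBLE:
        actions = [("relicense", root, lic)]
        if (best is None or COST["relicense"] < best[0]) and not incompatibilities(root, actions):
            best = (COST["relicense"], actions)
    return best[1] if best else None


if __name__ == "__main__":
    for name, (ver, lic, path) in incompatibilities("app", []).items():
        print(f"{name} {ver} ({lic}) reached via {' -> '.join(path)}")
    print("cheapest remediation:", remediate("app"))
```

On the constructed graph the MIT-licensed `app` reaches two GPL-3.0 packages: `fastcsv` directly and `sslwrap` only through `webkit`, which mirrors the abstract's point that transitive incompatibilities are harder to see and to fix. The search returns the migration of `fastcsv` to `tinycsv` plus a pin of `sslwrap` to its LGPL release, which is cheaper than removing `fastcsv` or relicensing `app`.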