This page provides an overview of tools and resources for selecting, checking and managing open-source software licences and their compatible use in software projects. The structured list and illustrations of licence relationships support GÉANT’s software development and licence compliance practices.
Core GÉANT Resources
- Software Licence Selection and Management in GÉANT – Main guidance on selecting, checking and managing OSS licences
- Open Source Licences Used in GÉANT – Descriptions and cheat sheet for GÉANT
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- FAQ – Software Licensing Practices
Supporting and Background Material
- OSS Licences and Licence Selection – Overview of licence types and concepts
- Open Source Software Licences in GN4-3 and GN5-1 GÉANT Project: Current State and Recommendations – GÉANT white paper
- Detailed Database of Licences – Excel sheets providing extensive data for licence comparison
Learning and Training Resources
GÉANT Courses and Workshops
- GÉANT Open Source Licensing and Compliance workshop, 17 February 2022 (recording and slides)
- Licence Dependencies Analysis with WhiteSource, 2 March 2022 (recording and slides)
- Open Source Software Licensing Workshop for Software Developers, 23–24 November 2022 (recording and slides)
- Introduction to Open Source Licensing and Compliance workshop, 5–6 April 2023 (recording and slides)
- Infoshare: OSS Licensing and Licence Compliance Guidelines for Software Developers, 12 March 2024 (recording coming soon, slides)
- Infoshare: Boost Trust in Your Open Source Software – GÉANT Certificates, 27 November 2025 (coming soon, https://events.geant.org/event/1974/)
- Software Governance eAcademy Courses
Introductory reading:
- What is Free Software? https://www.gnu.org/philosophy/free-sw.en.html
- Guide to open source licenses, overall description, https://www.synopsys.com/blogs/software-security/open-source-licenses/
- Top lists
  - Top open source licenses and legal risk for developers, top 20 categorised by risk, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/
  - Mend – Open Source Licenses in 2022: Trends and Predictions, https://www.mend.io/resources/blog/open-source-licenses-trends-and-predictions/
Authoritative Sources
- FSF: Free Software Licences and Non-free Software Licences – Classification of individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
- OSI: Licenses – Searchable list of approved licences
  - By category, https://opensource.org/licenses/category
  - Alphabetical, https://opensource.org/licenses/alphabetical
- OSI: Licence Review Archive – Record of approval discussions and rationale
- Software Package Data Exchange (SPDX): Specification and SPDX License List with standardised codes and texts, https://spdx.org/licenses/
- Black Duck: Guide to Open Source Licenses – Overview of key licence types
- Mend: Top Open Source Licenses Explained, https://www.mend.io/resources/blog/open-source-licenses-explained/
- University of Pittsburgh Library System: Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
Licence Selection and Comparison
- GitHub: Choosealicense.com: Choose an Open-Source License – Simple guidance on selecting OSS licences, with list of common licences and comparison appendix
- Interoperable Europe: Licensing Assistant – Find and Compare Software Licenses
- DejaCode: Licence Finder – Filter by category, text and characteristics (All, Permissive, Weak Copyleft, Strong Copyleft)
- Wikipedia: Comparison of Free and Open Source Software Licences with categorised lists (All, Permissive, Copyleft), “GPL (v3) compatibility” column of the Approvals table
- Creative Commons: Licence Chooser – Tools for selecting Creative Commons licences
- NI4OS-Europe: License Clearance Tool (LCT) – Suggests suitable licences for open source and research outputs
- tl;drLegal – Plain-language summaries of OSS licences, conditions, and limitations (helpful for quick comparison)
- FOSSA Blog – Articles on licence compliance, SBOMs, and licences (“Open Source Software Licenses 101” series)
Top Lists and Brief Comparisons
- Black Duck: Top Open Source Licenses and Legal Risk for Developers – Top 20 licences categorised by risk
- OSI: Top Open Source Licenses in 2024
Licence Compatibility
Overview of Permissive and Copyleft Licences
Based on materials from ORCRO:
Permissive licences have simple requirements such as crediting the original work, describing changes, and providing a disclaimer. Copyleft licences (reciprocal, protective, restrictive, or, derogatorily, viral) require the rights to be preserved in derivative works. Using components (libraries) with copyleft licences may oblige you to make derived source code available, which may include the entire product or project!
- Permissive – do anything
  - MIT – short and simple
  - ISC (OpenBSD) – further shortened equivalent
  - BSD – some variants require inclusion of the disclaimer
  - Apache 2.0 – requires notice of changes, grants a patent licence unless litigated, and preserves trademark rights
- Weak copyleft – file or library scope
  - MPL 2.0 – simple, allows static linking and licence variants with additional terms
  - LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
  - LGPL 3.0 – grants patent use; end users must be able to install modified versions; prohibits closed devices, DRM, hardware encryption, or patent retaliation; compatible with Apache 2.0
- Strong copyleft – project scope
  - GPL 2.0 – widely used
  - GPL 3.0 – grants patent use; users must be able to install modified software; compatible with Apache 2.0
  - AGPL 3.0 (Affero) – network-protective: external use of modified code requires its availability; network use counts as distribution
- Proprietary – typically restrict user rights and protect the commercial interests of copyright owners
Per-feature or tabular comparisons of licences and categorised lists
- Choose an open-source license, https://choosealicense.com/appendix/
- Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
- DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
  - All, https://enterprise.dejacode.com/licenses/
  - Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
  - Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
  - Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
- Wikipedia tables and classified lists
  - GPL-compatible licences are listed in the 'GPL (v3) compatibility' column of the table at https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals
- Creative Commons – Can I combine material under different Creative Commons licenses in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work
GPL Licence Compatibility
This diagram illustrates compatibility relationships between different free software licences. Arrows are transitive and go from the licences of the components towards the licence of your project.
[Diagram: GPL licence compatibility – image]
(From GNU: Quick Guide to GPLv3, https://www.gnu.org/licenses/quick-guide-gplv3.html)
Above, the dotted line indicates that “GPL 2 only” is not compatible with “GPL 3”, but “GPL 2 or later” is. A more detailed view with precisely stated licences:
[Diagram: FLOSS licence slide – image]
(From David A. Wheeler, 2007, FLOSS Licence Slide, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html; SVG on Wikipedia: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)
- FSF: Frequently Asked Questions about the GNU Licenses – GPL licence family-related compliance and compatibility clarifications, GPL and LGPL Compatibility Matrix with detailed explanations
- AGPL compatibility:
  - (L)GPL 3.0(+) components can be used in software under AGPL, due to an explicit rule in GPL.
  - Code under AGPL cannot be used in (L)GPL-licensed projects unless dual-licensed.
Special Requirements and Risk Handling in GPL Licences
Some licences prohibit or require certain practices or behaviours, which may lead to risks of legal threats. These should be addressed or mitigated.
Frequently used protective and permissive licences

| | AGPLv3 | GPLv3 | GPLv2.1 | LGPLv3 | LGPLv2.1 | MPL-2 | BSD |
|---|---|---|---|---|---|---|---|
| | Yes | No | No | No | No | No | No |
| | Yes | Yes | No | Yes | No | No | No |
| | Yes | Yes | No | Yes | No | No | No |
| Proprietization | Yes | Yes | Yes | Partial | Partial | Partial | No |
| Granularity/reach | Project | Project | Project | Library | Library | File | N/A |
| Trademark grant | Yes | Yes | ? | Yes | ? | No | No |

(From Wikipedia – Free-software licence, https://en.wikipedia.org/wiki/Free-software_license)
EUPL 1.2 Compatibility
[EUPL 1.2 compatibility matrix – image]
(From Interoperable Europe: EUPL – Licence Compatibility, Permissivity, Reciprocity and Interoperability)
Interoperable Europe matrices and guidance:
- Licence Compatibility, Permissivity, Reciprocity and Interoperability – General explanation and exception list
- Matrix of EUPL Compatible Open Source Licences – Mapping of in-licences to EUPL and out-licensing
- How to Use the EUPL (Primarily: What about compatibility issues?) – Guidance on components under EUPL with other licences
Relationship Between the Most Used Licences in GÉANT
The following graph provides a visual overview of most frequently used licences in GÉANT projects.
Dual and Multi-Licensing Guidance and Implications
Dual and multi-licensing can help avoid licence compatibility issues and make component use more flexible. You may choose a licence compatible with the one used for your software. However, you cannot dual-licence your software by matching some components with one licence and others with another licence. Licences of all used components must be compatible with all of your licences!
“Or later” (often expressed as “+”) licence variants imply the applicability of future, possibly still non-existent, versions of those licences. This is sometimes assumed unless explicitly declined.
Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL)
– EUPL comes with a full and exhaustive list of the licences it can be combined with.
Licence Compatibility Matrices and Checkers
- Joinup Licensing Assistant – Compatibility Checker, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker
[Licence compatibility matrix – image]
In-licences (licences of components) are in rows and out-licences are in columns.
(Source: GitHub – Licence Compatibility Checker, https://github.com/HansHammel/license-compatibility-checker)
Open Source Automation Development Lab (OSADL) Matrix and Rules
[OSADL compatibility matrix and rules – images]
In-licences are in columns, out-licences are in rows.
(Source: Meeker & von Wendorff, 2019, Fulfilling Open Source Licence Obligations: Can Checklists Help?, https://events19.linuxfoundation.org/wp-content/uploads/2018/07/OSLS-2019-Fulfilling-Open-Source-license-obligations-Can-checklists-help.pdf)
More at the OSADL site:
- General information, https://www.osadl.org
- Open Source Licence Checklists Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
- Access to Raw Data about Individual Licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
- Compatibility Matrix and Raw Data (registration required, limited access), https://www.osadl.org/fileadmin/checklists/matrix.html
- Licence Compliance Checklists – Detailed machine-readable checklists of licence obligations, prohibitions, compatibility and ancillary information, translating licence texts into actionable items (YOU MUST / YOU MUST NOT)
GNU GPL Licences Compatibility
- Matrix of GPL licences with detailed explanations, https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility
EUPL 1.2
- Licence Compatibility, Permissivity, Reciprocity and Interoperability – General explanation and exception list approach, https://joinup.ec.europa.eu/collection/eupl/licence-compatibility-permissivity-reciprocity-and-interoperability
- Matrix of EUPL Compatible Open Source Licences – What in-licences can be out-licensed under EUPL, https://joinup.ec.europa.eu/collection/eupl/matrix-eupl-compatible-open-source-licences
- How to Use the EUPL (What about compatibility issues?) – On use of components under EUPL with other licences, https://joinup.ec.europa.eu/collection/eupl/how-use-eupl#section-18
Creative Commons Licences Compatibility
- FAQ – Can I combine material under different Creative Commons licences in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work
[Creative Commons licence compatibility chart – image]
Select two works to combine or remix. Find the first work’s licence in the top row and the second in the first column. If a check mark appears at their intersection, the works can be combined. Use the more restrictive licence (the one further right or lower in the table) for the resulting work.
(From Creative Commons Wiki: CC License Compatibility)
Software Composition Analysis (SCA and Software Inventory) Tools
Commercial SCA tools and services:
- Mend Platform SCA – Scans dependencies and provides risk-based licence assessment, Understanding Risk Score Attribution and License Analysis
- GitLab Ultimate – Provides an integrated compliance feature that includes security and OSS licence checks via frameworks, pipelines, policies, and audits
- FOSSA – SCA tool for compliance and vulnerability management
- Black Duck – Tool for licence and security analysis
- JFrog Xray – Add-on for Artifactory that provides component analysis and compliance checking
- Snyk – SCA and vulnerability scanning platform detecting code vulnerabilities and dependencies, also covering containers and infrastructure as code
- Endor Labs – Tool for dependency management and risk assessment
OSS tools that perform SCA:
- OSS Review Toolkit (ORT) – Tool for automated licence and compliance checks
- Pivotal: LicenseFinder – Extracts licence data from package managers for multiple languages
- pip-licenses – Project for listing package licences in Python environments
- FOSSology – OSS licence analysis platform, GitHub repository
- QMSTR – Quartermaster – Toolchain and reporting framework under renewed development
- ScanCode-Toolkit – Analysis of project artefacts for licences and credits
- FASTEN Project / OSADL: License Compliance Verifier – Demonstrator using OSADL matrix and compatibility rules
- EOSC-Synergy: SQAaaS (Software Quality Assurance as a Service) – Checks for the presence of a LICENSE file with an OSI-approved licence as a part of a more extensive quality analysis (including compliance with the OSI Open Source Definition)
- MojoHaus License Maven Plugin – Introduction page, GitHub repository
Software Bill of Materials (SBOM) tools:
- Trivy – Generates SBOM
- Parlay – Enriches an SBOM with third-party data
- Syft – Generates SBOMs from container images and filesystems
- Tern – Container analysis tool; generates SBOMs for container images and Docker files
- CycloneDX Tool Center – Marketplace of tools and solutions to optimize and secure the software supply chain
- Anchore Syft/Grype – SBOM generation and vulnerability analysis
- Ortelius – Microservice SBOM and dependency tracking
- DependencyTrack – Continuous monitoring of components and licences using SBOM input
Ideally, SCA and SBOM tools should be integrated into the CI/CD process/pipeline for continuous monitoring of dependencies and compliance.
GÉANT resources:
- GÉANT Software Composition Analysis – Information on Mend setup assistance and scan software review services provided by WP9T2
- Mend Short Guide for End Users
- Automated Mend Scans with Bamboo
Other guides and tool lists:
- Medium: Integrating SCA into the CI/CD Pipeline - A Step-by-Step Guide
- SPDX Community Tools – SPDX-related automation tools
Artefact Creation and Compliance Guides and Tools
- GÉANT
  - Software Artefacts Checklist
  - Templates and Examples for Software Project Artefacts (for GÉANT participants)
  - Software Licence Selection and Management in GÉANT – Guidance on compliance and artefact preparation
- README creation tools
  - Make a README – Single-template Markdown editor with explanations for writing README files
  - Readme.so – Section-based templates and Markdown editor for creating structured READMEs
- Software Bill of Materials (SBOM) and dependency tools
  - SBOM Adoption: In Support of Better License Compliance and Software Security Practices – Article on SBOM use for licence compliance and software security
  - CycloneDX Guides and Resources – Guides on CycloneDX and supply chain risks
  - ClearlyDefined – Community-cleared metadata for open source components (licence, source, attribution)
  - Understand Your Dependencies – Google’s dependency and licence data explorer
- Other resources
  - Google: Open Source Documentation – Detailed internal-style guidance on licence use and compliance
  - REUSE Initiative (FSFE) – Embedding licence metadata in source code and documentation
Compliance Frameworks and Governance
- In GÉANT, Intellectual Property Rights (IPR) is managed by the IPR Coordinator in line with the GÉANT IPR Policy, with the support from the SLM team
- ISO/IEC 5230:2020 OpenChain – The full compliance specification text
- ISO/IEC 18974:2023 Open Source Security Assurance – Companion to OpenChain for integrating security controls.
- Linux Foundation: Open Compliance Program – Templates, processes, and documentation for compliance governance
- OSPO Alliance: Good Governance Initiative (GGI) – blueprint by European open source organisations to help implement corporate-wide open source policies, and set up OSPOs
- TODO Group: Guides – Practical OSPO and compliance guides used across large organisations
- OpenChain Project – Resources for open source compliance: the project’s main page and specification document, and OpenChain Reference Library with curated collection of policies, training material, and compliance checklists
- Open Source Program Offices (OSPOs)
  - Linux Foundation: Creating an Open Source Program – Guidance on establishing an OSPO
  - FOSSA: Building an Open Source Program Office (OSPO) – Blog post on setting up and managing an OSPO
EU Policy and Context
- Interoperable Europe Academy – Courses on interoperability, openness, and EUPL
- European Commission’s Open Source Observatory (OSOR) – Repository of public-sector OSS policies, studies, and licence analyses
- Open Source Strategy of the European Commission (2020–2023) (PDF) – EU-level OSS governance context
Advanced and Comparative Legal Resources
- Harvard Berkman Klein Center – Academic resources on law, governance, and society, including publications on OSS, policy and licensing
- Software Freedom Law Center (SFLC) Publications – Legal guides, white papers, and case studies on licensing and OSS compliance
- OpenForum Europe (OFE) – Research and policy recommendations on OSS, open standards, and digital infrastructure in Europe
Licence selection tools
- Choose an open-source license, https://choosealicense.com/
- Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
- Creative Commons (CC) licence chooser
Mend resources
- Understanding licence data and compatibility in Mend, https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html
- More on Mend setup assistance, Mend scan analysis and other GÉANT software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews
Alternative software inventory tools
Ideally, compliance should be continuously monitored as a part of the build process.
- FOSSology, https://www.fossology.org/
- QMSTR (Quartermaster), toolchain and reports – development was stalled and has now resumed, https://qmstr.org/
- Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
Useful commands, when in the repository folder:

```shell
# build the project with Maven so that all dependencies are resolved
mvn clean install
# scan for copyrights (-c) and licences (-l) using 10 processes (-n 10), writing results as CSV
~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out.csv ../
```
- License Compliance Verifier (LCV), Demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance
Compliance methodology
- In GÉANT, IPR is managed by the IPR Coordinator
- OpenChain
- Start page, https://www.openchainproject.org/
- Specification, https://wiki.linuxfoundation.org/_media/openchain/openchainspec-current.pdf
Open Source Programs Office - https://www.linuxfoundation.org/tools/creating-an-open-source-program/ https://fossa.com/blog/building-open-source-program-office-ospo/