Table of Contents
| Table of Contents |
|---|
This page provides an overview of various tools and resources for selecting, checking and selecting managing open-source software licences and their compatibility.
Overall information and licence lists
- old_Software licence selection and management in GÉANT
- Important licences for licence selection
- Open Source Software Licences in GN4-3 and GN5-1 GÉANT Project: Current State and Recommendations whitepaper with a brief explanation of licence types and tables with 20 frequent licences (in GÉANT) in Appendix A
- Detailed database of licences – a set of sheets, with the first one providing an integral view of key licence characteristics
- Top open source licenses and legal risk for developers, top 20 categorised by risk, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/
Mend – Open Source Licenses in 2022: Trends and Predictions, https://www.mend.io/resources/blog/open-source-licenses-trends-and-predictions/
- Standardised SPDX licence codes and licence texts, https://spdx.org/licenses/
- University of Pittsburgh Library System – Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
- Mend – Open Source Licenses Explained, https://www.mend.io/resources/blog/open-source-licenses-explained/
- Free Software Foundation's free software licences and Non-free Software Licenses, classified individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
- Open Source Initiative (OSI) approved licenses
- By category, https://opensource.org/licenses/category
- Alphabetical, https://opensource.org/licenses/alphabetical
Permissive and copyleft licences
(Based on materials from ORCRO)
Permissive licences have simple requirements – to credit original work, describe changes, provide a disclaimer, etc. Copyleft licences (“reciprocal”, “protective”, “restrictive”, derogatory: “viral”) require the rights to be preserved in derivative works. If you use any components (libraries) with copyleft, you are obliged to make derived source code available, which may include the entire product/project!
- Permissive – do anything
- MIT – short and simple
- ISC (OpenBSD) – further shortened equivalent
- BSD – some versions require including the disclaimer
- Apache 2.0 – requires notice of changes, grants a license to patents unless litigating and mentions the preservation of trademark rights
- Weak copyleft – file (library) scope
- MPL 2.0 – simple, allows static linking and licence variants with additional terms
- LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
- LGPL 3.0 – grants the use of patents; the end-user must be able to install a modified version – it prohibits closed devices, DRM or hardware encryption or patents retaliation; compatible with Apache 2.0
- Strong copyleft – project scope
- GPL 2.0 – often used
- GPL 3.0 – grants the use of patents, the end-user must be able to install modified software, compatible with Apache 2.0
- AGPL 3.0 (Affero) – network protective: external use of modified(!) code requires its availability – network use is a distribution of the software, modified source code must be available
- Proprietary – these licences restrict user rights and protect the commercial interests of copyright owners
Per-feature or tabular comparisons of licences and categorised lists
- Choose an open-source license, https://choosealicense.com/appendix/
- Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
- DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
- All, https://enterprise.dejacode.com/licenses/
- Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
- Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
- Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
- Wikipedia tables and classified lists
- GPL-compatible licences are listed in the 'GPL (v3) compatibility' column of the table at https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals
- Creative Commons – Can I combine material under different Creative Commons licenses in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work
- The Appendix A of the whitepaper for GÉANT participants provides key characteristics of the 20 most frequently used software licences in GÉANT software projects.
Licence compatibility
GPL licences compatibility
Arrows are transitive and go from licences of the components toward the licence of your project
(From https://www.gnu.org/licenses/quick-guide-gplv3.html)
Above, per the dotted line, “GPL 2 only” is not compatible with GPL 3”, but ”GPL 2 or later” is. A more detailed view with precisely stated licences:
(From David A. Wheeler 2007, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html, SVG variant: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)
On AGPL compatibility:
- (L)GPL 3.0(+) components can be used in software under AGPL, thanks to an explicit rule in GPL
- Code under AGPL cannot be used in (L)GPL projects unless dual-licensed
Relationship between most used licences in GÉANT
Following is a graph of licences that are most frequently used in GÉANT projects that were scanned using the Mend tool. It is based on the two previous graphs.
Dual and multi-licensing
- Dual and multi-licences can help avoid licence compatibility issues, making the use of components more flexible.
- You can choose a licence compatible with the one used for your software. But you cannot dual-license your software to match some components with one licence and others with another. Licences of all used components must be compatible with all of your licences.
- “Or later”(often expressed as “+”) licence variants imply the applicability of later, possibly still non-existing, versions of these licences. This is sometimes implied unless you explicitly decline it.
- Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL), while EUPL comes with a full list of licences it can be combined with.
Licence compatibility matrices or checkers
Joinup Licensing Assistant – Compatibility Checker, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker
Licence Compatibility Checker software
In-licences (licences of components) are in rows and out-licences are in columns:
(Source: https://github.com/HansHammel/license-compatibility-checker)
Open Source Automation Development Lab (OSADL) matrix and rules
In-licences are in columns and out-licences are in rows:
(Source: Meeker, H., & von Wendorff, C. (2019). Fulfilling open source license obligations: Can checklists help?, https://events19.linuxfoundation.org/wp-content/uploads/2018/07/OSLS-2019-Fulfilling-Open-Source-license-obligations-Can-checklists-help.pdf)
More at
OSADL site, www.osadl.org
Open Source License Checklists Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
- Raw data about individual licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
- Matrix, https://www.osadl.org/fileadmin/checklists/matrix.html (registration needed, currently restricted to project participants)
GNU GPL licences compatibility
- Matrix of GPL and LGPL licences with detailed explanations, https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility
EUPL 1.2
Licence Compatibility, Permissivity, Reciprocity and Interoperability, general explanation and exception list approach, https://joinup.ec.europa.eu/collection/eupl/licence-compatibility-permissivity-reciprocity-and-interoperability
Matrix of EUPL compatible open source licences, what in-licences can be out-licensed under EUPL, https://joinup.ec.europa.eu/collection/eupl/matrix-eupl-compatible-open-source-licences
How to use the EUPL (What about compatibility issues?), on the use of components under EUPL with other licences, https://joinup.ec.europa.eu/collection/eupl/how-use-eupl#section-18
Creative Commons licences
Can I combine material under different Creative Commons licenses in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work
Risks of licences
Risk mitigation against potentially harmful legal threats or behaviours by free-software licences
...
Frequently used protective and permissive licenses
...
AGPLv3
...
GPLv3
...
GPLv2.1
...
LGPLv3
...
LGPLv2.1
...
MPL-2
...
BSD
...
...
Yes
...
No
...
No
...
No
...
No
...
No
...
No
...
...
Yes
...
Yes
...
No
...
Yes
...
No
...
No
...
No
...
...
Yes
...
Yes
...
No
...
Yes
...
No
...
No
...
No
...
Proprietization
...
Yes
...
Yes
...
Yes
...
Partial
...
Partial
...
Partial
...
No
...
Granularity/reach
...
Project
...
Project
...
Project
...
Library
...
Library
...
File
...
N/A
...
Trademark grant
...
Yes
...
Yes
...
?
...
Yes
...
?
...
No
...
No
(Source: https://en.wikipedia.org/wiki/Free-software_license)
Mend resources
- Understanding of licence data and compatibility in Mend, https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html
- More on Mend setup assistance, Mend scan analysis and other GÉANT software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews
Other software composition analysis (SCA, software inventory) tools
Ideally, compliance should be continuously monitored as a part of the build process.
Commercial SCA tools and services:
- The GitLab Ultimate licence compliance feature, available with the GitLab Ultimate licence and integrated into the GitLab user interface, can be integrated into GitLab-managed CI/CD pipelines, https://docs.gitlab.com/ee/user/compliance/license_compliance/
- FOSSA Open Source License Compliance Manager and Open Source Vulnerability Scanner, https://fossa.com/product/open-source-license-compliance
- Black Duck Software Composition Analysis, https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html
- JFrog Xray, an add-on for Artifactory, https://jfrog.com/xray/
- Snyk, detecting and fixing code vulnerabilities, dependencies, containers, and infrastructure as code, https://snyk.io/
- Endor Labs, https://www.endorlabs.com/
OSS tools that perform SCA:
- ORT, https://github.com/oss-review-toolkit/ort
- Project in Python: Pytpip-licenses, https://pypi.org/project/pip-licenses/
- LicenseFinder from package manager data for projects in Ruby, Python, Node.js, Bower, Nuget, Golang, and Java, https://github.com/pivotal/LicenseFinder
- The SPDX SBOM Generator creates SPDX SBOMs from application package managers or build systems, https://github.com/opensbom-generator/spdx-sbom-generator
- The Tern SCA tool and Python library generate an SBOM for container images and Docker files, https://github.com/tern-tools/tern
- FOSSology, https://www.fossology.org/
- QMSTR (Quartermaster), toolchain and reports – it was stalled, now back to progress, https://qmstr.org/
- Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
Useful commands, when in the repository folder:mvn clean install
~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out .csv ../
- The License Compliance Verifier (LCV), demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance
- SQAaaS (Software Quality Assurance as a Service), checks for the presence of a LICENSE file with an OSI-approved licence as a part of a more extensive quality analysis (however, only compliance with the OSI Open Source Definition is required), https://sqaaas.eosc-synergy.eu/
- License Maven Plugin
Licence selection tools and resources
...
...
compatible use in software projects. The structured list and illustrations of licence relationships support GÉANT’s software development and licence compliance practices.
Core GÉANT Resources
- Software Licence Selection and Management in GÉANT – Main guidance on selecting, checking and managing OSS licences
- Open Source Licences Used in GÉANT – Descriptions and cheat sheet for GÉANT
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- FAQ – Software Licensing Practices
Supporting and Background Material
- OSS Licences and Licence Selection – Overview of licence types and concepts
- Open Source Software Licences in GN4-3 and GN5-1 GÉANT Project: Current State and Recommendations – GÉANT white paper
- Detailed Database of Licences – Excel sheets providing extensive data for licence comparison
Learning and Training Resources
GÉANT Courses and Workshops
- Open Source Licensing and Compliance, 17 February 2022 (recording and slides)
- Licence Dependencies Analysis with WhiteSource, 2 March 2022 (recording and slides)
Open Source Software Licensing Workshop for Software Developers, 23–24 November 2022 (recording and slides??)
- Introduction to Open Source Licensing and Compliance, 5–6 April 2023 (recording and slides)
Infoshare: OSS Licensing and Licence Compliance Guidelines for Software Developers, 12 March 2024 (RECORDING COMING SOON, slides)
- Infoshare: Boost Trust in Your Open Source Software – GÉANT Certificates, 27 November 2025 (COMING SOON, https://events.geant.org/event/1974/)
- Software Governance eAcademy Courses:
Authoritative Sources
FSF: Free Software Licences and Non-free Software Licences – Classification and GPL compatibility
- OSI: Licenses – Searchable list of approved licences
- OSI: Licence Review Archive – Record of approval discussions and rationale
- Software Package Data Exchange (SPDX): Specification and SPDX License List with standardised codes and texts
- Black Duck: Guide to Open Source Licenses – Overview of key licence types
- Mend: Top Open Source Licenses Explained
- University of Pittsburgh Library System: Copyright and Intellectual Property Toolkit
Licence Selection and Comparison
- GitHub: Choosealicense.com: Choose an Open-Source License – Simple guidance on selecting OSS licences, with list of common licences and comparison appendix
- Interoperable Europe: Licensing Assistant – Find and Compare Software Licenses
- DejaCode: Licence Finder – Filter by category, text and characteristics (All, Permissive, Weak Copyleft, Strong Copyleft)
- Wikipedia: Comparison of Free and Open Source Software Licences with categorised lists (All, Permissive, Copyleft), “GPL (v3) compatibility” column of the Approvals table
- Creative Commons: Licence Chooser – Tools for selecting Creative Commons licences
NI4OS-Europe: License Clearance Tool (LCT) – Suggests suitable licences for open source and research outputs
tl;drLegal – Plain-language summaries of OSS licences, conditions, and limitations (helpful for quick comparison)
- FOSSA Blog – Articles on licence compliance, SBOMs, and licences (“Open Source Software Licenses 101” series)
Top Lists and Brief Comparisons
- Black Duck: Top Open Source Licenses and Legal Risk for Developers – Top 20 licences categorised by risk
- OSI: Top Open Source Licenses in 2024
Licence Compatibility
Overview of Permissive and Copyleft Licences
Based on materials from ORCRO:
Permissive licences have simple requirements such as crediting the original work, describing changes, and providing a disclaimer. Copyleft licences (reciprocal, protective, restrictive, or, derogatorily, viral) require rights to be preserved in derivative works. Using components (libraries) with copyleft may oblige to make derived source code available, which may include the entire product or project.
- Permissive – do anything
- MIT – short and simple
- ISC (OpenBSD) – further shortened equivalent
- BSD – some variants require inclusion of disclaimer
- Apache 2.0 – requires notice of changes, grants a licence to patents unless litigated, and preserves trademark rights
- Weak copyleft – file or library scope
- MPL 2.0 – simple, allows static linking and licence variants with additional terms
- LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
- LGPL 3.0 – grants patent use; end users must be able to install modified versions; prohibits closed devices, DRM, hardware encryption, or patent retaliation; compatible with Apache 2.0
- Strong copyleft – project scope
- GPL 2.0 – widely used
- GPL 3.0 – grants patent use; users must be able to install modified software; compatible with Apache 2.0
- AGPL 3.0 (Affero) – network-protective: external use of modified code requires its availability; network use counts as distribution
- Proprietary – restrict user rights and protect the commercial interests of copyright holders
GPL Licence Compatibility
This diagram illustrates compatibility relationships between different free software licences. Arrows are transitive and go from the licences of components towards the licence of your project.
(From GNU: Quick Guide to GPLv3 Compatibility)
Above, the dotted line indicates that “GPL 2 only” is not compatible with “GPL 3”, but “GPL 2 or later” is.
(From David A. Wheeler, 2007: FLOSS Licence Slide, SVG on Wikipedia)
- FSF: Frequently Asked Questions about the GNU Licenses – GPL licence family-related compliance and compatibility clarifications, GPL and LGPL Compatibility Matrix with detailed explanations
- AGPL compatibility:
- (L)GPL 3.0(+) components can be used in software under AGPL, due to an explicit rule in GPL.
- Code under AGPL cannot be used in (L)GPL-licensed projects unless dual-licensed.
Special Requirements and Risk Handling in GPL Licences
Some licences prohibit or require certain practices or behaviours, which may lead to risks of legal threats. These should be addressed or mitigated.
Frequently used protective and permissive licenses | |||||||
AGPLv3 | GPLv3 | GPLv2.1 | LGPLv3 | LGPLv2.1 | MPL-2 | BSD | |
Yes | No | No | No | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Proprietization | Yes | Yes | Yes | Partial | Partial | Partial | No |
Granularity/reach | Project | Project | Project | Library | Library | File | N/A |
Trademark grant | Yes | Yes | ? | Yes | ? | No | No |
(From Wikipedia – Free-software licence)
EUPL 1.2 Compatibility
(From Interoperable Europe: EUPL – Licence Compatibility, Permissivity, Reciprocity and Interoperability)
Interoperable Europe matrices and guidance:
- Licence Compatibility, Permissivity, Reciprocity and Interoperability – General explanation and exception list
- Matrix of EUPL Compatible Open Source Licences – Mapping of in-licences to EUPL and out-licensing
- How to Use the EUPL (Primarily: What about compatibility issues?) – Guidance on components under EUPL with other licences
Relationship Between the Most Used Licences in GÉANT
The following graph provides a visual overview of most frequently used licences in GÉANT projects.
Dual and Multi-Licensing Guidance and Implications
- Dual and multi-licensing can help avoid licence compatibility issues, and make component use more flexible.
You may choose a licence compatible with that used for your software. However, you cannot dual-licence your software by matching some components with one licence, and others with another. Licences of all used components must be compatible with all your licences.
“Or later” (often expressed as “+”) variants imply applicability of future, possibly non-existent, versions of those licences. This is sometimes assumed unless explicitly declined.
Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL); EUPL lists all licences it can be combined with.
Licence Compatibility Matrices and Checkers
In-licences (component licences) are in rows and out-licences are in columns.
(Source: GitHub – Licence Compatibility Checker)
Open Source Automation Development Lab (OSADL) Matrix and Rules
In-licences are in columns, out-licences in rows.
(Source: Meeker & von Wendorff, 2019, Fulfilling Open Source Licence Obligations: Can Checklists Help?)
More at the OSADL site:
- General information (osadl.org)
- Open Source Licence Checklists Overview
- Access to Raw Data about Individual Licences
- Compatibility Matrix and Raw Data (registration required, limited access)
- Licence Compliance Checklists – Detailed machine-readable checklists of licence obligations, prohibitions, compatibility and ancillary information, translating licence texts into actionable items (YOU MUST / YOU MUST NOT)
Creative Commons Licences Compatibility
Select two works to combine or remix. Find the first work’s licence in the top row and the second in the first column. If a check mark appears at their intersection, the works can be combined. Use the more restrictive licence (the one further right or lower in the table) for the resulting work.
(From Wiki/CC License Compatibility)
Software Composition Analysis (SCA and Software Inventory) Tools
Commercial SCA tools and services:
- Mend Platform SCA – Scans dependencies and provides risk-based licence assessment, Understanding Risk Score Attribution and License Analysis
- GitLab Ultimate – Provides an integrated compliance feature that includes security and OSS licence checks via frameworks, pipelines, policies, and audits
FOSSA – SCA tool for compliance and vulnerability management
Black Duck – Tool for licence and security analysis
JFrog Xray – Add-on for Artifactory that provides component analysis and compliance checking
Snyk – SCA and vulnerability scanning platform detecting code vulnerabilities and dependencies, also covering containers and infrastructure as code
Endor Labs – Tool for dependency management and risk assessment
OSS tools that perform SCA:
OSS Review Toolkit (ORT) – Tool for automated licence and compliance checks
- Pivotal: LicenseFinder – Extracts licence data from package managers for multiple languages
- pip-licenses – Project for listing package licences in Python environments
- FOSSology – OSS licence analysis platform, GitHub repository
QMSTR – Quartermaster – Toolchain and reporting framework under renewed development
ScanCode-Toolkit – Analysis of project artefacts for licences and credits
FASTEN Project / OSADL: License Compliance Verifier – Demonstrator using OSADL matrix and compatibility rules
EOSC-Synergy: SQAaaS (Software Quality Assurance as a Service) – Checks for the presence of a LICENSE file with an OSI-approved licence as a part of a more extensive quality analysis (including compliance with the OSI Open Source Definition)
MojoHaus License Maven Plugin – Introduction page, GitHub repository
Software Bill of Materials (SBOM) tools:
- Trivy – Generates SBOM
Parlay – Enriches an SBOM with third-party data
Syft – Generates SBOMs from container images and filesystems
Tern – Container analysis tool; generates SBOMs for container images and Docker files
- CycloneDX Tool Center – Marketplace of tools and solutions to optimize and secure the software supply chain
- Anchore Syft/Grype – SBOM generation and vulnerability analysis
- Ortelius – Microservice SBOM and dependency tracking
- DependencyTrack – Continuous monitoring of components and licences using SBOM input
Ideally, SCA and SBOM tools should be integrated into the CI/CD process/pipeline for continuous monitoring of dependencies and compliance.
GÉANT resources:
- GÉANT Software Composition Analysis – Information on Mend setup assistance and scan software review services provided by WP9T2
- Mend Short Guide for End Users
- Automated Mend Scans with Bamboo
Other guides and tool listss:
- Medium: Integrating SCA into the CI/CD Pipeline - A Step-by-Step Guide
- SPDX Community Tools – SPDX-related automation tools
Artefact Creation and Compliance Guides and Tools
- GÉANT
- Software Artefacts Checklist
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- Software Licence Selection and Management in GÉANT – Guidance on compliance and artefact preparation
- README creation tools
- Make a README – Single-template Markdown editor with explanations for writing README files
- Readme.so – Section-based templates and Markdown editor for creating structured READMEs
- Software Bill of Materials (SBOM) and dependency tools
- SBOM Adoption: In Support of Better License Compliance and Software Security Practices – Article on SBOM use for licence compliance and software security
- CycloneDX Guides and Resources – Guides on CycloneDX and supply chain risks
- ClearlyDefined – Community-cleared metadata for open source components (licence, source, attribution)
- Understand Your Dependencies – Google’s dependency and licence data explorer
- Other resources
- Google: Open Source Documentation – Detailed internal-style guidance on licence use and compliance
- REUSE Initiative (FSFE) – Embedding licence metadata in source code and documentation
Compliance Frameworks and Governance
- In GÉANT, Intellectual Property Rights (IPR) is managed by the IPR Coordinator in line with the GÉANT IPR Policy, with the support from the SLM team
- ISO/IEC 5230:2020 OpenChain – The full compliance specification text
- ISO/IEC 18974:2023 Open Source Security Assurance – Companion to OpenChain for integrating security controls.
- Linux Foundation: Open Compliance Program – Templates, processes, and documentation for compliance governance
- OSPO Alliance: Good Governance Initiative (GGI) – blueprint by European open source organisations to help implement corporate-wide open source policies, and set up OSPOs
- TODO Group: Guides – Practical OSPO and compliance guides used across large organisations
- OpenChain Project – Resources for open source compliance: the project’s main page and specification document, and OpenChain Reference Library with curated collection of policies, training material, and compliance checklists
- Open Source Program Offices (OSPOs)
Linux Foundation: Creating an Open Source Program – Guidance on establishing an OSPO
FOSSA: Building an Open Source Program Office (OSPO) – Blog post on setting up and managing an OSPO
EU Policy and Context
- Interoperable Europe Academy – Courses on interoperability, openness, and EUPL
- European Commission’s Open Source Observatory (OSOR) – Repository of public-sector OSS policies, studies, and licence analyses
- Open Source Strategy of the European Commission (2020–2023) (PDF) – EU-level OSS governance context
Advanced and Comparative Legal Resources
- Harvard Berkman Klein Center – Academic resources on law, governance, and society; publications on OSS, policy and licensing:
- Software Freedom Law Center (SFLC) Publications – Legal guides, white papers, and case studies on licensing and OSS compliance
- OpenForum Europe (OFE) – Research and policy recommendations on OSS, open standards, and digital infrastructure in Europe
Compliance methodology
- In GÉANT, IPR is managed by the IPR Coordinator
- OpenChain
- Start page, https://www.openchainproject.org/
- Specification, https://wiki.linuxfoundation.org/_media/openchain/openchainspec-current.pdf
Open Source Programs Office - https://www.linuxfoundation.org/tools/creating-an-open-source-program/ https://fossa.com/blog/building-open-source-program-office-ospo/