Software Licensing Guides Series
- Software Licence Management
- Software Licence Selection and Management in GÉANT
- Open Source Licences Used in GÉANT
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- Software Artefacts Checklist
- FAQ – Software Licensing Practices
- OSS Licences and Licence Selection
- Reference Information about OSS Licences and Tools
- Glossary – Open Source Software and Licensing
Table of Contents
This page provides an overview of tools and resources for selecting, checking and managing open-source software licences and their compatible use in software projects. The structured list and illustrations of licence relationships support GÉANT’s software development and licence compliance practices.
Core GÉANT Resources
- Software Licence Selection and Management in GÉANT – Main guidance on selecting, checking and managing OSS licences
- Open Source Licences Used in GÉANT – Descriptions and cheat sheet for GÉANT
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- FAQ – Software Licensing Practices
Supporting and Background Material
- OSS Licences and Licence Selection – Overview of licence types and concepts
- Open Source Software Licences in GN4-3 and GN5-1 GÉANT Project: Current State and Recommendations – GÉANT white paper
- Detailed Database of Licences – Excel sheets providing extensive data for licence comparison
Learning and Training Resources
GÉANT Courses and Workshops
- Open Source Licensing and Compliance, 17 February 2022 (recording and slides)
- Licence Dependencies Analysis with WhiteSource, 2 March 2022 (recording and slides)
Open Source Software Licensing Workshop for Software Developers, 23–24 November 2022 (recording and slides??)
- Introduction to Open Source Licensing and Compliance, 5–6 April 2023 (recording and slides)
Infoshare: OSS Licensing and Licence Compliance Guidelines for Software Developers, 12 March 2024 (RECORDING COMING SOON, slides)
- Infoshare: Boost Trust in Your Open Source Software – GÉANT Certificates, 27 November 2025 (COMING SOON, https://events.geant.org/event/1974/)
- Software Governance eAcademy Courses:
Authoritative Sources
FSF: Free Software Licences and Non-free Software Licences – Classification and GPL compatibility
- OSI: Licenses – Searchable list of approved licences
- OSI: Licence Review Archive – Record of approval discussions and rationale
- Software Package Data Exchange (SPDX): Specification and SPDX License List with standardised codes and texts
- Black Duck: Guide to Open Source Licenses – Overview of key licence types
- Mend: Top Open Source Licenses Explained
- University of Pittsburgh Library System: Copyright and Intellectual Property Toolkit
Licence Selection and Comparison
- GitHub: Choosealicense.com: Choose an Open-Source License – Simple guidance on selecting OSS licences, with list of common licences and comparison appendix
- Interoperable Europe: Licensing Assistant – Find and Compare Software Licenses
- DejaCode: Licence Finder – Filter by category, text and characteristics (All, Permissive, Weak Copyleft, Strong Copyleft)
- Wikipedia: Comparison of Free and Open Source Software Licences with categorised lists (All, Permissive, Copyleft), “GPL (v3) compatibility” column of the Approvals table
- Creative Commons: Licence Chooser – Tools for selecting Creative Commons licences
NI4OS-Europe: License Clearance Tool (LCT) – Suggests suitable licences for open source and research outputs
tl;drLegal – Plain-language summaries of OSS licences, conditions, and limitations (helpful for quick comparison)
- FOSSA Blog – Articles on licence compliance, SBOMs, and licences (“Open Source Software Licenses 101” series)
Top Lists and Brief Comparisons
- Black Duck: Top Open Source Licenses and Legal Risk for Developers – Top 20 licences categorised by risk
- OSI: Top Open Source Licenses in 2024
Licence Compatibility
Overview of Permissive and Copyleft Licences
Based on materials from ORCRO:
Permissive licences have simple requirements such as crediting the original work, describing changes, and providing a disclaimer. Copyleft licences (reciprocal, protective, restrictive, or, derogatorily, viral) require rights to be preserved in derivative works. Using components (libraries) with copyleft may oblige to make derived source code available, which may include the entire product or project.
- Permissive – do anything
- MIT – short and simple
- ISC (OpenBSD) – further shortened equivalent
- BSD – some variants require inclusion of disclaimer
- Apache 2.0 – requires notice of changes, grants a licence to patents unless litigated, and preserves trademark rights
- Weak copyleft – file or library scope
- MPL 2.0 – simple, allows static linking and licence variants with additional terms
- LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
- LGPL 3.0 – grants patent use; end users must be able to install modified versions; prohibits closed devices, DRM, hardware encryption, or patent retaliation; compatible with Apache 2.0
- Strong copyleft – project scope
- GPL 2.0 – widely used
- GPL 3.0 – grants patent use; users must be able to install modified software; compatible with Apache 2.0
- AGPL 3.0 (Affero) – network-protective: external use of modified code requires its availability; network use counts as distribution
- Proprietary – restrict user rights and protect the commercial interests of copyright holders
GPL Licence Compatibility
This diagram illustrates compatibility relationships between different free software licences. Arrows are transitive and go from the licences of components towards the licence of your project.
(From GNU: Quick Guide to GPLv3 Compatibility)
Above, the dotted line indicates that “GPL 2 only” is not compatible with “GPL 3”, but “GPL 2 or later” is.
(From David A. Wheeler, 2007: FLOSS Licence Slide, SVG on Wikipedia)
- FSF: Frequently Asked Questions about the GNU Licenses – GPL licence family-related compliance and compatibility clarifications, GPL and LGPL Compatibility Matrix with detailed explanations
- AGPL compatibility:
- (L)GPL 3.0(+) components can be used in software under AGPL, due to an explicit rule in GPL.
- Code under AGPL cannot be used in (L)GPL-licensed projects unless dual-licensed.
Special Requirements and Risk Handling in GPL Licences
Some licences prohibit or require certain practices or behaviours, which may lead to risks of legal threats. These should be addressed or mitigated.
Frequently used protective and permissive licenses | |||||||
AGPLv3 | GPLv3 | GPLv2.1 | LGPLv3 | LGPLv2.1 | MPL-2 | BSD | |
Yes | No | No | No | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Proprietization | Yes | Yes | Yes | Partial | Partial | Partial | No |
Granularity/reach | Project | Project | Project | Library | Library | File | N/A |
Trademark grant | Yes | Yes | ? | Yes | ? | No | No |
(From Wikipedia – Free-software licence)
EUPL 1.2 Compatibility
(From Interoperable Europe: EUPL – Licence Compatibility, Permissivity, Reciprocity and Interoperability)
Interoperable Europe matrices and guidance:
- Licence Compatibility, Permissivity, Reciprocity and Interoperability – General explanation and exception list
- Matrix of EUPL Compatible Open Source Licences – Mapping of in-licences to EUPL and out-licensing
- How to Use the EUPL (Primarily: What about compatibility issues?) – Guidance on components under EUPL with other licences
Relationship Between the Most Used Licences in GÉANT
The following graph provides a visual overview of most frequently used licences in GÉANT projects.
Dual and Multi-Licensing Guidance and Implications
- Dual and multi-licensing can help avoid licence compatibility issues, and make component use more flexible.
You may choose a licence compatible with that used for your software. However, you cannot dual-licence your software by matching some components with one licence, and others with another. Licences of all used components must be compatible with all your licences.
“Or later” (often expressed as “+”) variants imply applicability of future, possibly non-existent, versions of those licences. This is sometimes assumed unless explicitly declined.
Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL); EUPL lists all licences it can be combined with.
Licence Compatibility Matrices and Checkers
In-licences (component licences) are in rows and out-licences are in columns.
(Source: GitHub – Licence Compatibility Checker)
Open Source Automation Development Lab (OSADL) Matrix and Rules
In-licences are in columns, out-licences in rows.
(Source: Meeker & von Wendorff, 2019, Fulfilling Open Source Licence Obligations: Can Checklists Help?)
More at the OSADL site:
- General information (osadl.org)
- Open Source Licence Checklists Overview
- Access to Raw Data about Individual Licences
- Compatibility Matrix and Raw Data (registration required, limited access)
- Licence Compliance Checklists – Detailed machine-readable checklists of licence obligations, prohibitions, compatibility and ancillary information, translating licence texts into actionable items (YOU MUST / YOU MUST NOT)
Creative Commons Licences Compatibility
Select two works to combine or remix. Find the first work’s licence in the top row and the second in the first column. If a check mark appears at their intersection, the works can be combined. Use the more restrictive licence (the one further right or lower in the table) for the resulting work.
(From Wiki/CC License Compatibility)
Software Composition Analysis (SCA and Software Inventory) Tools
Commercial SCA tools and services:
- Mend Platform SCA – Scans dependencies and provides risk-based licence assessment, Understanding Risk Score Attribution and License Analysis
- GitLab Ultimate – Provides an integrated compliance feature that includes security and OSS licence checks via frameworks, pipelines, policies, and audits
FOSSA – SCA tool for compliance and vulnerability management
Black Duck – Tool for licence and security analysis
JFrog Xray – Add-on for Artifactory that provides component analysis and compliance checking
Snyk – SCA and vulnerability scanning platform detecting code vulnerabilities and dependencies, also covering containers and infrastructure as code
Endor Labs – Tool for dependency management and risk assessment
OSS tools that perform SCA:
OSS Review Toolkit (ORT) – Tool for automated licence and compliance checks
- Pivotal: LicenseFinder – Extracts licence data from package managers for multiple languages
- pip-licenses – Project for listing package licences in Python environments
- FOSSology – OSS licence analysis platform, GitHub repository
QMSTR – Quartermaster – Toolchain and reporting framework under renewed development
ScanCode-Toolkit – Analysis of project artefacts for licences and credits
FASTEN Project / OSADL: License Compliance Verifier – Demonstrator using OSADL matrix and compatibility rules
EOSC-Synergy: SQAaaS (Software Quality Assurance as a Service) – Checks for the presence of a LICENSE file with an OSI-approved licence as a part of a more extensive quality analysis (including compliance with the OSI Open Source Definition)
MojoHaus License Maven Plugin – Introduction page, GitHub repository
Software Bill of Materials (SBOM) tools:
- Trivy – Generates SBOM
Parlay – Enriches an SBOM with third-party data
Syft – Generates SBOMs from container images and filesystems
Tern – Container analysis tool; generates SBOMs for container images and Docker files
- CycloneDX Tool Center – Marketplace of tools and solutions to optimize and secure the software supply chain
- Anchore Syft/Grype – SBOM generation and vulnerability analysis
- Ortelius – Microservice SBOM and dependency tracking
- DependencyTrack – Continuous monitoring of components and licences using SBOM input
Ideally, SCA and SBOM tools should be integrated into the CI/CD process/pipeline for continuous monitoring of dependencies and compliance.
GÉANT resources:
- GÉANT Software Composition Analysis – Information on Mend setup assistance and scan software review services provided by WP9T2
- Mend Short Guide for End Users
- Automated Mend Scans with Bamboo
Other guides and tool listss:
- Medium: Integrating SCA into the CI/CD Pipeline - A Step-by-Step Guide
- SPDX Community Tools – SPDX-related automation tools
Artefact Creation and Compliance Guides and Tools
- GÉANT
- Software Artefacts Checklist
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- Software Licence Selection and Management in GÉANT – 2025 Update – Guidance on compliance and artefact preparation
- README creation tools
- Make a README – Single-template Markdown editor with explanations for writing README files
- Readme.so – Section-based templates and Markdown editor for creating structured READMEs
- Software Bill of Materials (SBOM) and dependency tools
- SBOM Adoption: In Support of Better License Compliance and Software Security Practices – Article on SBOM use for licence compliance and software security
- CycloneDX Guides and Resources – Guides on CycloneDX and supply chain risks
- ClearlyDefined – Community-cleared metadata for open source components (licence, source, attribution)
- Understand Your Dependencies – Google’s dependency and licence data explorer
- Other resources
- Google: Open Source Documentation – Detailed internal-style guidance on licence use and compliance
- REUSE Initiative (FSFE) – Embedding licence metadata in source code and documentation
Compliance Frameworks and Governance
- In GÉANT, Intellectual Property Rights (IPR) is managed by the IPR Coordinator in line with the GÉANT IPR Policy, with the support from the SLM team
- ISO/IEC 5230:2020 OpenChain – The full compliance specification text
- ISO/IEC 18974:2023 Open Source Security Assurance – Companion to OpenChain for integrating security controls.
- Linux Foundation: Open Compliance Program – Templates, processes, and documentation for compliance governance
- OSPO Alliance: Good Governance Initiative (GGI) – blueprint by European open source organisations to help implement corporate-wide open source policies, and set up OSPOs
- TODO Group: Guides – Practical OSPO and compliance guides used across large organisations
- OpenChain Project – Resources for open source compliance: the project’s main page and specification document, and OpenChain Reference Library with curated collection of policies, training material, and compliance checklists
- Open Source Program Offices (OSPOs)
Linux Foundation: Creating an Open Source Program – Guidance on establishing an OSPO
FOSSA: Building an Open Source Program Office (OSPO) – Blog post on setting up and managing an OSPO
EU Policy and Context
- Interoperable Europe Academy – Courses on interoperability, openness, and EUPL
- European Commission’s Open Source Observatory (OSOR) – Repository of public-sector OSS policies, studies, and licence analyses
- Open Source Strategy of the European Commission (2020–2023) (PDF) – EU-level OSS governance context
Advanced and Comparative Legal Resources
- Harvard Berkman Klein Center – Academic resources on law, governance, and society; publications on OSS, policy and licensing:
- Software Freedom Law Center (SFLC) Publications – Legal guides, white papers, and case studies on licensing and OSS compliance
- OpenForum Europe (OFE) – Research and policy recommendations on OSS, open standards, and digital infrastructure in Europe