Overall information and licence lists
- GÉANT Open Source Licensing and Compliance workshop slides, https://e-academy.geant.org/moodle/mod/resource/view.php?id=2869
What is Free Software? https://www.gnu.org/philosophy/free-sw.en.html
- Guide to open source licenses, https://www.synopsys.com/blogs/software-security/open-source-licenses/
- Top open source licenses and legal risk for developers, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/
- Standardised SPDX licence codes and licence texts, https://spdx.org/licenses/
- University of Pittsburgh Library System – Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
- WhiteSource – Open Source Licenses Explained, https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-explained/
- Free Software Foundation's free software licences and Non-free Software Licenses, classified individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
- Open Source Initiative (OSI) approved licenses
- By category, https://opensource.org/licenses/category
- Alphabetical https://opensource.org/licenses/alphabetical
Permissive and copyleft licenses
- Permissive licences have simple requirements – to credit original work, describe changes, provide disclaimer…
- Copyleft licences (“reciprocal”, “protective”, “restrictive”, derogatory: “viral”) require the rights to be preserved in derivative works
- If you use any components (libraries) with copyleft, you are obliged to make derived source code available, which may include the entire product/project!
- Permissive – do anything
- MIT – short and simple
- ISC (OpenBSD) – further shortened equivalent
- BSD – some versions require to include the disclaimer
- Apache 2.0 – requires notice of changes, grants licence to patents unless litigating and mentions preservation of trademark rights
- Weak copyleft – file (library) scope
- MPL 2.0 – simple, allows static linking and licence variants with additional terms
- LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
- LGPL 3.0 – grants use of patents; the end-user must be able to install a modified version – it prohibits closed devices, DRM or hardware encryption or patents retaliation; compatible with Apache2.0
- Strong copyleft – project scope
- GPL 2.0 – often used
- GPL 3.0 – grants use of patents, the end-user must be able to install modified software, compatible with Apache2.0
- AGPL 3.0 (Affero) – network protective: external use of modified(!) code requires its availability – network use is a distribution of the software, modified source code must be available
- Proprietary – typically restrict user rights and protect commercial interests of copyright owners
Per-feature or tabular comparisons of licences and categorised lists
- Choose an open-source license, https://choosealicense.com/appendix/
- Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
- DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
- All, https://enterprise.dejacode.com/licenses/
- Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
- Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
- Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
- Wikipedia tables and classified lists
- GPL compatible licenses are listed in the 'GPL (v3) compatibility' column of the table in https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals
Licence compatibility
GPL licences compatibility
Arrows are transitive and go from licences of the components toward the one of your project
(From https://www.gnu.org/licenses/quick-guide-gplv3.html)
Above, dotted line – “GPL 2 only” is not compatible with GPL 3”, but ”GPL 2 or later” is. A more detailed view with precisely stated licences:
(From David A. Wheeler 2007, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html, SVG variant: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)
On AGPL compatibility:
- (L)GPL 3.0(+) components can be used in software under AGPL, thanks to an explicit rule in GPL
- Code under AGPL cannot be used in (L)GPL projects unless dual-licensed
Dual and multi-licensing
- Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
- Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
- You can choose a licence compatible with the one used for your software. But you cannot dual-licence your software to match some components with one and others with another licence. Licences of all used components must be compatible with all of your licences!
- “Or later”(often as “+”) licenses variants just imply the applicability of later, possibly still non-existing, versions of these licences. This is sometimes implied unless you explicitly decline it.
- Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL) – EUPL comes with the full and exhaustive list…
License compatibility matrices or checkers
Joinup Licensing Assistant, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker
License Compatibility Checker software
In-licences (licences of components) are in rows, out-licences in columns:
(From https://github.com/HansHammel/license-compatibility-checker)
Open Source Automation Development Lab (OSADL) matrix and rules
In-licences are in columns, out-licences in rows:
More at
OSADL site, www.osadl.org
- Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
- Raw data about individual licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
- Matrix, registration needed, https://www.osadl.org/fileadmin/checklists/matrix.html
GNU GPL licences compatibility
- Matrix of GPL licences with detailed explanations, https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility
EUPL 1.2
- General explanation, https://joinup.ec.europa.eu/collection/eupl/licence-compatibility-permissivity-reciprocity-and-interoperability
- What in-licences can be out-licensed under EUPL, https://joinup.ec.europa.eu/collection/eupl/matrix-eupl-compatible-open-source-licences
- When components are under EUPL, https://joinup.ec.europa.eu/collection/eupl/how-use-eupl#section-18
Creative Commons licences
Risks of permissive licences
Risk mitigation against potentially harmful legal threats or behaviours by free-software licenses
Frequently used protective and permissive licenses | |||||||
AGPLv3 | GPLv3 | GPLv2.1 | LGPLv3 | LGPLv2.1 | MPL-2 | BSD | |
Yes | No | No | No | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Yes | Yes | No | Yes | No | No | No | |
Proprietization | Yes | Yes | Yes | Partial | Partial | Partial | No |
Granularity / reach | Project | Project | Project | Library | Library | File | N/A |
Trademark grant | Yes | Yes | ? | Yes | ? | No | No |
(From https://en.wikipedia.org/wiki/Free-software_license)
Licence selection tools
- Choose an open-source license, https://choosealicense.com/
- Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
- Creative Commons (CC) licence chooser
WhiteSource resources
- Understanding of licence data and compatibility in WhiteSource, https://whitesource.atlassian.net/wiki/spaces/WD/pages/483786970/Understanding+Risk+Score+Attribution+and+License+Analysis
- More on WhiteSource setup assistance, WhiteSource scan analysis and other GÉANT software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews
Alternative software inventory tools
Ideally, compliance should be continuously monitored as a part of the build process.
- FOSSology, https://www.fossology.org/
- QMSTR (Quortermaster), toolchain and reports – it was stalled, now back to progress, https://qmstr.org/
- Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
Useful commands, when in the repository folder:mvn clean install
~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out .csv ../
- License Compliance Verifier (LCV), Demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance
Compliance methodology
- In GÉANT, IPR is managed by the IPR Coordinator
- OpenChain, start from https://www.openchainproject.org/
- Open Source Programs Office