Overall information and licence lists

GÉANT Open Source Licensing and Compliance workshop slides, https://e-academy.geant.org/moodle/mod/resource/view.php?id=2869
What is Free Software? https://www.gnu.org/philosophy/free-sw.en.html
Guide to open source licenses, https://www.synopsys.com/blogs/software-security/open-source-licenses/
Top open source licenses and legal risk for developers, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/
Standardised SPDX licence codes and licence texts, https://spdx.org/licenses/
University of Pittsburgh Library System – Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
WhiteSource – Open Source Licenses Explained, https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-explained/
Free Software Foundation's free software licences and Non-free Software Licenses, classified individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
Open Source Initiative (OSI) approved licenses
- By category, https://opensource.org/licenses/category
- Alphabetical https://opensource.org/licenses/alphabetical

Permissive and copyleft licenses

GEANT Software Development Support > Reference information about OSS licences and tools > image2022-2-23_16-15-26.png

Permissive licences have simple requirements – to credit original work, describe changes, provide disclaimer…
Copyleft licences (“reciprocal”, “protective”, “restrictive”, derogatory: “viral”) require the rights to be preserved in derivative works
If you use any components (libraries) with copyleft, you are obliged to make derived source code available, which may include the entire product/project!
Permissive – do anything
- MIT – short and simple
- ISC (OpenBSD) – further shortened equivalent
- BSD – some versions require to include the disclaimer
- Apache 2.0 – requires notice of changes, grants licence to patents unless litigating and mentions preservation of trademark rights
Weak copyleft – file (library) scope
- MPL 2.0 – simple, allows static linking and licence variants with additional terms
- LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
- LGPL 3.0 – grants use of patents; the end-user must be able to install a modified version – it prohibits closed devices, DRM or hardware encryption or patents retaliation; compatible with Apache2.0
Strong copyleft – project scope
- GPL 2.0 – often used
- GPL 3.0 – grants use of patents, the end-user must be able to install modified software, compatible with Apache2.0
- AGPL 3.0 (Affero) – network protective: external use of modified(!) code requires its availability – network use is a distribution of the software, modified source code must be available
Proprietary – typically restrict user rights and protect commercial interests of copyright owners

Per-feature or tabular comparisons of licences and categorised lists

Choose an open-source license, https://choosealicense.com/appendix/
Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
- All, https://enterprise.dejacode.com/licenses/
- Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
- Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
- Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
Wikipedia tables and classified lists
GPL compatible licenses are listed in the 'GPL (v3) compatibility' column of the table in https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals

Licence compatibility

GPL licences compatibility

A chart illustrating compatibility relationships between different free software licenses. For details, see the FSF's license list page.

(From https://www.gnu.org/licenses/quick-guide-gplv3.html)

Arrows are transitive and go from licences of the components toward the one of your project
Dotted line – “GPL 2 only” is not compatible with GPL 3”, but ”GPL 2 or later” is
AGPL
- (L)GPL 3.0(+) components can be used, thanks to an explicit GPL rule
- Code under AGPL cannot be used in (L)GPL projects unless dual-licensed

A more detailed view with precisely stated licences:

Floss license slide, showing connections from public domain to MIT, MIT to BSD-new, BSD-new to Apache and various versions of LGPL, LGPL to GPL, and GPL version 3 to Affero GPL version 3

(From David A. Wheeler 2007, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html, SVG variant: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)

Dual and multi-licensing

Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
You can choose a licence compatible with the one used for your software. But you cannot dual-licence your software to match some components with one and others with another licence. Licences of all used components must be compatible with all of your licences!
“Or later”(often as “+”) licenses variants just imply the applicability of later, possibly still non-existing, versions of these licences. This is sometimes implied unless you explicitly decline it.
Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL) – EUPL comes with the full and exhaustive list…

License compatibility matrices or checkers

Joinup Licensing Assistant, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker

License Compatibility Checker software

In-licences (licences of components) are in rows, out-licences in columns:

Licences

(From https://github.com/HansHammel/license-compatibility-checker)

Open Source Automation Development Lab (OSADL) matrix and rules

In-licences are in columns, out-licences in rows:

GEANT Software Development Support > Reference information about OSS licences and tools > image2022-2-23_16-23-56.png

(From https://events19.linuxfoundation.org/wp-content/uploads/2018/07/OSLS-2019-Fulfilling-Open-Source-license-obligations-Can-checklists-help.pdf)

More at

OSADL site, www.osadl.org
Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
Raw data about individual licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
Matrix, registration needed, https://www.osadl.org/fileadmin/checklists/matrix.html

Risks of permissive licences

Risk mitigation against potentially harmful legal threats or behaviours by free-software licenses

Frequently used protective and permissive licenses
	AGPLv3	GPLv3	GPLv2.1	LGPLv3	LGPLv2.1	MPL-2	BSD
SaaS/cloud	Yes	No	No	No	No	No	No
Tivoization	Yes	Yes	No	Yes	No	No	No
Patent trolling	Yes	Yes	No	Yes	No	No	No
Proprietization	Yes	Yes	Yes	Partial	Partial	Partial	No
Granularity / reach	Project	Project	Project	Library	Library	File	N/A
Trademark grant	Yes	Yes	?	Yes	?	No	No

(From https://en.wikipedia.org/wiki/Free-software_license)

Licence selection tools

Choose an open-source license, https://choosealicense.com/
Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
Creative Commons (CC) licence chooser
- https://creativecommons.org/choose/
- https://chooser-beta.creativecommons.org/

WhiteSource resources

Understanding of licence data and compatibility in WhiteSource, https://whitesource.atlassian.net/wiki/spaces/WD/pages/483786970/Understanding+Risk+Score+Attribution+and+License+Analysis
More on WhiteSource setup assistance, WhiteSource scan analysis and other GÉANT software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews

Alternative software inventory tools

Ideally, compliance should be continuously monitored as a part of the build process.

FOSSology, https://www.fossology.org/
QMSTR (Quortermaster), toolchain and reports – it was stalled, now back to progress, https://qmstr.org/
Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
Useful commands, when in the repository folder:
```
mvn clean install
~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out .csv ../
```

License Compliance Verifier (LCV), Demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance

Compliance methodology

In GÉANT, IPR is managed by the IPR Coordinator
OpenChain, start from https://www.openchainproject.org/
Open Source Programs Office
- https://www.linuxfoundation.org/tools/creating-an-open-source-program/
- https://fossa.com/blog/building-open-source-program-office-ospo/