Overall information and licence lists

• Open Source Software Licences in GN4-3 and GN5-1 GÉANT Project: Current State and Recommendations whitepaper

• GÉANT Open Source Licensing and Compliance workshop recording and slides, 5-6 April 2023
• GÉANT Introduction to Open Source Licensing and Compliance workshop recording and slides, 17 February 2022
• Licence Analysis with WhiteSource webinar, 2 March 2022 (workshop recording)

• What is Free Software? https://www.gnu.org/philosophy/free-sw.en.html

• Guide to open source licenses, overall description, https://www.synopsys.com/blogs/software-security/open-source-licenses/
• Top lists
  • Top open source licenses and legal risk for developers, top 20 categorised by risk, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/

  • Mend – Open Source Licenses in 2022: Trends and Predictions, https://www.mend.io/resources/blog/open-source-licenses-trends-and-predictions/

• Standardised SPDX licence codes and licence texts, https://spdx.org/licenses/
• University of Pittsburgh Library System – Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
• Mend – Open Source Licenses Explained, https://www.mend.io/resources/blog/open-source-licenses-explained/
• Free Software Foundation's free software licences and Non-free Software Licenses, classified individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
• Open Source Initiative (OSI) approved licenses
  • By category, https://opensource.org/licenses/category
  • Alphabetical https://opensource.org/licenses/alphabetical

Permissive and copyleft licences

(Based on materials from ORCRO)

Permissive licences have simple requirements – to credit original work, describe changes, provide a disclaimer, etc. Copyleft licences (“reciprocal”, “protective”, “restrictive”, derogatory: “viral”) require the rights to be preserved in derivative works. If you use any components (libraries) with copyleft, you are obliged to make derived source code available, which may include the entire product/project!

• Permissive – do anything
  • MIT – short and simple
  • ISC (OpenBSD) – further shortened equivalent
  • BSD – some versions require including the disclaimer
  • Apache 2.0 – requires notice of changes, grants licence to patents unless litigating and mentions preservation of trademark rights
• Weak copyleft – file (library) scope
  • MPL 2.0 – simple, allows static linking and licence variants with additional terms
  • LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
  • LGPL 3.0 – grants use of patents; the end-user must be able to install a modified version – it prohibits closed devices, DRM or hardware encryption or patents retaliation; compatible with Apache2.0
• Strong copyleft – project scope
  • GPL 2.0 – often used
  • GPL 3.0 – grants the use of patents, the end-user must be able to install modified software, compatible with Apache 2.0
  • AGPL 3.0 (Affero) – network protective: external use of modified(!) code requires its availability – network use is a distribution of the software, modified source code must be available
• Proprietary – typically restrict user rights and protect commercial interests of copyright owners

Per-feature or tabular comparisons of licences and categorised lists

• Choose an open-source license, https://choosealicense.com/appendix/
• Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
• DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
  • All, https://enterprise.dejacode.com/licenses/
  • Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
  • Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
  • Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
• Wikipedia tables and classified lists
  
  • All, https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences
  • Permissive, https://en.wikipedia.org/wiki/Category:Permissive_software_licenses
  • Copyleft, https://en.wikipedia.org/wiki/Category:Copyleft_software_licenses
• GPL-compatible licences are listed in the 'GPL (v3) compatibility' column of the table at https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals
• Creative Commons – Can I combine material under different Creative Commons licenses in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work

Licence compatibility

GPL licences compatibility

Arrows are transitive and go from licences of the components toward the licence of your project

(From https://www.gnu.org/licenses/quick-guide-gplv3.html)

Above, per the dotted line, “GPL 2 only” is not compatible with GPL 3”, but ”GPL 2 or later” is. A more detailed view with precisely stated licences:

(From David A. Wheeler 2007, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html, SVG variant: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)

On AGPL compatibility:

• (L)GPL 3.0(+) components can be used in software under AGPL, thanks to an explicit rule in GPL
• Code under AGPL cannot be used in (L)GPL projects unless dual-licensed

Dual and multi-licensing

• Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
• You can choose a licence compatible with the one used for your software. But you cannot dual-license your software to match some components with one and others with another licence. Licences of all used components must be compatible with all of your licences!
• “Or later”(often as “+”) licences variants imply the applicability of later, possibly still non-existing, versions of these licences. This is sometimes implied unless you explicitly decline it.
• Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL) – EUPL comes with the full and exhaustive list…

Licence compatibility matrices or checkers

Joinup Licensing Assistant – Compatibility Checker, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker

Licence Compatibility Checker software

In-licences (licences of components) are in rows and out-licences are in columns:

(From https://github.com/HansHammel/license-compatibility-checker)

Open Source Automation Development Lab (OSADL) matrix and rules

In-licences are in columns and out-licences are in rows:

(From https://events19.linuxfoundation.org/wp-content/uploads/2018/07/OSLS-2019-Fulfilling-Open-Source-license-obligations-Can-checklists-help.pdf)

More at

• OSADL site, www.osadl.org

• Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
• Raw data about individual licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
• Matrix, registration needed, https://www.osadl.org/fileadmin/checklists/matrix.html

GNU GPL licences compatibility 

• Matrix of GPL licences with detailed explanations, https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility

EUPL 1.2

• Licence Compatibility, Permissivity, Reciprocity and Interoperability, general explanation and exception list approach, https://joinup.ec.europa.eu/collection/eupl/licence-compatibility-permissivity-reciprocity-and-interoperability

• Matrix of EUPL compatible open source licences, what in-licences can be out-licensed under EUPL, https://joinup.ec.europa.eu/collection/eupl/matrix-eupl-compatible-open-source-licences

• How to use the EUPL (What about compatibility issues?), on use of components under EUPL with other licences, https://joinup.ec.europa.eu/collection/eupl/how-use-eupl#section-18

Creative Commons licences

• Can I combine material under different Creative Commons licenses in my work? https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work

Risks of licences

Risk mitigation against potentially harmful legal threats or behaviours by free-software licences

(From https://en.wikipedia.org/wiki/Free-software_license)

Licence selection tools

• Choose an open-source license, https://choosealicense.com/
• Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
• Creative Commons (CC) licence chooser
  • https://creativecommons.org/choose/
  • https://chooser-beta.creativecommons.org/

Mend resources

• Understanding of licence data and compatibility in Mend, https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html
• More on Mend setup assistance, Mend scan analysis and other GÉANT software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews

Alternative software inventory tools

Ideally, compliance should be continuously monitored as a part of the build process.

• FOSSology, https://www.fossology.org/
• QMSTR (Quartermaster), toolchain and reports – it was stalled, now back to progress, https://qmstr.org/
• Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
  Useful commands, when in the repository folder:

  mvn clean install
  ~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out .csv ../

• License Compliance Verifier (LCV), Demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance

Compliance methodology

• In GÉANT, IPR is managed by the IPR Coordinator
• OpenChain
  • Start page, https://www.openchainproject.org/
  • Specification, https://wiki.linuxfoundation.org/_media/openchain/openchainspec-current.pdf
• Open Source Programs Office
  • https://www.linuxfoundation.org/tools/creating-an-open-source-program/
  • https://fossa.com/blog/building-open-source-program-office-ospo/