Software Licensing Guides Series
- Software Licence Management
- Software Licence Selection and Management in GÉANT
- Open Source Licences Used in GÉANT
- Templates and Examples for Software Project Artefacts (for GÉANT participants)
- Software Artefacts Checklist
- FAQ – Software Licensing Practices
- OSS Licences and Licence Selection
- Reference Information about OSS Licences and Tools
- Glossary – Open Source Software and Licensing
This work is licensed under CC BY-SA 4.0
As the term “licence” (and its US counterpart “license”) is used extensively in the descriptions below, it is not cross-referenced. Other frequently used terms include copyright, source code, distribution, compliance, dependency, and OSS.
- 0BSD – Zero-Clause BSD
- Public domain-equivalent permissive licence that does not require attribution, and is often preferred over CC0 for software due to specific legal wording regarding code.
- AGPL – GNU Affero General Public License
- Strong copyleft licence requiring source code disclosure to all users, even for networked or remote use (e.g. as a service), thereby closing the cloud gap.
- Apache License
- Permissive licence with patent protection, a patent retaliation clause, and patent grant for licensees. It requires a NOTICE file for attribution.
- Artistic License
- Permissive licence originating from the Perl ecosystem; version 2.0 clarifies its terms and is compatible with the GPL.
- Attribution
- Notice required by some licences (e.g. Apache, CC BY, and BSD) to preserve credit to original authors and contributors, reproduce the copyright statement, and indicate modifications.
- AUTHORS File
- Lists original authors and primary contributors for attribution and historical reference; contributor identities can be linked to emails or ORCID identifiers.
- Binaries
- Compiled executable files and other binary resources, as opposed to source code. In proprietary software, only the binaries are typically distributed.
- BSD License
- Berkeley Software Distribution family of permissive licences with minimal distribution conditions, requiring retention of attribution notices.
- CC – Creative Commons
- Family of licences (CC BY, CC BY-NC, CC BY-NC-SA, CC BY-ND, and CC BY-SA) and the CC0 public-domain dedication for content, documentation artefacts, manuals, diagrams, and other materials that are not software.
- CC0 – Creative Commons Zero
- Public-domain dedication waiving copyright and related rights. It includes a fallback permissive licence for jurisdictions where waivers of copyright or moral rights are not recognised, ensuring global usability of works.
- CC BY – Creative Commons Attribution
- Licence allowing reuse and modification, including commercial use, with mandatory attribution and no restrictions on derivatives.
- CC BY-NC – Creative Commons Attribution-NonCommercial
- Like CC BY but prohibiting commercial use; not an OSS licence due to usage restriction.
- CC BY-NC-SA – Creative Commons Attribution-NonCommercial-ShareAlike
- Like CC BY-NC but requiring derivatives to use identical terms; copyleft equivalent with usage restriction.
- CC BY-ND – Creative Commons Attribution-NoDerivatives
- Licence permitting distribution and commercial use, with attribution, but forbidding distribution of modified versions.
- CC BY-SA – Creative Commons Attribution-ShareAlike
- Strong copyleft licence for content, requiring attribution and mandating that derivatives be distributed under identical terms. Similar to the GPL, but generally not compatible with software licences unless a specific compatibility clause (in version 4.0 for GPL 3.0) is invoked.
- CDDL – Common Development and Distribution License
- Weak copyleft licence, mainly used for Java projects. It allows linking with proprietary software, but is not compatible with the GPL.
- CHANGELOG File / Changelog / Change Log
- Record of notable changes between releases, relevant for licence compliance. Often written in Markdown, with entries following semantic versioning to indicate release levels and changes. See HISTORY File.
- CI – Continuous Integration
- Automated build and test process for software changes. It often integrates SCA and other tools, providing immediate feedback on dependencies with vulnerabilities and licence compliance.
- CI/CD – Continuous Integration / Continuous Delivery
- Automated pipeline covering CI, testing, and delivery of software to production or release environments. SCA can be applied to catch issues prior to deployment or release.
- CLA File – Contributor License Agreement
- Agreement granting rights to use, modify, and manage contributions; may include copyright transfer or sublicensing rights, and often requires signature.
- Closed Source Software
- Software distributed without source code access or modification rights, unlike OSS or source-available software.
- Cloud Gap / SaaS Loophole / ASP Loophole
- Situation where accessing software as a service over a network (remote use) avoids triggering strong copyleft obligations, as it is not physically distributed. This allows service providers to modify OSS and offer it as a service without releasing source code. This is addressed by network-protective licences like the AGPL.
- CODE_OF_CONDUCT File / Code of Conduct
- Document establishing standards for social and professional behaviour to ensure a safe, inclusive environment for all community participants. Unlike the CONTRIBUTING file’s focus on technical aspects of contribution, this governs social rules and conduct regarding etiquette and interaction.
- Commercial Licence
- Licence granting rights to use, modify, or distribute software for commercial purposes, often under restrictive proprietary software terms, and typically requiring payment or authorisation. These licences typically define usage restrictions not found in OSS licences.
- Commercial Software
- Software sold or licensed for profit, typically under a commercial licence or other restrictive proprietary software terms. It may involve trademarks or follow an Open Core model, where proprietary features are built atop community OSS through dual and multi-licensing.
- Compatibility
- A shorthand for licence compatibility, which is the ability to combine or distribute software under different licences without violating their terms. For example, using MIT components within a GPL project, or Apache 2.0 code with GPL 3.0 as the out-licence, requires applying the GPL to the combined work. It can be enhanced through dual and multi-licensing.
- Compliance
- Adherence to licence, patent, and security requirements. Requires maintaining compatibility and compliance artefacts. It may include notice retention and source code provision. Often guided by standards like OpenChain. Reviews may trigger remediation.
- Compliance Artefacts
- Documentation artefacts or files required for licence adherence, such as LICENSE, NOTICE, and COPYRIGHT files. They include notice retention obligations to preserve copyright and licence notices in distributions.
- CONTRIBUTING File
- Describes the process, rules, and technical standards (e.g. coding conventions, testing requirements, and bug reporting) for contributions. It is distinct from the CODE_OF_CONDUCT file, which governs social behaviour. It also references legal conditions, such as copyright transfer via a CLA or DCO.
- Contribution
- Any source code or documentation artefacts submitted to a project, typically governed by a CLA or DCO, forming part of the project’s copyright and licensing framework while respecting the contributor’s moral rights. See Upstream.
- CONTRIBUTORS File
- Lists contributors; less common than AUTHORS file, and used in large community-driven projects.
- COPYING File
- Traditional GNU-style filename, signalling adherence to free software conventions. It stores the full text of the licence, usually the GPL, and is equivalent to the LICENSE file.
- Copyleft
- Licensing principle requiring derivatives to remain under the same or a compatible licence, ensuring software freedom (e.g. GPL, AGPL). This is based on the principle of reciprocity.
- Copyright
- Legal IP protection granting exclusive rights to reproduce, distribute, and modify a work. It covers the source code, not the underlying ideas or functionality. Most OSS licences are based on copyright, which is distinct from a creator’s moral rights.
- COPYRIGHT File
- Lists copyright holders and years, providing a clear ownership record, often with related legal notices, such as a warranty disclaimer.
- Copyright Holder
- Individual or entity owning exclusive rights to a work and granting permissions via a licence, typically identified in the COPYRIGHT file. See Copyright.
- CVE – Common Vulnerabilities and Exposures
- System for referencing specific security vulnerabilities. SCA tools map dependencies to CVE lists to assess risk.
- DCO – Developer Certificate of Origin
- Lightweight alternative to a CLA, confirmed by a contributor’s “Signed-off-by” line in source code commits.
- Defensive Termination
- Licence clause serving as a deterrent against patent trolling by automatically terminating a licensee’s rights if they initiate patent litigation against the project or its contributors. See Patent Retaliation Clause.
- Dependency
- External component, library, or source code used by software, including both direct and transitive dependencies. Each typically carries an in-licence, and should be recorded in the dependency inventory or SBOM.
- Dependency Inventory
- Human-readable list of dependencies such as external libraries, frameworks, or essential tools, with versions and licences, often forming the basis for an SBOM.
- Derivative / Derivative Work
- Work based on or incorporating an existing copyrighted work, including modified versions. Under copyleft, it must use the same or a compatible licence, whereas licences like CC BY-ND explicitly prohibit modifications.
- Direct Dependency
- Library or component explicitly requested by the source code (e.g. listed in “package.json” or “requirements.txt”), as opposed to a transitive dependency which is pulled in by another dependency.
- Distribution
- Providing software to third parties, triggering licence compliance obligations such as providing source code or maintaining notice retention.
- Documentation Artefacts
- Technical or user-facing documents distributed with software, such as README, LICENSE, NOTICE, CHANGELOG, and CONTRIBUTING files, typically following the software’s licence. Some are covered by a documentation licence, which may differ from the software licence applied to the code.
- Documentation Licence
- Licence covering non-code and often separate materials, such as manuals, diagrams, presentations, tutorials, wikis, or multimedia. Projects often use Creative Commons licences (e.g. CC BY or CC BY-SA) to facilitate sharing, updating, and translation.
- Downstream
- Any project, organisation, or user that consumes, integrates, or distributes software from an upstream source. Downstream users inherit the compliance obligations defined by the out-licence of upstream software.
- Dual and Multi-Licensing
- Distribution under alternative licences (e.g. GPL and a commercial licence), including use of a secondary licence, allowing licensees to choose which applies. The licence chosen as an in-licence must be compatible with the out-licence or subsuming licence. It enables offering software as strong copyleft, and as proprietary software to commercial vendors.
- Dynamic Linking
- Linking external libraries at runtime rather than copying their code into the executable. Critical for compliance with the LGPL, as it allows the main application to remain proprietary software.
- Elastic License
- Source-available licence prohibiting offering the software as a managed service or bypassing its licence-key protections; these usage restrictions make it a typical fauxpen licence.
- EPL – Eclipse Public License
- Business-friendly weak copyleft licence that applies copyleft terms only to the file level, allowing proprietary software to link to the source code under it, but incompatible with the GPL.
- EULA – End User Licence Agreement
- Proprietary software licence defining rights and restrictions by which an end user may access and use the software.
- EUPL – European Union Public Licence
- EU-approved copyleft licence designed for interoperability, compatible with various OSS licences like the GPL.
- FAIR
- Findability, Accessibility, Interoperability, and Reusability; a set of guiding principles to improve data management in open science. In software, these are supported by thorough documentation artefacts and the REUSE specification.
- Fauxpen
- Software or licence presented as OSS but effectively controlled by the vendor, restricting true OSS freedoms (e.g. Elastic License or SSPL).
- Fork
- Divergent development path based on a specific version of a project; often used to continue work from the last OSS version in response to relicensing to a proprietary software licence, or to prepare an upstream contribution back to the original project.
- FOSS – Free and Open Source Software / FLOSS
- Software meeting free software criteria set by the FSF; FOSS licences are a subset of OSS licences. In FLOSS, L stands for libre to emphasise freedom rather than price.
- Free Software
- Software that respects users’ essential freedoms, as defined by the FSF: the freedom to run the program for any purpose, to study and change the source code, and to distribute copies (original or modified). It is “Free” in FOSS and “Libre” in FLOSS, emphasising liberty over price.
- Freeware
- Proprietary software available at no cost, but without the freedoms to modify or distribute source code inherent to free software or OSS.
- FSF – Free Software Foundation
- Organisation maintaining GNU and the free software definition, advocating for user freedoms, and publishing the GPL family of licences.
- FSFE – Free Software Foundation Europe
- Sister organisation of the FSF, promoting free software in Europe, and driving the REUSE initiative to standardise licensing information in source code.
- GNU – “GNU’s Not Unix”
- Project behind the GPL family of licences and a precursor to the Linux operating system, initiated by the FSF to develop a complete free software operating system.
- GPL – GNU General Public License
- Strong copyleft licence requiring derivatives to use the same licence. Versions 2.0 and 3.0 are not mutually compatible. The latter addresses the IoT gap.
- GSC – GÉANT Software Catalogue
- Catalogue of GÉANT software. Used by the LT for SLM and to track software assets and licence status.
- HISTORY File
- Equivalent to a CHANGELOG file, used mainly in older Unix, BSD, or GNU projects to track changes over time.
- In-Licence / Inbound Licence
- Licence of external components, libraries, or dependencies incorporated into a project, typically recorded in a dependency inventory or SBOM.
- IoT Gap / Tivoisation
- Incorporating OSS into hardware while using technical measures like digital signatures or hardware locks to prevent users from running modified versions on that device. It is addressed and prohibited by GPL 3.0.
- IP – Intellectual Property
- Creations of the mind protected by law through copyright, patents, trademarks, and design rights. A licence specifies how others may use such protected works.
- IPR – Intellectual Property Rights
- Legal rights over intangible creations, including copyright, patents, trademarks, and trade secrets. Effective SLM requires distinguishing between these rights, particularly when managing sideground IPR and dependencies.
- IPR Coordinator
- Role managing intellectual property rights and licence compliance, ensuring software projects follow the organisation’s IPR Policy for licence, IP, and contribution management.
- IPR Policy
- Policy governing intellectual property rights, guiding licence selection and organisational compliance standards.
- ISC License
- Simplified permissive licence created by the Internet Software Consortium (now Internet Systems Consortium). It allows unlimited commercial use, modification, and distribution provided the copyright notice and warranty disclaimer are preserved.
- ISO – International Organization for Standardization
- Organisation developing international standards, including the OpenChain specification for open source licence compliance and quality management.
- LGPL – GNU Lesser General Public License
- Weak copyleft licence permitting dynamic linking with differently licensed or proprietary software. Static linking is allowed if the user receives the source code and information required to rebuild the work with a modified version of the library.
- Licence
- Legal instrument granting permissions to use, modify, or distribute copyrighted or patented software. It sets obligations for the licensee, such as attribution or source code provision, without transferring ownership from the copyright holder. The US spelling of the noun, and the verb in both UK and US English, is license, which also appears in licence names and acronyms.
- LICENSE File
- File containing the full licence text, essential for legal compliance and distribution. See COPYING File.
- Licensee
- Individual or organisation granted specific rights to use or modify software under the terms of a licence.
- Licensing
- Governance of licence permissions, obligations, compliance artefacts, and dependency management; also granting permission to use intellectual property.
- LT – Licensing Team
- GÉANT team in charge of SLM, coordinating software licensing, compliance, and governance.
- MIT License / X11 License
- Simple permissive licence requiring attribution and notice retention, widely used for its brevity and compatibility.
- Moral Rights
- Personal, often non-transferable rights of creators to be named as the author (attribution), and to object to derogatory treatment of their work. These rights persist even if copyright is transferred to another entity.
- MPL – Mozilla Public License
- Weak copyleft licence permitting file-level mixing by treating source code files as individual copyright units. Modifications to files under MPL must remain under it, but files under other licences can be compiled together with them into a single binary.
- Network-Protective Licence
- Strong copyleft licences (such as the AGPL or SSPL) designed to close the cloud gap by treating use over a network (remote use) as distribution. This triggers the requirement to disclose the modified source code.
- NOTICE File
- File containing mandatory acknowledgements, attributions, and other licence-related notices required by out-licence and dependencies.
- Notice Retention
- Requirement to preserve copyright, licence texts, and attribution notices in all (re)distributions of the software.
- Open Core
- Business model where core functionality is OSS, while add-ons with advanced features (enterprise security, monitoring) are proprietary software or source-available software.
- OpenChain
- ISO/IEC standard for managing OSS in supply chains, providing guidelines for licence compliance, defining a core curriculum for OSS practices, and specifying conformance requirements for organisations.
- ORCID – Open Researcher and Contributor ID
- Persistent digital identifier uniquely distinguishing researchers and contributors. Often included in the AUTHORS file and CONTRIBUTORS file.
- OSI – Open Source Initiative
- Non-profit organisation that promotes OSS and manages the Open Source Definition (OSD). Licences are generally considered open source only if they have been approved by the OSI.
- OSPO – Open Source Program Office
- Unit managing OSS strategy, compliance, and engagement. In GÉANT, the IPR Coordinator oversees IP and compliance, while the LT implements day-to-day SLM processes.
- OSS – Open Source Software
- Software under licences recognised by the OSI or FSF that grant rights to use, modify, and distribute source code. It is often referred to as FOSS (or FLOSS) to explicitly include free software principles. Usage of software and licences is guided by an organisation’s IPR Policy, while an OSPO may promote adoption and manage strategy, contribution policies, and compliance.
- Out-Licence / Outbound Licence
- Licence applied to distributed software, which may differ from the in-licences of its dependencies. It defines the terms under which the downstream user can use the software.
- Patent
- Legal protection for inventions, designs, or processes, preventing unauthorised use or distribution for a fixed term. In OSS, patents are addressed via patent grants and retaliation clauses. In software, patents protect functionality or process, while copyright protects source code.
- Patent Grant
- Permission to use patents associated with the software and its contributions, typically covering rights held by contributors. This provision is designed to reduce legal uncertainty for users and distributors.
- Patent Retaliation Clause
- Licence term that serves as a defensive termination mechanism, revoking a licensee’s rights and the patent grant if they initiate patent litigation against the project or its contributors, also deterring patent trolling (e.g. Apache License).
- Patent Trolling
- Asserting patents to obtain fees or settlements; addressed in some licences through patent retaliation clauses.
- Permissive Licence
- Licence allowing use, modification, and distribution with minimal obligations, such as preserving copyright and licence text, and without imposing the same licence on derivatives (e.g. MIT, BSD, Apache, ISC, Artistic, and PSFL). These generally allow sublicensing without requiring a CLA.
- Proprietary Software
- Software distributed under highly restrictive terms (often in an EULA) limiting access, modification, or distribution, and typically sold as closed source software. It may involve trademarks, and be distributed as commercial software, freeware, or shareware.
- PSFL – Python Software Foundation License / Python License
- Permissive licences governing the Python interpreter and standard library, and granting broad rights to use, modify, and distribute Python with minimal conditions that include a notice and disclaimer requirement.
- Public Domain
- Works not protected by copyright, patent, or moral rights, due to expiration of IP protection or explicit waiver by the rights holder (e.g. via CC0 or Unlicense). In jurisdictions not recognising waivers, fallback permissive licences like 0BSD, Unlicense, or MIT-0 can be used.
- README File
- Documentation artefact providing an overview of a project, installation, and usage; typically written in Markdown to ensure clear formatting and readability.
- Reciprocity
- Principle requiring that rights granted under a licence (e.g. copyleft) must be extended to derivatives or distributed versions.
- Relicensing
- Changing the licence of existing software, often to improve compatibility or for commercial reasons; it must comply with the original licence or have the contributors’ consent. Relicensing to a fauxpen or commercial licence often results in a fork.
- Remediation
- Process of resolving identified issues in a software project, such as updating outdated dependencies with vulnerabilities, replacing incompatible licences or correcting missing notices, to restore compliance and reduce security or legal risk.
- Remote Use
- Use of software over a network (e.g. Software as a Service), rather than running a local copy. In standard copyleft licences, this does not trigger distribution obligations, whereas network-protective licences (like AGPL) treat this interaction as a trigger for source code disclosure.
- REUSE
- FSFE initiative defining standardised file headers, licence text and copyright notice placement, and metadata for automated compliance, aligning with FAIR principles through improved accessibility and interoperability of licensing information.
- SBOM – Software Bill of Materials
- Machine-readable dependency inventory of components and their licences, including transitive dependencies, often in SPDX or CycloneDX format, and with semantic versioning and provenance. It supports compliance, risk assessment, and FAIR principles by improving the findability and reusability of information.
- SCA – Software Composition Analysis
- Automated detection of dependencies, licences, and vulnerabilities (often using CVE identifiers) to support compliance, risk assessment, and remediation. Tools may be integrated into CI or CI/CD and include snippet detection and snippet matching.
- Secondary Licence
- Alternative licence permitted by a primary licence to facilitate compatibility with other open source licences.
- Semantic Versioning
- Standardised versioning scheme using MAJOR.MINOR.PATCH notation to communicate the scope of changes in software releases. Used in SBOM and CHANGELOG files.
- Shareware
- Proprietary software provided initially for free (often as a trial) with the expectation that the user will pay for continued use; distinctly different from OSS.
- Sideground IPR
- Intellectual property rights of third-party dependencies, or other copyrighted work incorporated into a project, requiring proper handling to ensure licence compliance.
- SLA – Software Licence Analysis
- Assessment of licensing in software projects within SLM, involving the identification and review of applicable licences, their compatibility, and compliance artefacts. It is distinct from the common acronym for “Service Level Agreement”.
- SLM – Software and Licence Management
- GÉANT subtask supported by the LT, relying on the GSC for software and access to compliance artefacts, and using SLA to assess compliance and risks.
- Snippet Detection
- Scanning source code during SCA to find short, often modified, fragments copied from external sources by checking code fingerprints. This helps detect undocumented or questionable code lacking attribution or licence acknowledgement, and is usually followed by snippet matching.
- Snippet Matching
- Verification of fragments identified during snippet detection by comparing them against a database of known source code to determine each snippet’s origin, licence, and degree of similarity to assess potential copyright infringement and compliance risk, guiding remediation.
- Source Code
- Human-readable form of software that is often compiled into binaries. It is the primary IP asset protected by copyright, and required for OSS status.
- Source-Available
- Licence or software with viewable source code that lacks full OSS freedoms due to restrictive terms (e.g. Elastic License, SSPL). Unlike Closed Source Software, the code is viewable and often modifiable, but the licence is fauxpen or contains usage restrictions that prevent it from being classified as OSS or FOSS.
- SPDX – Software Package Data Exchange
- Standard for machine-readable licence and component metadata, including standard identifiers (e.g. MIT, Apache-2.0, and BSD-3-Clause). It is widely used in SBOMs and REUSE headers for automated compliance checks.
- SSPL – Server Side Public License
- Network-protective, strong copyleft, and source-available licence requiring release of service management layer source code when providing a service. Its additional obligations on the surrounding service stack make it fauxpen.
- Static Linking
- Copying library code directly into the main executable binary. For weak copyleft licences like LGPL, this may trigger obligations to provide object code or source code to allow relinking.
- Strong Copyleft
- Licensing model requiring derivatives to remain under the same terms or licence (e.g. GPL, AGPL, EUPL, and CC BY-SA). SSPL is a strong copyleft source-available licence.
- Sublicensing
- Allowing a licensee to pass on certain rights to a third party without transferring copyright or changing licence terms; permissive licences allow it, copyleft licences restrict it to the same terms, and commercial licences usually forbid it.
- Subsuming Licence
- Licence that governs a combined work when incorporated dependencies impose conditions on the whole, similar to an out-licence but not necessarily implying distribution. “Subsuming into” means incorporating one work into a larger one so it becomes subject to that subsuming licence.
- Trademark
- Legally protected sign, name, logo, symbol, design, or other identifying mark distinguishing goods or services from those of others. In OSS, trademarks protect the identity and brand of the project, which is a form of IP separate from the code’s copyright.
- Transitive Dependency
- Dependency of a dependency, as opposed to a direct dependency listed in the project configuration. Their tracking is essential for SCA, SBOM accuracy, and licence compliance, as they may bring additional in-licences.
- Unlicense
- Text used to dedicate a work to the public domain by waiving all copyright and related rights. It includes a fallback permissive licence for jurisdictions where copyright or moral rights cannot be legally abandoned.
- Upstream
- Original project or repository from which source code is derived or consumed. Downstream projects build upon it or distribute its code, potentially triggering licence obligations and compliance requirements. Upstream contributions provide fixes, enhancements, or new features back to the original source to benefit all users.
- Usage Restriction
- Licence term limiting certain uses of the software, including military, nuclear, surveillance, or business models. Such restrictions (e.g. preventing commercial software distribution or remote use as a service) prevent a licence from qualifying as OSS or FOSS.
- Vulnerability
- Security flaw in software code that can be exploited to cause harm, compromise data, or gain unauthorised access. SCA tools identify known vulnerabilities in dependencies (often mapping them to CVE lists) and flag them for remediation.
- Warranty Disclaimer
- Clause stating that the software is provided “as is” without guarantees of fitness or quality. It protects the copyright holder and contributors from liability and is typically included in the LICENSE file or COPYRIGHT file.
- Weak Copyleft
- Copyleft scheme used by LGPL, MPL, EPL, and CDDL, where the obligation to share modifications applies only to the specific source code files or libraries, not the entire application. This allows linking with differently licensed or proprietary software.