
#84_spike_acceptable_licenses

Andrew edited this page Apr 17, 2019 · 1 revision

Spike Number: Issue 84

Spike Title: Acceptable Licenses

Andrew Davis
10/04/2019

Goals / Deliverables

A document listing some of the most common free and open source licenses, their interactions with other software, the requirements created through their use, and their compatibilities.

See what we found out

Technologies, Tools and Resources Used

Open Source Initiative license page
Free Software Foundation license list page

What we found out:

Software licenses are often long and complex and can have far-reaching consequences for the rest of the project. They must be taken into consideration when using libraries.

Permissive vs copyleft licenses:

Open source licenses can be placed on a spectrum between permissive and copyleft. Permissive licenses can be summed up as: anyone can use the code, with the only requirements being not to sue the copyright holders and to include a copy of the license when distributing the software (whether in binary or source form).

Copyleft licenses enforce that source code remains open. A copyleft license will typically require those distributing the software to make the source available under the same license to those receiving the binary or source code of the software.

How pervasive this becomes depends on the license. The AGPL, for example, extends the requirement to anyone who can use the software via a network service: if your web server is AGPL, anyone who can request a page from it is entitled to its source code. Some licenses also consider that by using them you agree that your larger product is a derived work, and thus the whole project must be made available under that license. Others are simpler and may only require that the source files under that license be made available, without affecting the entire project.

As we are going with a microservice architecture, each service can be considered its own project. Thus, if a microservice uses a library under a strict, strong copyleft license, it should only affect the licensing of that microservice.

Copyright attribution notices

Some source code files will include copyright attributions to individuals or organizations and the year, e.g. "Copyright FooBar corporation 2016". Unless the copyright has expired, ensure that these remain inside the files. If you modify these files, it may also be a good idea to include an attribution to Swinburne, e.g. "Copyright Swinburne University 2019".

BSD Licenses:

BSD 2 clause, BSD 3 clause
Tl;Dr: Use code with this license freely. The only requirement is we don't sue the copyright holders and provide a copy of the license with the software.

Use in project: Yes

BSD licenses are a family of permissive licenses coming from UC Berkeley. They originally had an attribution clause, which modern versions have removed.

Examples of projects using this license: BSD operating systems, OpenSSH, portions of Google's Chromium project, Bionic (Android's libc implementation).

MIT License:

MIT
Tl;Dr: Use code with this license freely. The only requirement is we don't sue the copyright holders and provide a copy of the license with the software.

Use in project: Yes

MIT is a permissive license that came out of MIT. It is essentially identical to modern BSD licenses.

Examples of projects using this license: Visual Studio Code's source (the binary is under a different license), Node.js, musl libc.

GNU Public License (GPL)

GPLv2, GPLv3
Tl;Dr: Strong copyleft. Anything that links with GPL code is considered a derived work under this license requiring the entire project be covered under the GPL.

Use in project: Yes, but consult first.

Anything that links either dynamically (at runtime) or statically (at compile time) is considered a derived work under this license, requiring the entire project be covered under the GPL. This only matters, though, when distributing binaries or source of our software to third parties. So using GPL libraries in services accessed over the network is fine.

There are different versions of the GPL which are incompatible with each other. Check carefully whether a license is GPLv2, GPLv2+ or GPLv3. GPLv2 and GPLv3 are incompatible. GPLv2+ can be combined with the GPLv3, or with a later version should the Free Software Foundation release an amended one.

Use GPL with caution. If unsure, see the Free Software Foundation's license list for whether another license is compatible.

Examples of projects using this license: Linux (GPLv2), GCC (was GPLv2, now GPLv3), Git (GPLv2), GNU coreutils (was GPLv2, now GPLv3)

GNU Library or "Lesser" General Public License (LGPL)

LGPLv2, LGPLv2.1, LGPLv3
Tl;Dr: If dynamically linked, the source code for -just- the library must be released upon redistribution. Keep reading for statically linked.

Use in project: Yes, but consult first.

A modified version of the GPL for use with libraries, where linking to the library won't make the project a derived work. Software dynamically linking to the library is not considered a derived work. The library code must be made available under the LGPL upon redistribution of the binary or source code.

If statically linked, you must release your entire project under the LGPL, OR you must provide the LGPL code and the object binaries of the non-LGPL code, with a way for a user to re-link them with a modified version of the LGPL code.

Examples of projects using this license: glibc, GTK, 7zip

Affero GNU Public License (AGPL)

AGPLv3
Tl;Dr: See GPL. The major change is that those who can make use of the software over a network are entitled to the source code.

Use in project: Avoid, but can be used with caution. Consult first.

See GPL. The main difference is that this license was created in response to the growing number of network-hosted services, by those wanting to ensure organizations using their code are required to provide it to their customers. For example, if you wrote a web server and licensed it under the AGPL, anyone who can make a request to your web server is entitled to a copy of the source code.

Examples of projects using this license: MongoDB (till late 2018), OwnCloud, Seafile, Launchpad

Apache License v2.0

Apache 2.0
Tl;Dr: Similar to MIT. The differences are that it covers patents and doesn't allow use of trademarks or product names in your derived product.

Use in project: Yes

The Apache 2.0 license is similar to the MIT license but much more verbose. It also includes sections on the patents that you grant to those using your code, and states that they are revoked if you litigate against a copyright holder.

Examples of projects using this license: Apache web server, Apache Tomcat, Android (not including Linux or Bionic libc), IntelliJ IDEA, Subversion

Mozilla Public License v2 (MPLv2)

MPLv2
Tl;Dr: File-based copyleft. The source code for the files under the MPLv2 must be made available when redistributing the software, and the greater work can be licensed however you like, with some exceptions.

Use in project: Yes.

MPLv2 allows the free use and distribution of source and binaries, provided the original code is made available when redistributing the software in binary or source form. The license doesn't spread to the greater project and applies on a file-by-file basis. The greater work of the project may be licensed under another license as long as the individual files remain available under the MPLv2. There are some exceptions, best summed up by the license text itself:

If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).

I.e. this is a clause to make it compatible with the GPL.

Examples of projects using this license: Firefox, Bugzilla, LibreOffice.

Common Development and Distribution License (CDDL)

CDDL
Tl;Dr: File-based copyleft. The source code for the files under the CDDL must be made available when redistributing the software, and the greater work can be licensed however you like, with some exceptions.

Use in project: Yes, with caution. Consult if also working with other copyleft code.

CDDL allows the free use and distribution of source and binaries, provided the original code is made available when redistributing the software in binary or source form. The license doesn't spread to the greater project and applies on a file-by-file basis. The greater work of the project may be licensed under another license as long as the individual files remain available under the CDDL. Unlike the MPLv2, it doesn't have a clause to allow exclusive distribution under the license of the greater work. This means the GPL is incompatible with the CDDL, as the GPL prevents additional restrictions, in this case the continued redistribution of the files under the CDDL.

Examples of projects using this license: OpenSolaris/Illumos, OpenZFS, DTrace

Open issues/risks:

Tracking the use of licenses throughout components is still a problem to be solved (see issue 95). Also, this document does not cover all licenses or how they combine with each other.

Recommendations:

Libraries

If a library is under a permissive license, use it freely; just remember to include a copy of the license in the directory of that component. When using copyleft licenses, check their compatibility and think about the implications. If unsure, consult with Andrew. If a library is under another license not covered here, do your research, add it here, and consult with Andrew (or just handball researching it to Andrew).

Third party software

Mostly not a concern, just keep note of it. E.g. MongoDB was AGPL.

Example. The service requires a database and you have familiarity with MySQL. MySQL is licensed under GPL. Using GPL in this sense is without risk, as we aren't linking to it nor are we shipping it to a third party.

Example. The service requires a database and you select MongoDB under a version licensed as AGPL. We aren't linking to Mongo, so it won't affect the license of the service. However, as it will be receiving requests over a network, we would be required to supply the source to those who can talk to the service. Unless we fork this software and add our own contributions, we can just provide a link to the distribution's package.
