Open source licensing should be easier to deal with now that open source has become the de facto way we build software applications. But if you’re like most enterprises, every time you add a new open source language, or even a library, to your tech stack, you’ll most likely be hit with yet another legal roadblock in the form of a legal review by your organization.
The problem lies in the fundamental dichotomy about open source: it’s free to use but not necessarily risk-free to redistribute. Depending on the license, the way you’ve incorporated the open source code into your code base, and how the final product will be used, you could be:
- Scot-free
- Obligated to reveal your code base, or
- Sued
Cue the lawyers.
Unfortunately, open source licenses come in all shapes and sizes, with more being added all the time. The following table offers a simplified view of the current landscape from the point of view of a developer creating a commercial product:
LICENSE | TYPE | SHOULD I USE IT? |
---|---|---|
No License | None | More commonly known as “that code I copied from StackOverflow.” Unfortunately, without a license, the code is copyrighted by default. Don’t use it. |
Public Domain | Permissive | Use it! This is one of those rare cases where “free” is actually free. |
GPL License | Copyleft | Stay away if you’re working on a commercial product, since you’ll need to share your code base with the community. |
AGPL License | Copyleft | Like GPL, but intended for network apps. Do not use with commercial products for the reason given above. |
LGPL License | Mostly Copyleft | The simple answer is “do not use with commercial products” since you’ll need to share your code base with the community. |
MIT License | Permissive | Fair game. Just make sure you distribute a copy of the MIT license terms and the copyright notice with your final product. |
BSD-like Licenses | Permissive | Includes BSD, BSD 2 and BSD 3 licenses, all of which are good to use as long as you make sure to include the BSD license and copyright notice. |
Eclipse Public License | Mostly Copyleft | Similar to GPL, it requires source code disclosure and therefore shouldn’t be used if you’re working on a commercial product. |
Apache 2 License | Permissive | Fair game, but requires a bunch of hoop jumping. Make sure you include the copyright, license and any notices, as well as state any changes you made to the original code. |
Microsoft Public License | Permissive | Fair game. Just make sure you distribute a copy of the license terms and the copyright notice with your final product. |
Mozilla Public License 2 | Copyleft | Similar to GPL, it requires source code disclosure and therefore shouldn’t be used if you’re working on a commercial product. |
Some caveats:
- The above recommendations are guidelines, not legal advice – use your own judgement.
- In some cases, certain licenses can be incompatible with others (e.g., Eclipse and GPL).
- Open source licenses do get revised. Newer versions may be more or less restrictive than their predecessors. User beware.
At the end of the day, it may still be worth paying a lawyer to get involved. Open source litigation is on the rise, and you don’t want to be on the receiving end of a lawsuit. Your only other recourse is to purchase litigation insurance, most commonly known as “indemnification” from a commercial open source vendor.
The ActiveState Platform provides indemnification provisions as an option for Enterprise Tier customers worried about delays in the software development process caused by legal reviews. The intent of this indemnification coverage is that the lawyers no longer need to get involved in your open source decisions, allowing you to get to market sooner.
- For more information on the indemnification provided by the ActiveState Platform, read our License Indemnification datasheet.
- For more information on open source licenses and the risks involved in their usage, read our License to Code white paper.