Open Source Licenses
It is possible to write and distribute software, with no license
whatsoever, but in the past decade it has become popular to attach to any
released software some sort of license, defining the
obligations of the person who downloads or modifies the software.
Software (or any other creative work) released with no strings whatsoever
(and, in particular, with an irrevocable termination of any creator rights
under copyright law) is said to be in the public domain.
One large category of public-domain works are those for which copyright
has lapsed; this category does not include any working software as
copyright has a substantial lifetime (70 years from the author's death, in
the United States). Perhaps some of Ada Lovelace's work for the Difference
Engine (in the 1840's) can be considered software (though it never ran on
anything); it is certainly now in the public domain. Alan Turing died in
1954; his work on programming does not enter the public domain until 2024.
There is some legal question whether an author even has the legal ability
to place his or her work irrevocably in the public domain, on the theory
that potential rights under copyright can never be terminated.
The GNU public license is the earliest, perhaps mostly because the GPL
tries to accomplish something legally tricky: it requires that any
modifications must remain as open source. When the GPL was first written,
people not concerned about this sort of thing would most likely use no
license at all.
We will, however, start with the MIT license, which is perhaps the
simplest. Here it is, from opensource.org/licenses/MIT:
Copyright <YEAR> <COPYRIGHT
Permission is hereby granted, free of charge,
to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission
notice shall be included in all copies or substantial portions of the
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH
THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The only restrictions are the inclusion of the copyright notice and the
waiver of liability. There is no rule that the source must be distributed;
the copyright notice can be included in the executable. This is not
spelled out explicitly however.
The waiver of liability might not be legally binding (though I am aware
of no cases where this has been contested, if the software was distributed
for free). You might think this odd, but the legal theory is that no
creator of a product can escape negligence liability simply with a waiver.
Were this not the case, nothing would stop vehicle manufacturers from
claiming they were not liable for poor design. It is easy to claim in
court that software errors are due to "negligence".
In 2009 the European Union proposed new laws on software that were
intended to make it harder for companies to escape liability for software
problems. The way the draft was worded, it appeared to make it impossible
for Open Source to escape such liability. However, the laws were
ultimately not adopted. Ironically, one version of the laws would have
made it possible for software vendors to require that customers waive
liability at the time the software was sold. Free software, not
being sold, could not benefit from such waivers.
The X Consortium added to the MIT license a paragraph restricting use of
the X Consortium name.
Software released under the MIT license can be:
- Used in commercial server-side systems
- Combined with other software into a system that is then sold
- Improved, and then sold as an improved version
People who see their open-source work as a contribution to society
sometimes have an issue with one or more of these. On the other hand, if
you want your software to be used, you may find that GPL-style
licenses are too restrictive.
Daniel Haxx wrote the cURL package and released it under the MIT license.
As a result, Haxx's email address appears in the license terms in odd
places. In-car sound systems, in particular, often incorporate cURL, and
so desperate users occasionally contact Haxx for help (daniel.haxx.se/blog/2016/11/14/i-have-toyota-corola):
I have Avalon 2016
Regarding the audio player, why there delay between audio and video when
connect throw Bluetooth and how to fix it.
Haxx appears to find this mildly entertaining. Sometimes it can be a
The original Berkeley Software Distribution of Unix came with the
original "four-clause" BSD license. The most common BSD license version
today is the following "three-clause" version (opensource.org/licenses/BSD-3-Clause):
Copyright <YEAR> <COPYRIGHT
Redistribution and use in source and binary
forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain
the above copyright notice, this list of conditions and the following
2. Redistributions in binary form must
reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided
with the distribution.
3. Neither the name of the copyright holder
nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The waiver of liability is more elaborate. Binary distribution is
explicitly permitted, as is redistribution. The new clause is that the
names of the copyright holders (any of them, as each new contributor may
add his or her name) may not be used to promote the program.
It is not clear if the BSD license was originally understood to apply
cleanly to improvements added by others; the BSD group likely thought that
clause 3 above would apply only to them.
The original BSD license included a fourth clause:
All advertising materials mentioning features
or use of this software must display the following acknowledgement:
This product includes software developed by the
That actually is a fairly intrusive requirement, which is why
it went away.
The license from the Apache Software Foundation is a bit long to paste
in; here's the link: www.apache.org/licenses/LICENSE-2.0.
The part you paste in to the source files is shorter:
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain a
copy of the License at
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
The first section of the actual license includes a definition of multiple
The second section includes an authorization under copyright. This
authorization allows the creation of derivative works; that is, you can
modify the software.
Section three includes a new feature: each contributor must waive any patent
rights, or, more specifically, grant a free license to any users of the
software. The idea here is that if you have a patent, and release or
modify software under the Apache license, you cannot sue other users for
patent infringement. Even if those other users make further modifications
to the software. Here is the clause:
3. Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,
royalty-free, irrevocable (except as stated in this section) patent
license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily
infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted.
If You institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work or a
Contribution incorporated within the Work constitutes direct or
contributory patent infringement, then any patent licenses granted to You
under this License for that Work shall terminate as of the date such
litigation is filed.
The penalty for suing over patents, though (in the final sentence), is
that you lose any patent rights granted to you by other contributors. You
do not lose the right to use the software itself. And if a later
user adds a feature that causes the entire package to infringe on your
patents, you can sue.
In this post, hodlerlaw.com/2013/12/02/the-apache-license-version-2-0-and-the-anti-patent-treachery-clause,
J Hodler suggests that the Apache patent clause has symbolic significance
only. The real risks of patent litigation are from so-called
non-practicing entities -- companies that don't actually create anything,
and so don't use the Apache-licensed software in question, and large
companies (think IBM and Microsoft), who usually (though not always) also
avoid Apache-licensed software.
Section four spells out the requirements for redistributing the software.
This clause lets you redistribute for sale, but you must attach the
original license terms.
Section five says that any contributions by default have the same
license, but you are allowed to negotiate different
The GNU General Public License
This is the one that says that if you make changes, and you distribute
them, then they too must be open source.
Richard Stallman wrote the first version of the GPL in 1989. This was
followed in 1991 by GP v2. To allow the use of GPL libraries in non-free
projects, it was accompanied by the "Library GPL", or LGPLv2. GPLv3 was
released in 2007.
The actual texts of the licenses are here:
Here is the important GPL2 clause, that defines the copyleft
feature [here and elsewhere, all bold emphasis is added]
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on
the Program, and copy and
distribute such modifications or
work under the terms of Section 1
above, provided that you also meet
all of these conditions:
a) You must cause
the modified files to carry prominent notices
stating that you
changed the files and the date of any change.
must cause any work that you distribute or publish, that in
whole or in
part contains or is derived from the Program or any
to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the
modified program normally reads commands interactively
when run, you
must cause it, when started running for such
in the most ordinary way, to print or display an
including an appropriate copyright notice and a
notice that there
is no warranty (or else, saying that you provide
a warranty) and
that users may redistribute the program under
and telling the user how to view a copy of this
(Exception: if the Program itself is interactive but
does not normally
print such an announcement, your work based on
the Program is
not required to print an announcement.)
By way of explanation, the following clause also appears:
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
And this, which defines the legal nature of "copyleft":
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
As far as patents are concerned, GPLv2 states:
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.
This clause means that, if for some external reason you cannot legally
distribute the source code (either due to patents or copyright or some
other reason), then you cannot distribute the binary either. Rms called
this the "liberty or death" clause.
Then there is the Library GPLv2. In the preamble it states:
The reason we have a separate public license for some libraries is that
they blur the distinction we usually make between modifying or adding to a
program and simply using it. Linking a program with a library, without
changing the library, is in some sense simply using the library, and is
analogous to running a utility program or application program. However, in
a textual and legal sense, the linked executable is a combined work, a
derivative of the original library, and the ordinary General Public License
treats it as such.
Because of this blurred distinction, using the ordinary General
Public License for libraries did not effectively promote software
sharing, because most developers did not use the libraries. We
concluded that weaker conditions might promote sharing better.
Here is the LGPL's Section 2 (left), side-by-side with the GPLv2 Section
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices
stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no
charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a
table of data to be supplied by an application program that uses
the facility, other than as an argument passed when the facility
is invoked, then you must make a good faith effort to ensure that,
in the event an application does not supply such function or
table, the facility still operates, and performs whatever part of
its purpose remains meaningful.
| 2. You may modify
your copy or copies of the Program or any portion
of it, thus forming a work
based on the Program, and copy and
distribute such modifications
or work under the terms of Section 1
above, provided that you also
meet all of these conditions:
a) You must
cause the modified files to carry prominent notices
that you changed the files and the date of any change.
must cause any work that you distribute or publish, that in
in part contains or is derived from the Program or any
thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the
modified program normally reads commands interactively
you must cause it, when started running for such
use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
there is no warranty (or else, saying that you provide
and that users may redistribute the program under
conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive
normally print such an announcement, your work based on
is not required to print an announcement.)
Clause (d) appears to be an
effort to ensure that the LGPL can only in fact be used for libraries.
More specific library-related clauses are the following:
5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
6. As an exception to the Sections above, you may also compile or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.
In version 3 of the GPL, the language is, overall, more readable. The
following clause is new:
No covered work shall be deemed part of an
effective technological measure under any applicable law fulfilling
obligations under article 11 of the WIPO copyright treaty adopted on 20
December 1996, or similar laws prohibiting or restricting circumvention of
In other words, you cannot use GPL-covered software as a basis for DRM.
Section 5 contains the copyleft feature:
- a) The work must carry prominent notices stating that you modified it,
and giving a relevant date.
- b) The work must carry prominent notices stating that it is released
under this License and any conditions added under section 7. This
requirement modifies the requirement in section 4 to “keep intact all
- c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This License
will therefore apply, along with any applicable section 7 additional
terms, to the whole of the work, and all its parts, regardless of how
they are packaged. This License gives no permission to
license the work in any other way, but it does not invalidate such
permission if you have separately received it.
- d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your work need
not make them do so.
Section 6 addresses distribution of binary code:
You may convey a covered work in object code
form under the terms of sections 4 and 5, provided that you also convey
the machine-readable Corresponding Source under the terms of this License,
in one of these ways:
Section 6 also addresses another issue, which Stallman calls "Tivoization".
TiVo built their DVR device with GNU/linux, and you can get their source
code modifications, but their hardware does not allow you to
install software with any further modifications made by you or others. The
license includes a definition of "User Product" that excludes, say,
for a User Product means any methods, procedures, authorization keys, or
other information required to install and execute modified versions of a
covered work in that User Product from a modified version of its
Corresponding Source. The information must suffice to ensure that the
continued functioning of the modified object code is in no case prevented
or interfered with solely because modification has been made.
If you convey an object code work
under this section in, or with, or specifically for use in, a User
Product, and the conveying occurs as part of a transaction in
which the right of possession and use of the User Product is transferred
to the recipient in perpetuity or for a fixed term (regardless of how the
transaction is characterized), the Corresponding Source conveyed
under this section must be accompanied by the Installation Information....
The requirement to provide Installation
Information does not include a requirement to continue
to provide support service, warranty, or updates for a work that has been
modified or installed by the recipient, or for the User Product in which
it has been modified or installed.
The apparent reason TiVo included this hardware lockdown was to
prevent users from grabbing and saving the recorded content in raw digital
Section 11 addresses patent claims by contributors:
Each contributor grants you a non-exclusive,
worldwide, royalty-free patent license under the contributor's essential
patent claims, to make, use, sell, offer for sale, import and otherwise
run, modify and propagate the contents of its contributor version.
Also this, in order to address the apparent licensing by Microsoft of
some of its patents to Novell only:
You [Novell -- pld] may not convey a covered
work if you are a party to an arrangement with a third party [MS -- pld]
that is in the business of distributing software, under which you make
payment to the third party based on the extent of your activity of
conveying the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
In 2005, Fortinet apparently used GPL-licensed code in ways that violated
the license. Ultimately they had to release source code for their FortiOS
In 2006 a German court upheld the validity of the GPL in a lawsuit
In 2007, developers of the GPL BusyBox package sued Monsoon, which
incorporated BusyBox but refused to release their modified source code.
Monsoon eventually settled, opening their source and paying unspecified
In 2013 a Hamburg court found that Fantec GmbH had violated the GPL in
the distribution of a game module that made use of netfilter.
In 2016 a German court dismissed kernel dev Christoph Hellwig's lawsuit
against VMware for GPL violation. Ultimately the court dismissed the case,
on the grounds that Hellwig could not identify the specific code sections
written by Hellwig that VMware had used.
In April 2017, California federal judge Jacqueline Corley ruled, in the
case Artifex v Hancom, that the GPL was binding even though Hancom never
signed anything. Artifex offered its Ghostscript pdf-rendering software on
both GPL and commercial licensing terms. Hancom used the GPL version,
modified it, violated the GPL, and tried to claim the GPL was non-binding.
See also copyleft.org/guide/comprehensive-gpl-guidepa3.html.
As one final observation, see Open
Source Software: An Open Door to Intellectual Property Liability. It
In the end, it may be less expensive to pay
more for commercial software, if only to purchase the benefit of the
indemnification that typically runs with the license.
But open-source licensing is not that hard to deal with. The intent is
usually very clear.
Karl Fogel, in Producing Open-Source
Software, lists the following as one common management myth:
If we open source this project, then we'll
have to release all our other stuff as open source too.
The roots of this myth come from misunderstandings of the GPL.
A weaker form of this myth, that is in fact a plausible if unlikely fear,
is that if code covered by the GPL sneaks into a project, then the project
becomes open source whether you wanted it to or not. But this has nothing
to do with choosing whether to be open source. So there's
nothing you can do about it, except to make it clear to your devs that all
code they submit to you they must have written themselves.
The Affero GPL
Way back in the last century, the so-called Application Service Provider
(ASP) loophole was known in theory: an ASP could take GPL-covered
software, modify it, and allow paying customers to use the modified
version on the ASP's own hardware. This would not trigger the
source-code-distribution requirement. Today, we would say an ASP is a
software-as-a-service (SaaS) provider or some other cloud provider.
In 2000, Henry Poole worked with rms to develop a response. Poole started
Affero as a web0services company in the following year; he wanted a
GPL-like license that would require other ASPs modifying his code to
distribute the source as well. The Affero GPL v1 (AGPLv1) was published in
2002. Along with the GPLv2 and GPLv3 were also issued corresponding
licenses AGPLv2 and AGPLv3.
Here is the key clause (13) from the AGPLv3:
Notwithstanding any other provision of this
License, if you modify the Program, your modified version must
prominently offer all users interacting with it remotely through a
computer network (if your version supports such interaction) an
opportunity to receive the Corresponding Source of your version
by providing access to the Corresponding Source from a network server at
no charge, through some standard or customary means of facilitating
copying of software. This Corresponding Source shall include the
Corresponding Source for any work covered by version 3 of the GNU General
Public License that is incorporated pursuant to the following paragraph.
One ambiguity of the AGPL is just who is a "user". A company licensing
your platform? Or an arbitrary customer or user of that company?
The Server-Side Public License
This was introduced by the MongoDB team in 2018. It is, in essence, the
GPLv3 plus the following clause:
If you make the functionality of the Program
or a modified version available to third parties as a service, you must
make the Service Source Code available via network download to everyone at
no charge, under the terms of this License.
The full license is at mongodb.com/licensing/server-side-public-license.
The situation was complicated by the fact that MongoDB can also be
commercially licensed. So the more common reality for MongoDB modifiers is
that they would be forced either to release their code or buy a commercial
license. Releasing the code makes sense for companies that are modifying
the MongoDB code, but some developers felt that the clause above applied even
if you made a MongoDB-based app available to users. As a result,
the SSPL has seen hard times, and MongoDB has backpedaled a bit.
The Commons Clause
This adds the following (from commonsclause.com):
Without limiting other conditions in the
License, the grant of rights under the License will not
include, and the License does not grant to you, the
right to Sell the Software.
For purposes of the foregoing, “Sell” means
practicing any or all of the rights granted to you under the License to
provide to third parties, for a fee or other consideration (including
without limitation fees for hosting or consulting/ support services
related to the Software), a product or service whose value derives,
entirely or substantially, from the functionality of the Software. Any
license notice or attribution required by the License must also include
this Commons Clause License Condition notice.
This is a very different approach to the same problem (the ASP-loophole
problem): if you offer the software as a service, you cannot charge money
for it. The Commons Clause, however, can be added to essentially any other
license (eg the "permissive" licenses MIT, BSD and Apache),
unlike the AGPL or the SSPL. If you want to sell the software, you can
license that separately. If you want to sell the use of your software on a
cloud platform, and don't want to get a commercial license, your other
option is to relicense the software on open terms, and allow your
customers to install it as an open-source product (or select it from a
list of pre-installed options). Since your modified software is still
free, you are not selling it.
Redis Labs was an early adopter of the Commons Clause. But, due to
significant misunderstandings, they backed off, and replaced the Commons
Clause with the Redis Source Available License. The core Redis is licensed
with BSD, but add-on modules from Redis are license with RSAL. See redislabs.com/community/licenses.
The basic RSAL feature is this:
Software protected by RSAL is designed to be
used as part of an application. We want to help and encourage people to
develop their own applications, but RSAL differentiates between a
“database product” and all other applications. RSAL defines a database
product as any of the following products or services: (a) databases, (b)
caching engines, (c) stream processing engines, (d) search engines, (e)
indexing engines or (f) ML/DL/AI serving engines.
If your application built with
RSAL-protected software is NOT a database product, RSAL defines it as
“your application,” and you can:
- Freely distribute the RSAL-protected software, as long as you
include the following notice on any copy you distribute: “This
software is subject to the terms of the Redis Source Available License
- Freely modify the RSAL-protected software, as long as your
modification is covered by the RSAL license.
- Freely use the RSAL-protected software, as long as it is not part of
a “database product” offered by a third party other than yourself or
But if your application is a "database product", the RSAL
license is not sufficient, and, basically, you have to pay Redis for a
For a contrarian view, see drewdevault.com/2018/08/22/Commons-clause-will-destroy-open-source.html.