Overall information and licence lists

• GÉANT Open Source Licensing and Compliance workshop slides, https://e-academy.geant.org/moodle/mod/resource/view.php?id=2869

• What is Free Software?, https://www.gnu.org/philosophy/free-sw.en.html

• Guide to open source licenses, https://www.synopsys.com/blogs/software-security/open-source-licenses/
• Top open source licenses and legal risk for developers, https://www.synopsys.com/blogs/software-security/top-open-source-licenses/
• Standardised SPDX licence codes and licence texts, https://spdx.org/licenses/
• University of Pittsburgh Library System – Copyright and Intellectual Property Toolkit, https://pitt.libguides.com/copyright
• WhiteSource – Open Source Licenses Explained, https://www.whitesourcesoftware.com/resources/blog/open-source-licenses-explained/
• Free Software Foundation's free software licences and Non-free Software Licenses – classified individual licences and their compatibility with GPL, https://www.gnu.org/licenses/license-list.html
• Open Source Initiative (OSI) approved licenses
  • By category, https://opensource.org/licenses/category
  • Alphabetical https://opensource.org/licenses/alphabetical

Permissive and copyleft licenses

• Permissive licences have simple requirements – to credit original work, describe changes, provide disclaimer…
• Copyleft licences (“reciprocal”, “protective”, “restrictive”, derogatory: “viral”) require the rights to be preserved in derivative works
• If you use any components (libraries) with copyleft, you are obliged to make derived source code available, which may include the entire product/project!
• Permissive – do anything
  • MIT – short and simple
  • ISC (OpenBSD) – further shortened equivalent
  • BSD – some versions require to include the disclaimer
  • Apache 2.0 – requires notice of changes, grants licence to patents unless litigating and mentions preservation of trademark rights
• Weak copyleft – file (library) scope
  • MPL 2.0 – simple, allows static linking and licence variants with additional terms
  • LGPL 2.1 – cleaned text of LGPL 2.0, allows dynamic linking without enforcing copyleft
  • LGPL 3.0 – grants use of patents; the end-user must be able to install a modified version – it prohibits closed devices, DRM or hardware encryption or patents retaliation; compatible with Apache2.0
• Strong copyleft – project scope
  • GPL 2.0 – often used
  • GPL 3.0 – grants use of patents, the end-user must be able to install modified software, compatible with Apache2.0
  • AGPL 3.0 (Affero) – network protective: external use of modified(!) code requires its availability – network use is a distribution of the software, modified source code must be available
• Proprietary – typically restrict user rights and protect commercial interests of copyright owners

Tabular or per-feature comparisons of licences and categorised lists

• Choose an open-source license, https://choosealicense.com/appendix/
• Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
• DejaCode licence finder; it can filter by one or several categories, licence text and a few key characteristics
  • All, https://enterprise.dejacode.com/licenses/
  • Permissive, https://enterprise.dejacode.com/licenses/?sort=name&category=Permissive
  • Weak copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft+Limited
  • Strong copyleft, https://enterprise.dejacode.com/licenses/?sort=name&category=Copyleft
• Wikipedia tables and classified lists
  
  • All, https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences
  • Permissive, https://en.wikipedia.org/wiki/Category:Permissive_software_licenses
  • Copyleft, https://en.wikipedia.org/wiki/Category:Copyleft_software_licenses
• GPL compatible licenses are listed in the 'GPL (v3) compatibility' column of the table in https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licences#Approvals

Licence compatibility

GPL licences compatibility

(From https://www.gnu.org/licenses/quick-guide-gplv3.html)

• Arrows are transitive and go from licences of the components toward the one of your project
• Dotted line – “GPL 2 only” is not compatible with GPL 3”, but ”GPL 2 or later” is
• AGPL
  • (L)GPL 3.0(+) components can be used, thanks to an explicit GPL rule
  • Code under AGPL cannot be used in (L)GPL projects unless dual-licensed

A more detailed view with precisely stated licences:

(From David A. Wheeler 2007, https://web.archive.org/web/20210101030518/https://dwheeler.com/essays/floss-license-slide.html, SVG variant: https://en.wikipedia.org/wiki/License_compatibility#/media/File:Floss-license-slide-image.svg)

Dual and multi-licensing

• Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
• Dual and multi-licences help in avoiding licence compatibility issues, which makes the use of components more flexible
• You can choose a licence compatible with the one used for your software. But you cannot dual-licence your software to match some components with one and others with another licence. Licences of all used components must be compatible with all of your licences!
• “Or later”(often as “+”) licenses variants just imply the applicability of later, possibly still non-existing, versions of these licences. This is sometimes implied unless you explicitly decline it.
• Some licences include automatic relicensing (MPL 2.0, EUPL 1.2, CeCILL) – EUPL comes with the full and exhaustive list…

License compatibility matrices or checkers

Joinup Licensing Assistant, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-compatibility-checker

License Compatibility Checker software

In-licences (licences of components) are in rows, out-licences in columns:

(From https://github.com/HansHammel/license-compatibility-checker)

Open Source Automation Development Lab (OSADL) matrix and rules

In-licences are in columns, out-licences in rows:

(From https://events19.linuxfoundation.org/wp-content/uploads/2018/07/OSLS-2019-Fulfilling-Open-Source-license-obligations-Can-checklists-help.pdf)

More at

• OSADL site, www.osadl.org

• Overview, https://www.osadl.org/Open-Source-License-Checklists.oss-compliance-lists.0.html
• Raw data about individual licences, https://www.osadl.org/Access-to-raw-data.oss-compliance-raw-data-access.0.html
• Matrix, registration needed, https://www.osadl.org/fileadmin/checklists/matrix.html

GNU GPL licences compatibility 

• Matrix of GPL licences with detailed explanations, https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility

EUPL 1.2

• General explanation, https://joinup.ec.europa.eu/collection/eupl/licence-compatibility-permissivity-reciprocity-and-interoperability
• What in-licences can be out-licensed under EUPL, https://joinup.ec.europa.eu/collection/eupl/matrix-eupl-compatible-open-source-licences –
• When components are under EUPL, https://joinup.ec.europa.eu/collection/eupl/how-use-eupl#section-18 –

Creative Commons licences

• https://creativecommons.org/faq/#can-i-combine-material-under-different-creative-commons-licenses-in-my-work

Risks of permissive licences

Risk mitigation against potentially harmful legal threats or behaviours by free-software licenses

(From https://en.wikipedia.org/wiki/Free-software_license)

Licence selection tools

• Choose an open-source license, https://choosealicense.com/
• Joinup Licensing Assistant – Find and compare software licenses, https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses
• Creative Commons (CC) licence chooser
  • https://creativecommons.org/choose/
  • https://chooser-beta.creativecommons.org/

WhiteSource resources

Understanding of licence data and compatibility in WhiteSource

https://whitesource.atlassian.net/wiki/spaces/WD/pages/483786970/Understanding+Risk+Score+Attribution+and+License+Analysis

More on WhiteSource setup assistance, WhiteSource scan analysis and other software review services provided by WP9T2: https://wiki.geant.org/display/GSD/Software+Reviews

Alternative software inventory tools

Ideally, compliance should be continuously monitored as a part of the build process.

• FOSSology, https://www.fossology.org/
• QMSTR (Quortermaster), toolchain and reports – it was stalled, now back to progress, https://qmstr.org/
• Scancode-Toolkit, https://github.com/nexB/scancode-toolkit
  Useful commands, when in the repository folder:

  mvn clean install
  ~/scancode-toolkit<VERSION>/scancode -cl -n 10 --csv scan-out .csv ../

• License Compliance Verifier (LCV), Demonstrator based on a subset of the compatibility rules from the Open Source Automation Development Lab (OSADL) matrix, https://github.com/fasten-project/fasten/wiki/License-compliance

Compliance methodology

• GÉANT IPR and OSS governance, In GÉANT, IPR is managed by the IPR Coordinator
• OpenChain, start from https://www.openchainproject.org/
• Open Source Programs Office
  • https://www.linuxfoundation.org/tools/creating-an-open-source-program/
  • https://fossa.com/blog/building-open-source-program-office-ospo/