Click here to close now.


Apache Authors: Craig Lowell, Jim Scott, Liz McMillan, AppDynamics Blog, Dana Gardner

Related Topics: Open Source Cloud, Linux Containers, Eclipse, Release Management , Apache, OpenStack Journal

Open Source Cloud: Article

Which Open Source Software License Should I Use?

There are different considerations for every project

I've recently been involved in several discussions that are variations on, "Which open source or free software license should I choose for my project?" Here is my way of looking at the large and growing collection of licenses in the wild. First let's make sure we all understand that I Am Not A Lawyer. This is not legal advice. Depending upon your needs and your comfort with risk around your software, you'll want to confirm your legal choices with counsel in your jurisdiction.

The first and obvious consideration is whether or not the license is approved as an open source license by the Open Source Initiative (OSI). The OSI created the Open Source Definition in the late 1990s as a set of attributes that a software license must support to be considered "open source". Anyone can take a license to the OSI for debate and discussion and if approved as meeting the OSD, then the license is added to the canonical list.

While this seems an obvious place to start, I was recently surprised to discover a license called the "Clear BSD License." It attempts to clarify explicitly that patents are not being discussed in the license. It is not on the OSI list (while the New BSD and Simplified BSD licenses are) and is therefore not worth considering. Inventing new licenses as small derivatives of existing licenses is not helpful and creates costly legal busy work. There exists a broad collection of OSI-approved licenses today. These licenses cover millions of lines of software involved in billions of dollars in procurement. One would be hard pressed to describe a serious set of circumstances that isn't already covered by an OSI-approved license.

There are several big levers available when considering an open source license:

  • How much license reciprocity is required with respect to the software, modifications, and any derivatives someone develops?
  • What is said about patent licensing and litigation?
  • What legal jurisdiction covers the license?

The reciprocity issue is all about "copyleft" and whether or not using the software source code attaches the license to the modifications and derivatives, and whether the source code to those modifications and derivatives needs to be published.

On one end of the spectrum are licenses that have no copyleft requirements. These licenses essentially allow anyone to use the software in anyway without requiring much more than maintaining copyrights. Licenses that fall into this set include the New and Simplified BSD licenses, the MIT license, and the Apache 2.0 and Microsoft Permissive licenses.

There are a set of licenses that maintain a sense of copyleft around the software itself but support the use of the software in larger works of software which may contain software that is licensed differently (e.g. closed and proprietary). These licenses include the Eclipse Public License, the newer Mozilla Public License 2.0, and the Microsoft Reciprocal License.

On the other end of the copyleft spectrum are strong copyleft licenses. Software freedom is defined by the Free Software Foundation in terms of the freedoms a user of software must have. Strong copyleft supports software freedom. Many developers support software freedom, and demonstrate this support using one of the family of GPL licenses (GPL2.0, GPL3.0, and the Affero GPL3.0) as a way to ensure the strongest copyleft and strongest license attachment when the software in question is used in building and distributing other software.

Software patents weren't really an issue when software was beginning to be widely shared on the early Internet and so weren't mentioned in the early licenses. By the late 1990s, software patents were on the rise and corporate legal teams were becoming more involved in the writing of open source licenses as they became more involved with open source software and developing the open source foundations around evolving projects. The Apache 2.0 License, Mozilla Public License 2.0, Eclipse Public License, the newer GPL licenses, and both Microsoft licenses reflect this shift in language. Each license explicitly talks about patent licenses. Each license has language that covers patent litigation to varying degrees.

I mention legal jurisdiction in the big levers category because some licenses explicitly mention it and this can be a real show stopper for some people. For that reason alone I treat it as a Big Lever. (The Mozilla Public License 2.0 specifically tries to deal with jurisdiction as one of changes from the original MPL, as that was often a criticism of the earlier license.)

Other considerations in license choice include:

  • Are there project specific affinities?
  • History of the license and foundation/corporate/commercial involvement?

The "language" projects (Perl, PHP, Python) each have their own licenses (Artistic License 2.0, PHP License 3.0, and Python License 2.0 respectively). If you are working on a project that closely ties to a specific open source programming language community then you should obviously consider that community's license as the question of mixing modules and dependencies will be simplified with respect to open source license.

As software IP law has evolved and the Internet has become an enormous space for people to collaborate on software development, commercial organizations became involved. We have seen the creation of open source software foundations with specific licenses associated with them. Corporate legal teams have become involved in authoring open source licenses, and the language and structure of these licenses (e.g. terminology and definitions) reflects this involvement. Lawyers without a lot of experience in open source licenses may feel more comfortable reviewing these newer licenses.

So to recap, presuming that your primary motivation is to co-develop and collaborate on an open source project, in my way of looking at open source licenses your choices break down roughly as follows. (I'm keeping the discussion here to widely used licenses, and/or licenses where large commercial organizations with conservative counsel or neutral non-profit open source foundations had a hand in their creation.)

If you want to allow anyone to do anything at any time with the software, use the MIT or new (3-clause) BSD license, i.e. no copyleft and no discussion of patents. Both of these licenses came from the academic world, and both from a period of time where software patents were not a focus.

If you want to allow anyone to do anything with the software (so no copyleft), but feel something needs to be said about patents and license termination in the face of litigation, and/or you want a license that corporate counsel is more comfortable reading then look at either the Apache 2.0 license or possibly the Microsoft Permissive License. These licenses were written to continue to encourage a completely open sharing environment but were written with a more corporate view (note the structure and language), and both begin to cover patents with varying (and subtly different) degrees of patent retaliation built into them.

If you feel others should be able to build [possibly product] around your software, but want to ensure changes to the core software project itself remain open source (i.e. the changes must be published), you likely want to look to either the Eclipse Public License, the newer Mozilla Public License 2.0 or the Microsoft Reciprocal License. These are modern licenses developed from commercial/corporate perspectives supporting "weak" copyleft. [N.B. The EPL does name NY State as the jurisdiction.] Pay attention to patent statements in each.

If you are a firm supporter of software freedom or want to ensure that if your software source is used anywhere that the resulting derivatives are maximally published as open source ensuring software freedom then you should look to GPL2.0 or GPL3.0 depending upon your needs.

There are a couple of interesting side ideas I've come across in the open source licensing space as different projects wrestled with how best to create the "right" licensing for their software.

  • Many companies are concerned about their patent portfolios when creating open source projects. Google took an interesting approach to the problem when they released the WebM project. They chose the New BSD license and then created a very specific "Additional IP Rights Grant" to cover the patent language they needed.
  • It is the nature of IP law that the owner of the property can license it as many ways to as many people as they choose. This is why the Microsoft EULA for a personal copy of the Windows operating system is different from an Enterprise License Agreement and how MySQL AB developed a line of business around closed software licensing as well as their GPL-licensed project. In the early days (up through PHP3), the software from the PHP project was similarly "dual" licensed under both the GPL2.0 and an earlier PHP license to allow the software to be included in as many places as possible because the GPL was not directly compatible with the PHP license of the time.

I have deliberately not tried to create a table or decision tree for license choice here. I believe there are sufficient edges and nuances to license choice that it can never be properly "automated" with the licenses we have today that reflect their rich background of needs and history. There is always one more legal question of "what about the situation when ...?" Such questions will likely involve legal counsel and may be very jurisdiction sensitive.

Likewise, open source software licenses don't simply reflect a set of legal choices. In the early stage of an open source project when the author or authors are first publishing the software, the choice of license reflects as much of the social contract that is being made for the project as any legal requirements. It is the first governance document of the early possible community that comes into play long before formal governance, mission statements, and codes of conduct may be created around growing community.

Full text of all the licenses can be found on the Open Source Initiative at:

Excellent information on how to consider various software licenses in combination with the GPL can be found here:

If you need to get a lawyer up to speed, consider pointing them to:

More Stories By Stephen Walli

Stephen Walli has worked in the IT industry since 1980 as both customer and vendor. He is presently the technical director for the Outercurve Foundation.

Prior to this, he consulted on software business development and open source strategy, often working with partners like Initmarketing and InteropSystems. He organized the agenda, speakers and sponsors for the inaugural Beijing Open Source Software Forum as part of the 2007 Software Innovation Summit in Beijing. The development of the Chinese software market is an area of deep interest for him. He is a board director at eBox, and an advisor at Bitrock, Continuent, Ohloh (acquired by SourceForge in 2009), and TargetSource (each of which represents unique opportunities in the FOSS world). He was also the open-source-strategist-in-residence for Open Tuesday in Finland.

Stephen was Vice-president, Open Source Development Strategy at Optaros, Inc. through its initial 19 months. Prior to that he was a business development manager in the Windows Platform team at Microsoft working on community development, standards, and intellectual property concerns.

@ThingsExpo Stories
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
This week, the team assembled in NYC for @Cloud Expo 2015 and @ThingsExpo 2015. For the past four years, this has been a must-attend event for MetraTech. We were happy to once again join industry visionaries, colleagues, customers and even competitors to share and explore the ways in which the Internet of Things (IoT) will impact our industry. Over the course of the show, we discussed the types of challenges we will collectively need to solve to capitalize on the opportunity IoT presents.
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
SYS-CON Events announced today that Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, will keynote at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in high-performance, high-efficiency server, storage technology and green computing, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/Big Data, HPC and Embedded Systems worldwide. Supermi...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
The IoT market is on track to hit $7.1 trillion in 2020. The reality is that only a handful of companies are ready for this massive demand. There are a lot of barriers, paint points, traps, and hidden roadblocks. How can we deal with these issues and challenges? The paradigm has changed. Old-style ad-hoc trial-and-error ways will certainly lead you to the dead end. What is mandatory is an overarching and adaptive approach to effectively handle the rapid changes and exponential growth.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
The IoT is upon us, but today’s databases, built on 30-year-old math, require multiple platforms to create a single solution. Data demands of the IoT require Big Data systems that can handle ingest, transactions and analytics concurrently adapting to varied situations as they occur, with speed at scale. In his session at @ThingsExpo, Chad Jones, chief strategy officer at Deep Information Sciences, will look differently at IoT data so enterprises can fully leverage their IoT potential. He’ll share tips on how to speed up business initiatives, harness Big Data and remain one step ahead by apply...
There will be 20 billion IoT devices connected to the Internet soon. What if we could control these devices with our voice, mind, or gestures? What if we could teach these devices how to talk to each other? What if these devices could learn how to interact with us (and each other) to make our lives better? What if Jarvis was real? How can I gain these super powers? In his session at 17th Cloud Expo, Chris Matthieu, co-founder and CTO of Octoblu, will show you!
Developing software for the Internet of Things (IoT) comes with its own set of challenges. Security, privacy, and unified standards are a few key issues. In addition, each IoT product is comprised of at least three separate application components: the software embedded in the device, the backend big-data service, and the mobile application for the end user's controls. Each component is developed by a different team, using different technologies and practices, and deployed to a different stack/target - this makes the integration of these separate pipelines and the coordination of software upd...
As a company adopts a DevOps approach to software development, what are key things that both the Dev and Ops side of the business must keep in mind to ensure effective continuous delivery? In his session at DevOps Summit, Mark Hydar, Head of DevOps, Ericsson TV Platforms, will share best practices and provide helpful tips for Ops teams to adopt an open line of communication with the development side of the house to ensure success between the two sides.
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi's VP Business Development and Engineering, will explore the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context w...
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, will explore the current state of IoT connectivity and review key trends and technology requirements that will drive the Internet of Things from hype to reality.
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Nowadays, a large number of sensors and devices are connected to the network. Leading-edge IoT technologies integrate various types of sensor data to create a new value for several business decision scenarios. The transparent cloud is a model of a new IoT emergence service platform. Many service providers store and access various types of sensor data in order to create and find out new business values by integrating such data.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
There are so many tools and techniques for data analytics that even for a data scientist the choices, possible systems, and even the types of data can be daunting. In his session at @ThingsExpo, Chris Harrold, Global CTO for Big Data Solutions for EMC Corporation, will show how to perform a simple, but meaningful analysis of social sentiment data using freely available tools that take only minutes to download and install. Participants will get the download information, scripts, and complete end-to-end walkthrough of the analysis from start to finish. Participants will also be given the pract...
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, will introduce the technologies required for implementing these ideas and some early experiments performed in the Kurento open source software community in areas ...
Electric power utilities face relentless pressure on their financial performance, and reducing distribution grid losses is one of the last untapped opportunities to meet their business goals. Combining IoT-enabled sensors and cloud-based data analytics, utilities now are able to find, quantify and reduce losses faster – and with a smaller IT footprint. Solutions exist using Internet-enabled sensors deployed temporarily at strategic locations within the distribution grid to measure actual line loads.