Open-source license consequences

Practitioner-grade reference for the licenses analysts encounter most. For each: the obligations, where it's safe to use, and how teams typically violate it. Not legal advice — when in doubt, ask counsel.

Decision shorthand

  • Permissive (MIT, Apache-2, BSD, ISC) → safe for proprietary, SaaS, embedded. Just preserve attribution.
  • Weak copyleft (LGPL, MPL-2, EPL-2) → safe with discipline. Track which files you modify; prefer dynamic linking for LGPL.
  • Strong copyleft (GPL-2, GPL-3) → unsafe for proprietary distribution. Safe in pure-OSS or SaaS-only deployment.
  • Network copyleft (AGPL-3) → SaaS distribution triggers source disclosure. Most enterprises blanket-prohibit.
  • Source-available (BUSL, SSPL, Elastic-2) → not OSS. Treat as proprietary; track change-dates for BUSL converters.
  • Public-domain (CC0, 0BSD) → no obligations; 0BSD preferred for code where patent risk matters.
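As an added example (not part of this reference), here is a small Python policy check that operationalises the decision shorthand above: it maps SPDX identifiers onto the OK / Caution / Avoid verdicts given on the license cards, folds `-only` / `-or-later` / `+` suffixes onto one row, fails closed on identifiers it does not recognise, and re-evaluates a BUSL dependency under its change license once the change date has passed. The dependency list, the change date and the change license it carries are constructed sample data, not facts about any package.

```python
import re
from datetime import date

MODES = ("proprietary", "saas", "static_link")

# Verdict rows (proprietary product, SaaS / hosted, static link) copied from
# the license cards on this page; ids are matched after suffix normalisation.
_OK, _NO = ("OK",) * 3, ("Avoid",) * 3
MATRIX = {
    "MIT": _OK, "Apache-2.0": _OK, "BSD-3-Clause": _OK, "BSD-2-Clause": _OK,
    "ISC": _OK, "0BSD": _OK, "CC0-1.0": _OK, "MPL-2.0": _OK, "EPL-2.0": _OK,
    "LGPL-3.0": ("Caution", "OK", "Caution"),
    "GPL-2.0": ("Avoid", "OK", "Avoid"), "GPL-3.0": ("Avoid", "OK", "Avoid"),
    "AGPL-3.0": _NO, "BUSL-1.1": _NO, "SSPL-1.0": _NO,
    "Elastic-2.0": ("Caution", "Avoid", "Caution"),
}

def normalize(spdx):
    """Fold 'GPL-2.0-only', 'GPL-2.0-or-later' and 'GPL-2.0+' onto one row."""
    return re.sub(r"(-only|-or-later|\+)$", "", spdx.strip())

def verdict(spdx, mode, today=None, change_date=None, change_license=None):
    """Verdict for one dependency in one deployment mode; unrecognised ids
    fail closed as 'Avoid'. Dates are ISO strings. A BUSL dependency past its
    change_date is re-evaluated under change_license (assumed metadata)."""
    lic = normalize(spdx)
    if lic == "BUSL-1.1" and change_date and change_license:
        if (today or date.today().isoformat()) >= change_date:
            lic = normalize(change_license)
    row = MATRIX.get(lic)
    return row[MODES.index(mode)] if row else "Avoid"

def audit(deps, mode, today=None):
    """deps: (name, spdx, change_date or None, change_license or None).
    Returns {name: verdict} for every dependency that is not 'OK'."""
    findings = {}
    for name, spdx, cd, cl in deps:
        v = verdict(spdx, mode, today, cd, cl)
        if v != "OK":
            findings[name] = v
    return findings

# Constructed sample dependency tree; names and the change date are illustrative.
SAMPLE = [
    ("left-pad", "MIT", None, None),
    ("libfoo", "LGPL-3.0-or-later", None, None),
    ("reportgen", "AGPL-3.0-only", None, None),
    ("terraform", "BUSL-1.1", "2027-01-01", "MPL-2.0"),
    ("mystery-lib", "SEE LICENSE IN README", None, None),
]
```

Run `audit(SAMPLE, "saas")` in CI and fail the build on any finding; the unknown-id entry shows why failing closed matters, since a scanner that silently passes unrecognised licenses hides exactly the source-available cases above.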

Common audit failures

  • Stripping license headers when minifying / transpiling JS bundles — Apache-2 NOTICE files in particular.
  • Static-linking LGPL / GPL libraries into a closed-source binary.
  • Treating SaaS as a copyleft loophole when an AGPL component is involved.
  • Treating BUSL or SSPL as open-source. Both are source-available — production use can require a paid contract.
  • Embedding GPL-3 in firmware that locks bootloader (anti-Tivoization breach).
  • Vendoring a fork without preserving the upstream license file.

Permissive (6)

MIT License

SPDX: MIT · Permissive

The most permissive widely used licence. Use, modify, distribute, sublicense — almost no obligations beyond preserving the copyright notice.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Compatible with proprietary products, SaaS, embedded shipping. The only common audit failure is forgetting attribution.

Patent grant: implicit · No network-use clause

Obligations

  • Include the original copyright notice and the permission notice in all copies / substantial portions of the software.

Common pitfalls

  • Forgetting to include the licence text when redistributing a minified or transpiled bundle.
  • Stripping author attributions in a 'NOTICES' rollup without preserving the underlying MIT text.

Apache License 2.0

SPDX: Apache-2.0 · Permissive

Permissive with explicit patent grant + retaliation clause. Preferred over MIT/BSD when patent risk matters.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Patent-grant clause means contributors can't sue you for patents covering their contributions. Pairs well with corporate compliance programs.

Patent grant: explicit · No network-use clause

Obligations

  • Preserve the LICENSE and NOTICE files from any modified source you redistribute.
  • State changes you made to the original files prominently.
  • Include attribution per the NOTICE file.

Common pitfalls

  • Failing to ship the NOTICE file with binary distributions.
  • Forgetting to mark modified files with a change notice.

BSD 3-Clause ("New BSD")

SPDX: BSD-3-Clause · Permissive

MIT-equivalent permissions plus a no-endorsement clause: you can't use the original author's name to promote your derivative.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Safe everywhere; treat it as MIT plus a marketing-copy review step.

Patent grant: implicit · No network-use clause

Obligations

  • Reproduce the copyright notice in source.
  • Reproduce the notice + disclaimer in binary distributions.
  • Don't use contributor names to endorse your product without permission.

Common pitfalls

  • Marketing copy that name-drops a BSD-3 contributor as if they endorse you.

Used by: postgresql · go (stdlib) · freebsd · nginx (BSD-2)

BSD 2-Clause ("Simplified BSD")

SPDX: BSD-2-Clause · Permissive

BSD-3 minus the no-endorsement clause. Functionally near-identical to MIT.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Use freely; preserve attribution.

Patent grant: implicit · No network-use clause

Obligations

  • Reproduce the copyright notice + disclaimer in source and binary.

Common pitfalls

  • Same as MIT — attribution drops in transpiled bundles.

ISC License

SPDX: ISC · Permissive

Functionally equivalent to MIT with terser language. Default for many newer npm packages.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Treat as MIT.

Patent grant: implicit · No network-use clause

Obligations

  • Preserve the copyright + permission notice.

Common pitfalls

  • Same MIT-style attribution gap in build tooling.

BSD Zero Clause License

SPDX: 0BSD · Permissive

No obligations at all — closer to public-domain dedication while remaining valid in jurisdictions that don't recognize PD.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

The most permissive viable license. No attribution required.

Patent grant: none · No network-use clause

Public domain (1)

Creative Commons Zero v1.0 Universal

SPDX: CC0-1.0 · Public domain

Effective public-domain dedication. No copyright, no obligations. CC0 is generally considered safe but not patent-clear.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Safe; if you ship to a patent-sensitive market consider replacing with 0BSD / MIT.

Patent grant: none · No network-use clause

Common pitfalls

  • Some lawyers treat CC0 as risky for code because its patent-grant story is weak — prefer 0BSD or MIT for code if patent risk matters.

Weak copyleft (3)

GNU Lesser General Public License 3.0

SPDX: LGPL-3.0-or-later · Weak copyleft

Library copyleft. You can dynamically link from a proprietary product without infecting it, but modifications to the library itself must be released under LGPL.

Proprietary product: Caution · SaaS / hosted: OK · Static link: Caution

Safe for SaaS (no distribution → no copyleft trigger). On-prem / shipped binaries: prefer dynamic linking; if static-linking, follow §6 of LGPL strictly.

Patent grant: explicit · No network-use clause

Obligations

  • Modifications to the LGPL'd library must be open-sourced under LGPL.
  • Distribute the LGPL library's source (or a written offer) with your product.
  • Allow end-users to relink the library — typically by dynamic linking, or shipping object files.
  • Preserve the copyright + LGPL notice.

Common pitfalls

  • Static-linking an LGPL library into a closed-source binary without providing the object files needed to relink.
  • Modifying the library and not publishing the changes when you ship.
  • Using on iOS where dynamic linking of third-party libs is restricted.

Used by: glibc · qt (LGPL parts) · ffmpeg (LGPL build)

Mozilla Public License 2.0

SPDX: MPL-2.0 · Weak copyleft

File-level copyleft: only the files you modify need to be released under MPL. The rest of your codebase stays proprietary.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

MPL-2.0 is one of the most pragmatic copyleft licenses. Just track which files you actually modified.

Patent grant: explicit · No network-use clause

Obligations

  • Source for any MPL-licensed file you modify must be made available.
  • Preserve copyright notices.
  • Disclose recipients of the modified files where they can get the source.

Common pitfalls

  • Bundling an MPL file into a single-file build and forgetting to publish the modified file separately.
  • Mixing edits to MPL files with proprietary additions in the same file, so analysts later have to split the file apart.

Eclipse Public License 2.0

SPDX: EPL-2.0 · Weak copyleft

File-level copyleft similar to MPL-2.0, but with an optional secondary-license clause that can make it GPL-compatible.

Proprietary product: OK · SaaS / hosted: OK · Static link: OK

Manageable in proprietary products if you keep your modifications scoped to specific EPL files.

Patent grant: explicit · No network-use clause

Obligations

  • Source for modified EPL files must be available.
  • Preserve attribution.
  • Patent retaliation clause applies.

Common pitfalls

  • Treating it as fully GPL-compatible; it is only when the secondary-license clause is invoked.

Strong copyleft (2)

GNU General Public License 2.0

SPDX: GPL-2.0-or-later · Strong copyleft

Strong copyleft. Any work that 'derives from' the GPL'd code, when distributed, must itself be GPL — entire derivative work, source available.

Proprietary product: Avoid · SaaS / hosted: OK · Static link: Avoid

Avoid in proprietary on-prem / shipped products. SaaS is OK for GPL-2.0/3.0 because you don't 'distribute' the binary — but see AGPL for the SaaS gap. Note: GPL-2.0 has no explicit patent grant, GPL-3.0 does.

Patent grant: implicit · No network-use clause

Obligations

  • Any distributed binary built from / linked against GPL code must ship under GPL.
  • Provide source code (or written offer for 3 years) on distribution.
  • Preserve copyright + GPL notice; no further restrictions allowed.

Common pitfalls

  • Static-linking a GPL library into a closed-source product (Linksys / Cisco BusyBox cases).
  • 'But our customer is internal' — internal distribution to an external entity (even subsidiary, in some readings) can trigger.
  • Bundling GPL plugins via a static plugin loader rather than a shell-out / IPC boundary.

GNU General Public License 3.0

SPDX: GPL-3.0-or-later · Strong copyleft

GPL-2 plus explicit patent grant, anti-Tivoization clause, and DRM-circumvention safeguards. Same copyleft scope.

Proprietary product: Avoid · SaaS / hosted: OK · Static link: Avoid

Same as GPL-2 with stronger consumer-protection teeth. Avoid in shipped firmware unless your hardware is user-flashable.

Patent grant: explicit · No network-use clause

Obligations

  • All GPL-2 obligations.
  • Provide installation information ("anti-Tivoization") for user-modifiable consumer hardware.
  • Cannot use GPL'd code while imposing software patents on downstream users.

Common pitfalls

  • Shipping firmware that locks the bootloader against user-modified GPL'd code.
  • Mixing GPL-3 code into a GPL-2-only project (incompatible without explicit dual-license).

Network copyleft (1)

GNU Affero GPL 3.0

SPDX: AGPL-3.0-or-later · Network copyleft

GPL-3 plus the network-use clause — running modified code as a network service triggers the source-disclosure obligation, even without distributing binaries.

Proprietary product: Avoid · SaaS / hosted: Avoid · Static link: Avoid

Avoid for any proprietary or closed-source SaaS. Many large companies blanket-prohibit AGPL for this reason. Safe in fully open-source projects.

Patent grant: explicit · Network-use clause

Obligations

  • All GPL-3 obligations.
  • Users interacting over a network with the modified service must be offered the corresponding source code.

Common pitfalls

  • Treating SaaS hosting as a 'no distribution' loophole — AGPL closes it.
  • Modifying an AGPL'd library inside a closed-source web app and not publishing the diff.
  • Using AGPL code in microservice glue, then having to open-source the entire service.

Used by: mongodb (pre-2018 server) · iconic gnu utilities · minio (pre-2024) · mastodon

Source-available (not OSS) (3)

Business Source License 1.1

SPDX: BUSL-1.1 · Source-available (not OSS)

Source-available, NOT open-source. Free for non-production use; commercial use requires a paid licence; converts to a permissive licence after a 'change date' (typically 4 years).

Proprietary product: Avoid · SaaS / hosted: Avoid · Static link: Avoid

Treat as proprietary unless you have a paid licence. Track each component's individual change-date; they auto-relicense to a permissive licence on that date.

Patent grant: none · No network-use clause

Obligations

  • Read the 'Additional Use Grant' carefully — vendor-specific.
  • Pay for production use during the source-available period.
  • Track the change-date; the codebase auto-converts to e.g. Apache-2.0 after that.

Common pitfalls

  • Assuming BUSL = open source. It is not. OSI does not approve it.
  • Using HashiCorp Terraform 1.6+, MariaDB MaxScale, or Sentry in production without a paid contract.

Used by: terraform 1.6+ · vault 1.15+ · consul 1.17+ · mariadb maxscale

Server Side Public License v1.0

SPDX: SSPL-1.0 · Source-available (not OSS)

Source-available, NOT OSI-approved. Modified AGPL where running a hosted service requires open-sourcing the entire stack (orchestration, monitoring, billing).

Proprietary product: Avoid · SaaS / hosted: Avoid · Static link: Avoid

Effectively closed for any commercial SaaS embedding. Many enterprises blanket-prohibit it. If you need MongoDB / Elastic / Redis, use the official managed offerings or fork from the last permissive version.

Patent grant: implicit · Network-use clause

Obligations

  • Hosting an SSPL'd service forces you to release the surrounding service-management code under SSPL.

Common pitfalls

  • Used by MongoDB (post-2018), Elastic (pre-2024), Redis (post-2024). AWS, GCP, and major distros classify it as not-open-source and have stopped redistributing.
  • Internal-only deployment is technically allowed, but the trigger ('offering as a service to third parties') is broad.

Used by: mongodb 4.0+ · elasticsearch 7.10+ (pre-2024) · redis 7.4+ (post-2024)

Elastic License 2.0

SPDX: Elastic-2.0 · Source-available (not OSS)

Source-available, no copyleft. Forbids: providing the software as a managed service, circumventing licence keys, removing licensing features.

Proprietary product: Caution · SaaS / hosted: Avoid · Static link: Caution

Fine for internal use; unsafe if your product is a hosted service that exposes the licensed software.

Patent grant: implicit · No network-use clause

Obligations

  • Read § 'Limitations'. Internal use is fine; reselling as a service is not.

Common pitfalls

  • Building a managed-Elasticsearch SaaS — explicitly prohibited.

Proprietary (1)

Proprietary / Custom EULA

SPDX: Proprietary · Proprietary

All rights reserved. Use, redistribution, and modification gated by a per-vendor agreement. Read the contract.

Proprietary product: Caution · SaaS / hosted: Caution · Static link: Caution

Outcome depends entirely on the contract.

Patent grant: none · No network-use clause

Obligations

  • Whatever the contract says. Track licence keys, seat limits, audit clauses.

Common pitfalls

  • Using vendored copies past licence expiry.
  • Failing audit because of seat-count drift in CI.
  • Embedding in a redistributed product without a redistribution rider.

Tooling adjacent to this

  • licenseclassifier — Google's tool for detecting license headers in source.
  • licensed — caches and verifies dependency licenses in CI.
  • OSS Review Toolkit — full SPDX scan + report.
  • REUSE — FSFE's spec for declaring per-file licenses cleanly.
  • For your own dependency tree: register an asset profile with packages — future versions can pull license data from OSV alongside vulns.

Not legal advice. Sourced from SPDX · choosealicense.com · OSI. Last reviewed by ZeroDayAttack maintainers — when in doubt, ask counsel.