OPEN SOURCE LICENSE COMPLIANCE

License Categories | Copyleft | Permissive | Compliance | Attribution | Distribution Rights

PREAMBLE

This Open Source License Compliance Guide, effective [Date] for [Project], governs the use and distribution of open-source software. Legal Framework: Open Source Definition (OSD), GPL v3 (Copyleft), MIT License (Permissive), Apache 2.0 (Permissive + IP Protection), US Copyright Fair Use 17 USC §107.

1. LICENSE CATEGORIES & OBLIGATIONS

1.1 Copyleft Licenses (INFECTIOUS): Per GPL v3 §5:
☑ GPL v2/v3: Source code must be disclosed + same license for derivatives
☑ AGPL v3: Applies to network services (disclosure even for cloud use per §13)
☑ Obligation: If you modify or distribute, the ENTIRE product must be GPL (viral clause per §2(b))
☑ Attribution: Must retain copyright notices, license text (§4(a))
☑ Warranty Disclaimer: No warranty provided (per §15 + §16)
1.2 Permissive Licenses (NON-VIRAL): Per MIT License:
☑ MIT/BSD/Apache: Can use in commercial products (no open-source requirement)
☑ Obligation: Retain copyright + license notice only
☑ Attribution: Include copy of MIT text (minimal)
☑ Modification: Allowed without re-licensing (unlike GPL per GPL FAQ)
1.3 MIXED LICENSE PROJECTS: If a project uses multiple licenses, per OSD §9 (License Compatibility):
• Most restrictive applies (typically GPL if any GPL component used)
• Document each component's license (REQUIRED per SPDX License List)
• Run license compatibility check (tools: FOSSA, Black Duck)

2. USING OPEN-SOURCE COMPONENTS

2.1 Dependency Management: When including third-party open-source components, per OSD §5 (No Discrimination):
• Identify ALL dependencies (direct + transitive)
• Document: License, copyright holder, version per SPDX format
• Maintain: License compliance file (LICENSE.txt / LICENSES/ folder)
• Tools: SBOM (Software Bill of Materials) per NTIA Minimum Elements
2.2 Attribution Requirements: For each OSS component per GPL §4(a):
☑ Retain original copyright notices (do NOT remove per §4(a))
☑ Include license file (verbatim copy required)
☑ Provide download link (source access per §6)
☑ Note modifications (if you changed code, per §5(a))
2.3 Source Code Availability (REQUIRED): Per GPL §6 (Conveyance of Source Code):
• GPL: Must provide source code (machine-readable per §6(a)) or written offer
• Apache 2.0: Source available if distributed in binary form per §3
• Typical: GitHub link + archive (tar.gz, zip) for releases

3. DISTRIBUTING YOUR PROJECT WITH OSS

3.1 GPL Derivative (COPYLEFT): If your product contains GPL code per GPL §2:
☑ MUST release entire product as open-source (same license per §2(b))
☑ Cannot sell proprietary version (copyleft applies to derivative per §2(b))
☑ Must provide source code to users (per §6)
☑ Users have rights: modify, distribute, use freely (per §1-3)
3.2 Permissive (COMMERCIAL-FRIENDLY): If MIT/Apache/BSD code used per MIT License:
☑ CAN release as proprietary (no open-source requirement)
☑ CAN commercialize without source disclosure
☑ MUST retain copyright/license notice only
☑ Recommended: NOTICE file with all licenses (best practice)
3.3 Linking & Distribution: Per GPL FAQ (Linking):
• Static linking (code included): Subject to GPL per §2
• Dynamic linking (shared library): May allow proprietary use (interpretation disputed)
• AGPL applies even to network service use (per §13)

4. COMPLIANCE CHECKLIST & ENFORCEMENT

4.1 Before Distribution: Verify compliance per OSD:
☐ All OSS licenses identified (SBOM prepared)
☐ License compatibility confirmed (check matrix)
☐ Copyright notices retained (all files)
☐ License texts included (LICENSE / LICENSES folder)
☐ Attribution file created (CONTRIBUTORS.md)
☐ Source code accessible (GitHub, archive)
☐ License headers in code files (per license requirements)
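The review steps in 1.3 (most restrictive license applies), 2.1 (record license, copyright holder and version per SPDX), 2.2 (attribution) and the 4.1 checklist can be run mechanically over an SBOM. The script below is an added example written for this guide and is not code from the guide or from any of the tools it names. It assumes components are recorded with SPDX short identifiers (MIT, Apache-2.0, GPL-3.0-only, AGPL-3.0-only and the like are real SPDX IDs; "NOASSERTION" is the SPDX value for an unidentified license); the component names, versions and URLs in SAMPLE_SBOM are constructed. It classifies each component, derives the effective category under the "most restrictive applies" rule, reports findings against the intended distribution model (proprietary binary, SaaS, or open-source), and renders a NOTICE file carrying the retained copyright lines, modification notes and source locations.

```python
"""Added example: SBOM license review for the compliance checklist above.
Categories and findings follow the guide's own rules; sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List


@dataclass
class Component:
    name: str
    version: str
    license_id: str        # SPDX short identifier as recorded in the SBOM
    copyright: str         # notice to retain verbatim (GPL §4(a), MIT)
    modified: bool = False  # we changed the source, so note it (GPL §5(a))
    source_url: str = ""    # where recipients can obtain source (GPL §6)


# Constructed sample SBOM: names, versions and URLs are made up for this example.
SAMPLE_SBOM: List[Component] = [
    Component("tinyjson", "2.1.0", "MIT", "Copyright (c) 2020 Example Authors",
              source_url="https://example.invalid/tinyjson"),
    Component("fastsum", "0.9.3", "Apache-2.0", "Copyright 2021 Example Corp",
              source_url="https://example.invalid/fastsum"),
    Component("netkit", "4.0.1", "AGPL-3.0-only", "Copyright (C) 2022 Example Project",
              modified=True, source_url="https://example.invalid/netkit"),
    Component("oldutil", "1.0.0", "NOASSERTION", ""),   # license never identified
]

# Higher index = more restrictive; the guide's "most restrictive applies" rule.
RANK = ["permissive", "copyleft", "network-copyleft"]
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Apache-2.0"}
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}


def classify(license_id: str) -> str:
    """Map an SPDX ID to the guide's categories; anything else is 'unknown'."""
    if license_id in NETWORK_COPYLEFT:
        return "network-copyleft"
    if license_id in COPYLEFT:
        return "copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def effective_category(sbom: List[Component]) -> str:
    """Most restrictive category across all components; 'unknown' blocks the answer."""
    cats = [classify(c.license_id) for c in sbom]
    if "unknown" in cats:
        return "unknown"
    return max(cats, key=RANK.index)


def review(sbom: List[Component], distribution: str) -> List[str]:
    """Findings for a planned distribution: 'proprietary-binary', 'saas' or 'open-source'."""
    findings: List[str] = []
    for c in sbom:
        cat = classify(c.license_id)
        if cat == "unknown":
            findings.append(f"{c.name}: license '{c.license_id}' not identified; resolve before release")
            continue
        if cat in ("copyleft", "network-copyleft") and distribution == "proprietary-binary":
            findings.append(f"{c.name}: {c.license_id} requires the combined work to carry the same license")
        if cat == "network-copyleft" and distribution == "saas":
            findings.append(f"{c.name}: {c.license_id} applies to network use; source must be offered to users (§13)")
        if cat != "permissive" and not c.source_url:
            findings.append(f"{c.name}: no source location recorded (GPL §6)")
        if not c.copyright:
            findings.append(f"{c.name}: copyright notice missing (must be retained)")
    return findings


def render_notice(sbom: List[Component]) -> str:
    """Attribution file: one entry per component with notice, modification flag, source."""
    lines = ["THIRD-PARTY NOTICES", ""]
    for c in sbom:
        lines.append(f"{c.name} {c.version} ({c.license_id})")
        if c.copyright:
            lines.append(f"  {c.copyright}")
        if c.modified:
            lines.append("  Modified from upstream; see the source archive for the changes.")
        if c.source_url:
            lines.append(f"  Source: {c.source_url}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Effective category:", effective_category(SAMPLE_SBOM))
    for f in review(SAMPLE_SBOM, "proprietary-binary"):
        print("FINDING:", f)
    print(render_notice(SAMPLE_SBOM))
```

With the sample data the unidentified "oldutil" entry blocks a verdict entirely, which is the intended behaviour: a component whose license is unknown cannot be cleared, so the first action in 4.1 ("all OSS licenses identified") is enforced before any compatibility conclusion is drawn. Dropping that entry yields "network-copyleft" as the effective category because of the AGPL component, and the proprietary-binary and SaaS reviews each produce exactly the finding the guide's sections 3.1 and 5.2 describe.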
4.2 Enforcement (REAL RISK): Violations are subject to enforcement per GPL §7 (No Additional Restrictions):
• Copyright holders can sue for infringement (statutory damages per 17 USC §504)
• BSA (Business Software Alliance) enforces on behalf of holders
• Injunctions common (cease distribution per copyright law)
• Recent cases: Hellaware (GPL violation), VMware (AGPL enforcement)
4.3 Common Violations:
✗ Removing copyright notices (violation per §4)
✗ Not providing source code (GPL §6)
✗ Claiming proprietary on GPL code
✗ Ignoring AGPL network service requirement (§13)

5. GPL vs AGPL vs PROPRIETARY

5.1 GPL v3 Scope: Applies to distribution/installation per §2:
• Binary distribution: Must offer source code (per §6)
• Modification: Must license derivative works under GPL (per §2(b))
• Exception: Private use (no distribution = no obligation per §1)
5.2 AGPL v3 Scope: EXTENDS to network services per §13:
• Even if NOT distributed, AGPL applies if software runs over network
• SaaS providers must disclose source to users (§13)
• Cloud hosting triggers disclosure (major impact for businesses)
5.3 Proprietary vs Open-Source: Key decision per GNU: Choosing Licenses:
• If using GPL code: Must go open-source (or don't use it)
• If using MIT/Apache: Can stay proprietary (recommend NOTICE file)
• AGPL: Risky for web services (disclosure requirement)

6. GOVERNING LAW & DISPUTES

Law: Open Source licenses governed by copyright law (17 USC for US, UrhG for Germany) | Disputes: Copyright infringement claims in federal court
Disclaimer: This is compliance guidance, not legal advice. Consult counsel for specific license interpretation.

CRITICAL OSS ISSUES:
• GPL is copyleft (viral): the entire product must be open-source if GPL code is used, per §2(b).
• AGPL extends to SaaS: disclosure is required for network services, per §13.
• MIT/Apache are permissive: you can commercialize, just include the notice.
• Source code is MANDATORY for GPL distribution, per §6.
• Copyright notices must be retained; removal is a violation, per §4.
• Attribution files are required (LICENSES/ folder per SPDX).
• An SBOM (Software Bill of Materials) is best practice.
• License compatibility must be verified (tools: FOSSA, Black Duck).
• Static linking is subject to GPL; dynamic linking is disputed.
• Enforcement is real: copyright holders sue for damages, per §504.
• Common violations: removing notices, not providing source, claiming proprietary on GPL code.
• Mixed licenses: the most restrictive applies.
• Private use is exempt: no distribution means no GPL obligation, per §1.