Updated Oct 16, 2019
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
There are two major types of open-source licenses: copyleft and permissive. In this article, we’ll compare these two types of licenses, and also take a look at examples of each.
Copyleft and permissive licenses: what’s the difference?
Both copyleft and permissive licenses allow developers to copy, modify, and redistribute code (derivative or otherwise) freely. The most important difference between the two, however, lies in how each approaches copyright privileges.
While permissive licenses allow developers to include their own copyright statements, copyleft licenses provide no such privilege. Instead, copyleft license rules require all derivative works to be subject to the original license. This means that developers cannot make patent or copyright claims on the original software.
According to research by White Source, the most popular permissive licenses are MIT and Apache 2.0, with BSD in a distant third place. The GNU GPLv3 is the most popular copyleft license but is steadily losing market share compared to permissive licenses.
The MIT open-source license is permissive in nature and also one of the simplest. It basically allows developers to modify or re-calibrate source code according to their preferences.
The MIT license always includes a copyright statement and a disclaimer, which explains that the software is provided “as is” and that copyright holders will not be held liable for any claims or liabilities.
Holders of the MIT license can produce, without restrictions, any derivative works from the original software and even reap commercial benefits from the sale of the secondary product.
The MIT license is GPL-compatible, but unlike the traditionally restrictive GPL, it isn’t viral. This means that developers can modify the original code without “infecting” the resultant derivative code with the original license.
Apache 2.0 License
This license was released in 2004, replacing the original Apache version 1.1. Like the modified BSD and MIT licenses, the Apache 2.0 is permissive in nature.
The Apache 2.0 version clearly defines what constitutes legal entities, derivative works, and contributions. It also explicitly specifies the terms surrounding the grant of patent rights, which is absent in the BSD, Apache v1.1, and MIT licenses. Notably, in the event that litigation for patent infringement is pursued against any entity, all patent licenses granted to developers under Apache 2.0 will be discontinued as of the date litigation is filed.
The Apache 2.0 license also has strict rules pertaining to redistribution rights. It specifically requires recipients of any derivative work to be provided a copy of the Apache 2.0 license. Most notably, developers must provide unequivocal statements verifying that files have been modified. The source form of any derivative work must also retain all copyright, patent, and attribution notices from the source form of the original software.
Finally, if the original work includes attribution notices (within a NOTICE text file), developers must ensure that derivative works also include the NOTICE file. Developers include their own attribution notices and copyright statements with said file. As stated, the newly modified BSD licenses do not address patent rights issues; so, the Apache 2.0’s clearly defined rules regarding patent and redistribution rights are clearly unique in their nature.
BSD License or 3-Clause BSD License
These permissive open-source licenses are similar to the MIT license, with a small but important difference: while they include the same copyright and disclaimer notices, they also provide an extra non-attribution clause that protects the original creator of the software. This clause is informally known as the “non-endorsement clause.” It requires developers to obtain express permission before using the original name of the creator to promote derivative products.
The 3-clause BSD also requires redistributions in binary form to include the original copyright notice, disclaimer, and list of required conditions.
Essentially, the 3-Clause BSD license is a new modification of the original 4-clause BSD license. In the 3-Clause BSD, the “advertising clause” is left out, which required all advertisements mentioning the use of the software to acknowledge the authorship of UCLA Berkeley and its contributors.
This “advertising clause” made the attribution compliance process a cumbersome one and eventually caused the 4-clause BSD license to become incompatible with the GNU GPL. On July 22, 1999, the clause was rescinded. To date, the 2-clause and 3-clause BSD licenses omit the “advertising clause,” making them compatible with GPL.
The simplified 2-Clause BSD license omits the “advertising clause” (from the original 4-clause BSD) and the “non-endorsement clause” from the 3-clause BSD license. Notably, the Net BSD Project (which involves a Berkeley-designed Unix-like operating system) utilizes the 2-clause BSD license.
GPLv3 Open Source Licenses
The GPL (General Public License) is the most popular copyleft license. The FSF (Free Software Foundation) works to ensure that GPL protects the freedom of all users to modify and distribute code as they see fit.
The GPL is based on four freedoms: the freedom to use the source code for any purpose, the freedom to make modifications, the freedom to share the source code with anyone, and the freedom to share changes.
Contrary to public opinion, GPL does not prohibit users from selling derivative works that are based on the original source code; it merely requires source code to be freely available to anyone who wants it. This is the “reciprocity obligation.”
To date, the GPLv3 replaces the GPLv2. Most notably, the GPLv3 is now compatible with other licenses, such as the Apache 2.0.
According to the FSF, the GPLv3 also protects its users in three ways that distinguish it from other open-source licenses:
- First, it prohibits source code manipulations, preventing end-users from making modifications.
- Second, the GPLv3 complies with the tenets of international laws such as the Digital Millennium Copyright Act and the European Union Copyright Directive. This makes it easier for foreign developers to use the license outside the United States.
- Third, the new GPLv3 prevents corporations like Microsoft from infringing on patent rights. And it avoids collecting royalties for the use of free software.
To date, the FSF has also released the Affero GPL, which facilitates programs running on servers, and the LGPL (Lesser General Public License), a more permissive form of the GPLv3.
Managing the open-source licenses in your project
It seems like every open-source library has its own different type of license. When you are developing an application with hundreds of libraries, tracking the required licenses can become a headache. But accurate license management is critical to avoid potential legal issues. A Source Code Analysis tool (SCA) like Kiuwan Insights is essential.
Kiuwan Insights helps you manage the open-source libraries in projects quickly and easily. With just a couple of clicks, you can generate an accurate inventory of the components used during builds or in applications. You’ll get detailed information about your open source components, including:
- What licenses are required
- Whether any components are obsolete or unused
- Whether there are any security risks involved in their usage.
Reduce the risk incurred by using open-source components. Try Kiuwan Insights for free today here.
Recommended Reading: 5 Reasons Why Open Source is Good for Your Company