AgentSkillsCN

open-source-licensing

在选择、使用或分发开源软件时,了解许可证义务。涵盖宽松许可证与Copyleft许可证、许可证兼容性、合规性义务,以及用于许可证审计的SCA工具。 适用范围:开源许可证、MIT、Apache、GPL、LGPL、MPL、BSD、Copyleft、宽松许可证、许可证兼容性、OSS合规、SBOM许可证审计、贡献者许可证协议、双重许可。 不适用范围:知识产权归属问题(使用知识产权技能)、自定义许可证制定(应咨询法律顾问)、软件专利分析(使用知识产权技能)。

SKILL.md
--- frontmatter
name: open-source-licensing
description: |
    Use when selecting, using, or distributing open-source software and understanding license obligations. Covers permissive vs copyleft licenses, license compatibility, compliance obligations, and SCA tools for license auditing.
    USE FOR: open-source licenses, MIT, Apache, GPL, LGPL, MPL, BSD, copyleft, permissive, license compatibility, OSS compliance, SBOM license auditing, contributor license agreements, dual licensing
    DO NOT USE FOR: IP ownership questions (use intellectual-property), creating custom licenses (consult legal counsel), software patent analysis (use intellectual-property)
license: MIT
metadata:
  displayName: "Open-Source Licensing"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Open-Source Licensing

Disclaimer: This skill provides general educational information about legal topics relevant to software development. It is not legal advice. Laws vary by jurisdiction and change frequently. Always consult a qualified attorney licensed in the relevant jurisdiction before making legal decisions for your organization.

Overview

Open-source software is the foundation of modern development, but every OSS component carries license obligations that can affect how you distribute your software. A single incompatible dependency can force you to relicense your product, release proprietary source code, or remove the component entirely. Understanding the spectrum of open-source licenses -- from permissive to strong copyleft -- is essential for any team that builds on open-source foundations.

License Categories

CategoryObligationsExamples
PermissiveMinimal: attribution, include license text, no warranty disclaimerMIT, Apache 2.0, BSD 2-Clause, BSD 3-Clause, ISC
Weak CopyleftModifications to the library must be shared under the same license, but you can link from proprietary codeLGPL 2.1, LGPL 3.0, MPL 2.0, EPL 2.0
Strong CopyleftDerivative works must use the same license -- this is the "viral" effectGPL 2.0, GPL 3.0, AGPL 3.0
Network CopyleftCopyleft is triggered even by network use (providing the software as a service) without traditional distributionAGPL 3.0

Common Licenses Quick Reference

LicensePermissionsConditionsLimitationsKey Risk
MITCommercial use, modification, distribution, private useInclude copyright notice and license textNo liability, no warrantyVery low -- one of the most permissive licenses
Apache 2.0Commercial use, modification, distribution, patent use, private useInclude copyright notice, license text, state changes, include NOTICE fileNo liability, no warranty, no trademark useLow -- includes explicit patent grant, which is an advantage
BSD 2-ClauseCommercial use, modification, distribution, private useInclude copyright notice and license textNo liability, no warrantyVery low -- similar to MIT
GPL 2.0Commercial use, modification, distribution, private useDisclose source, include license, same license for derivative worksNo liability, no warrantyHigh -- derivative works must be GPL 2.0, no patent grant
GPL 3.0Commercial use, modification, distribution, patent use, private useDisclose source, include license, same license for derivative works, no tivoizationNo liability, no warrantyHigh -- derivative works must be GPL 3.0, includes anti-tivoization and patent provisions
LGPL 2.1Commercial use, modification, distribution, private useDisclose source of library modifications, include license, allow relinkingNo liability, no warrantyMedium -- modifications to the library must be LGPL, but linking from proprietary code is permitted
LGPL 3.0Commercial use, modification, distribution, patent use, private useDisclose source of library modifications, include license, allow relinkingNo liability, no warrantyMedium -- similar to LGPL 2.1 with GPL 3.0 base terms
MPL 2.0Commercial use, modification, distribution, patent use, private useDisclose source of modified files, include licenseNo liability, no warranty, no trademark useMedium -- file-level copyleft; only modified files must remain MPL
AGPL 3.0Commercial use, modification, distribution, patent use, private useDisclose source (including over network), include license, same licenseNo liability, no warrantyVery high -- network use triggers source disclosure; affects SaaS products
BSL (Business Source License)Non-production use; converts to open-source after change dateCannot use in production without commercial license until change dateProduction use restrictedHigh -- not a true open-source license; restricts commercial use until a specified date

License Compatibility Matrix

The following table shows whether code under the Inbound (column) license can be included in a project distributed under the Outbound (row) license:

Outbound \ InboundMITApache 2.0LGPL 2.1MPL 2.0GPL 2.0GPL 3.0AGPL 3.0
MITYesNoNoNoNoNoNo
Apache 2.0YesYesNoNoNoNoNo
LGPL 2.1YesNoYesNoNoNoNo
MPL 2.0YesYesNoYesNoNoNo
GPL 2.0YesNoYesYesYesNoNo
GPL 3.0YesYesYesYesNoYesNo
AGPL 3.0YesYesYesYesNoYesYes

Key insight: GPL is one-directional. Permissive code can be included in GPL projects, but GPL code cannot be included in permissive projects. Code flows "upward" toward more restrictive licenses but never "downward."

Compliance Obligations by Distribution Type

Distribution MethodObligationExamples
SaaS (no distribution)Fewer obligations -- most licenses are not triggered because no binary or source is distributed. Exception: AGPL requires source disclosure even for network use.Web applications, API services, hosted platforms
Binary distributionMust fulfill all license terms including attribution, license inclusion, and source disclosure (for copyleft).Desktop applications, mobile apps, embedded firmware
Source distributionInclude license notices and copyright headers in all distributed source files. Maintain LICENSE and NOTICE files.Libraries, SDKs, open-source projects, npm/PyPI packages
Container imagesBinary distribution rules apply. Container images are considered binaries containing all bundled dependencies.Docker images, OCI images published to registries

License Auditing Tools

ToolWhat It Does
FOSSAAutomated license compliance and vulnerability scanning across multiple languages and package managers. Generates SBOM and license reports.
SnykIdentifies open-source license risks alongside security vulnerabilities. Supports policy-based license filtering.
Black Duck (Synopsys)Enterprise-grade SCA tool for license compliance, vulnerability management, and code audit for M&A due diligence.
LicenseeRuby-based tool that identifies the license of a project by examining LICENSE files. Used by GitHub for license detection.
license-checker (npm)Scans npm dependencies and reports the license for each package. Supports allow/deny lists for CI enforcement.
pip-licenses (Python)Lists licenses of installed Python packages. Supports output in CSV, JSON, and Markdown for integration into compliance workflows.
go-licensesScans Go module dependencies and reports licenses. Can check for disallowed licenses and export license notices.

Contributor License Agreements (CLA)

A Contributor License Agreement is a legal document that contributors sign before their code is accepted into a project. CLAs grant the project maintainer (or owning organization) certain rights over the contributed code, typically including:

  • The right to relicense the contribution.
  • A patent license for any patents the contributor holds that are embodied in the contribution.
  • A representation that the contributor has the right to make the contribution.

Why projects use CLAs: CLAs protect the project from future IP disputes and give the maintainer flexibility to change the project's license or offer commercial licensing without needing to contact every past contributor.

CLA vs DCO (Developer Certificate of Origin): A DCO is a lighter-weight alternative where contributors sign off (via Signed-off-by in commit messages) that they have the right to submit the code and agree to the project's license. The Linux kernel uses DCO. CLAs provide broader rights to the project maintainer, while DCOs simply certify the contributor's right to contribute under the existing license.

Dual Licensing

Dual licensing is a business model in which software is released under two licenses simultaneously:

  1. An open-source license (often a strong copyleft license like GPL or AGPL) that is free for open-source use.
  2. A commercial license that allows proprietary use without the copyleft obligations, typically for a fee.

This model enables companies to sustain open-source development through commercial revenue. Users who are comfortable with the copyleft terms use the software for free; users who need proprietary use purchase a commercial license.

Examples:

  • MySQL — Available under GPL and a commercial license from Oracle.
  • Qt — Available under LGPL/GPL and a commercial license from The Qt Company.
  • MongoDB — Moved from AGPL to SSPL (Server Side Public License), which imposes strong copyleft-like conditions on service providers, effectively encouraging commercial licensing.

Best Practices

  • Always consult qualified legal counsel for GPL compliance. The boundary between a "derivative work" and an independent work is legally nuanced. A licensed attorney can evaluate your specific linking, modification, and distribution patterns.
  • Maintain a software bill of materials (SBOM). Track every open-source component, its version, and its license. An up-to-date SBOM is the foundation of license compliance.
  • Integrate license scanning into your CI/CD pipeline. Automated tools catch license issues before they reach production. Configure allow/deny lists to block incompatible licenses at build time.
  • Establish an open-source policy for your organization. Define which licenses are approved, which require legal review, and which are prohibited. Communicate this policy to all developers.
  • Review license obligations before adopting any new dependency. A quick check before adding a library is far less costly than discovering an incompatibility after shipping.
  • Pay special attention to AGPL in SaaS environments. AGPL's network copyleft provision can require you to disclose the source code of your entire application if you use an AGPL component in a networked service.
  • Track license changes across dependency updates. Libraries can change their license between versions. Ensure your tooling alerts you when a dependency's license changes.
  • Contribute back to the open-source projects you depend on. Beyond legal compliance, contributing upstream strengthens the ecosystem and builds goodwill with the communities that power your product.