The license of any external artifact (open-source or commercial) must be examined before that artifact is introduced into organization assets. The examination must determine the cost of complying with the terms of the license and any impairment to proprietary artifacts.
Intellectual properties are key assets of an organization. Every development group should protect its intellectual property and respect the intellectual property of others.
This policy applies to all licensed artifacts, regardless of the method of procurement. Downloadable artifacts require the same level of review as artifacts acquired from commercial sources through a formal contracting process.
- Employees must not use intellectual property from prior employers or engagements.
- Employees must not use non-organization intellectual property covered by a non-disclosure agreement.
Common uses of open source. Many open source licenses place restrictions on how the licensed artifact may be used:
- Some licenses restrict use with proprietary software.
- Some licenses require publication of any modifications and the source code of all derived work.
- Some licenses create exceptions for use of libraries.
Conveyance is any transfer of an artifact that enables others to make a copy of that artifact. Transferring any artifact to an on-premise device is conveyance. Any artifact running inside a web browser or email client is also a conveyed artifact.
Linked usage occurs when artifacts are combined into the product at runtime. This includes classes linked from the classpath or shared objects from a dynamic library.
Network usage clauses extend the concept of conveyance to any remotely provided service. Any cloud service is considered network usage.
Internal usage occurs when artifacts are neither transferred outside the organization nor used to provide a service to customers.
The Open Source Initiative (OSI) evaluates and categorizes open source licenses. A further classification of the OSI licenses that are popular, widely used, or backed by strong communities, from most restrictive to least restrictive, is: viral, dynamic linking, permissive.
A "copyleft" license requires any derived work that is "conveyed" to a customer to be released under the same "copyleft" license. This class of viral licenses requires source code disclosure of any derived work. Using a dependency under this class of license may damage the organization's intellectual property.
A "copyleft" license may carry an exception that allows proprietary software to link the artifact, as delivered, into the product. With this exception, dependent libraries (or jars) can be used without triggering the viral license requirement.
Permissive licenses allow the use of the licensed artifact for any purpose or use. These licenses usually disclaim any liability resulting from the use of that artifact.
In the following table, reviewed licenses are marked as being acceptable (✓) or not acceptable (✗) for common uses based upon their virality.
License | Internal | Network | Linked | Conveyed
---|---|---|---|---
Apache License 2.0 | ✓ | ✓ | ✓ | ✓
BSD "New" or "Revised" license | ✓ | ✓ | ✓ | ✓
"FreeBSD" license | ✓ | ✓ | ✓ | ✓
Common Development and Distribution License | ✓ | ✓ | ✓ | ✓
Eclipse Public License | ✓ | ✓ | ✓ | ✓
GNU General Public License | ✓ | ✓ | ✗ | ✗
GNU Affero General Public License | ✓ | ✗ | ✗ | ✗
"Lesser" General Public License | ✓ | ✓ | ✓ | ✗
MIT license | ✓ | ✓ | ✓ | ✓
Mozilla Public License 2.0 | ✓ | ✓ | ✓ | ✓
Oracle Binary Code License | ✓ | ✓ | ✓ | ✗
No explicit license | ✗ | ✗ | ✗ | ✗
Artifacts without an explicit license or release grant are implicitly copyrighted material. Artifacts without a license cannot be used.
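The table above is the kind of matrix that is easiest to enforce automatically at dependency-review time, before an artifact enters a build. The script below is an added example and not part of this policy or any organization's tooling: it encodes the table as a matrix keyed by SPDX identifier (the mapping from the policy's license names to SPDX identifiers, and the placeholder "Oracle-BCL" identifier, are assumptions of the example), evaluates each dependency's SPDX license expression for a chosen use, and rejects anything with no license or with a license the matrix has not reviewed. The dependency manifest is constructed for the example. It goes slightly beyond the table by handling dual-licensed ("A OR B": any acceptable alternative may be chosen) and combined ("A AND B": every part must be acceptable) expressions; parenthesized expressions are not handled.

```python
"""Dependency license check against the policy matrix (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

USES = ("internal", "network", "linked", "conveyed")

# Policy table above, keyed by SPDX identifier. The name-to-SPDX mapping is an
# assumption of this example; the policy lists license names, not SPDX ids.
LICENSE_MATRIX = {
    #  SPDX id             internal network linked conveyed
    "Apache-2.0":          (True,  True,  True,  True),
    "BSD-3-Clause":        (True,  True,  True,  True),   # BSD "New" or "Revised"
    "BSD-2-Clause":        (True,  True,  True,  True),   # "FreeBSD" license
    "CDDL-1.0":            (True,  True,  True,  True),
    "EPL-2.0":             (True,  True,  True,  True),   # policy gives no EPL version
    "GPL-2.0-only":        (True,  True,  False, False),
    "GPL-3.0-only":        (True,  True,  False, False),
    "AGPL-3.0-only":       (True,  False, False, False),
    "LGPL-2.1-only":       (True,  True,  True,  False),
    "LGPL-3.0-only":       (True,  True,  True,  False),
    "MIT":                 (True,  True,  True,  True),
    "MPL-2.0":             (True,  True,  True,  True),
    "Oracle-BCL":          (True,  True,  True,  False),  # placeholder id, not an SPDX identifier
}


@dataclass(frozen=True)
class Verdict:
    dependency: str
    use: str
    allowed: bool
    reason: str


def _single_allowed(spdx_id: str, use: str) -> Optional[bool]:
    """Matrix lookup for one identifier: True/False, or None if not reviewed."""
    row = LICENSE_MATRIX.get(spdx_id.strip())
    return None if row is None else row[USES.index(use)]


def expression_allowed(expr: Optional[str], use: str) -> Tuple[bool, str]:
    """Evaluate an SPDX license expression for one use; returns (allowed, reason).

    "A OR B": acceptable if any alternative is acceptable (the consumer picks it).
    "A AND B": acceptable only if every part is acceptable.
    AND binds tighter than OR, as in SPDX. Parentheses are not supported here.
    A missing license is implicitly copyrighted and is always rejected.
    An identifier absent from the matrix is unreviewed and is rejected pending review.
    """
    if use not in USES:
        raise ValueError(f"unknown use {use!r}; expected one of {USES}")
    if not expr or not expr.strip():
        return False, "no explicit license: implicitly copyrighted, cannot be used"
    unreviewed: List[str] = []
    for alternative in expr.split(" OR "):
        parts = [p.strip() for p in alternative.split(" AND ")]
        results = [_single_allowed(p, use) for p in parts]
        if None in results:
            unreviewed.extend(p for p, r in zip(parts, results) if r is None)
            continue
        if all(results):
            return True, f"acceptable under '{alternative.strip()}' for {use} use"
    if unreviewed:
        return False, f"unreviewed license(s) {sorted(set(unreviewed))}: license review required"
    return False, f"'{expr}' is not acceptable for {use} use"


def evaluate_dependencies(dependencies, use: str) -> List[Verdict]:
    """Apply the matrix to (name, spdx_expression) pairs for the given use."""
    return [Verdict(name, use, *expression_allowed(lic, use)) for name, lic in dependencies]


def violations(dependencies, use: str) -> List[Verdict]:
    """Only the dependencies that must be rejected for this use."""
    return [v for v in evaluate_dependencies(dependencies, use) if not v.allowed]


# Constructed sample manifest (hypothetical names), not a real project's SBOM.
SAMPLE_DEPENDENCIES = [
    ("web-framework", "Apache-2.0"),
    ("db-driver", "MIT OR GPL-2.0-only"),        # dual-licensed: MIT alternative suffices
    ("crypto-lib", "LGPL-3.0-only"),             # fine when linked, not when conveyed
    ("analytics-server", "AGPL-3.0-only"),       # internal use only per the table
    ("util-snippet", None),                      # copied in without any license
    ("legacy-parser", "Apache-2.0 AND WTFPL"),   # WTFPL is not in the matrix
]

if __name__ == "__main__":
    for use in USES:
        for v in violations(SAMPLE_DEPENDENCIES, use):
            print(f"[{use}] {v.dependency}: {v.reason}")
```

Running it for the "conveyed" use rejects crypto-lib, analytics-server, util-snippet and legacy-parser; for "internal" use only the unlicensed snippet and the unreviewed WTFPL component remain, which is exactly the review queue this policy asks for.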
This work is licensed under a Creative Commons Attribution 4.0 International License.