Understanding Open Source License Categories
Open source licenses fall into several categories, each with different obligations and restrictions. Permissive licenses like MIT, Apache 2.0, and BSD variants allow extensive freedom to use, modify, and distribute software with minimal requirements, typically just attribution. These licenses enable proprietary use and are generally considered business-friendly. However, even permissive licenses require compliance with their terms, and attribution requirements become hard to track in projects with hundreds of dependencies.
Copyleft licenses, including GPL, LGPL, and AGPL variants, require derivative works to be distributed under the same license terms. The GPL v3 adds patent grants and anti-tivoization clauses that further complicate compliance. Strong copyleft licenses like GPL can require entire applications to be open-sourced if the GPL component is not properly isolated. Weak copyleft licenses like LGPL allow proprietary use if the library is linked in a way that keeps it separate and replaceable. The AGPL extends copyleft to network services, potentially affecting SaaS applications that never distribute binaries. Understanding these distinctions is crucial for compliance.
Creative Commons, public domain dedications, and specialized licenses add further complexity. Some licenses appear permissive but contain subtle restrictions: the JSON license includes the controversial "shall be used for Good, not Evil" clause. Others like WTFPL appear to grant unlimited freedom but lack legal clarity. Proprietary licenses mixed with open source create additional challenges. Each license type requires different compliance strategies and poses unique risks that SCA tools must address.
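The following is an added example, not code from the original article or from any SCA product: a minimal policy check that maps each dependency's SPDX license expression onto the categories described above and reports the obligation it triggers for a given deployment model. The category table, the dependency manifest, and the obligation names are constructed for illustration and are not a substitute for legal review.

```python
from dataclasses import dataclass

# Category per SPDX identifier (constructed subset for this example).
CATEGORY = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
    "JSON": "restricted",  # "shall be used for Good, not Evil" clause
    "WTFPL": "unclear",    # grants everything, but legal clarity is disputed
}
# Least to most restrictive; used to resolve OR / AND in SPDX expressions.
RANK = ["permissive", "weak-copyleft", "strong-copyleft",
        "network-copyleft", "restricted", "unclear"]

@dataclass
class Dep:
    name: str
    spdx: str     # SPDX expression, e.g. "MIT OR GPL-2.0-only"
    linking: str  # "dynamic" or "static"

def category(expr: str) -> str:
    """OR: take the least restrictive option; AND: bound by the most restrictive."""
    expr = expr.strip().strip("()")
    if " OR " in expr:
        return min((category(p) for p in expr.split(" OR ")), key=RANK.index)
    if " AND " in expr:
        return max((category(p) for p in expr.split(" AND ")), key=RANK.index)
    return CATEGORY.get(expr, "unclear")  # unknown identifiers need review

def obligation(dep: Dep, deployment: str) -> str:
    """deployment is 'shipped' (binaries reach users) or 'network' (SaaS only)."""
    cat = category(dep.spdx)
    if cat == "permissive":
        return "attribution"
    if cat == "weak-copyleft":  # LGPL: proprietary use is fine if users can relink
        return "attribution" if dep.linking == "dynamic" else "keep-relinkable"
    if cat == "strong-copyleft":  # GPL copyleft is triggered by distribution
        return "release-source" if deployment == "shipped" else "not-triggered"
    if cat == "network-copyleft":  # AGPL is also triggered by network use
        return "release-source"
    return "legal-review"  # restricted or unclear terms need a human decision

def audit(deps, deployment):
    return {d.name: obligation(d, deployment) for d in deps}

MANIFEST = [  # constructed sample manifest
    Dep("dual-licensed-lib", "MIT OR GPL-2.0-only", "dynamic"),
    Dep("math-lib", "LGPL-2.1-only", "static"),
    Dep("db-driver", "AGPL-3.0-only", "dynamic"),
    Dep("json-parser", "JSON", "dynamic"),
]
```

Running `audit(MANIFEST, "network")` shows the AGPL driver still triggering source release in a SaaS deployment while a GPL-only dependency would not, which is exactly the distinction the text draws between GPL and AGPL.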