Back to lesson

FOSS Licensing Choices

Slide 1: FOSS Licensing Choices

On-screen

FOSS Licensing Choices

Licences: the Terms & Conditions developers actually need to read

Narration

Anna: This section sets up FOSS Licensing Choices. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides.
Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace?

Slide 2: Why licences matter

On-screen

Why licences matter

  • Define how code can be used, shared and monetised
  • Protect contributors and organisations from legal risk
  • Shape community expectations and collaboration norms
  • Without clarity, even a tiny JavaScript helper in your start-up could trigger a takedown notice
  • Licences are like relationship agreements—agree upfront so you are not lawyering up later

Narration

Why licensing matters for open-source
Free and open-source software (FOSS) licences translate community values into legally enforceable rules. Without them, collaboration would rely on vague goodwill and expose contributors to liability. Licences are what allow organisations to adopt community-built code with confidence, knowing the obligations they are accepting. They also give developers a say in how their work can be used commercially, redistributed or integrated into proprietary platforms.
Lack of clarity is risky. Something as small as copying an unlicensed JavaScript helper into your start-up's product can trigger a cease-and-desist or a demand to publish your whole codebase. Most licence disputes settle quietly, but the disruption, legal fees and damaged trust are real. Thinking about licensing early lets teams align technical strategy, community aspirations and compliance guardrails before launch day.
Remember: a licence is both a legal instrument and a social contract. Picking the right one signals whether you prioritise frictionless adoption, reciprocal sharing, commercial sustainability or a mix via dual-licensing. The rest of this module walks through how to make those trade-offs without losing sleep—or receiving surprise letters from law firms.

Slide 3: Permissive licences (MIT, Apache 2.0)

On-screen

Permissive licences (MIT, Apache 2.0)

  • Allow reuse with minimal obligations
  • Require attribution and licence notice retention
  • Favoured by start-ups, vendor platforms and integration partners
  • Example: React.js ships under MIT, empowering Facebook and thousands of companies to build proprietary apps
  • Apache 2.0 adds patent protection and retaliation clauses to calm enterprise risk teams

Narration

Permissive licences: flexibility with light obligations
What they grant and require
Permissive licences such as MIT, BSD and Apache 2.0 grant broad rights to use, modify and redistribute code with minimal restrictions. The non-negotiables are preserving copyright notices, including the licence text and avoiding liability claims against the authors. Apache 2.0 goes further by granting an explicit patent licence and a retaliation clause—if someone sues you for patent infringement over the project, they lose the right to use it. Some maintainers even publish small snippets or datasets under CC0 to effectively place them in the public domain where law allows, reducing friction for adopters.
Why companies flock to them
Because these licences allow closed-source derivatives, they are popular with start-ups building commercial services, vendor integration teams and digital agencies embedding open libraries into client solutions. Think of React.js: Facebook chose MIT so product teams across the globe could build proprietary apps without asking permission. For early-stage ventures, the low compliance overhead and patent protection make permissive licences feel like default safe bets.
The trade-off is reciprocity. You cannot force improvements back upstream, so sustaining momentum depends on community goodwill, a healthy governance model or, in some cases, parallel commercial offerings. Tools like choosealicense.com or GitHub’s repository settings can guide first-time maintainers through the fine print before they click “public”.

Slide 4: Copyleft licences (GPL family)

On-screen

Copyleft licences (GPL family)

  • Derivative works must remain open-source
  • Trigger "share alike" obligations on distribution of binaries
  • Common in infrastructure maintained by foundations and public agencies
  • Linux kernel's GPL ensures Android handset modifications were upstreamed for everyone
  • Think of it as a viral clause—openness spreads to everything it touches once you distribute
  • Scenario: ship a router with modified GPL firmware? You must publish matching source

Narration

Copyleft licences: reciprocity to sustain openness
Copyleft licences like GPLv3, LGPL and AGPL require that derivative works remain under the same licence when distributed. This “share alike” obligation is deliberate: it keeps improvements flowing back to the commons. Picture it like a viral clause—once your code touches GPL components and you ship it to customers, openness spreads to the whole bundle.
That does not mean every integration is doomed. The LGPL allows dynamic linking without relicensing your proprietary app, as long as users can relink to updated library versions. The AGPL closes the “software-as-a-service” loophole by treating network access as distribution. Android handset makers learned this the hard way: because the Linux kernel is GPLv2, device vendors must publish their modified source whenever they release a firmware image.
Copyleft rewards collaboration-heavy ecosystems such as public-sector platforms, civic tech or companies like Signal that want privacy features to remain inspectable. The key is operational discipline—track what licences flow into your builds, and brief stakeholders on when obligations trigger so surprises do not crop up the night before a launch.

Slide 5: Compatibility cheat sheet

On-screen

Compatibility cheat sheet

You use…Safe to combine withWatch-outs
MIT/BSDAlmost anythingPreserve attribution
Apache 2.0MIT, Apache, GPLv3Patent terms clash with GPLv2 only
GPLv3GPLv3 codePermissive code ok, but binaries must be GPL
AGPLAGPL projectsNetwork use counts as distribution

Narration

Anna: Compatibility cheat sheet focuses attention on a concrete part of the work. You use…Safe to combine withWatch-outs, MIT/BSDAlmost anythingPreserve attribution, and Apache 2.0MIT, Apache, GPLv3Patent terms clash with GPLv2 only.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: MIT/BSDAlmost anythingPreserve attribution; Apache 2.0MIT, Apache, GPLv3Patent terms clash with GPLv2 only; GPLv3GPLv3 codePermissive code ok, but binaries must be GPL.

Slide 6: Dual & multi-licensing

On-screen

Dual & multi-licensing

  • Projects like MySQL or Qt offer GPL for community and commercial licences for proprietary users
  • Enables sustainable funding while protecting openness goals
  • Be transparent about which features fall under each licence stream

Narration

Anna: Dual & multi-licensing focuses attention on a concrete part of the work. Projects like MySQL or Qt offer GPL for community and commercial licences for proprietary users, Enables sustainable funding while protecting openness goals, and Be transparent about which features fall under each licence stream.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Enables sustainable funding while protecting openness goals; Be transparent about which features fall under each licence stream.

Slide 7: Public domain & CC0

On-screen

Public domain & CC0

  • CC0 and Unlicense place work in public domain where legally possible
  • Useful for data sets, code snippets and government artefacts
  • Confirm local law recognition—some jurisdictions restrict abandoning copyright

Narration

Anna: Public domain & CC0 focuses attention on a concrete part of the work. CC0 and Unlicense place work in public domain where legally possible, Useful for data sets, code snippets and government artefacts, and Confirm local law recognition—some jurisdictions restrict abandoning copyright.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Useful for data sets, code snippets and government artefacts; Confirm local law recognition—some jurisdictions restrict abandoning copyright.

Slide 8: International considerations

On-screen

International considerations

  • Copyright terms, moral rights and patent scope differ across jurisdictions
  • EU database rights and Australian Crown copyright can complicate reuse
  • Global teams rely on OSI-approved texts to minimise surprises—document governing law in NOTICE files

Narration

Anna: International considerations focuses attention on a concrete part of the work. Copyright terms, moral rights and patent scope differ across jurisdictions, EU database rights and Australian Crown copyright can complicate reuse, and Global teams rely on OSI-approved texts to minimise surprises—document governing law in NOTICE files.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: EU database rights and Australian Crown copyright can complicate reuse; Global teams rely on OSI-approved texts to minimise surprises—document governing law in NOTICE files.

Slide 9: Contributor Licence Agreements (CLAs)

On-screen

Contributor Licence Agreements (CLAs)

  • Clarify that maintainers can relicense, defend or dual-license contributions
  • Individual vs corporate CLAs—ensure signatories have authority
  • Coordinate with Developer Certificate of Origin (DCO) processes for audit trails

Narration

Anna: Contributor Licence Agreements (CLAs) focuses attention on a concrete part of the work. Clarify that maintainers can relicense, defend or dual-license contributions, Individual vs corporate CLAs—ensure signatories have authority, and Coordinate with Developer Certificate of Origin (DCO) processes for audit trails.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Individual vs corporate CLAs—ensure signatories have authority; Coordinate with Developer Certificate of Origin (DCO) processes for audit trails.

Slide 10: Choosing for your context

On-screen

Choosing for your context

  • Align licence with business model, funding and compliance needs
  • Consider third-party code compatibility and patent clauses
  • Involve legal counsel, community tech-leads and product managers early
  • Quick flow: need maximum adoption? go permissive. Need reciprocity? pick copyleft. Need revenue + openness? explore dual licence.
  • Example: a government agency picks GPL to keep taxpayer-funded improvements public
  • Choosing a licence is like a roommate agreement—get it wrong and the dishes (or obligations) pile up fast

Narration

Matching licences to organisational strategy
Selecting a licence is a cross-functional decision. Start by mapping goals: are you optimising for adoption, reciprocity, revenue or community trust? An open-source program office (OSPO) can facilitate a quick decision flow—permissive for growth flywheels, copyleft for guaranteed sharing, dual-licensing when you need both community momentum and commercial income. Keep a simple compatibility matrix handy so you avoid mixing a GPLv2 dependency with Apache 2.0 code at the eleventh hour. Projects like MySQL and Qt famously combine GPL for community users with paid commercial terms for enterprises, while MongoDB’s shift to the Server Side Public License (SSPL) shows how licence changes can protect a cloud business model.
Walk through a scenario: a government agency builds a records platform. They want vendors to contribute back fixes funded by taxpayers, so the OSPO recommends GPLv3. Legal reviews how contributions will be accepted (via Developer Certificate of Origin plus a contributor licence agreement) and comms teams set expectations with suppliers. Documenting the rationale up front prevents heated debates three years later when a new contractor joins.
The human side matters too. Choosing a licence is like drafting a roommate agreement—if you skip the tough conversations about chores (obligations) and guests (governance), you will argue when mess appears. Bring in legal counsel, community tech-leads, security engineers and product managers early, agree on international implications (governing law, data sovereignty) and schedule regular reviews as your project grows.

Slide 11: Staying compliant

On-screen

Staying compliant

  • Maintain a bill of materials (SBOM) and automate scans
  • Document when you redistribute binaries, SaaS services or containers
  • Licence compliance is like flossing—tedious, but it avoids painful audits later
  • Tooling: GitHub’s licence picker and choosealicense.com guide first-time maintainers
  • Note cautionary tales—companies have paid settlements for ignoring GPL notices

Narration

Anna: Staying compliant focuses attention on a concrete part of the work. Maintain a bill of materials (SBOM) and automate scans, Document when you redistribute binaries, SaaS services or containers, and Licence compliance is like flossing—tedious, but it avoids painful audits later.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Document when you redistribute binaries, SaaS services or containers; Licence compliance is like flossing—tedious, but it avoids painful audits later; Tooling: GitHub’s licence picker and choosealicense.com guide first-time maintainers.

Slide 12: Career pathways & responsibilities

On-screen

Career pathways & responsibilities

  • Roles & ratios: OSPO managers, developer advocates and legal counsels (typically 1–2 OSPO staff per 50–80 engineers)
  • Typical seniority: mid-level engineers/lawyers stepping into governance after 5–7 years experience
  • Entry pathways: community contributors, compliance interns, dual STEM-law graduates and policy analysts rotating from procurement teams
  • Personality traits: detail-obsessed, diplomatic, values-driven collaborators who can translate legal nuance for technologists
  • Progression: OSPO analyst → manager → director/VP stewarding ecosystem strategy across the organisation
  • Case study: Signal keeps its GPL core open to ensure privacy protections stay inspectable—driving demand for specialised compliance engineers

Narration

Staying compliant in practice
Maintaining compliance requires disciplined processes. Developer advocates teach engineers how to attribute dependencies within documentation and user interfaces. Build engineers automate software bill of materials (SBOM) generation to prove which licences are in use, then wire scanners into CI so incompatible combinations fail fast. Licence compliance is a bit like flossing—boring when everything seems fine, but skipping it leads to painful audits later.
Record every redistribution moment: shipping binaries, publishing container images, even offering a SaaS endpoint that incorporates AGPL code. Keep source archives ready, bundle NOTICE files and track third-party attributions in release notes. Several high-profile companies have paid settlements for overlooking these basics, so treat “we’ll fix it post-launch” as a red flag. Tools like FOSSA, OSS Review Toolkit or GitHub’s dependency review can save hours once configured.
Finally, coordinate legal artifacts. Store signed contributor licence agreements (CLAs), Developer Certificate of Origin (DCO) acknowledgements and export-control assessments alongside your SBOM. That unified paper trail makes due diligence for clients, investors or acquirers straightforward—and shows professional maturity in handling open-source obligations.
Career pathways and talent profile
Open-source program office (OSPO) analysts usually sit inside digital governance or architecture teams and represent roughly 5–10% of the broader engineering operations headcount in large enterprises. Most step into the role after five to seven years in software engineering, developer advocacy or technology law, bringing credibility with both coders and legal stakeholders. Personality-wise they need to enjoy meticulous documentation, value fairness and possess the diplomacy to resolve conflicts between community expectations and commercial pressures.
Entry pathways range from community contributors who have earned maintainer trust, to compliance interns rotating through procurement, to dual STEM-law graduates hired into tech policy teams. From there, practitioners can progress to OSPO managers coordinating licence strategy across business units, and ultimately to director or VP titles responsible for ecosystem partnerships and ethical technology commitments.

Slide 13: Key takeaway

On-screen

Key takeaway

Intentional licence selection balances openness, obligations and long-term sustainability.

Narration

Key takeaway
Thoughtful licence selection is a strategic lever. It signals how you invite collaboration, protect contributors and align with Indigenous data sovereignty commitments when projects intersect with cultural knowledge. Teams that understand obligations around reciprocity, international law, CLAs and dual-licensing can design respectful contribution models and sustain long-term trust with communities, customers and partners.