Open Source Licenses: Choose the Right One for Your Project
Why Licenses Matter
Without a license, code is under exclusive copyright by default — no one can legally use, modify, or distribute it. This is the single most common mistake made by new open source projects, and it effectively makes the project unusable by the community it hopes to attract. A license grants permission to others and sets the terms under which they can interact with your work. Choosing the right license is the most important legal decision for your project and affects adoption, contribution patterns, and commercial use for its entire lifespan. The Open Source Initiative maintains a list of over 100 OSI-approved licenses. Fortunately, most projects can choose from a small handful of widely used licenses that cover the vast majority of use cases.
License Categories
Licenses fall into three broad categories with very different practical effects. Public domain licenses like CC0 and the Unlicense dedicate code to the public domain with no restrictions. Permissive licenses like MIT, Apache 2.0, and BSD require only attribution and allow users to incorporate code into proprietary products without sharing modifications. Copyleft licenses require that derivative works be distributed under the same license terms. Weak copyleft (LGPL, MPL) allows linking from non-open code. Strong copyleft (GPL, AGPL) requires the entire derivative work to be open.
Popular Licenses Explained
MIT License
The MIT License is the simplest and most popular. It allows any use with attribution. Over 60 percent of GitHub repositories use MIT. Best for libraries and projects where maximum adoption is the goal. Its main limitation is the lack of a patent grant, which means contributors do not explicitly grant patent rights to users of the code.
Apache License 2.0
Apache 2.0 is permissive with an explicit patent grant clause protecting contributors and users from patent litigation. It includes an anti-trademark clause preventing misuse of project names and logos. Used by Google, Meta, and the Apache Software Foundation. Choose this when patent protection is a concern or when your project is developed by a corporation that wants to protect its contributors from patent claims.
GNU General Public License v3
GPL v3 is strong copyleft. Derivative works must be distributed under GPL v3 with complete source code. Includes patent protection and anti-Tivoization provisions that prevent hardware manufacturers from blocking modifications on devices. The Linux kernel uses GPL v2. WordPress uses GPL v2. Choose GPL when your goal is ensuring modifications stay open source and you want to build a community around shared improvements.
BSD Licenses
BSD 2-Clause and 3-Clause are permissive licenses similar to MIT. The 3-Clause version includes a non-endorsement clause prohibiting the use of project contributors’ names to promote derived products. BSD 2-Clause drops this restriction.
Mozilla Public License 2.0
MPL 2.0 is a weak copyleft license. Modified files must be shared under MPL, but larger works can combine MPL code with proprietary code under different licenses. This makes it popular for libraries that want to stay open while being usable by commercial projects.
GNU Lesser General Public License
LGPL allows proprietary code to link against LGPL-licensed libraries without requiring the proprietary code to be open source. Changes to the library itself must remain under LGPL. This is ideal for libraries like glibc and GCC runtime libraries.
How to Choose a License
Use choosealicense.com. For permissive with maximum adoption: MIT. For permissive with patent protection: Apache 2.0. For copyleft: GPL v3 for software, AGPL v3 for network services. For libraries usable by proprietary projects: LGPL or MIT. Choose a license early and include it from the first commit. Changing a license after contributions requires consent from all contributors, so picking correctly at the start saves enormous legal headache later.
Decision Table
| Goal | Recommended License |
|---|---|
| Maximum adoption, simple | MIT |
| Patent protection | Apache 2.0 |
| Ensure modifications stay open | GPL v3 |
| Network services copyleft | AGPL v3 |
| Library usable by proprietary | LGPL or MIT |
| Public domain dedication | CC0 or Unlicense |
License Compliance
Display the full license text in a LICENSE file. Include copyright notices as required by the license terms. Track all dependencies and their licenses using automated tools like FOSSA, Black Duck, or the Open Source Review Toolkit. Ensure proprietary code does not combine with copyleft code in triggering ways — this means understanding the difference between linking, aggregation, and derivative works. The OpenChain project provides an ISO-certified standard for compliance processes, and many enterprises now require OpenChain certification from their software suppliers.
Automated Dependency Scanning
Set up license checks in your CI pipeline using tools like FOSSA, Snyk, or GitHub’s dependency graph. These tools scan your dependencies, identify their licenses, and flag incompatibilities before they reach production. Configure them to fail builds when a disallowed license is detected, preventing compliance issues from reaching deployed code.
Dual Licensing
Some projects offer code under both GPL and a commercial license. This enables open source use while charging proprietary users for the right to keep their modifications closed. Dual licensing requires the project to hold copyright to all code, which necessitates Contributor License Agreements from every contributor. MySQL, Qt, and MongoDB use dual licensing to build sustainable businesses around open source software.
License Compatibility
GPL v2 and Apache 2.0 are incompatible — code licensed under both cannot be combined in a single work. MIT and Apache 2.0 are compatible. GPL v3 and Apache 2.0 are compatible. LGPL can be linked from non-GPL code. The SPDX License List provides compatibility information for all common combinations. When combining code from multiple sources, verify that each license’s requirements can be simultaneously satisfied.
SPDX Identifiers
The SPDX standard provides short identifiers for licenses, such as MIT, Apache-2.0, and GPL-3.0-only. Including these identifiers in your project metadata makes automated compliance tooling more reliable. Most package managers now support SPDX identifiers in their metadata formats.
Creative Commons for Documentation
Creative Commons licenses are designed for creative works, not software. CC BY-SA is the most common for documentation, requiring attribution and sharing modifications under the same terms. CC0 functions as a public domain dedication. Avoid CC-NC for open source documentation, as the non-commercial restriction makes it incompatible with many distributions and commercial use.
Architecture Decision Records
Architecture Decision Records (ADRs) document significant architectural decisions and their rationale. Each ADR captures: the context (why the decision was needed), the decision (what was chosen), the alternatives considered (what was rejected and why), and the consequences (tradeoffs and implications). ADRs are stored in version control alongside the code, creating a historical record of design evolution. Benefits include: onboarding new team members faster, preventing repeated debates about past decisions, and providing rationale for future architects questioning why things are the way they are. Start an ADR repository with a lightweight template. Write ADRs for significant decisions that affect system architecture, technology choices, or design patterns. Review ADRs as a team before implementation.
Conway’s Law in Practice
Conway’s Law states that organizations design systems that mirror their communication structures. Teams that communicate frequently will produce tightly coupled components. Teams that communicate infrequently will produce loosely coupled components that communicate through well-defined interfaces. Use this law deliberately: align team boundaries with service boundaries (inverse Conway maneuver). If you want microservices, structure your teams around services. If you want a monolith, have one team. The organization chart and the architecture diagram should be congruent.
FAQ
Can I change my project’s license after publishing? Yes if you own all the code. If others have contributed, you need their consent. Starting with a permissive license makes future changes easier because you can relicense your own contributions without needing approval from every contributor.
What happens if I use GPL code in a closed-source project? You violate the GPL and can be sued. The GPL requires derivative works to be distributed under the GPL with source code. Commercial lawsuits over GPL violations are common, with awards often including legal fees.
Do I need to register an open source license? No. Open source licenses are self-executing. Include the license text in your repository and your code is licensed. No registration or government filing is required.
Which license maximizes adoption? The MIT License. It is the most familiar, shortest, and imposes the fewest restrictions on users. Projects seeking the widest possible adoption almost always choose MIT.
What is a Contributor License Agreement? A CLA gives the project owner additional rights beyond what the license grants, typically allowing relicensing or dual licensing. The Apache CLA and Google CLA are widely used templates.
Can I use code under any OSI-approved license? Yes, but you must comply with the license terms. Some OSI-approved licenses have restrictions that may conflict with your use case, so always read the full terms.
Related: Starting Open Source Project | Open Source in Business | Open Source Guide
Related Concepts and Further Reading
Understanding open source licenses requires familiarity with several interconnected ideas and principles that together form a complete picture. Exploring these related concepts deepens your knowledge and provides context that makes the core material more meaningful and applicable. Each concept builds on the others, creating a web of understanding that supports deeper learning and practical application. Taking time to explore how these elements connect reveals patterns that accelerate comprehension and retention of new information.
The relationship between open source licenses and adjacent fields is worth particular attention. Many of the most important insights emerge at the boundaries between disciplines, where ideas from different areas combine to create new approaches and solutions that neither field could produce alone. Exploring these connections pays dividends in both breadth and depth of understanding, revealing patterns and principles that might otherwise remain hidden from view. Cross-disciplinary knowledge is increasingly valued as problems become more complex and interconnected.
For those looking to go beyond introductory material, several excellent resources provide deeper treatment of specific aspects of open source licenses. Academic journals, industry publications, authoritative reference works, and online courses each offer different perspectives and levels of detail. The key is to match your reading to your current learning goals and build knowledge progressively, focusing on quality over quantity in your study materials. A well-chosen resource that matches your current level is worth more than dozens of resources that are too basic or too advanced.