Open source license compliance
OH-pen sors LY-sens kum-PLY-uns
The practice of tracking and fulfilling the legal obligations of all open source software used in a product.
Open source license compliance means tracking every open source component in your product and fulfilling the legal obligations of each license. Most software products use hundreds of open source packages. Each one has a license. Each license has requirements.
The practical challenge is visibility. A typical Node.js project has 500+ transitive dependencies. Do you know the license for each one? Are any GPL? Do you have a process for reviewing new dependencies before they are added? Permissive licenses like MIT and Apache are low risk, but copyleft licenses require careful attention.
Companies manage this with software composition analysis (SCA) tools like Snyk, FOSSA, or WhiteSource. These tools scan your dependency tree, identify licenses, flag conflicts, and generate the attribution notices required by permissive licenses. Enterprise customers and acquirers expect you to have a handle on this. During due diligence, one GPL dependency in a proprietary product can derail an acquisition.
Examples
A company adds a license check to their CI pipeline.
The pipeline runs FOSSA on every pull request. If a developer adds a dependency with a GPL or SSPL license, the build fails with a warning. The legal team must approve exceptions.
An acquirer audits a target's open source usage.
Due diligence reveals 800 open source dependencies. 795 are MIT or Apache. Three are LGPL, which is manageable. Two are GPL. The acquirer's legal team flags the GPL packages for review to assess whether they contaminate the proprietary codebase.
A company generates a third-party license notice.
The product ships with a NOTICES file listing every open source component, its license, and the required attribution. This is automatically generated from the SCA tool and included in every release.
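The CI gate in the first example and the generated NOTICES file in the third are easy to prototype without a commercial SCA tool. The script below is an added illustration, not code from this page or from any of the tools it names: it reads a constructed dependency list (the kind of data an SCA tool or a package lockfile would supply), evaluates simple SPDX license expressions against an assumed allow/review/deny policy, fails when a GPL, AGPL, or SSPL package appears without a legal-team exception, and emits the attribution notice text. The policy tiers, the package names, and the copyright lines are all invented for the example.

```python
"""License policy gate: classify dependencies, fail on copyleft, emit a NOTICES file.

Added example with an assumed policy; a real organisation's allow/deny lists
come from its legal team, not from this script.
"""
import re
import sys

# Assumed policy, keyed by SPDX identifier (deprecated short forms included,
# because lockfiles and package manifests still carry them).
ALLOW = {"MIT", "ISC", "0BSD", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
REVIEW = {"LGPL-2.1", "LGPL-2.1-only", "LGPL-2.1-or-later",
          "LGPL-3.0", "LGPL-3.0-only", "LGPL-3.0-or-later",
          "MPL-2.0", "BUSL-1.1"}
DENY = {"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
        "GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later",
        "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"}
RANK = {"allow": 0, "review": 1, "deny": 2}


def classify_id(spdx_id):
    """Map one SPDX identifier to a policy tier. Anything unknown or blank
    is routed to human review rather than silently allowed."""
    if spdx_id in ALLOW:
        return "allow"
    if spdx_id in REVIEW:
        return "review"
    if spdx_id in DENY:
        return "deny"
    return "review"


def classify_expression(expr):
    """Evaluate a flat SPDX expression (no nested groups).
    AND binds tighter than OR, so split on OR first. For OR the consumer may
    choose the most permissive option; for AND every term applies, so the
    strictest term wins."""
    expr = (expr or "").strip().strip("()")
    if not expr:
        return "review"
    or_results = []
    for term in re.split(r"\s+OR\s+", expr):
        and_ids = [t.strip("() ") for t in re.split(r"\s+AND\s+", term)]
        or_results.append(max((classify_id(i) for i in and_ids), key=RANK.get))
    return min(or_results, key=RANK.get)


def check_dependencies(deps, exceptions=frozenset()):
    """Return (ok, findings). ok is False when any dependency is denied and its
    name is not on the legal team's exception list; findings lists every
    package that is not plainly allowed, so review items stay visible."""
    ok, findings = True, []
    for dep in deps:
        verdict = classify_expression(dep.get("license"))
        if verdict == "allow":
            continue
        excepted = dep["name"] in exceptions
        if verdict == "deny" and not excepted:
            ok = False
        findings.append({"name": dep["name"], "version": dep["version"],
                         "license": dep.get("license") or "UNKNOWN",
                         "verdict": verdict, "excepted": excepted})
    return ok, findings


def generate_notices(deps, product="Example Product"):
    """Build the third-party notice text: one entry per component with its
    license identifier and the copyright line the license asks to preserve."""
    lines = [f"Third-party notices for {product}", ""]
    for dep in sorted(deps, key=lambda d: d["name"]):
        lines.append(f"{dep['name']} {dep['version']} -- {dep.get('license') or 'UNKNOWN'}")
        if dep.get("copyright"):
            lines.append(f"  {dep['copyright']}")
        lines.append("")
    return "\n".join(lines)


# Constructed sample input; package names and notices are invented.
SAMPLE_DEPS = [
    {"name": "left-pad-ish", "version": "1.3.0", "license": "MIT",
     "copyright": "Copyright (c) 2016 Example Author"},
    {"name": "fastjson-ish", "version": "4.2.1", "license": "Apache-2.0",
     "copyright": "Copyright 2020 Example Org"},
    {"name": "dualchoice", "version": "0.9.0", "license": "(MIT OR GPL-3.0-only)",
     "copyright": "Copyright (c) 2019 Example Maintainer"},
    {"name": "libcrypto-wrap", "version": "2.0.0", "license": "LGPL-2.1-or-later",
     "copyright": "Copyright (C) 2015 Example Project"},
    {"name": "reportgen", "version": "3.1.0", "license": "GPL-3.0-only",
     "copyright": "Copyright (C) 2018 Example Contributors"},
    {"name": "mystery-pkg", "version": "0.0.1", "license": "", "copyright": ""},
]

if __name__ == "__main__":
    ok, findings = check_dependencies(SAMPLE_DEPS)
    for f in findings:
        print(f"{f['verdict']:6} {f['name']} {f['version']} ({f['license']})")
    print(generate_notices(SAMPLE_DEPS))
    sys.exit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

Run as a pipeline step, the non-zero exit is what fails the pull request; the exception set is the hook for the legal-team approvals the example describes. Dual-licensed packages such as "(MIT OR GPL-3.0-only)" pass because the consumer may take the permissive branch, while a blank or unrecognised license field lands in review rather than being waved through, which is the mistake a naive allow-list check tends to make.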
Frequently asked questions
What happens if you violate an open source license?
Consequences range from cease-and-desist letters to lawsuits. The Software Freedom Conservancy and Free Software Foundation actively enforce GPL compliance. Penalties can include injunctions, damages, and being forced to release your source code.
Which open source licenses are safe for commercial use?
MIT, Apache 2.0, BSD, and ISC are the safest. They are permissive and require only attribution. LGPL is manageable with dynamic linking. GPL, AGPL, SSPL, and BSL all have restrictions that require careful legal review before use in commercial products.
Related terms
A permissive open source license that allows anyone to use, modify, and distribute the software with minimal restrictions.
A permissive open source license that includes an explicit patent grant and requires attribution for modifications.
A copyleft open source license that requires derivative works to also be distributed under the GPL.
A source-available license that restricts commercial use for a set period before converting to a fully open source license.
A source-available license that requires anyone offering the software as a service to open source their entire stack.
A legal agreement that contributors sign before submitting code to a project, granting the project certain rights over their contributions.

Want the complete playbook?
Picks and Shovels is the definitive guide to developer marketing. Amazon #1 bestseller with practical strategies from 30 years of marketing to developers.