Software teams bring open source into products for the same reasons every engineer does: speed, quality, community, and a shorter path to value. The license attached to that code, however, sets the rules for how you can use it. It acts like a contract that ships with the library. Most organizations realize this only when a release candidate is stuck in legal review, or worse, when a customer’s security questionnaire lands with twenty questions about GPL and SBOMs. With a bit of structure, you can reap the benefits of open source without running into avoidable risk.
Why licenses are not just legal fine print
An open source license is the permission slip that turns copyrighted code into something you can copy, modify, and redistribute. Without a license, the default law grants you none of those rights. Licenses also allocate obligations: give credit, publish changes, offer source code under certain conditions, avoid using trademarks in misleading ways. When your business ships a product or service, how you combine open source components affects whether you trigger those obligations. Some licenses propagate to your larger codebase, some stay confined to the component itself.
I have watched strong teams lose weeks on release schedules because a single transitive dependency pulled in a copyleft license they did not plan for. I have also seen companies overreact and ban half the ecosystem, slowing delivery for little gain. The practical path sits between those extremes: understand the license families, map them to your distribution model, and put repeatable controls in place.
The major families of open source licenses
Although there are dozens of OSI-approved licenses, most code you will encounter falls into a handful of families. The differences matter, especially if you distribute software to customers.
Permissive licenses keep obligations minimal. They allow broad use, including in proprietary products, as long as you include attribution and preserve notices. The most common are MIT, BSD (2-clause and 3-clause), and Apache License 2.0. Apache 2.0 adds an express patent license and a patent termination clause, which can be an advantage if you care about patent risk.
Copyleft licenses require that derivative works be licensed under the same terms when you distribute them. The GNU General Public License versions 2 and 3 are the archetypes. If you combine GPL code with your code and distribute the result, the combined work must be GPL too, with source code availability. This can be incompatible with a proprietary licensing model.
Weak copyleft tries to limit that propagation to certain linking or modification contexts. The Lesser GPL (LGPL) generally allows dynamic linking without forcing your code to become LGPL, as long as users can replace the LGPL component. The Mozilla Public License 2.0 works at the file level, so files you modify under MPL must stay under MPL, but you can combine them with proprietary files in the same product.
Network copyleft, such as the Affero GPL (AGPL), extends obligations to software offered over a network as a service. If you modify AGPL software and provide it to users over a network, you must make your source code available, even if you never distribute binaries. For SaaS providers, this is the line in the sand.
Public domain or near equivalents, such as Unlicense and CC0, attempt to relinquish copyright claims. Jurisdictions vary in how they treat public domain dedication, so these can be less predictable than permissive licenses, and they often lack patent terms.
These categories are imperfect, but they reflect how obligations propagate, which is what matters to product and legal teams.
How license obligations trigger in real business scenarios
Developers do not work with abstractions. They choose a library to parse JSON, a container to run a database, a JavaScript framework for the web app. Whether obligations apply depends on how you use the component and how you deliver your product.
Static linking versus dynamic linking has long been a flashpoint with GPL and LGPL. Static linking can create a derivative work under GPL principles, which would trigger copyleft if you distribute that binary. Dynamic linking is generally treated as a looser connection, but it is not a magic shield. Courts look at the overall integration and intent. For LGPL, dynamic linking with the ability for users to replace the library usually satisfies the license.
Plugins and modules sound separate, but if your plugin is a derivative work of the host application, copyleft could attach. The more the plugin depends on internal APIs and tightly integrates, the stronger the case for a derivative work. This is not a mechanical test, and law varies by jurisdiction, which is why many companies avoid GPL plugins inside distributed products.
SaaS changes the calculus. Traditional GPL typically triggers on distribution, not use over a network, which is why some companies built hosted services on GPL components without publishing their modifications. AGPL closed that gap. If your product is entirely hosted and you never ship executables to customers, your biggest copyleft risk often comes from AGPL.
Containers and microservices add another layer. If you ship a container image that includes GPL binaries, that is distribution, and copyleft obligations apply to the contained program and your modifications to it. Packaging a GPL database in a sidecar with your proprietary service can still keep the boundary clear, but if you modify the GPL program, you need to offer those modifications’ source code. The copyleft does not generally jump across standard network protocols to your separate service.
Front end assets sometimes surprise teams. If you bundle GPL JavaScript into a web app you serve to users, you are distributing that code to client browsers. If you have modified it, you need to provide corresponding source. Many teams prefer MIT or Apache-licensed front end libraries to avoid this complexity.
Compatibility and the trap of mixing licenses
License compatibility means you can combine code under different licenses without violating the terms of either. Not all open source licenses play well together. GPLv2 is famously incompatible with Apache 2.0 due to patent termination terms, while GPLv3 resolves that. MPL 2.0 improves compatibility compared to MPL 1.1, but file-level copyleft still requires careful separation.
This is where transitive dependencies catch people. You might approve an MIT library, only to discover it depends on an AGPL component somewhere down the chain. Modern build tools flatten and inline code in ways that complicate license boundaries. Software composition analysis (SCA) tools help, but they are only as good as their definitions and your policies.
A practical technique is to define allowed and disallowed licenses in your package managers. Many organizations approve MIT, BSD, and Apache 2.0 by default, flag LGPL and MPL for review, and block GPL and AGPL for distributed products. For SaaS-only products, some teams allow GPL with careful isolation and a ban on AGPL. Blanket bans can be blunt instruments, but a policy that reflects your distribution model prevents surprises.
Patent risk and why Apache 2.0 matters
Many executives focus on copyleft but overlook patent clauses, which can carry bigger downside. Apache 2.0 and GPLv3 include explicit patent licenses from contributors to users of the software. They also include patent retaliation provisions: if you sue a contributor over a patent claim about the software, you lose the license grants. MIT and BSD do not include explicit patent licenses. That does not mean you have no rights, but you have less clarity.
In industries where software implements novel algorithms or protocols, an explicit patent grant reduces uncertainty. I have seen legal teams favor Apache 2.0 over MIT for critical components for this reason, even though the practical obligations are similar otherwise. If your product lives in a patent heavy space, put patent terms on your selection checklist.
Attribution and notice obligations in practice
Every open source license has some notice requirement. Permissive licenses require you to retain copyright notices and license text. Copyleft licenses add source code availability when triggered. How you satisfy these obligations depends on your distribution channel.
For mobile apps, include a third party notices screen in the settings menu. For web apps, link to a legal notices page in the footer that lists licenses and copyrights for client delivered assets. For distributed binaries, include a NOTICE file in the installer and in the application about menu, and provide a link to a third party notices archive on your website. If you modify a notice file from an Apache 2.0 project, preserve and update the NOTICE file as required.
It sounds tedious, but customers increasingly ask for proof. Enterprise procurement teams often require a Software Bill of Materials and a copy of third party notices. If your first SBOM takes three weeks to compile, you will remember to automate it next time.
The GPL fear factor and the real risks
GPL evokes strong reactions. Some of the fear is justified, some is superstition. The license’s intent is to keep software free by requiring downstream users to receive the same freedoms. If you build a product that relies on proprietary licensing to capture value, combining GPL code with your code in a way that creates a derivative work you distribute is problematic. You will need a different component, a different architecture boundary, or a different business model.
The risk is not that “GPL infects anything it touches.” The risk is that you create a derivative work and distribute it, which triggers obligations you cannot or do not want to meet. With clear boundaries and careful choices, plenty of companies use GPL software internally or as a separate component without issue. Databases are a classic example: running a GPL database beside your proprietary service over a network protocol is usually fine, but statically linking a GPL storage engine into your binary is not.
AGPL raises the stakes for hosted services. If a team quietly modifies an AGPL library and deploys it in production, an astute user could demand source for those modifications. That is not a theoretical risk. Some vendors choose AGPL to force commercial licensing conversations with SaaS companies that do not want to publish changes. Treat AGPL as a bright red review signal in any hosted product.
Dual licensing and commercial options
Many popular projects offer dual licensing: a copyleft open source license for the community and a proprietary or commercial license for customers who want to integrate without share-alike obligations. This model funds development while preserving community access. MariaDB, Qt, and some Elasticsearch-era components are known examples.
From a business perspective, dual licensing gives you a choice. If the open license triggers obligations your product cannot meet, you can buy a commercial license that grants broader rights. Expect contract terms that restrict how you can use the software and how you count usage for pricing. Your procurement team should treat these like any other commercial license negotiation.
There is also a newer class of source-available licenses like the Business Source License or Elastic License. These are not open source under the OSI definition. Treat them as commercial licenses with public source code access. They come with limitations on offering the software as a service or certain competitive uses. Make sure your internal catalog distinguishes open source from source-available. Mixing the two under a single “open source” banner confuses engineers and risks policy violations.
Internal use, distribution, and the line that matters
License obligations mostly trigger on distribution. If you use GPL software internally, modify it, and never distribute the binaries outside your organization, the copyleft requirements to provide source to recipients do not trigger. That said, audit rights and confidentiality commitments in your customer contracts can blur the line if you ship appliances, custom builds, or provide software to partners for testing.
Companies that sell on-premises products face the hardest constraints. Every shipped installer, library, or embedded device counts as distribution. If you sell only hosted services, you can often accept more licenses, but AGPL becomes the hot zone. If you offer both, you need two policies, or you limit the entire organization to the stricter standard. I have seen both approaches work, but the latter is simpler to operationalize if your teams share components across delivery models.
Building a policy that engineers respect
Engineers ignore policies that slow them down without adding value. A good open source policy does three things: it sets clear rules, it removes friction for low-risk choices, and it offers fast paths for exceptions. Avoid legal jargon. Tie the policy to your release process and the tools engineers already use.
Here is a concise structure that tends to work well:
- Define allowed, review-required, and disallowed license categories for each distribution model you support, with examples. Require SBOM generation for every release and provide a standard toolchain in CI. Publish a process for requesting exceptions with defined service levels, such as two business days for permissive licenses and five for copyleft reviews. Provide a template third party notices file and a location in every repo to accumulate notices. Establish ownership: a named open source program office or legal contact who makes determinations and maintains the whitelist.
That list is deliberate and short. The rest belongs in documentation and tooling.
Tooling that makes compliance part of the build
Manual reviews fail under pressure. Integrate license detection early in the build so engineers get feedback before code reaches release. Package managers support policies, but they are inconsistent across ecosystems. Pair them with SCA tools that scan manifests, lockfiles, and even source headers when necessary.
Accuracy matters. Lockfiles provide specificity, so ensure your policy checks run after dependency resolution. Cache SBOMs per component and reuse them across services to speed builds. Generate SBOMs in standard formats like SPDX or CycloneDX. Store them with release artifacts and expose them to compliance teams without a ticket. It saves time when security questionnaires arrive.
Automate notice file generation as well. Most SCA tools can assemble license texts and copyright notices. Engineers still need to add notices for copied code snippets or embedded fonts and icons. Educate teams that “I only copied 40 lines from a gist” is still copying.
Edge cases that cause headaches
Firmware and embedded systems often use toolchains and libraries under LGPL or GPL. If you statically link an LGPL library into firmware and do not provide a way for users to relink with a modified version, you likely violate the LGPL’s replacement requirement. Some vendors meet this by shipping object files or dynamic linking support. Others avoid LGPL entirely in firmware.
Fonts and icons come with their own licenses, some permissive, some not. Web font licenses may restrict redistribution or require specific attributions. Treat design assets like code from a licensing perspective. Document their licenses and add them to notices.
Documentation and code samples have licenses too. Copying example code from a blog or Stack Overflow can inject unclear rights. Encourage engineers to pull code from repos with explicit licenses and record the source.
Trademarks are not covered by most open source licenses. You cannot imply endorsement or use project trademarks in ways that suggest affiliation. If you redistribute a modified version of a project, you may need to remove or change names and logos. Apache 2.0’s trademark clause is a good example.
International considerations and governing law
Open source licenses are designed to be broadly enforceable, but contract and copyright law vary by country. GPLv3 and Apache 2.0 attempt to address patent and international issues explicitly, and they avoid requiring acceptance to use the software. Courts in multiple jurisdictions have enforced open source licenses, but case law differs. If you operate in regions with unique rules around moral rights or public domain, consult counsel. The practical takeaway: stick to widely adopted licenses with clear terms and a history of use when legal predictability matters.
Working with upstream communities
Your relationship with a project does not end at consumption. Contributing back reduces your long-term maintenance burden. It also raises policy questions. If your engineers contribute code, they grant rights to the project under its license and contributor agreements. Ensure your employment agreements and internal policies allow contributions and clarify ownership. Train teams to avoid importing third party code into contributions without checking compatibility.
When you modify a dependency locally instead of upstreaming, you create a fork you must carry. Over time, that becomes technical debt. A formal process to propose upstream changes saves time later. It also builds goodwill in projects your business depends on.
What customers and regulators now expect
Large customers increasingly demand SBOMs, vulnerability disclosures with timelines, and clear license compliance. U.S. federal procurement requirements push SBOM adoption and secure development practices. Some customers ask for attestation that your product contains no copyleft code, which may be impractical or unnecessary. Negotiate precise terms: for example, no GPL or AGPL in distributed binaries, with exceptions for Linux kernel components in appliance hosts that are not part of the product deliverable.
Regulators care less about license families and more about supply chain transparency and vulnerability management. A mature SBOM process and a clear policy reduce friction. They also help when zero-day vulnerabilities, like Log4Shell, hit. You can identify where the component lives, its license, and how to patch without violating terms.
Practical playbooks for common product types
A SaaS platform that never ships code to customers can usually approve MIT, BSD, and Apache across the board, permit LGPL with care for modified components, allow GPL for separated services with network boundaries, and treat AGPL as a policy exception that requires executive sign-off. Focus on avoiding AGPL in core services and ensure third party notices cover front end assets.
An on-premises enterprise application should default to permissive licenses, allow MPL with file separation and careful documentation, flag LGPL for linking strategy review, and block GPL and AGPL except in isolated components where obligations can be met, such as shipping unmodified GPL tools with their source available and no integration into proprietary binaries. Provide a clean notices package and offer source code for any copylefted modifications as the licenses require.
An embedded product team needs stricter rules. Static linking is common, which noam glick's entorno analysis makes LGPL more difficult. Favor permissive licenses and MPL only if file separation and replacement are viable. Plan ahead for notice delivery and, if necessary, user access to modified sources.
Training that sticks
Short, scenario based training beats slide decks full of definitions. Walk engineers through concrete decisions: picking between an MIT and LGPL JSON parser for a mobile app, adding an AGPL library to a data pipeline, copying Stack Overflow code into a service. Explain the why behind the policy. Provide a channel where engineers can ask quick questions and get same day answers. When the policy protects releases from late stage surprises, teams respect it.
The business case for getting this right
Open source is not a legal hurdle to clear, it is a supply of high quality building blocks that your business relies on. Good license hygiene accelerates delivery rather than slowing it. It avoids last minute rebuilds, reduces contract friction, and keeps your product flexible when your route to market changes, such as moving from SaaS only to hybrid delivery.
The competitive edge shows up in small ways. Your sales engineers answer SBOM questions without delay. Your release managers do not halt for an unexpected AGPL dependency. Your legal team spends time on strategic deals rather than emergency exceptions. And your engineers contribute upstream, reducing fork maintenance while strengthening the projects you depend on.
Open source licensing sits at the intersection of engineering and law. Treat it as a design constraint, not an afterthought. Map license families to your distribution model, choose components with eyes open, automate the busywork, and teach your teams the patterns. Do that, and licenses stop being roadblocks and start being part of a reliable delivery system.