Licensing
For both using and releasing open source software, there is the challenge of understanding and respecting the licenses of your project dependencies. The purpose of this document is to outline which licenses to avoid, which ones you can freely use and which licenses come with special requirements.
Summary
- Any dependency with a permissive license can be used
- For internal projects, Permissive, Strong and Weak Copyleft licensed code can be used
- For open source projects, Strong Copyleft licensed code cannot be used
- Make sure to investigate the specific terms of the weak copyleft licenses
- You cannot use AGPL or variants thereof licensed code anywhere
- You cannot use Commons Clause licensed code anywhere
- You cannot use unlicensed code anywhere
License overview
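Overall there are 3 types of licenses which you can use:
- Permissive licenses
- Weak copyleft licenses
- Strong Copyleft licenses
3 types which you cannot use in any way:
- Code licensed under AGPL or variants thereof
- Commons Clause and similar
- Unlicensed code
Finally there are licenses which can be used on a case-by-case basis:
- Elastic license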
This document is a general overview and does not represent legal advice. Always check the details of each license and if you are in doubt, get in touch with the Open Source Team.
If you wish to use a dependency with a license not listed in this document, please get in touch with the Open Source Team for guidance.
Permissive licenses
Code dependency that you are free to use and change without limitations, but must include the license and copyright of the dependency.
Permissive licensed dependencies can be used without issues both for internal and for open source projects.
AFL, Apache, BSD, MIT, Ms-PL, ISC, PHP License, Blue Oak Model License, and many more
- You are free to: use commercially, modify, distribute and sublicense.
- You must include: copyright and license
- You cannot hold the author liable.
Weak copyleft licenses
Code dependency that you are free to use and change. If you distribute the software, you must include the source code, the license and the copyright of the dependency. You can license your own code however you want; you must only share the source code of the reciprocally licensed dependency.
Beware that each individual license has specific clauses, so check the individual license before use. Generally speaking, weak copyleft licensed libraries can be used for internal and open source projects.
APSL, CDDL, CPL, EPL, IPL, MPL
- You are free to: use commercially, modify, distribute and sublicense.
- You must include: copyright, license, changelog, source code and install instructions
- You cannot hold the author liable or use the author's trademarks
Strong Copyleft licenses
Code dependency that requires you to license all your code under the same license if you want to distribute it. If only used internally, you have no obligation to release either source or binary.
Such dependencies can therefore only be used for internal projects, not for projects which will be distributed outside of Zalando, such as open source projects.
BCL, GPL, LGPL, NPL, OSL, QPL and more
- You are free to: use commercially, modify and distribute
- You must include: copyright, license, source code, changelog, original source and install instructions
- You cannot hold the author liable or sublicense
- If distributed, you must license your code under the same license.
Code licensed under AGPL or variants thereof
These licenses trigger the copyleft provision even when the code is not distributed. If code under these licenses is used to deliver a web service such as Zalando.de, all code and code linked to the service must be licensed and distributed under a similar license.
Use of dependencies licensed under these licenses represents a big risk for Zalando. Even for projects which are not directly linked to any of our web services, such dependencies must not be used, as the benefits compared to the risks are small.
Code licensed under AGPL, SSPL, RPL, EUPL and CPAL may not be used at Zalando.
Guidance on Commons Clause and similar
The Commons Clause license is a new license being used as a wrapper around existing licenses such as the Apache or MIT license, and adds additional limits on commercial use of the software. The intent is to limit cloud providers' use of the software, but the license language targets commercial use and monetization very broadly.
While Zalando is not a cloud provider, it is a commercial endeavor and our use of the software we adopt is without question commercial. This license is therefore not suitable for us for the following reasons:
- The Commons Clause is not approved by OSI and is therefore not open source. Furthermore, the language of the license is unclear with regard to what is proper use. If in breach of this license, Zalando must publish all associated assets such as interfaces, build systems and modifications made under the same license.
- We use and support open source under the belief that it is the freedom to use, modify and distribute which has enabled its success. The projects using these licenses still enjoy the full freedoms and benefits of open source, but at the same time limit the freedom of others to use their code. We do not wish to support this development.
Unlicensed code
Code that does not include a license or has no clear ownership cannot be used at Zalando.
As per standard copyright law, any code that is not explicitly licensed is the property of the author and cannot be used without permission.
However, if you wish to use a library that has no license, first of all check with the author to see if the license is simply not distributed with the source code. If the project author has not included a license, open a pull request and suggest a license such as MIT.
Elastic license
Elastic License 2.0 is a non-open-source license used for products distributed by Elastic. It contains clauses to block cloud providers from offering Elastic products as managed services and from circumventing licensing. Before using any product licensed under the Elastic License for a new use case which might go against the licensing, you must have this use case verified by Zalando Data & IT law. Already known and accepted use cases are:
- Using Elasticsearch as storage and index of internal data - this also includes using the index to power search of public facing sites
- Using Kibana as an internal dashboard
From Elastic Website: The Elastic License 2.0 applies to the distribution and the source code of all of the free and paid features of Elasticsearch and Kibana. The license allows the free right to use, modify, create derivative works, and redistribute, with three simple limitations:
- You may not provide the products to others as a managed service
- You may not circumvent the license key functionality or remove/obscure features protected by license keys
- You may not remove or obscure any licensing, copyright, or other notices