Tooling

OSS License Selection

Choosing an OSI-approved license — permissive, weak copyleft, strong copyleft — and the tools that help you pick.

The single most consequential decision in starting an open source project. Pair with Source-Available vs OSI/FSF for non-OSS-but-marketed-as-open licenses, License Relicensing Wave for the BSL/SSPL trend, and License Auditing Tools for compliance scanning.

Tools to help you pick (free)

  • ★ ★ choosealicense.com — GitHub-run; the canonical "I have 60 seconds, what license should I use?" guide. Free.
  • SPDX License List — free; machine-readable identifiers (e.g. MIT, Apache-2.0, GPL-3.0-or-later). Use SPDX IDs in package.json / pyproject.toml / SBOM.
  • OSI-approved licenses list — free; the source of truth for "is this OSS?" If a license isn't on this list, it isn't open source — full stop.
  • TLDR Legal — free; lay-language license summaries (handle with judgement; not legal advice).
  • GNU License Compatibility Matrix — free; FSF's view on which licenses combine cleanly with GPL.
  • MIT — shortest, friendliest; default for most JS / web / utility libraries.
  • Apache 2.0 — adds explicit patent grant + contributor terms; default for larger projects, foundations, anything corporate. Pick this over MIT when patent protection matters.
  • BSD-2-Clause / BSD-3-Clause — MIT-equivalent; 3-clause adds a no-endorsement clause.
  • ISC — shorter MIT (npm uses it).
  • 0BSD / MIT-0 — strips even attribution requirement; effectively public-domain-shaped but legally cleaner globally than the Unlicense.

Weak copyleft (libraries you want to stay open without forcing user code)

  • LGPL v2.1 / v3 — your library's source must stay open if modified, but apps that link to it can be closed. Tricky in static-linked / mobile / WebAssembly contexts.
  • MPL 2.0 (Mozilla) — file-level copyleft; modifications to MPL files stay open, but you can combine with proprietary code in the same product. Practical compromise.
  • EPL 2.0 (Eclipse) — similar shape; common in Java land.

Strong copyleft (the user must also share)

  • GPL v2 — Linux kernel uses this; widely understood.
  • GPL v3 — adds anti-tivoization + patent retaliation; many companies (notably Apple) avoid.
  • AGPL v3 — closes the "SaaS loophole" by triggering source-share over the network. Becoming common for "OSS, but I don't want AWS to host me without contributing" projects (Grafana before relicensing, MongoDB before SSPL, Mastodon, Nextcloud).

Public-domain shapes

  • CC0 — explicit public-domain dedication + fallback license; OSI-approved (since 2025-era discussions remain mixed; SPDX-recognized).
  • Unlicense — public-domain dedication; OSI-approved; less legally robust than CC0 globally.
  • WTFPL — flag as legally questionable; not recommended despite the meme.

Documentation / non-code (Creative Commons)

  • CC-BY 4.0 — attribution; default for docs and content.
  • CC-BY-SA 4.0 — share-alike; Wikipedia uses this.
  • CC-BY-NCnot OSS / not free-culture; non-commercial restriction breaks downstream reuse. Avoid unless you really mean it.

Source-available — NOT OSS (flagged)

The following are explicitly not OSI-approved; covered separately in Source-Available vs OSI/FSF:

  • BSL (Business Source License — HashiCorp, CockroachDB, Sentry)
  • SSPL (Server Side Public License — MongoDB, Elastic during 2021–24)
  • Functional Source License (FSL) — Sentry's 2023 launch.
  • Fair Source License, Elastic License v2, Confluent Community License.

If you are choosing a license for your own project and one of these is on your shortlist, be honest with users that your project is source-available, not open source.

Practical tips

  • Pick at project start. Relicensing later requires every contributor's permission (unless you have a CLA — see CLAs & DCO).
  • Use SPDX IDs everywhere"license": "Apache-2.0" in package.json, license = "MIT" in Cargo.toml.
  • One LICENSE file per repo at the root, exact text from the canonical source.
  • Add SPDX headers in source files (// SPDX-License-Identifier: Apache-2.0) — kernel-style.
  • Don't write a custom license. Lawyers will be unhappy and users will avoid your project.

Pick this if…

  • Default permissive, anything goes: MIT.
  • Default permissive + patent grant + corporate-friendly: Apache 2.0.
  • You want SaaS-share enforcement: AGPL v3.
  • A library you want to stay open without forcing apps: MPL 2.0.
  • Documentation / educational content: CC-BY 4.0.
  • You're tempted by BSL / SSPL / FSL: read Source-Available vs OSI/FSF first and be honest with users.