OSS License Selection
Choosing an OSI-approved license — permissive, weak copyleft, strong copyleft — and the tools that help you pick.
The single most consequential decision in starting an open source project. Pair with Source-Available vs OSI/FSF for non-OSS-but-marketed-as-open licenses, License Relicensing Wave for the BSL/SSPL trend, and License Auditing Tools for compliance scanning.
Tools to help you pick (free)
- ★ ★ choosealicense.com — GitHub-run; the canonical "I have 60 seconds, what license should I use?" guide. Free.
- ★ SPDX License List — free; machine-readable identifiers (e.g.
MIT,Apache-2.0,GPL-3.0-or-later). Use SPDX IDs inpackage.json/pyproject.toml/ SBOM. - ★ OSI-approved licenses list — free; the source of truth for "is this OSS?" If a license isn't on this list, it isn't open source — full stop.
- TLDR Legal — free; lay-language license summaries (handle with judgement; not legal advice).
- GNU License Compatibility Matrix — free; FSF's view on which licenses combine cleanly with GPL.
Permissive (most popular for libraries / SDKs)
- ★ MIT — shortest, friendliest; default for most JS / web / utility libraries.
- ★ Apache 2.0 — adds explicit patent grant + contributor terms; default for larger projects, foundations, anything corporate. Pick this over MIT when patent protection matters.
- BSD-2-Clause / BSD-3-Clause — MIT-equivalent; 3-clause adds a no-endorsement clause.
- ISC — shorter MIT (npm uses it).
- 0BSD / MIT-0 — strips even attribution requirement; effectively public-domain-shaped but legally cleaner globally than the Unlicense.
Weak copyleft (libraries you want to stay open without forcing user code)
- LGPL v2.1 / v3 — your library's source must stay open if modified, but apps that link to it can be closed. Tricky in static-linked / mobile / WebAssembly contexts.
- MPL 2.0 (Mozilla) — file-level copyleft; modifications to MPL files stay open, but you can combine with proprietary code in the same product. Practical compromise.
- EPL 2.0 (Eclipse) — similar shape; common in Java land.
Strong copyleft (the user must also share)
- GPL v2 — Linux kernel uses this; widely understood.
- GPL v3 — adds anti-tivoization + patent retaliation; many companies (notably Apple) avoid.
- ★ AGPL v3 — closes the "SaaS loophole" by triggering source-share over the network. Becoming common for "OSS, but I don't want AWS to host me without contributing" projects (Grafana before relicensing, MongoDB before SSPL, Mastodon, Nextcloud).
Public-domain shapes
- CC0 — explicit public-domain dedication + fallback license; OSI-approved (since 2025-era discussions remain mixed; SPDX-recognized).
- Unlicense — public-domain dedication; OSI-approved; less legally robust than CC0 globally.
- WTFPL — flag as legally questionable; not recommended despite the meme.
Documentation / non-code (Creative Commons)
- ★ CC-BY 4.0 — attribution; default for docs and content.
- CC-BY-SA 4.0 — share-alike; Wikipedia uses this.
- CC-BY-NC — not OSS / not free-culture; non-commercial restriction breaks downstream reuse. Avoid unless you really mean it.
Source-available — NOT OSS (flagged)
The following are explicitly not OSI-approved; covered separately in Source-Available vs OSI/FSF:
- BSL (Business Source License — HashiCorp, CockroachDB, Sentry)
- SSPL (Server Side Public License — MongoDB, Elastic during 2021–24)
- Functional Source License (FSL) — Sentry's 2023 launch.
- Fair Source License, Elastic License v2, Confluent Community License.
If you are choosing a license for your own project and one of these is on your shortlist, be honest with users that your project is source-available, not open source.
Practical tips
- Pick at project start. Relicensing later requires every contributor's permission (unless you have a CLA — see CLAs & DCO).
- Use SPDX IDs everywhere —
"license": "Apache-2.0"inpackage.json,license = "MIT"inCargo.toml. - One LICENSE file per repo at the root, exact text from the canonical source.
- Add SPDX headers in source files (
// SPDX-License-Identifier: Apache-2.0) — kernel-style. - Don't write a custom license. Lawyers will be unhappy and users will avoid your project.
Pick this if…
- Default permissive, anything goes: MIT.
- Default permissive + patent grant + corporate-friendly: Apache 2.0.
- You want SaaS-share enforcement: AGPL v3.
- A library you want to stay open without forcing apps: MPL 2.0.
- Documentation / educational content: CC-BY 4.0.
- You're tempted by BSL / SSPL / FSL: read Source-Available vs OSI/FSF first and be honest with users.