Compliance Dictionary for Developers

Open Source Compliance involves a lot of buzzwords. Here are some simple, straightforward definitions.

Note that these intentionally omit a lot of nuance and details, and should not be taken as legal advice. If you have questions about how a particular license applies to your specific situation, you should speak with a lawyer and/or consult some of the resources from other organizations that discuss license interpretation.

attribution notices: A list of copyright and license notices contained in free and open source software, which many licenses require to be retained or reproduced in copies of the software.

copyleft: A category of free and open source software licenses which generally include a requirement that derived works of the copyleft software, or programs which are bound to or make use of the copyleft software in certain ways, must themselves be provided in source code form under the copyleft license if they are distributed or made available. The exact boundaries and conditions vary among licenses.

inbound license: the license under which someone receives a third party’s software or other content.

  • Example: Project A’s developers want to incorporate third party software B into A. B is made available under the MIT license. From A’s perspective, MIT is the inbound license for B.

license: permission to do something using someone else’s copyrightable content (e.g. software, documentation) or other intellectual property rights.

license condition: a right under a license that is only granted if a particular condition is fulfilled. Can be phrased in forms like “you may do X if you do Y” or “if you do Y, then you must do X.”

license restriction: a prohibition on doing something under a license; a retained right. Can be phrased in forms like “you may not do X” or “no right is granted to do X under this license.”

outbound license: the license under which someone makes their software or other content available to others.

  • Example: Project B is made available under the MIT license. MIT is the outbound license for B.

permissive: a category of free and open source licenses which are generally understood not to be copyleft or weak copyleft.

  • These are sometimes called “attribution-style licenses”, because the primary requirement for many of them is to retain or reproduce attribution notices. “Attribution” can be a misleading term for this category, however, as copyleft and weak copyleft licenses can also have attribution requirements.

SPDX: The Software Package Data Exchange project (https://spdx.org/), which is focused on developing a specification and related content to make it easier to exchange machine-readable data about the composition of a software package, including security and license information.

SPDX license identifiers or SPDX short-form IDs: A short comment tag (“SPDX-License-Identifier:” followed by a license identifier or a license expression combining identifiers with AND, OR and WITH) placed in a source code file so that its license can be determined in a machine-readable manner; described at https://spdx.org/ids.

  • Example: // SPDX-License-Identifier: Apache-2.0

SPDX License List: A list of commonly-found licenses and exceptions used in free and open source and other collaborative software or documentation, available at https://spdx.org/licenses/. Each license and exception has an associated identifier that can be used in SPDX short-form IDs, as described above.
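
The two SPDX entries above describe how a file declares its license and where the valid identifiers come from. The following is an added example of how a developer might check a code base for those tags; it is not code from this page, from the SPDX project, or from any SPDX tool. It assumes a small, constructed subset of identifiers from the SPDX License List (a real scanner would load the full list from https://spdx.org/licenses/), and the sample files it scans are constructed inline. It checks only that each file carries a tag and that the expression is well-formed and uses known identifiers; it says nothing about what obligations those licenses impose.

```python
import re

# Constructed subset of the SPDX License List (https://spdx.org/licenses/).
# Assumption for this example only: a real scanner should load the full list.
KNOWN_LICENSE_IDS = {
    "MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
    "GPL-3.0-or-later", "LGPL-2.1-only", "MPL-2.0",
}
KNOWN_EXCEPTION_IDS = {"Classpath-exception-2.0", "LLVM-exception"}

# Matches the tag in any comment style; strips a trailing "*/" or "-->" closer.
SPDX_TAG_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->)?\s*$")
# Tokens of a license expression: parentheses, operators, identifiers.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")


def extract_spdx_expression(text):
    """Return the expression from the first SPDX-License-Identifier tag, or None."""
    for line in text.splitlines():
        match = SPDX_TAG_RE.search(line)
        if match:
            return match.group(1)
    return None


def validate_expression(expr):
    """Return a list of problems with a license expression (empty list if it is well-formed)."""
    tokens = TOKEN_RE.findall(expr)
    # Anything the tokenizer could not account for (e.g. "MIT/Apache") is unparseable.
    if not tokens or "".join(tokens) != re.sub(r"\s+", "", expr):
        return ["unparseable expression"]
    errors = []
    depth = 0
    expect_operand = True  # True when the next token must be a license or "("
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            if not expect_operand:
                errors.append("unexpected '('")
            depth += 1
        elif tok == ")":
            if expect_operand:
                errors.append("unexpected ')'")
            depth -= 1
            if depth < 0:
                errors.append("unbalanced ')'")
                depth = 0
        elif tok in ("AND", "OR"):
            if expect_operand:
                errors.append(f"operator {tok} without a left operand")
            expect_operand = True
        elif tok == "WITH":
            # WITH attaches an exception to the license immediately before it.
            if expect_operand:
                errors.append("WITH without a license before it")
            if i + 1 >= len(tokens) or tokens[i + 1] not in KNOWN_EXCEPTION_IDS:
                errors.append("WITH must be followed by a known exception identifier")
            i += 1  # consume the exception token
        else:
            if not expect_operand:
                errors.append(f"missing operator before {tok}")
            if tok not in KNOWN_LICENSE_IDS:
                errors.append(f"unknown license identifier {tok}")
            expect_operand = False
        i += 1
    if depth != 0:
        errors.append("unbalanced '('")
    if expect_operand:
        errors.append("expression ends without an operand")
    return errors


def scan_files(files):
    """Map file name -> {"expression": str or None, "errors": [...]} for a dict of file contents."""
    report = {}
    for name, text in files.items():
        expr = extract_spdx_expression(text)
        if expr is None:
            report[name] = {"expression": None, "errors": ["no SPDX-License-Identifier tag"]}
        else:
            report[name] = {"expression": expr, "errors": validate_expression(expr)}
    return report


# Constructed sample files for the example (not from any real project).
SAMPLE_FILES = {
    "main.c": "// SPDX-License-Identifier: Apache-2.0\n#include <stdio.h>\n",
    "util.js": "/* SPDX-License-Identifier: MIT OR Apache-2.0 */\nexport const x = 1;\n",
    "legacy.py": "# SPDX-License-Identifier: GPL-2.0-only WITH Classpath-exception-2.0\n",
    "vendored.h": "/* SPDX-License-Identifier: GPL-2.0 */\n",  # deprecated id, not in the subset
    "bad.go": "// SPDX-License-Identifier: MIT AND\npackage main\n",
    "setup.sh": "#!/bin/sh\necho hello\n",  # no tag at all
}

if __name__ == "__main__":
    for name, result in scan_files(SAMPLE_FILES).items():
        status = "ok" if not result["errors"] else "; ".join(result["errors"])
        print(f"{name}: {result['expression']!r}: {status}")
```

Files that fail the check are the ones a reviewer would look at by hand: a missing tag means the inbound license is unknown, and an identifier absent from the License List (such as a deprecated one) means tooling downstream cannot reliably match it.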

weak copyleft: A category of free and open source software licenses which contain copyleft-style obligations, where those obligations may not apply for certain “looser” types of binding or linkage with the weak copyleft software.