Legal Cred for an Open-Source Project

I am not a lawyer. The information here is not, not is it intended to be, legal advice. 

Many open source projects unfortunately don’t concern themselves with presenting a clear legal perspective, which could be costing them community!

An open source project must present legal credibility to be considered seriously by a commercial enterprise.

I recently attended the iTech 2017 convention in Calgary, where the luncheon keynote was Digital Transformation Leaders Are Few and Far Between from Snehanshu Shah, SAP Global VP Customer Innovation. Shah purported that leading companies in digital transformation will use next-generation technology to continuously improve core infrastructure, while quickly incorporating new technologies for competitive edge, and that technologists who can apply inexpensive technology to solve these business problems will have value. Open-source software is now a proven development model with communities of essentially independent developers, collaborating in a non-competitive environment and sharing the development labor. It is inevitable that the business transformation spoke of by Shah will be aided by open-source software technologies, driving down the cost of infrastructure and providing sources of competitive advantage in a digital age.

It is in the nature of a young open-source project team to organise itself loosely. This should not be surprising, considering project members are typically volunteer developers donating their time to scratch their own personal itch, and more interested in writing code then in documentation or project process. A mantra of the open-source community is Talk is cheap. Show me the code. However, this is not to disparage project teams because it is hard to have value without working code.

Unfortunately though, this behavior is in contrast with a commercial enterprise’s typical need for security and stability to operate in the best interests of its owners. An enterprise must be absolutely confident that their adoption of a particular open-source software application cannot be jeopardized later, for example through misunderstanding or lack of appreciation for legal concepts by the project team, or a falling-out within the team leading to a disagreement over code ownership. A commercial enterprise requires confidence of longevity.

Ownership (Copyright)

The fundamental aspect of credibility is clear ownership of source code and other assets. Major projects often require contributors to sign a Copyright Assignment Agreement (CAA) or a Contributor License Agreement (CLA), which for all intensive purposes transfers ownership of the contribution to the project. However, this requires creation of a legal entity to assign or license contributor rights to, which is often beyond the need or ability of a smaller project team.

Simpler approaches are possible. For example, the Maestro project includes a legal statement in one of the project’s source code files – in the file. The statement specifies the license under which the software can be used, that contributors retain individual copyright to their work as recorded in the repository commit log, and that contributions are accepted with the assumption they were provided under the terms of the same license. The legal statement was committed to the project repository before any contributor contributions were accepted. This approach was deemed sufficient considering the project potential and risks, and ultimately a business decision.


The second-most fundamental aspect of credibility is the license, and the license terms that control use of the software. To have value, the license must be be legally binding and enforceable. Well understood and even legally tested licenses exist, but many open-source developers still write their own license, based on how they would like their software to be used. For example, Anuko Time Tracker, a popular web-based timesheet system, uses its own Liberal Freeware License, which appears to address the same concerns as more established and tested licenses such as the BSD, MIT, and Apache licenses. To an enterprise, not using a well-known and understood license can easily prevent an application from being considered further. Enterprises must be concerned with potential liability, and a well known and tested license will provide greater credibility. 

Permissive vs Copyleft

The anticipated use of the software must of course be compatible with the terms of the license, but also potential future use should be considered. There are two basic types of open-source licenses, permissive and copyleft. The two have very different goals and different implications for a commercial enterprise.

The goal of a permissive license is to encourage use through as few restrictions as possible, while the goal of a copyleft license is to ensure source code remains available even if modified by a third party. Commercial enterprises generally prefer a permissive license to a copyleft  license because it reduces risk of the license constrain the business at some point in the future. 

The original copyleft license was the GNU GPL, which required that source code be provided to everyone the application was distributed to. When remotely served web applications became popular, it was realized that GPL-licensed web applications hosted remotely did not have to make source code available, because the application wasn’t being distributed according to the GPL. This was against the philosophy of the copyleft community and became known as The ASP Loophole. As a result, the GNU Affero General Public License (AGPL) has become the popular copyleft license for web applications, requiring that source code be available to anyone who accesses the application. However, having to make source available should not be the greatest concern to a commercial enterprise for a copyleft license. The greatest concern should be whether the copyleft license could constrain future business direction or opportunities because of how the license extends itself to integrated – or integrating – applications to also apply to the end result. 

To explore this using an example, first assume an engineering department within a commercial enterprise is trying to improve project management, and starts using Anuko Time Tracker as an electronic timesheet system to record time spent by employees on projects and tasks. If use of  Time Tracker proves successful, the enterprise may expand use to other departments as well. Eventually the enterprise may make minor customizations as well as provide access to contract staff for entering their time, and to clients for reviewing their project’s dashboard. Assuming Time Tracker continues to be successful, the enterprise may want to integrate it with other internal systems, such as a vacation database or ERP system.

Because Time Tracker  uses the permissive Liberal Freeware License, there will be no practical constraint on how the enterprise can use, modify and integrate Time Tracker –  ever. However, if Time Tracker had been licensed using the AGPL, not only would customizations have to be shared with clients, subcontractors, and possibly competitors, but integrations with other applications may be impossible due to incompatible licensing. While it may be possible to perform an integration without the copyleft license becoming “viral” (a popular metaphor, implying that a copyleft license “infects” everything it touches), careful review of both the specific licenses and of the software architectures involved will be necessary to establish business viability.

In Conclusion

If you want to attract enterprise users to your open-source software project, then remove obstacles from their path. It doesn’t matter what you think, it’s what they think. Perception may not be reality, but it’s perception that matters. Make it easy for outsiders to understand the legal position of your project, and what the implications and options are.  

There is a plethora of legal advice on the internet, some useful, some less useful, and some absolutely wrong. Laws are specific to a jurisdiction, and much will simply not even apply to you. There are also subtleties and implications that only an expert can competently advise on. If it’s important, seek professional guidance!

For more anecdotal information,‘s FLOSS Weekly podcast interviewed several project teams that had to deal with legal issues.

  • Roberto Rosario had to develop Mayan EDMS in a way that would permit GPL licensing although he was working as an employee of the Porto Rico government, and also deal with an early fork that threatened the project’s future. See FLOSS Weekly Episode 253.


Remember, if it’s important, seek professional guidance!

Enterprise and Open Source – Copyright, Trademark and License

I am an engineer, not a lawyer, and this is personal opinion, not professional advice. Licenses and other legal documents can be complicated, and words like “meaningful”, “non-trivial” and the like may be interpreted differently based on jurisdiction, context and domain. Consult with a lawyer if it’s important, but it seems to boil down to the basics – copyright, trademark, and a license.

I won’t get into the reasons why an enterprise might care about being legally compliant and to what degree, but if it does, it will be considering liabilities imposed by its use of Open Source software. Liabilities carry strategic risk, which ultimately is financial risk.

The great advantage of Open Source software is that development and support costs can be shared among a community of interested parties, with individual modifications to meet unique individual needs. An Open Source project is essentially a partnership, with a large and diverse set of partners. This gives rise to issues of ownership and restrictions or liabilities.

If the liabilities associated with some software cannot be accepted, the software cannot be used. Unfortunately, it is also likely that the software cannot be used if there is a lack of clarity regarding liabilities. A project team that provides clarity regarding legal issues makes it easy for an enterprise to use their software, join their community and give back to their project.

Since an Open Source project is a partnership, with a large and diverse set of partners, it will require some degree of structure in order to function effectively. It will also want to protect itself against any ill will, internal or external.

In this article, I propose an approach for Open Source projects to protect themselves, and to provide the legal clarity that enterprises may require.

Ownership and Identity

An Open Source project is made up of more than just its code. An Open Source project is also a community of individuals, driven to achieve common goals and held together by a project name and on-line meeting places (typically the code repository, project website, mail list, issue tracker, forum, and wiki).

To ensure survival, the project team must protect itself against those who would do it harm – most commonly by using the project code or name for commercial gain against the intent and desires of the project team.

Copyright, Trademark and License

There are three tenants to protecting an Open Source project: Copyright, Trademark and a License. Copyright law will protect source code ownership, especially when the code is maintained in a secure public revision management system (e.g. GitHub). Trademark law will protect the project name and image against misuse, and a license will protect contributors and the community in general from liability, and protect access to changes if desired.


Copyright is a legal concept that generally gives the author of an original work exclusive rights to their work. The copyright for a line of code is generally held by its author (developer), unless it is assigned to someone else. Assignment may be implicit, such as when an employee creates code for an employer (“works for hire”), or explicitly through a formal agreement, such as a Contributor License Agreement (CLA) or Copyright Assignment Agreement (CAA). Issue in licensing will arise if copyright ownership is ambiguous or unclear, because only the owner of a work can license it.

Open source projects generally follow one of two options:

  • Developers retain individual copyright to their code. Developers may declare through a Contributor License Agreement (CLA) that have the legal right to submit their code, and the CLA may include additional terms under which the code is provided.
  • Developers assign the copyright to their submitted code, using either a Contributor License Agreement (CLA) or a Copyright Assignment Agreement (CAA), to a legal entity used by the project team for that purpose.

Comparing the two, retaining copyright ownership without a CLA is the simplest although weakest legally, and any desired re-licensing will be difficult to impossible as it will require the explicit consent of all owners. Assigning ownership to single entity using a CLA or CAA will be the strongest legally, although it will be an obstacle to receiving ad hoc submissions from the community at large.


Trademark law will provide practical protection of the project’s name, so long as the project uses the name in a way that can be trademarked, generally some type of logo. An individual (e.g. the project founder) or a legal organization owns the trademark (which preferably should be registered), and allows for its fair use by creating a Trademark and Logo Policy (e.g. the Maestro Trademark and Logo Policy, based on the Drupal Trademark and Logo Policy).

A Trademark and Logo Policy clarifies rights over the use of the project’s identity. Your name and logo are important to your community, and may want to create T-shirts, booth displays at trade shows and conferences, support material for clients, etc., that incorporate the project name and logo. The Trademark and Logo Policy controls their use to the benefit of the project as a whole, and provides a background from which abusers can be legally instructed to stop.


Generally, the simpler a license is the better. Some projects use different licenses for different things, such as the GPL for code and a Creative Commons license for documentation, I can only recommend using as few licenses as possible to achieve your purpose.

When it comes to the choice of license, use a permissive license (e.g. BSD, Apache or MIT license) if you want the software used by as many people as possible (in particular by enterprises wary of copy-left licensing). Use a copy-left license (e.g. GPL or AGPL) if you want to enforce that your code continues to remain Open Source.

The GPL generally requires that changes and extensions must also be licensed by the GPL, which is why technical and popular writing describe it as “viral”. Commercial enterprises can understandably react conservatively to issues that obligate, constrain or impose liability, reinforcing the value of a permissive license in the presence of uncertainty.

Should it be desired at some time to change the license, it is easier when a single entity holds copyright to the entire source repository, and harder if a large number of developers individually hold copyright to their own contributions – no matter how small. This can be both a benefit and a curse. Projects often start with a single developer who provides all the code, but ownership quickly becomes complex and intertwined as others first submit bug fixes, and then later provide entirely new features that cross the application. Consider the future you want for the project and plan for it, before it becomes too late practically to do anything other than start over.

Don’t think the source license will protect the project or software name. From the perspective of the license, the name is just a character string that can be changed like any other. Adding additional conditions to the license (essentially creating a new “license plus some stuff” license) only complicates licensing, making enforcement more difficult and impeding acceptance by reducing clarity.


Here are my recommendations for Open Source projects. Use your source code revision management system to your benefit by including legal notices and documents in your repository. That way they become integral to the project, inherently related in time to other contributions, and difficult to refute.

1. Include a License and Copyright section in the README file in the project source code, as well as prominently on the project website. State the license fort the code, and who owns the copyright. Describe any legal requirements for submissions, such as whether a CLA or CAA must be submitted first, or the terms assumed to apply to submissions (such as the same license terms as the project). Explicitly say whether the license covers Plug-ins or other extensions.

The GPL generally applies to Plug-ins, although some prefer to believe otherwise. Being explicit will avoid misunderstandings, clarify the intent of the project and even encourage development (as well as save you from repeatedly having to answer the question).

2. Include a Trademark and Logo Policy section in the README file in your project source code as well as prominently on your project website. State who owns the trademark/logo, whether it is if registered, and describe what will be considered fair use (and what will not).

3. Publish a list of the Open Source projects included in your own project, including the license each uses. This makes it easy for potential users to readily and properly evaluate all their implications. Ensure each included project identifies its own license in your repository. Compliance is a chain, the legal clarity of subordinate projects is just as important as your own. If necessary, work with subordinate projects to improve their legal clarity, it will benefit you both.

Related Information‘s FLOSS Weekly podcast (hosted by Randal L. Schwartz of Perl-book fame) has interviewed several project teams that had to deal with licensing issues.

Bob Jacobsen had to regain control over the Open Source model railroad controller software he had written in order to clear his name professionally. See FLOSS Weekly Episode 117 and Java Model Railroad Interface (JMRI) in Wikipedia.

Roberto Rosario had to develop Mayan EDMS in a way that would permit GPL licensing although he was working as an employee of the Porto Rico government, and also deal with an early fork that threatened the project’s future. See FLOSS Weekly Episode 253.