A practical, plain-English reference to the licenses that govern open-source code, source-available products, datasets, documentation, and AI models. Know what each one actually requires before you ship โ what you must share, what you must credit, and what patent rights come with it.
A software license is a grant of permission with strings attached. Almost every dispute comes down to five practical questions. Read any license โ open source or not โ by answering these:
The major software, source-available, data, and AI licenses at a glance. "Must share source?" describes the copyleft trigger; "Patent grant?" means an express grant in the license text. This is a summary for orientation โ always read the actual license and confirm version numbers.
| License | Type | Commercial use | Must share source? | Attribution? | Patent grant? | Notes |
|---|---|---|---|---|---|---|
| Permissive | ||||||
| MIT | Permissive | โ Yes | โ No | โ Keep notice | โ None express | Shortest, most popular. Do anything; keep the copyright + license text. |
| BSD-2-Clause | Permissive | โ Yes | โ No | โ Keep notice | โ None express | "Simplified BSD." Like MIT with a no-warranty clause. |
| BSD-3-Clause | Permissive | โ Yes | โ No | โ Keep notice | โ None express | Adds a no-endorsement clause: don't use the author's name to promote your product. |
| ISC | Permissive | โ Yes | โ No | โ Keep notice | โ None express | Functionally equivalent to MIT, simpler wording. Default in the npm ecosystem. |
| Apache-2.0 | Permissive | โ Yes | โ No | โ Notice + NOTICE file; state changes | โ Express + retaliation | The "business-safe" permissive license. Explicit patent grant that terminates if you sue over patents. Preferred for company projects. |
| Unlicense | Public-domain | โ Yes | โ No | โ None | โ None express | Dedicates work to the public domain. No attribution required. (Public-domain dedication isn't valid in every jurisdiction.) |
| CC0-1.0 | Public-domain (data/docs) | โ Yes | โ No | โ None | โ None | Creative Commons public-domain tool. Common for datasets. Not recommended for source code (no warranty/patent terms). |
| Weak copyleft (file- or library-scoped) | ||||||
| MPL-2.0 | Weak copyleft | โ Yes | โ ๏ธ Modified MPL files only | โ Keep notices | โ Express | File-level copyleft: share changes to MPL-licensed files; your other files stay yours. Mixes cleanly into proprietary products. |
| LGPL-2.1 / 3.0 | Weak copyleft | โ Yes | โ ๏ธ Library changes; allow relinking | โ Keep notices | โ ๏ธ Via GPL terms (3.0) | For libraries. You may link from proprietary code if users can replace the LGPL library (dynamic linking / object files). |
| EPL-2.0 | Weak copyleft | โ Yes | โ ๏ธ Modified EPL files only | โ Keep notices | โ Express | Eclipse Public License. File-level copyleft, business-friendly. Common in the Java/Eclipse world. |
| Strong copyleft | ||||||
| GPL-2.0 | Strong copyleft | โ Yes | โ ๏ธ On distribution (whole work) | โ Keep notices | โ None express (implied) | Distribute a binary โ must offer complete corresponding source under GPL. No express patent grant. Linking GPL code generally makes the combined work GPL. |
| GPL-3.0 | Strong copyleft | โ Yes | โ ๏ธ On distribution (whole work) | โ Keep notices | โ Express + anti-tivoization | GPL-2.0 plus an express patent grant, hardware install-info ("anti-tivoization"), and clearer termination. Not one-way compatible with GPL-2.0-only. |
| Network copyleft | ||||||
| AGPL-3.0 | Network copyleft | โ Yes | โ ๏ธ Also when offered over a network | โ Keep notices | โ Express | Closes the "SaaS loophole": if users interact with a modified version over a network, you must offer them the source. Often avoided by companies for internal/hosted use. |
| Source-available (NOT OSI open source) | ||||||
| BSL 1.1 (Business Source) | Source-available | โ ๏ธ Limited until change date | โ Source visible | โ Keep notices | โ None express | Source is public but production use may be restricted (e.g., no competing service) until a "change date," when it converts to an open license (often Apache/GPL). Used by MariaDB, HashiCorp. |
| Elastic License 2.0 | Source-available | โ ๏ธ Not as a managed service | โ Source visible | โ Keep notices | โ None express | Free to use/modify, but you may not provide it as a hosted/managed service to third parties or circumvent license keys. |
| SSPL-1.0 | Source-available | โ ๏ธ Service-provider burden | โ ๏ธ Must open the whole service stack | โ Keep notices | โ None express | AGPL-derived. If you offer it as a service, you must release the source of the entire management/hosting stack. Not OSI-approved. Used by MongoDB. |
| Data & documentation (Creative Commons) | ||||||
| CC-BY-4.0 | Data/docs ยท attribution | โ Yes | โ No (share-alike not required) | โ Credit required | โ N/A | Use anything if you credit the author. Standard for open datasets and docs. (CC is for content, not code.) |
| CC-BY-SA-4.0 | Data/docs ยท copyleft | โ Yes | โ ๏ธ Derivatives under same license | โ Credit required | โ N/A | "Copyleft for content." Adaptations must be CC-BY-SA. Powers Wikipedia / OpenStreetMap. |
| CC-BY-NC-4.0 | Data/docs ยท non-commercial | โ Non-commercial only | โ No | โ Credit required | โ N/A | No commercial use without a separate license. "NC" is a frequent trap for businesses building on "free" data. |
| AI model & dataset licenses | ||||||
| OpenRAIL / OpenRAIL-M | AI ยท responsible-use | โ Yes | โ No | โ Pass terms downstream | โ ๏ธ Varies by instance | Permissive except for enumerated use-based restrictions (e.g., no harm, no unlawful surveillance). Restrictions must flow to all downstream users. Used by Stable Diffusion, BLOOM. |
| Llama Community License | AI ยท custom (Meta) | โ ๏ธ Yes, with conditions | โ No | โ "Built with Llama" + license | โ ๏ธ Conditional | Commercial use allowed, but a >700M monthly-active-user threshold requires a separate Meta license; naming/attribution rules apply. Not OSI open source. |
| Gemma Terms of Use | AI ยท custom (Google) | โ Yes | โ No | โ Pass terms + notices | โ ๏ธ Conditional | Broad commercial rights with a Prohibited Use Policy that binds you and all downstream recipients. Not OSI open source. |
| Commercial / Proprietary | Proprietary | โ ๏ธ Per contract | โ No (closed) | โ ๏ธ Per contract | โ ๏ธ Per contract | A negotiated EULA/SaaS agreement. Everything โ use, redistribution, patents, support, indemnity โ is whatever the contract says. No default rights. |
Plain-English explainers for the six families above. When in doubt, classify a license into one of these before you read the fine print.
AI licensing breaks the old assumption that "the license covers the code." A modern model release is really a bundle of distinct assets โ and the rights to each can differ. This is where most teams get exposed.
Practical checklist for adopting any open-weight model: (1) identify the license on the weights, separately from the code; (2) confirm commercial use is allowed at your scale; (3) record the acceptable-use restrictions you must propagate; (4) check the dataset provenance and its license; (5) verify the terms on model outputs. A model that's "free to download" can still be unusable for your product.
Apex Vanguard runs license-readiness reviews โ we inventory every dependency, model, and dataset in your product, flag the copyleft, source-available, and AI use-restriction traps, and hand you a clear obligations map before you ship or raise. Pair it with Vanguard IP-Researcher to keep that inventory current as your dependencies change.
Book a license-readiness review โ IP & license consulting ยท $400/hr ยท Vanguard IP-Researcher from $200/mo with a 30-day free trial