5

Before I started making software for a company which requires its software to be closed-source, everything was easy, but now I'm drowning in license issues and I have no idea what to do.

I have found several great libraries for TLS and other crypto but all (obviously) have licenses. I am talking about the following licenses:

  1. GNU General Public license, version 2 for Mbed TLS
  2. Apache license, version 2
  3. Microsoft Limited Permissive License (Ms-LPL) for CLR Security
  4. Adaptation of MIT X11 License for Bouncy Castle

I know GNU GPL can only be used if my project is open source, but is it OK to have an example project which we can provide when asked for, which is similar to the code we use on our embedded devices but is just a much simpler version? Or do we actually need to provide the entire source code of what is currently running on the device?

  1. Because it is impossible to have the crypto bit open source and the rest of our source code closed source under this license, right?

  2. I believe the Apache License would allow us to use the library in closed source projects without problems and only needs a copy of that license when we distribute it, am I correct?

  3. Ms-LPL, as far as I can see, allows the use and adaptation of the code without restrictions; one can also keep it closed source, but would need to add a copy of the license. The same goes for the Bouncy Castle license, if I'm not mistaken?

In all cases there are parts of our source code we do not want to give to anyone. The products in which the code is used are being sold. In some cases we might change the code a bit (especially in the case of mbedTLS).

It would be great if someone could help me understand these licenses and could tell me if I'm right about these licenses. And perhaps recommend the license which would be the least problematic (e.g. needing to provide as little paperwork as possible).

jonrsharpe
Vincent
  • Did you check prior questions here before asking? E.g., [Is there a chart for helping me decide between open-source licenses?](http://programmers.stackexchange.com/q/105344/31260) and [How can I compare and contrast open source licenses?](http://programmers.stackexchange.com/q/120308/31260) – gnat May 26 '15 at 08:00
  • 1
    @gnat those questions are about making your software open source; I'm looking to keep it closed source while using a library which is open source. But the Coding Horror blog linked in your first link is helpful. – Vincent May 26 '15 at 08:27
  • 1
    This site has a nice interface to show quickly what a license allows, and what a license requires from you: https://tldrlegal.com/ ... maybe that will help you. – Mathias Vonende May 26 '15 at 08:38
  • @maze-le I now know what I can use, thanks. If you make it a proper answer I will accept it. – Vincent May 26 '15 at 08:50
  • Note that many products offer dual licencing; in essence if you do not want issues from using the open source licence, you buy a "closed" licence from the developers that would allow for redistribution. – SJuan76 May 26 '15 at 09:06
  • This site has a nice interface to show quickly what a license allows, and what a license requires from you: [tldrlegal.com](https://tldrlegal.com/) maybe that will help you. – Mathias Vonende May 26 '15 at 08:53
  • What you describe sounds like asked and answered in [Can I use GPL, LGPL, MPL licensed packages with my application and make it closed source?](http://programmers.stackexchange.com/questions/125606/can-i-use-gpl-lgpl-mpl-licensed-packages-with-my-application-and-make-it-close) and a couple of questions linked to it – gnat May 26 '15 at 10:44
  • I'm voting to close this question as off-topic because legal advice is off topic on Programmers. The scope of [which software licensing questions are on topic is defined in the faq here](http://meta.programmers.stackexchange.com/questions/7265/when-is-a-software-licensing-question-on-topic) – durron597 May 27 '15 at 02:32

3 Answers

4

> I know GNU GPL can only be used if my project is open source, but is it OK to have an example project which we can provide when asked for, which is similar to the code we use on our embedded devices but is just a much simpler version? Or do we actually need to provide the entire source code of what is currently running on the device?

No, it is not acceptable. If you distribute code (either as a binary download or as part of a physical product) that contains code under the GPL license, then you must provide the actual sources from which your program can be recreated.


When writing a closed-source embedded product, libraries under the GPL license are effectively unusable.

To comply with the Apache 2.0 license, you must accompany your product with a document containing the Apache 2.0 license text and a description of which part of the software it applies to. This can be a document with all kinds of legal fine-print.

For the MIT license, you just need to keep the existing copyright and permission notices intact in the source code.

For the Ms-LPL license, you must make sure that your device uses a Microsoft Windows operating system and you must keep the existing copyright and permission notices in the source intact.


For choosing which library to use, all can be used in a closed source embedded product (Mbed TLS has a commercial license option available for closed source projects). You should also involve other considerations like

  • correspondence between the features you need and the features provided
  • the amount of adaptation needed
  • support for the library
Bart van Ingen Schenau
  • Mbed TLS will (hopefully before Q4 2015) also have released it under the Apache license ;) Just wondering if it's easier to start a partnership or to use the Apache license when it's out. – Vincent May 26 '15 at 12:46
1

> I have no idea what to do.

Ask your company's legal department. It's their job, not yours. And, unlike you, they do know what they are doing.

Jörg W Mittag
  • Haha, yeah, if we had a legal department I'd do that, but we don't... :( – Vincent May 26 '15 at 08:32
  • 1
    The average legal eagle will have no clue in my experience. A lawyer that specialises in software copyright and patent law maybe. – rjdkolb May 26 '15 at 10:52
  • @rjdkolb: I'm assuming that the legal department of a company that sells software products (as opposed to a company which sells something totally unrelated and just happens to have an internal IT department) will have lawyers who know about selling software products. Or at least the company will have a lawyer on retainer who knows about selling software products. Apparently, I was wrong. – Jörg W Mittag May 26 '15 at 10:56
  • @JörgWMittag , maybe some like Oracle,Google or IBM etc. Or maybe you have had better experience than I have had. – rjdkolb May 26 '15 at 11:46
  • @rjdkolb even the six developer shop that I worked at had a lawyer on retainer. Not having a legal person to answer legal questions is just as dangerous as having the salespeople be the sysadmins. –  May 26 '15 at 13:57
0

> I know GNU GPL can only be used if my project is opensource

That seems to be a misunderstanding. When you use a GPL library, you only need to open source your own project under GPL again, if

  • your project links directly to that library (due to this part of the GPL FAQ, the relevant thing is how the communication between your prog and the GPLed code works)

  • you are going to publish your project outside of your company (internal use does not require you open your sources)

  • the vendor does not provide a different, alternative license (maybe a commercial one).

So you should first check if these conditions fit your project, for the specific library you would like to use. And about the other licenses, I think you already found out what you wanted to know.

Doc Brown
  • The fact that the GPL code is in a separate program does not in and of itself mean it isn't a fundamental part of the project, meaning the whole thing is under the GPL. – Deduplicator May 26 '15 at 09:30
  • Where does the GPL state permission not to include source so long as your program uses a "fork & exec" mechanism to call it? I think this excuse must have been dreamed up by someone to make themselves feel better for violating license terms, or to console them for having chosen a license incompatible with their project. – Brandin May 26 '15 at 11:51
  • @Brandin: see my edit; the GPL FAQ contains the "fork & exec" example at more than one place. – Doc Brown May 26 '15 at 11:53