Practical guidance for selecting and complying with non‑permissive licenses across the SDLC.
This is not legal advice. For high‑stakes use, consult counsel.
Triggers (what creates obligations):
- D = Distribution of binaries/source
- L = Linking/combining into one program (static or dynamic)
- F = File-level modification (you changed covered files)
- N = Users interact over a network (SaaS/hosted)
- SaaS = Offering as a managed/competing service
- A = Attribution required in UI; B = Branding/name rules
- T = Time-delayed conversion to an OSS license
- P = Patent grant/termination; C = License compatibility
License terminal classes (used throughout):
- SC = Strong copyleft (GPL-2.0/3.0, OSL-3.0, Sleepycat)
- WC = Weak/file-level copyleft (LGPL-2.1/3.0, MPL-2.0, EPL-2.0, CDDL-1.0)
- NC = Network copyleft (AGPL-3.0, CPAL-1.0, RPL-1.5, OSL-3.0, Sleepycat)
- NS = “No‑SaaS” / competitive‑use restricted (SSPL-1.0, Elastic v2, Confluent Community, RSALv2)
- TD = Time‑delayed open (BSL‑1.1, FSL‑1.1)
- FOU = Noncommercial / principle‑restricted (PolyForm NC, Prosperity, Hippocratic, Do‑No‑Harm, Anti‑996)
- BA = Brand/attribution quirks (PHP‑3.01, JSON, CPAL‑1.0)
- LG = Legacy/quirky OSI (APSL‑2.0, NOSA‑1.3, QPL‑1.0, SPL‑1.0)
flowchart TD
A0[Start: You are the Creator] --> A1{"Will users<br/>receive your software? (D)"}
A1 -- "No: internal-only" --> A2{"Will external users<br/>interact with it? (N)"}
A2 -- "Yes (SaaS/hosted)" --> A3{Do you want SaaS reciprocity?}
A3 -- "Yes" --> A3Y[Choose NC: AGPL/OSL/CPAL/RPL]:::nc
A3 -- "No" --> A4{Do you want to block hosted competitors?}
A4 -- "Yes" --> A4Y[Choose NS: SSPL/ELv2/Confluent/RSAL]:::ns
A4 -- "No" --> A5{"Time-release strategy desired? (T)"}
A5 -- "Yes" --> A5Y[Choose TD: BSL/FSL]:::td
A5 -- "No" --> A6{"Noncommercial/Principle restrictions? (FOU)"}
A6 -- "Yes" --> A6Y[Choose FOU family]:::fou
A6 -- "No" --> A7{"Brand/Attribution required? (A/B)"}
A7 -- "Yes" --> A7Y[Consider BA: PHP/CPAL/JSON*]:::ba
A7 -- "No" --> A8["Stop: Use permissive (out of scope) or revisit goals"]
A1 -- "Yes: distribute binaries/source" --> A9{Must downstream derivatives be open?}
A9 -- "Yes, whole program (L/D)" --> A9Y[Choose SC: GPL/OSL/Sleepycat]:::sc
A9 -- "No, only modified files/libs (F)" --> A9N{"Need patent grant/compat (P/C)?"}
A9N -- "Yes" --> A10Y[Choose WC: MPL/EPL]:::wc
A9N -- "No / file-level ok" --> A10N[Choose WC: LGPL/CDDL]:::wc
A9 -- "No reciprocity" --> A8
classDef sc fill:#ffe5e5,stroke:#d33,stroke-width:1.5px;
classDef wc fill:#fff0e6,stroke:#f80,stroke-width:1.5px;
classDef nc fill:#e6f5ff,stroke:#08c,stroke-width:1.5px;
classDef ns fill:#eaf7ea,stroke:#2c8,stroke-width:1.5px;
classDef td fill:#f5eaff,stroke:#90f,stroke-width:1.5px;
classDef fou fill:#fff7d6,stroke:#cc9,stroke-width:1.5px;
classDef ba fill:#f0f0f0,stroke:#999,stroke-width:1.5px;
- Are you distributing binaries/source? (D)
- Will users interact over a network? (N)
- Do you want reciprocity (downstream must share)? Whole program (SC) vs file-level (WC).
- Do you want to block managed-service competitors? (NS)
- Do you want time-delayed open? (TD)
- Any noncommercial/principle constraints? (FOU)
- Any UI attribution or branding rules? (A/B)
- Need patent grant or specific compatibility? (P/C)
flowchart TD
B0[Start: You are the Emulator] --> B1{Will you copy any code<br/>or distinctive artifacts?}
B1 -- "Yes" --> B1N[Stop: High risk — adopt source license or clean-room refactor]
B1 -- "No (ideas only)" --> B2{"Will you link/combine with upstream? (L)"}
B2 -- "GPL/strong copyleft" --> B2G[Avoid linking if proprietary; or adopt GPL]:::sc
B2 -- "LGPL library" --> B2L{Can you enable relinking/replacement?}
B2L -- "Yes" --> B2LY[OK with LGPL obligations]:::wc
B2L -- "No" --> B2LN[Avoid or re-arch to IPC/plugin boundary]
B2 -- "MPL/EPL/CDDL code" --> B2M[Keep your code separate; publish changes to their files]:::wc
B2 -- "No linking/combining" --> B3{"Hosted/Service? (N)"}
B3 -- "Yes" --> B4{Is upstream AGPL/OSL/CPAL/RPL?}
B4 -- "Yes" --> B4Y[If modified, publish server-side source; CPAL needs UI attribution]:::nc
B4 -- "No" --> B5{Is upstream 'No-SaaS'/competitive-restricted?}
B5 -- "Yes" --> B5Y[Do NOT offer as a managed service; interoperate only]:::ns
B5 -- "No" --> B6{Noncommercial/Principle restrictions?}
B6 -- "Yes" --> B6Y[Confirm permitted use or obtain license]:::fou
B6 -- "No" --> B7{"Time-delayed license? (T)"}
B7 -- "Yes" --> B7Y[Plan adoption post Change Date; avoid pre-conversion violations]:::td
B7 -- "No" --> B8{"Brand/Attribution quirks? (A/B)"}
B8 -- "Yes" --> B8Y["Honor badges; avoid restricted names (e.g., PHP); JSON is non-OSI"]:::ba
B8 -- "No" --> B9[Proceed: Clean-room build with provenance logs]
classDef sc fill:#ffe5e5,stroke:#d33,stroke-width:1.5px;
classDef wc fill:#fff0e6,stroke:#f80,stroke-width:1.5px;
classDef nc fill:#e6f5ff,stroke:#08c,stroke-width:1.5px;
classDef ns fill:#eaf7ea,stroke:#2c8,stroke-width:1.5px;
classDef td fill:#f5eaff,stroke:#90f,stroke-width:1.5px;
classDef fou fill:#fff7d6,stroke:#cc9,stroke-width:1.5px;
classDef ba fill:#f0f0f0,stroke:#999,stroke-width:1.5px;
- No copying of code/tests/config/comments/unique structure.
- Linking strategy: GPL (avoid unless GPL), LGPL (relinking), MPL/EPL/CDDL (file boundaries).
- Hosted obligations (NC) and No‑SaaS bans (NS).
- Noncommercial/Principle constraints (FOU).
- Time‑delayed conversion (TD).
- Attribution/Brand quirks (BA).
- Provenance logs and SCA in CI.
Use the snippet that matches the terminal reached in your flow. Copy both the README and Design Doc blocks into your repo.
GPL‑3.0‑only — README
License & Distribution
This project is licensed under GPL‑3.0‑only. If you distribute a program that links or combines this code into a single work, you must license the entire combined work under GPL‑3.0 and publish the complete corresponding source, including build and installation information. Include the GPL license text and notices; state your changes.
GPL‑3.0‑only — Design Doc
- Avoid static linking with proprietary modules; prefer process boundaries (CLI/IPC).
- Ship NOTICE, license text, and change logs with artifacts.
- If delivered on user devices, include installation information (“anti‑Tivoization”).
OSL‑3.0 — README
External Deployment counts as distribution. If you make the work available for use by external parties (e.g., SaaS), publish corresponding source under OSL‑3.0 and comply with notice/patent provisions.
Sleepycat (Berkeley DB) — README
If you redistribute software that uses Berkeley DB, you must provide the source code of that application under terms no less open than the Sleepycat license.
LGPL‑3.0‑only — README
Modifications to LGPL‑covered files must be LGPL. Applications may remain under a different license if recipients can relink/replace the library. Provide object files or a relinking method if statically linked.
LGPL‑3.0‑only — Design Doc
- Prefer dynamic linking; if static, provide relinkable objects and reverse‑engineering allowances.
MPL‑2.0 / EPL‑2.0 — README
Changes to licensed files must be published under the same license. Code in separate files may be under another license. EPL includes a patent grant/termination; MPL is file‑scoped and compatibility‑friendly.
CDDL‑1.0 — Note: file‑level like MPL, but GPL‑incompatible; avoid mixing with GPL stacks.
AGPL‑3.0‑only — README
If users interact with a modified version of this program over a network, we must offer them the complete corresponding source of that modified version under AGPL‑3.0. Include license text and notices.
AGPL‑3.0‑only — Design Doc
- Track server‑side diffs; automate packaging of source‑offer artifacts.
CPAL‑1.0 — README
Requires prominent attribution in the user interface and network‑use source availability. Specify badge text/location in UX specs.
RPL‑1.5 / OSL‑3.0 / Sleepycat — Notes: broad reciprocity; OSL counts external deployment; Sleepycat triggers when redistributing apps using the library.
SSPL‑1.0 — README
You may not offer this software as a service without releasing the entire service stack under SSPL. This license is not OSI‑approved.
Elastic License 2.0 / Confluent Community / RSAL‑v2 — README
Source‑available with restrictions: you may not provide the software as a managed service or to compete with the licensor’s hosted offering. See the license for restricted activities and commercial licensing options.
Design Doc (all NS)
- If roadmap includes hosting/managed features, escalate for relicensing or substitute components.
BSL‑1.1 — README
This release is under Business Source License 1.1 until the Change Date: YYYY‑MM‑DD, after which it converts to [Apache‑2.0/MIT/GPL‑2.0‑or‑later]. Before the Change Date, usage is limited to the Additional Use Grant.
FSL‑1.1 — README
This release is under Functional Source License 1.1 and will automatically convert to [Apache‑2.0 or MIT] on YYYY‑MM‑DD (two years from publish, unless otherwise stated). Pre‑conversion restrictions apply.
Design Doc (TD)
- Track the Change Date; plan post‑conversion license switch and community contribution policy.
PolyForm Noncommercial — README
Free for noncommercial use under PolyForm Noncommercial. Commercial use requires a separate license.
Prosperity — README
Noncommercial with a time‑boxed commercial trial. Commercial use after the trial requires a paid license.
Hippocratic / Do‑No‑Harm / Anti‑996 — README
Use is restricted by field‑of‑use (human rights, harm, labor). Not OSI‑approved. Ensure your use is permitted.
Design Doc (FOU)
- Add a Use‑Case Review gate in go‑to‑market and record approvals.
PHP‑3.01 — README
Naming restrictions apply: do not use “PHP” in product or project names; no implied endorsement.
JSON — README
“Use for Good, not Evil” clause — not OSI‑approved. Verify policy compatibility before use.
CPAL‑1.0 — see NC section for UI attribution details.
APSL‑2.0 — README
External deployment (network) of modified versions triggers publication of source.
NOSA‑1.3 — README
Contains an “original creation” clause that complicates combining third‑party code; note that some communities consider it not free.
QPL‑1.0 / SPL‑1.0 — README
Historical licenses with GPL‑compatibility issues. Prefer modern alternatives (MPL‑2.0/EPL‑2.0).
Use this as a default policy. Adjust per org. “Green” passes CI; “Yellow” warns; “Red” fails.
| Class | Typical use | Distribution (D) | Linking (L/F) | Network (N) | Managed service (SaaS) | Attribution/Brand (A/B) | Notes |
|---|---|---|---|---|---|---|---|
| WC (LGPL/MPL/EPL/CDDL) | Libraries/mixed codebases | 🟢 | 🟡 (LGPL relinking) | 🟢 | 🟢 | 🟢 | Keep file boundaries; LGPL relinking required |
| SC (GPL/OSL/Sleepycat) | Pure FOSS apps | 🟡 (ok if GPL) | 🔴 (for proprietary) | 🟡 | 🟡 | 🟢 | Whole‑program reciprocity; OSL external deployment; Sleepycat ties app source to library use |
| NC (AGPL/CPAL/RPL/OSL/Sleepycat) | SaaS reciprocity | 🟡 | 🟡 | 🟡 / 🔴 (if modified and not publishing) | 🟡 | 🟡 (CPAL badge) | Ensure server‑side source offer; CPAL UI credit |
| NS (SSPL/ELv2/CCL/RSAL) | Source‑available, no‑SaaS | 🟢 | 🟢 | 🟢 | 🔴 | 🟢 | Not OSI‑approved; do not build hosted clones |
| TD (BSL/FSL) | Open‑later | 🟡 | 🟡 | 🟡 | 🟡 | 🟢 | Respect pre‑conversion limits; track Change Date |
| FOU (PolyForm/Prosperity/Hippocratic/…) | Restricted use | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🔴 for unapproved commercial/prohibited domains |
| BA (PHP/JSON/CPAL) | Attribution/branding | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 / 🔴 | Check app‑store/brand policies; JSON is non‑OSI |
| LG (APSL/NOSA/QPL/SPL) | Legacy only | 🟡 | 🟡 | 🟡 | 🟡 | 🟢 | Review special clauses; consider modern replacements |
# Default license policy (edit per repo)
allow:
- Apache-2.0
- MIT
- BSD-2-Clause
- BSD-3-Clause
- ISC
- MPL-2.0
- EPL-2.0
- LGPL-2.1-or-later
- LGPL-3.0-or-later
warn:
- GPL-2.0-only
- GPL-3.0-only
- AGPL-3.0-only
- CDDL-1.0
- CPAL-1.0
- QPL-1.0
- PHP-3.01
- APSL-2.0
- NOSA-1.3
deny:
- SSPL-1.0
- Elastic-2.0
- Confluent-Community-1.0
- Redis-Source-Available
- PolyForm-*
- Prosperity-*
- Hippocratic-*
- Do-No-Harm-*
- Commons-Clause
- JSONscan_deps -> produce SBOM/licenses.json
if any license in deny: fail CI
if any license in warn: warn + require approval label "license:approved"
if green-only: pass
### Licensing checks
- [ ] Role: Creator / Emulator
- [ ] Distribution (D): yes/no
- [ ] Linking/Combining (L/F): GPL / LGPL / MPL / EPL / CDDL / none
- [ ] Hosted (N): yes/no
- [ ] Managed Service (SaaS): yes/no
- [ ] Attribution/Brand (A/B): yes/no
- [ ] Restrictions (FOU): none / NC / Principled
- [ ] Time‑delayed (T): none / BSL / FSL — Change Date: ____
- [ ] Patent/Compatibility (P/C): required? ____
- [ ] Terminal class chosen: SC / WC / NC / NS / TD / FOU / BA / LG
- [ ] README + Design‑Doc terminal snippets inserted
- [ ] SCA/NOTICE automation configured
- Keep this doc versioned with each license change.
- If dual‑licensing, clearly scope which subtrees/artifacts are under which license.
- Automate NOTICE generation and SCA scans in CI.
LinkedIn // GitHub // Medium // Twitter/X
A bit about David Youngblood...
David is a Partner, Father, Student, and Teacher, embodying the essence of a true polyoptic polymath and problem solver. As a Generative AI Prompt Engineer, Language Programmer, Context-Architect, and Artist, David seamlessly integrates technology, creativity, and strategic thinking to co-create systems of enablement and allowance that enhance experiences for everyone.
As a serial autodidact, David thrives on continuous learning and intellectual growth, constantly expanding his knowledge across diverse fields. His multifaceted career spans technology, sales, and the creative arts, showcasing his adaptability and relentless pursuit of excellence. At LouminAI Labs, David leads research initiatives that bridge the gap between advanced AI technologies and practical, impactful applications.
David's philosophy is rooted in thoughtful introspection and practical advice, guiding individuals to navigate the complexities of the digital age with self-awareness and intentionality. He passionately advocates for filtering out digital noise to focus on meaningful relationships, personal growth, and principled living. His work reflects a deep commitment to balance, resilience, and continuous improvement, inspiring others to live purposefully and authentically.
David believes in the power of collaboration and principled responsibility in leveraging AI for the greater good. He challenges the status quo, inspired by the spirit of the "crazy ones" who push humanity forward. His commitment to meritocracy, excellence, and intelligence drives his approach to both personal and professional endeavors.
"Here’s to the crazy ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes… the ones who see things differently; they’re not fond of rules, and they have no respect for the status quo… They push the human race forward, and while some may see them as the crazy ones, we see genius, because the people who are crazy enough to think that they can change the world, are the ones who do." — Apple, 1997
Why I Exist? To experience life in every way, at every moment. To "BE".
What I Love to Do While Existing? Co-creating here, in our collective, combined, and interoperably shared experience.
How Do I Choose to Experience My Existence? I choose to do what I love. I love to co-create systems of enablement and allowance that help enhance anyone's experience.
Who Do I Love Creating for and With? Everyone of YOU! I seek to observe and appreciate the creativity and experiences made by, for, and from each of us.
When & Where Does All of This Take Place? Everywhere, in every moment, of every day. It's a very fulfilling place to be... I'm learning to be better about observing it as it occurs.
I've learned a few overarching principles that now govern most of my day-to-day decision-making when it comes to how I choose to invest my time and who I choose to share it with:
- Work/Life/Sleep (Health) Balance: Family first; does your schedule agree?
- Love What You Do, and Do What You Love: If you have what you hold, what are YOU holding on to?
- Response Over Reaction: Take pause and choose how to respond from the center, rather than simply react from habit, instinct, or emotion.
- Progress Over Perfection: One of the greatest inhibitors of growth.
- Inspired by "7 Habits of Highly Effective People": Integrating Covey’s principles into daily life.
David is dedicated to fostering meaningful connections and intentional living, leveraging his diverse skill set to make a positive impact in the world. Whether through his technical expertise, creative artistry, or philosophical insights, he strives to empower others to live their best lives by focusing on what truly matters.
— David Youngblood