Open source is leverage. This is how you use it deliberately.
It's the default way software gets built now — and it comes with terms. Respect them.
Black Duck OSSRA 2024–25
Where we're going
Foundations
Internal use and distribution trigger different obligations.
The landscape
MIT · BSD · Apache-2.0
GPL · LGPL · AGPL · MPL
"Dangerous" doesn't mean bad — it means requires context and review.
Plain-English terms for any license → tldrlegal.com
The obligations
| License | Keep notice | State changes | Disclose source | Same license | Network = dist. | Copyleft reach | SaaS risk |
|---|---|---|---|---|---|---|---|
| MIT | ✓ | — | — | — | — | none | none |
| BSD-3 | ✓ | — | — | — | — | none | none |
| Apache-2.0 | ✓ | ✓ | — | — | — | none | none |
| MPL-2.0 | ✓ | — | ✓ | ✓ | — | file | low |
| LGPL-3 | ✓ | ✓ | ✓ | ✓ | — | library | low |
| GPL-3 | ✓ | ✓ | ✓ | ✓ | — | program | low |
| AGPL-3 | ✓ | ✓ | ✓ | ✓ | ✓ | network | HIGH |
✓ = required · SaaS risk = must you reveal source just for hosting it? · Sources: choosealicense.com, tldrlegal.com · not legal advice
Surface area
Rarely the dependency you meant to add. Usually everything around it.
Remediation
First: how is it used — distributed, hosted, linked, bundled, modified, or dev-only?
Then pick a path:
AI-assisted development
You can't inventory what you didn't know you added.
The exposure
Inventory
A Software Bill of Materials: every component in what you ship, as a machine-readable document — SPDX or CycloneDX.
abridged CycloneDX
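As an added worked example (not part of the deck), the script below reads a constructed, abridged CycloneDX SBOM and applies the obligations table above to each component, given how the shipped thing uses it. Component names, versions and the CycloneDX sample are constructed; SPDX ids are assumed in the `license.id` field.

```python
import json

# Obligations as summarised in the table above (SPDX ids assumed). Not legal advice.
TERMS = {
    "MIT":           {"changes": False, "source": False, "same": False, "network": False},
    "BSD-3-Clause":  {"changes": False, "source": False, "same": False, "network": False},
    "Apache-2.0":    {"changes": True,  "source": False, "same": False, "network": False},
    "MPL-2.0":       {"changes": False, "source": True,  "same": True,  "network": False},
    "LGPL-3.0-only": {"changes": True,  "source": True,  "same": True,  "network": False},
    "GPL-3.0-only":  {"changes": True,  "source": True,  "same": True,  "network": False},
    "AGPL-3.0-only": {"changes": True,  "source": True,  "same": True,  "network": True},
}

def obligations(license_id, uses):
    """Obligations triggered for one license. `uses` is a set drawn from the
    deck's list: distributed, hosted, linked, bundled, modified, dev-only."""
    terms = TERMS.get(license_id)
    if terms is None:
        return {"UNKNOWN LICENSE: review"}
    if uses <= {"dev-only"}:          # never conveyed to anyone
        return set()
    conveyed = bool(uses & {"distributed", "linked", "bundled"})
    if "hosted" in uses and terms["network"]:   # AGPL: network use = distribution
        conveyed = True
    if not conveyed:                  # e.g. GPL code merely hosted: SaaS risk low
        return set()
    out = {"keep notice"}
    if terms["changes"] and "modified" in uses:
        out.add("state changes")
    if terms["source"]:
        out.add("disclose source")
    if terms["same"]:
        out.add("same license")
    return out

def scan(sbom_json, uses):
    """Map each CycloneDX component to a sorted list of triggered obligations."""
    report = {}
    for comp in json.loads(sbom_json).get("components", []):
        key = f"{comp['name']}@{comp.get('version', '?')}"
        ids = [x["license"]["id"] for x in comp.get("licenses", []) if "license" in x]
        found = set()
        for lic in ids or [None]:     # no id at all -> unknown, flag for review
            found |= obligations(lic, uses)
        report[key] = sorted(found)
    return report

# Constructed, abridged CycloneDX 1.5 document (fictional components).
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "acme-json", "version": "2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "acme-pdf", "version": "9.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "acme-tls", "version": "1.4", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "acme-mystery", "version": "0.3"}]})

if __name__ == "__main__":
    print(json.dumps(scan(SBOM, {"hosted", "modified"}), indent=2))
```

Run it with `{"hosted", "modified"}` for a SaaS deployment and only the AGPL component and the unlicensed one light up; switch to `{"distributed", "modified"}` and every copyleft and Apache obligation appears.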
The habit
Closing
Almost everything you ship was written by people you'll never meet, and given away for free. The license is what they asked for in return. Respect it, and know what you've actually taken.