Open Source Software Policy

The proper use of third-party open source software (“OSS”) can be complicated. While I’ve used the following sample policy for years, please review any policy you adopt with your legal counsel.

Different situations have different needs and risk tolerance. Don’t assume it’s okay to just use ideas you found online. (For example, some organizations put Apache 2 on a do-not-use list.)

I suggest reading Heather Meeker’s various articles. She is extraordinarily knowledgeable, and I first adopted this policy framework at her suggestion.

All software projects should leverage open source software where possible, to avoid reinventing existing solutions and to gain efficiencies. However, there are intellectual property considerations when using third-party OSS, and developers need to follow certain guidelines to ensure the integrity of codebases and proper conformance with license obligations.

The following process should be followed when considering the inclusion of third-party OSS:

• Identify the license type. This may be noted in a LICENSE file or on the project website. If you can’t find the license type, treat it as Needs Permission.
• Check the three lists: Acceptable, Needs Permission, and Prohibited.
• Acceptable: this OSS may be used.
• Needs Permission: send an email to <appropriate email address> with a link to the library. It should not be used until permission is granted and confirmed in email.
• Prohibited: this OSS may NOT be used.

This applies to both development and production dependencies.

If there are ever any questions, email <appropriate email address> before using the OSS.

Acceptable

• Boost Software License
• BSD 2-Clause
• BSD 3-Clause
• libpng License
• MIT License
• OpenLDAP Public License v2.7 & v2.8
• PHP License
• Public Domain / Unlicense / CC0
• Python License up to v2.0
• Ruby License 1.0
• Zlib License

Needs Permission

• Apache Software License 1.0/1.1/2.0
• Artistic License 1.0/2.0/Perl
• BSD + PATENTS
• Common Development and Distribution License (CDDL) 1.0
• Eclipse Public License (EPL) 1.0
• Erlang Public License 1.1
• GPL 2.0/3.0
• LGPL 2.0/2.1/3.0
• Microsoft Limited Public License
• Mozilla Public License (MPL) 2.0

Prohibited

• Academic Free License 2.0
• Affero General Public License (AGPL)
• Apple Public Source License
• Code Project Open License (CPOL) 1.02
• Common Public Attribution License (CPAL) 1.0
• Common Public License (CPL) 1.0
• DSPC Public License (DPL)
• Firebird Public License
• H2 License
• IBM Public License (IPL) 1.0
• Metro Link Public License
• Mozilla Public License (MPL) 1.0/1.1 | Netscape Public License 1.1
• Open Software License (OSL) 1.0/1.1
• Q Public License
• Sleepycat License
• Sun Binary Code License
• Sun Public License (SPL) 1.0
• Terracotta Public License v1.0