Open Source Licenses Explained: MIT, Apache 2.0, GPL, and Commercial Use Compliance Guide
Open source software forms the infrastructure of modern software engineering, but "open source" does not mean "use however you want": every open source project carries a license, and its terms determine what is legally permitted. Ignoring those terms creates real legal exposure, especially when GPL-licensed code ends up in a commercial product.
Major License Types
MIT License: the most permissive mainstream license. It requires only that the original copyright notice be preserved and allows virtually any use, including in commercial closed-source products. React (core), jQuery, and Vue.js use MIT.
Apache 2.0: MIT-style permissions plus an explicit patent grant. Contributors license to users any patents of theirs that the software practices, and that grant is revoked for any user who sues over patent claims on the software (the patent retaliation clause). Android, Kubernetes, TensorFlow, and Elasticsearch use Apache 2.0. For open source use in an enterprise context, Apache 2.0 provides clearer patent protection than MIT.
GPL series: copyleft licenses whose core "viral" clause means that if your software includes GPL code and you distribute it, the combined work must also be released under the GPL. The Linux kernel uses GPL v2. GPL v3 additionally prohibits Tivoization (using technical measures to prevent users from running modified versions on the device). LGPL permits dynamic linking without triggering copyleft and is commonly used for libraries.
Practical Commercial Compliance Requirements
Open source dependency scanning belongs in the CI/CD pipeline. FOSSA and License Finder are the primary automated license compliance scanning tools, and SPDX (Software Package Data Exchange) is the standard format for recording the license information of software dependencies.
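As an added example of the CI/CD check described above (not code from this page, FOSSA, License Finder, or the SPDX project), the following Python script reads an SPDX 2.3 JSON SBOM, evaluates each package's SPDX license expression (AND, OR, parentheses, WITH exceptions) against a simple policy, and returns a pass/fail verdict for the pipeline. The SBOM content, the policy, and the three-level rating scheme (allowed, review, denied) are all constructed for this example; the package names and versions are placeholders, not a real project's dependency tree.

```python
import json
import re

# Constructed SPDX 2.3 JSON SBOM (not a real project's output). Each package
# carries an SPDX license expression in licenseConcluded.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "react", "versionInfo": "18.2.0",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-Package-2", "name": "dual-licensed-lib", "versionInfo": "1.0.0",
         "licenseConcluded": "(MIT OR GPL-2.0-only) AND Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-3", "name": "media-bindings", "versionInfo": "4.4.0",
         "licenseConcluded": "LGPL-2.1-or-later"},
        {"SPDXID": "SPDXRef-Package-4", "name": "cli-helper", "versionInfo": "2.3.1",
         "licenseConcluded": "GPL-3.0-or-later"},
        {"SPDXID": "SPDXRef-Package-5", "name": "mystery-pkg", "versionInfo": "0.1.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Policy for a proprietary, closed-source distribution (constructed example).
ALLOWED, REVIEW, DENIED = 0, 1, 2
LABEL = {ALLOWED: "allowed", REVIEW: "review", DENIED: "denied"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"}


def classify(license_id):
    """Rate a single SPDX license identifier under the policy above."""
    if license_id in PERMISSIVE:
        return ALLOWED
    if license_id.startswith(("GPL-", "AGPL-")):
        return DENIED          # strong copyleft: incompatible with closed-source distribution
    if license_id.startswith("LGPL-"):
        return REVIEW          # weak copyleft: fine only if linked dynamically, so a human checks
    return REVIEW              # NOASSERTION, NONE, LicenseRef-*, or anything unrecognised


_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive-descent evaluator for SPDX expressions; AND binds tighter than OR."""

    def __init__(self, expr):
        self.tokens = _TOKEN.findall(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of license expression")
        self.pos += 1
        return tok

    def expr(self):            # expr := term ('OR' term)*  -> we may pick the best alternative
        rating = self.term()
        while self.peek() == "OR":
            self.take()
            rating = min(rating, self.term())
        return rating

    def term(self):            # term := factor ('AND' factor)*  -> every part applies, take worst
        rating = self.factor()
        while self.peek() == "AND":
            self.take()
            rating = max(rating, self.factor())
        return rating

    def factor(self):          # factor := '(' expr ')' | license ['WITH' exception]
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in license expression")
            return inner
        rating = classify(tok)
        if self.peek() == "WITH":
            self.take()
            self.take()        # the exception id; it alters the terms, so route to a human
            rating = REVIEW
        return rating


def evaluate(expr):
    """Return ALLOWED / REVIEW / DENIED for a full SPDX license expression."""
    parser = _Parser(expr)
    rating = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in license expression: %r" % expr)
    return rating


def check_sbom(sbom_json):
    """Rate every package in an SPDX JSON document; returns (name, version, expr, label)."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        expr = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        findings.append((pkg.get("name"), pkg.get("versionInfo"), expr, LABEL[evaluate(expr)]))
    return findings


def ci_gate(findings):
    """True when the build may proceed: no package is rated 'denied'."""
    return not any(label == "denied" for _, _, _, label in findings)


if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM)
    for name, version, expr, label in results:
        print("%-8s %s %s (%s)" % (label, name, version, expr))
    raise SystemExit(0 if ci_gate(results) else 1)
```

Packages rated "review" are meant to block merge until someone records a decision (for example, confirming that an LGPL library is only dynamically linked), while "denied" fails the pipeline outright; a real gate would also treat NOASSERTION as a scanner-coverage problem rather than silently accepting it.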