5

Before I started making software for a company which requires its software to be closed-source, everything was easy, but now I'm drowning in license issues and I have no idea what to do.

I have found several great libraries for TLS and other crypto but all (obviously) have licenses. I am talking about the following licenses:

  1. GNU General Public license, version 2 for Mbed TLS
  2. Apache license, version 2
  3. Microsoft Limited Permissive License (Ms_LPL) for CLR Security
  4. Adaptation of MIT X11 License for Bouncy Castle

I know GNU GPL can only be used if my project is open source, but is it OK to have an example project which we can provide when asked for, which is similar to the code we use on our embedded devices but is just a much simpler version, or do we actually need to provide the entire source code of what is currently running on the device?

  1. Because it is impossible to have the crypto bit open source and the rest of our source code closed source under this license, right?

  2. I believe the Apache License would allow us to use the library in closed source projects without problems and only needs a copy of that license when we distribute it, am I correct?

  3. Ms-LPL, as far as I can see, allows the use and adaptation of the code without restrictions; one can also keep it closed source, but would need to add a copy of the license. The same goes for the Bouncy Castle license, if I'm not mistaken?

In all cases there are parts of our source code we do not want to give to anyone. The products in which the code is used are being sold. In some cases we might change the code a bit (especially in the case of mbedTLS).

It would be great if someone could help me understand these licenses and could tell me if I'm right about these licenses. And perhaps recommend the license which would be the least problematic (e.g. needing to provide as little paperwork as possible).

jonrsharpe
  • 1,311
Vincent
  • 383

3 Answers

4

I know GNU GPL can only be used if my project is open source, but is it OK to have an example project which we can provide when asked for, which is similar to the code we use on our embedded devices but is just a much simpler version, or do we actually need to provide the entire source code of what is currently running on the device?

No, it is not acceptable. If you distribute code (either as a binary download or as part of a physical product) that contains code under the GPL license, then you must provide the actual sources from which your program can be recreated.


When writing a closed-source embedded product, libraries under the GPL license are effectively unusable.

To comply with the Apache 2.0 license, you must accompany your product with a document containing the Apache 2.0 license text and a description of which part of the software it applies to. This can be a document with all kinds of legal fine print.

For the MIT license, you just need to keep the existing copyright and permission notices intact in the source code.

For the Ms_LPL license, you must make sure that your device uses a Microsoft Windows operating system and you must keep the existing copyright and permission notices in the source intact.


For choosing which library to use, all can be used in a closed source embedded product (Mbed TLS has a commercial license option available for closed source projects). You should also take other considerations into account, such as

  • correspondence between the features you need and the features provided
  • the amount of adaptation needed
  • support for the library

1

I have no idea what to do.

Ask your company's legal department. It's their job, not yours. And, unlike you, they do know what they are doing.

Jörg W Mittag
  • 104,619
0

I know GNU GPL can only be used if my project is open source

That seems to be a misunderstanding. When you use a GPL library, you only need to open-source your own project under the GPL if

  • your project links directly to that library (due to this part of the GPL FAQ, the relevant thing is how the communication between your program and the GPLed code works)

  • you are going to publish your project outside of your company (internal use does not require you to open your sources)

  • the vendor does not provide a different, alternative license (maybe a commercial one).

So you should first check whether these conditions apply to your project, for the specific library you would like to use. As for the other licenses, I think you have already found out what you wanted to know.

Doc Brown
  • 218,378