A legal counsel explains licence compatibility to engineers: "You need to understand the difference between permissive and copyleft licences before you add any open-source dependency. A permissive licence lets you use, modify, and redistribute the code with very few conditions — the main one being attribution. A copyleft licence is different: if you distribute a derivative work, you must release it under the same licence. Strong copyleft takes it further — even linking to the library can trigger the obligation." Which statement best describes a permissive licence?
Permissive licence: a licence that places minimal restrictions on how software can be used, modified, or redistributed. The core obligation is usually attribution — keeping the original copyright notice and licence text.
Common permissive licences:
MIT — the most widely used open-source licence; very short, requires attribution; no patent grant.
Apache 2.0 — adds an explicit patent grant (contributors license their patents to users) and a NOTICE file requirement; preferred by enterprises.
BSD 2-Clause / 3-Clause — similar to MIT; 3-Clause adds a non-endorsement clause.
Contrast with copyleft licences, which require derivative works to be released under the same licence.
Derivative work: a work based on a copyrighted original (e.g., a modified version of a library).
In conversation: "We prefer Apache 2.0 dependencies because the explicit patent grant protects us from patent claims by contributors — something MIT doesn't provide."
An open-source maintainer asks a new contributor to sign a document before their pull request is merged: "Before we can accept your contribution, you'll need to sign our CLA. A CLA — Contributor Licence Agreement — is a legal document where you confirm that you own the code you're contributing and that you grant us the rights to use it. Some projects use a DCO instead, which is lighter-weight: you just add a Signed-off-by line to each commit to certify you have the right to submit the code." What is the key practical difference between a CLA and a DCO?
CLA (Contributor Licence Agreement): a legal contract between a contributor and a project owner. The contributor grants the project the right to use, relicense, or sublicense their contribution. CLAs are common in corporate-backed open-source projects (Google, Apache, HashiCorp). May be individual (ICLA) or corporate (CCLA).
DCO (Developer Certificate of Origin): a lighter-weight alternative, introduced by the Linux kernel project. Each commit includes a Signed-off-by: Name <email> git trailer, certifying the contributor has the right to submit the code under the project's open-source licence. No separate legal document is required.
Inbound licence: the licence under which a contributor submits code.
Outbound licence: the licence under which the project distributes code.
CLAs allow the inbound and outbound licences to differ (e.g., the project can change its outbound licence later).
In conversation: "We switched from a CLA to a DCO — it reduced friction for new contributors because they don't need to wait for a countersigned PDF before their PR can be merged."
Fill in the blank with the correct term: "The engineering team ran a licence scan on their new product and found a dependency released under the GPL v3. Their lawyer explained that GPL is a ______ licence — sometimes called a 'viral' licence — because if you distribute a product that includes GPL-licensed code, your entire combined work must also be released under the GPL." Which term correctly fills the blank?
Strong copyleft: a licence condition that requires any distributed software incorporating the copyleft-licensed code to be released under the same licence. The GPL family is the canonical set of strong copyleft licences.
GPL (GNU General Public Licence): the original strong copyleft licence; triggers on distribution of binaries linked against it. GPL v2 ("or later") vs GPL v3 (adds patent retaliation and anti-tivoisation clauses).
AGPL (Affero GPL): extends the copyleft trigger to network use — if you run AGPL software as a service (SaaS), you must release the source. Used by MongoDB, Grafana.
Weak copyleft: licences like LGPL (Lesser GPL) and MPL (Mozilla Public Licence). Copyleft applies only to the licensed file/component itself — you can link against it from proprietary code without triggering the full copyleft.
Licence compliance strategy: replace strong copyleft dependencies with permissive equivalents when building proprietary products.
In conversation: "We identified a GPL v3 dependency in our pipeline — we need to either replace it with an MIT-licensed alternative or open-source that module separately."
A compliance engineer is reviewing a software bill of materials for an enterprise client: "Every component in this SBOM needs a valid SPDX identifier in the licence field — not just free text like 'Apache licence' or 'version 2 of the GPL'. SPDX identifiers are standardised short strings: Apache-2.0, GPL-3.0-only, MIT. They're machine-readable, so tooling can automatically flag incompatible licences and generate the correct attribution notices." What is an SPDX identifier?
SPDX (Software Package Data Exchange): an open standard by the Linux Foundation for communicating software bill of materials (SBOM) information, including components, licences, copyrights, and security references.
SPDX identifier: a standardised string from the SPDX Licence List (spdx.org/licenses) that unambiguously names a licence. Examples: MIT, Apache-2.0, GPL-3.0-only, GPL-3.0-or-later, LicenseRef-custom-commercial.
Licence expression: an SPDX formula combining identifiers with AND/OR/WITH operators. E.g., MIT OR Apache-2.0 (you may choose either); GPL-2.0-only WITH Classpath-exception-2.0 (common in Java/OpenJDK).
SBOM (Software Bill of Materials): a machine-readable inventory of all components in a software product; formats include SPDX and CycloneDX.
Attribution notice: the copyright and licence text you must include when distributing software under permissive licences.
Automation: tools like FOSSA, ScanCode, and Syft generate SBOMs with SPDX identifiers, enabling automated policy enforcement.
In conversation: "Our CI pipeline runs a licence scan and fails the build if any dependency has an SPDX identifier that matches our blocklist of strong copyleft licences."
Match the definition to the correct term: "A company releases its database product under two different licences simultaneously. Community users can use it free of charge under an open-source licence. Enterprise customers pay for a commercial licence that includes additional features, SLA guarantees, and no copyleft obligations. This approach lets the company monetise the software while still building an open-source community." Which licensing model is described?
Dual licensing (also: multi-licensing): releasing the same software under two or more licences simultaneously, allowing users to choose which applies to them. Typically: open-source licence (e.g., GPL or AGPL) for community users + commercial licence for enterprises that want to avoid copyleft obligations. Examples: MySQL (GPL + commercial via Oracle), Qt (GPL + commercial via Qt Group).
Related commercial licence models:
Open core: the core product is open source (e.g., MIT/Apache); advanced/enterprise features are closed-source proprietary add-ons. Used by GitLab, Elasticsearch.
BUSL (Business Source Licence): source-available but not open-source. Restricts production/commercial use for a defined period (typically 4 years), after which the code converts to an open-source licence. Used by HashiCorp (Terraform → BSL), MariaDB.
Per-seat licence: a commercial model where the cost is based on the number of individual users (seats). Common for desktop and enterprise software.
EULA (End-User Licence Agreement): a legal contract between a software vendor and the end user specifying terms of use for proprietary software. Governs what the user may and may not do with the software.
In conversation: "We chose dual licensing — AGPL for community, commercial for enterprises — so SaaS companies can't run our platform without paying, but individual developers can still use it freely."