What Open Source license should you use?

Welcome to Syntax. On this Monday Hasty Treat, we're gonna be talking all about open source. What is open source? What are the different types of licenses that you should know about? And maybe what should you use on your project? My name is Scott Tolinski. I'm a developer from Denver. And with me JS always

is CJ. What's up, CJ? Hello. Not much. Doing good.

I'm I'm loving this, spring weather here in Denver. Yeah. Me too. I've been doing some major yard work. I Wes, we have some periwinkle out front, which apparently, periwinkle, invasive. Did not know that. And I was seeing, like, it growing. I was like, this is so beautiful, the purple flowers. But from what I read, it can choke out everything else in your your, your little, landscaping, so you gotta keep it under control.

So I I was just, like, ripping out periwinkle yesterday. Not I wanted to keep some of it, but I wanna keep it under under control.

Definitely.

Yeah. And let's talk about open source. But before we do, let's talk about Sentry. This podcast is brought to you by Sentry, and Sentry is huge in the open source.

Sentry is open source. You can read more about that at open.century.i0.

In fact, you can check out the Sentry code Bos for Vercel, and we're gonna be talking a little bit about what makes Sentry's open source license interesting later on in this episode. But not only is Sentry open source, Sentry gave $500,000 to open source maintainers last year, which they kind of do maybe not to that amount, but they do a a large, sponsorship of open source projects every year. And in fact, one of the cool things that they do even for syntax is they they scan our Deno, and then they donate to all the projects that we use in the syntax code base. So how cool is that? It's like actually giving back to the projects that we actually get to take advantage of. So shout out to Sanity, for doing some really cool open source work. It's a really, really awesome thing they do.

So, CJ, let's get into it first and foremost.

When people hear open source, you know, I'm sure some people know exactly what that refers to and other people who might be newer just hear the word and just goes over. You Node? They don't even think about it. So what is open source, and and what makes a a project open source?

Definitely.

Yeah. And and I I've seen that misconception a lot in that people hear open source, and they think, oh, just that means it's free. Like, especially working with, like, nontechnical people, they're like, oh, it's open source. Must mean it's just free. It's free software. But Yeah. I'm gonna read you and and the listeners the definition from Wikipedia and then kind of, like, dive into what it's talking about there. So on Wikipedia, it says open source software or OSS is computer software that is released under a license in which the copyright holder grants the users the right to use, study, change, and distribute the software and its source code to anyone and for any purpose.

And so the key point here is that the software has a specific license applied to it, and that license is an open source license. The common thing that you'll you'll hear people talk about is, open source is, like, free as in free speech, not free as in free beer. Not like you're getting something for free, but you're you're getting, like, the the ideas are free in in in a way. I don't know if that's the, like, the best analogy. Hey, though. That's good. I I I think that makes sense. Everybody likes a a free beer, but that's not what this is. Right? No. Yeah. And I think another disclaimer before we talk about all this stuff, we are not lawyers. Like, this deals with copyright law, and, this isn't legal advice. So if you're worrying about this stuff for, like, a company or your project, you should definitely seek legitimate legal advice. We're just gonna tell you what we know as as developers. So Yeah. Yeah. Totally. And and definitely, it could be seen as

from either a hobbyist perspective, just straight up developer's perspective.

But, again, yeah, if if you're going to be basing your entire company's open source policy off this episode, maybe not the best call.

Yeah. And, so with that idea, this idea of source available is not necessarily open source. So, like, you can you can go on GitHub and you can see millions and millions of projects and actually look at their source code. On a surface, like, that is source available.

But specifically looking at the license itself is gonna tell us what we can actually do with that source code. A really good website to learn about this stuff is choosealicense.com.

And they have a breakdown of, if you're deciding to choose an open source license for your project, what do you care about? And they talk about that and tell you which licenses you should choose. But at the bottom of the site, they have this section that talks about what happens if you don't choose a license. And so if you ever come across a GitHub repo that doesn't have a license applied to it, technically, and Wes guess according to US copyright law, if there is no license applied to it, it actually is under an exclusive copyright by default. So the the website choosealicense.com talks about the the scenario where you come across code that doesn't have a license on it. And if you're a user and you come across this repo, it actually means that you technically don't have permission from the creators to use that software, modify it, or share it. Lack of permission is not permission is what you're saying. Exactly. Okay. Yeah. And and and it does get a little more technical because there is a terms of service on the GitHub website, and they do have things they do say things like, well, if you're putting your code here, then you're allowing people to fork it. So it gets a little more complex than that, but all of this to say,

you should probably choose a license. If you're gonna be putting code on GitHub, you should choose a license, and and we're gonna talk about that here. Yeah. And and I I think ESLint some regard too, if you are not sure what the future of your code looks like, you're probably going to want a to pick a less permissive license just because you can always open it more.

But when you try to close down software, I believe it's only closed down from that point forward. As in if if I go from an a fully open source code base that's open sourced in, you know, for for total free use in 2020, if I lock it down in 2022, that code from 2020 to 2022

is available. Right? That is under the original license. Yeah. That's my understanding as well. So that's why I think it's a great point that if you plan on building a business with your software, like, if you wanna try to make some money from it, that's definitely when you need to start to think about the different types of licenses and potentially not even I mean, I guess it depends on your business and what you're trying to do, but you might not even publish it to GitHub until you're really ready and until you've really, like, added a license on it and that kind of thing. Yep. And and one of these licenses that we'll get into a little bit down the line is something that Century uses because they're a business. They run on open source software, but you can't just steal Century's code base. So we'll we'll talk all about what that means. Definitely. And, with that in mind so earlier in the episode, Scott mentioned open dot century. Io. It actually is a great entry into learning about open source as well because they talk about how Sentry, a very successful and awesome, product in business, how they can be open source and still be profitable. And so they talk about the licenses that they use. And, specifically, there's a section on benefits. So I think I'll just talk about really quick some of the things that I like about open source and and some of the reasons why I apply the MIT license to all of my my code repos. So aside from syntax, I also have a channel called Coding Garden. And every single project I've ever created for CodingGarden, every example code, everything I have released under the MIT license. And so we'll talk about types of licenses next, but the MIT license is a very open license. And this is one of one of the benefits listed on this Sanity site about open source is, for educational purposes. And so the reason I liked to release my software under an open source license is I I want to educate people. I wanna show examples. I want people to be inspired by the things that I've done. And so for me, that's that's a really big benefit is being able to teach through source code. And so that's one benefit of of open source as well. Yeah. Totally. Yeah. Another one that, I guess well, it Sanity can be a double edged sword, but this idea of being more secure. So lately, you've probably seen in the news a lot of stuff about software vulnerabilities and exploits and things going wrong, that, basically put businesses and people at risk.

But with software that is open source, it can have a lot of different eyes on it. And so with a lot of different eyes on it, you have, potentially, very smart people, very technical people that can go in and audit that source code and find bugs or find vulnerabilities and and fix them. And so this is one of the things that that Century benefits from as well is the source is open, so anybody can go in and look. And if they find a bug, Century also has a a bug bounty program. So, if you're out there and you're looking at the source and you actually find something that could could have caused a vulnerable vulnerability issue or or something like that, Century will actually pay you for that. And so that's another really cool thing about open source is that it creates more secure code. I don't know, Scott, if you've looked at this page, Open dot century. Io, are are there any of the benefits that kind of, like, you identify with in your code? Yeah. I I mean, I think a lot of the ones that you've already talked about, you know, given the fact that I I've done so much

education, that I like to keep my repos in general kind of open. And, also, MIT, like, when you're first getting into open stuff in general, open source, you do just kinda say, oh, just throw MIT on it and call it a day because, you know, a lot of the stuff I'm doing specifically is to give people, that feel. But the community oriented stuff is always good. My community oriented, vibes with my open source software is different because it is yeah. It's more educational Bos. Like, I want people to look at this stuff. But also, again, improve the code if they see something that could be a better example or perhaps the code could be written in a different way, or even just commented on.

I I host a number of open source projects, like my Sanity Tracker JS open source that that I run, Habit Path Scott io. And one of the cool things that happens there is the community has looked at various parts of the UI and improved the UI, given better error messages on login screens and things like that just because they're using the software. Hey. I'm using I'm a member of this this software. I'm using it. If I don't like how this is outputting this error message, I can just go in there and make it a little bit better. Add a a little if statement there or pnpm in a a nice little error message. And granted, that's a very optimistic view of how community driven open source works. But at a small scale, you know, a handful of people using this stuff, it can be really just a Node experience. Now granted when you get ESLint, like, code bases like Vite or something, it could be a nightmare of of contributions and people wanting to to mess up things or or change things or have their opinions or be angry or mad, but I do like the the community aspect of it.

Definitely. And I think for people that are wanting to get into open source for whatever reason, like wanting to become an open source contributor, that's typically where it starts JS you're using some piece of software, and then you come across a bug or a feature that you would like, and you just work on it. So I did this when I was using and learning about Coolify.

So there were some, like, bugs in the UI that I came across, and I was like, might as well I mean, I'm using it. Might as well try and fix it. So that got me to pull the repo down, make a PR. And I think I had, like, 4 different PRs that got merged into COOLIFY just because I was using it, and I found some some ways to improve it. Yeah. That was that was pretty neat of you, by the way.

Yeah. Of course.

So let's talk about the different types of licenses. You might notice that anytime you create a new project on GitHub, if you're in the UI at least, if you if you click new, a new repository, you know, you enter your repository, perhaps, there's a little checkbox that says, add a git ignore or add a read me. Well, you might notice that there's also choose a license.

And from here, this is the easiest possible way to choose a license that might suit your project because it's just going to initialize your project with that license. And if you know what you want or what type of license you might want, If you just wanna throw MIT on there, it's super easy to one click MIT, and then your repo will then have that license.

So let's start off talking about the different types of licenses.

And the first ones we're going to be getting into are the permissive types of licenses. And permissive in this context means, you can do more with this code.

They're less locked down.

Yeah. And the first Node and and probably most popular is the MIT license, and it's very simple and and readable. And, honestly, I'm just gonna read the first first clause in it because you've probably seen this before. So it says, permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files to deal in the software without restriction, including without limitation, the rights to use, copy, modify, merge, publish, distribute, sublicense, and or sell copies of the software, and to permit persons to whom the software is, furnished to do so is subject to the following conditions. But, basically, when you put this license on your software, you are saying, anyone is allowed to take my source code and do anything they want with it. They could take that source code and then close source it. They could make it so that Yep. Any changes they make, no one gets to see. They could take that open source repo and literally just start a business off of it. Like, they could create commercial software. They don't even have to modify the source code. They could literally take that repo, decide to host it somewhere, and start making money off of it. With that also is the, like, the last clause here that basically prevents the creator of the software from being liable for anything. So let's say you had some software that you didn't, put the MIT license on, but maybe, you did allow people to use your source code. If they started a business with that software and then something went wrong, maybe somebody got hurt or maybe it lost them money or something like that, If you didn't have this little clause here on the MIT license that says, like, I have no liability for what you do with my software, then you potentially would be liable. You could get into some some legal trouble there. So that's another reason you would apply this license to your software is because if somebody decides to go use it in maybe a way you didn't intend or something goes wrong, this license basically says that you're not liable for for what happened there. Yeah. And, the the MIT license is fairly straightforward. It's, like, just 3 tiny little paragraphs, and it's permissive in that way. It says, do whatever you want, but if something goes wrong, I'm not liable. Yeah. I think there is a common misconception that,

all of these licenses are very difficult to read. But even the the FSL license, which we'll talk about, it's all very readable if you get into it.

But, yeah, MIT, I think that I think one of the reasons why it really blew up with GitHub itself is simply because it is so easy to parse, easy to read, nice and simple.

Definitely. And another one that falls under permissive is the Apache license.

And a lot of companies like the Apache license more because it basically has more it's it's a bit longer and more verbose than the MIT license, and it has more wording around liability and trademark use. And so if you look at the Apache license two point o, it's a little bit longer, still very readable. Yeah. But, one of the reasons people might choose this instead JS they still want their software to be open to people, but they wanna make sure they have certain

limitations in terms of liability and, like, trademark use and a few other things like that. But, again, you could fork and use for commercial reasons. I I think this is this, little green, blue, red thing that, this website has going on, the choose my license, is is really pretty neat and a great way to visualize this stuff if you're if you're first getting into it and wondering about some of these licenses.

So let's talk about the next kind, which is copy left. Now what JS copy left refer to here?

Yeah. So it's the opposite of copyright.

And I actually don't know if copy left is is is a I don't know if it's a dig on on the licenses themselves.

I can't believe I never knew that. Yeah.

But the the whole I so the idea with copyright is you're locking down restrictions and profiting what people can do with your stuff. Copyleft is you're trying to open it up. Mhmm. And, one of the the main licenses here is the the GNU GPL, the GNU public public license. And, one of the things about it is it says so if you apply this license to your software, it says if someone makes modification to your software, they must release it under this exact same license. So, it it technically can be used for commercial use.

But if a company decides to use this software to to start a company, any changes they make, they also have to release into the public. They can't keep those those closed source. And so one of the main benefits here is it makes sure that any changes that are made, any improvements or whatever Vercel, have to be rereleased into the world. And there are successful businesses that have, been established that, like, even use this license, but it does prevent some big corporation from coming along and basically just saying, oh, we're gonna reuse this and then not share any of the modifications or changes that we make. Yeah. But you do have to be careful with these licenses because of that very reason. So I I worked at a large enterprise and every single dependency that we decided to use, our legal team had to look at the license. And because we were a company that had intellectual property and wanted to make sure we could profit off of any changes that we make, any library that was under this license, we were not allowed to use. Basically, we we couldn't touch it because by simply even using one of these libraries in our in our own project, there's potential that we would have to relicense our entire proprietary source code. So that's something to look out for. When I worked at Ford,

same thing. If we wanted to npm install anything, you had to email legal first. Yeah. Dear legal, may I please install jQuery? Like, it was yeah. So obnoxious. Right? Node. Definitely.

And, the the interesting thing there is, though I mean, I I guess I don't have the exact wording here. And, again, I'm not a lawyer, so, like, don't take me on this. Go read all the licenses yourself. But is there is this idea of, like, linking software as well. And so linking in the world of JavaScript is literally like just doing an import for a library. You're technically linking to that source code. In other languages and and run times, you might be linking to, like, a compiled code or something like that. But I do believe there JS a clause in GPL that that is if you link, that's the same thing as, like, using the software itself. Again, I may not may may not be completely right on that, but that is something you have to look out for and, why there are other types of licenses that exist that are copy ESLint, but also somewhat permissive. And so, this this leads ESLint, one of the licenses I found, which is called the Mozilla public license. So it's by by the Mozilla Foundation.

And it is very much inspired by the Gnu GPO, but it says you can link to it without applying this license to your own software. And so for I I believe, like, the Firefox web browser is under the MPL license. And so if for whatever reason you wanted to use the Firefox code Bos but then create some sort of, like, closed source commercial software, you wouldn't then have to go put the the GPL in it. It could be a a a secondary license.

Yeah. Those are the the main licenses that you're gonna come across, especially, like, if you're at a smaller company or just, like, working on your own hobby projects. You basically have permissive, meaning you just wanna limit your liability but let anybody do anything, or copy left. I will say the the other term that was used when I was working in enterprise, I think it's also, like, not a positive term, but it was called a viral license.

Because, like, with the the Gnu GPL, it's viral in that any software that uses this will will try to spread that license to it. So, yeah, those are the 2 types, super permissive or, super open in in in sharing. And then you have things in the middle as well. Yeah. But that kind of leads us into business licenses. So, I know, that Century has created their license. Can you can you talk a bit about that, Scott? Like, why would why would a company want a different license than the ones we've talked about? What's what's involved there? Yeah. So the the this new Sanity license is called the FSL,

and it is kind of based off of, did you say Bos? The the do do people say busl? Is that how they I've never said it out loud. Yeah. I've never said it out loud. Yeah. The p u s l. I don't know. The yeah. So it it is kind of, like, based off of that. But, the function functional software license is basically here, so that way you can build a business on top of your software without having to worry about people just yanking your code and starting their own business on it, but also have some more permissiveness there. In fact, there's a really great if you wanna learn more about this license because, I know they spent so much time putting this together. The FAQ is really good Wes it talks into harmful free riding. What about AGPL v three JS not permissive enough? What about OpenCore? Not permissive enough. So what can you do with the FSL? You can do anything with FSL software except undermine its producer.

You can run it for almost all purposes, study it, modify it, and proposing improvements back to the producer.

After 2 years, it becomes permissive open source software under Apache 2.0 or MIT. So, basically, Sanity allows you to run your own version of Sentry's paid product on your own servers if you want to. They let you study the code. They let you look at it. They let you share improvements to it if you want. But you cannot just fork it and create a business off of it. Because I I think that's the big concern. Right? You you're like, I wanna have a business, but I also want to share an open source software. I believe in making source public.

But at the same time, I don't I don't want just Joe Schmoda to take a copy of my code base, throw up a version of it, do a a pallet swap on it. Next thing you know, undercut us on price or something.

Yeah.

And, I think one of the key points there is that after 2 years, it becomes permissive open source. And so the whole idea here is it basically forces pnpm any software that applies this license to innovate. Right? So Right. Basically and so like Scott was talking about earlier, you if you license a piece of software and then you try to change the license, the license that was applied to the software at any given point in time applies to all the software before it. Right? And then the, like, the new license that you applied only applies to the to the changes. So what we're saying here is that after 2 years have elapsed, that old source code, basically, the commit from 2 years ago, technically, is now open source under Apache 2.0 or MIT, and you technically could start a business using that older version of the software. But that now forces Sanity and, and the company based on the software to innovate and make sure that in the past few years, we have added new features and and new things that people would wanna use that basically give us a a business advantage and and would make sense for us to keep running this this as a business. So it's it's a pretty interesting concept there, and and I believe the so this is getting into territory I don't know as much about, but I believe the the business source license or the BUSO, it has a similar clause. The Bussel.

I think its clause is, like, something like 4 years or maybe there's another license that's similar to this, but they they say 4 years. But I think one of the one of the reasons that the functional software license was created was to kind of, like, shorten that timeline

and, make it so that if you're using this license, you really do have to innovate. Wow. So with the we'll have we'll have links to some of this stuff, but, you know, companies using Bos are, HashiCorp, Redis.

Although Redis, they just they just started using this license. Correct? This is a brand new jump because they were straight up open source. This is March 2024.

So they they recently moved to one of these more locked down licenses, which kind of freaked a lot of people out, actually.

That Wes, like, a a whole thing.

And that was, like, the one of the reasons they did it is because people were basically profiting off of their software. Like Totally. People had, services where you could pay them to host your your Redis database. And Redis basically wanted to make sure that they could profit off of that. Now, I mean, you could get into the ethics and business of, like, should they be doing this? But as a business trying to make money, that's one thing they wanted to do is if you're a business that's gonna be hosting Redis software, you should and you're gonna be charging your users, they want you to potentially pay a licensing fee back to Redis because you are technically using using their software. So that's why they they started doing this. They still do use some open licenses. One of the ones I came across was the server side public license, which actually originated at MongoDB.

But I believe this is like a forked version of the GPL. So the we we talked about the Gnu GPL earlier. It's like a forked version of that that has a few differences. And so one of the major reasons that the SS, LPL, the Vercel side SSPL, the Vercel side public license was created, was to kind of, like, close some gaps in the the GNU GPL license. And so under the Gnu GPL, I have a Stack Exchange, answer pulled up here.

But, it's legal to create a proprietary program b that uses a GPL license program over a local network.

So, basically, if it's using the program over a network, so like a MongoDB or like a Redis, technically, it was legal to to do that and keep it proprietary even with the GNU public license. Interesting. Another thing in GNU public license is, it's legal that program b provides a service to an end user over the network. And so this gets into one of the main reasons Redis adopt this adopted this is anyone, wanting to host Redis would, be able to do that without having to pay any licensing fees or anything like that. And then the last Node here is it's legal to modify program a without sharing changes since a is connected to, the network and the end user is provided with the service under a different network. So, like, there's some weird wording in there that basically makes it so that, you could create proprietary versions in in certain scenarios. And so the SSPL basically closes up those gaps and makes it so that any any changes or anything else completely have to be

open source, and it doesn't have that that proprietary loophole there. Yeah. You know what? Even just going back to the Redis stuff, by the way, I don't I don't know if I really got the, anger towards Redis. Because before Redis went under a new business license, I had almost never considered if I was gonna pay for I usually, I host my own Redis. But if I was gonna pay for a Redis, which we actually kind of do with Upstash here at Syntax, I would have not gone to Redis' website because I just did not know that they had a paid service. I'm gonna be entirely honest. I've been using Redis for so long, and I had no clue they had their own paid service. So for me, it's like, oh, yeah. They've they wrote their software. It's not like it's an outrageous amount of money. I'm gonna typically host mine myself anyways. But yeah. I mean, I get I get how people could be upset by it. Maybe you've built a business off of it. But ESLint GED, seriously, man, it's it's really not that hard to host your own.

If you've got your own server set up somewhere, it's pretty trivial to spin up a Redisense since. Definitely.

And, so yeah. Those are the types of licenses. I think one of the last things we'll we'll talk about here is choosing license and then also, like, acknowledging licenses.

So if you use software that is under the MIT license, technically, the MIT license states that you have to include this license in your own software whenever you rerelease it. Yeah. So it says the above copyright notice and this permission notice shall be included in all copies or substantial portions of the software. And so you may be wondering, alright. I'm using a library that's MIT. What does that mean? A really good example of this is Discord. So if you go to discord.com/licenses, they have every single dependency listed here that they use, like, in the Discord mobile app or the Discord desktop app and the associated licenses. So things like Babble are listed here.

Yeah. There's just a whole bunch of, like, Babble dependencies, and they literally have the MIT license from Sebastian McKenzie listed on this page here. And then, yeah, there's some other Babble licenses.

And then we get into, like, AWS libraries and stuff like that. These are under the Apache license, and so you see that listed here. And so this is like a really good example in the wild of you have some software that people are using, but you should according to those licenses, you should have a page that lists the soft the dependencies that you use and and the licenses that are applied to them.

Wow. Yeah. And if you wanna choose a license for yourself, like CJ had mentioned earlier in this episode, choosealicense.com, really great resource.

And if if it feels even overwhelming to look at, like, I don't really know what I wanna do, and I just wanna know how they're all different.

The forward slash licenses page on this site really gives you a nice overview of the different types of licenses with that red light, green light, you know, blue light kind of deal. It shows you basically what's permissive about them and what's locked down. And it really kind of just quickly swipe up and down, you're gonna be able to see what what's going on.

So so it should be pretty pretty easy, to get an idea of what you want your software to do. And you should probably know that before trying to choose a license. You gotta sit down and think, what do I actually want people to do with my software? What is this going to be? Is this going to be a business eventually? Is this going to be Sanity project? Is this just, goofing off and whatever? So you have a good idea of what you're trying to do first and foremost.

Yep. And then once you've chosen a license, you need to add it to your app. And, one of the things that I really like to use for this is a package called license. It's on npm. You can do an npm install dash g. And then in any directory, you just say license space and then the name of the license. Mhmm. And it will generate that license file in that directory and, like, put your your name on it. So I use this for all my projects.

Like Scott mentioned earlier, when you're creating a new repo on GitHub, you can technically just choose MIT, and it'll generate that for you. And then the other thing is if you're in the world of Node. Js and and JavaScript, your package dot JSON has a license field there, and so you would you would wanna list the name of the license that you're using there as well.

Cool. Well, that's it for open source. We should do even more on this. We should maybe have somebody, from Century's open source team on it to to really get into some nitty gritty. But I think this was a really great introduction for anybody who, well, sees the licenses and starts to freak out that it's something legal going on here. That's kind of been me for a while. So, I I really appreciate this time to to pick this up and and share these resources. And, yeah, let us know what kind of software you have. What type of license are you using? Is it something different than what we talked about? Is there anything interesting going on with your software licensing that we did not cover in this episode? Leave a comment on our YouTube. We're youtube.com forward slash at syntax f m. We wanna hear from you. That's all I got today. Anything else, CJ?

That's all I got. Thanks for watching, everyone. Pnpm. Peace.