2025-10-10 - 21:02

FAQ collection on Legal Aspects of Using Free and Open Source Software (FOSS) in a Commercial Environment

Please find below FAQ on various issues that result from using Free and Open Source Software (FOSS) licenses in a commercial environment. These FAQ are not static but are intended to grow continuously and to be adapted. If you feel that a particular question is answered incorrectly or insufficiently, or is missing altogether, please write to legalªosadl.org.

We gratefully acknowledge the work of our General Counsel Dr. Till Jaeger (jbb Rechtsanwälte, Berlin) who provided these FAQ.

Abbreviations

The terms Free Software and Open Source Software clearly differ with respect to the underlying concept. In a legal and contractual environment, however, they are used interchangeably. In the following FAQ, the term FOSS will - whenever possible - be used for Free and Open Source Software in general.

Glossary

Terms and concepts used here are defined and explained in a Glossary.

Table of contents

General aspects of FOSS

1. What is FOSS?

2. What is the difference between "Free software" and "Open Source software"?

3. What is the distinction between "FOSS," "freeware", "public domain" and "shared source"?

4. What is "proprietary software" or "closed source software"?

5. May FOSS be commercial?

6. How can I use FOSS? What rights of use do I acquire?

FOSS licenses – General information

1. What types of FOSS licenses exist? How do they differ?

2. What are the most important FOSS licenses, and what type of license are they?

3. How and when is a license agreement concluded?

4. What is license compatibility?

5. Is an FOSS license compatible with the term "All Rights Reserved"?

6. What do the legal terms in FOSS licenses such as "Copyright Notice", "License Notice" or "Author Attribution" mean?

The GNU General Public License, Version 2 (GPL-2.0)

1. What is the GPL?

2. What rights can be acquired by the GPL?

3. What are the obligations when distributing software licensed under the GPL-2.0?

4. What are the obligations when distributing modified versions of software licensed under the GPL-2.0?

5. What are the obligations for purely internal use of software licensed under the GPL-2.0?

6. When does independently developed software have to be licensed under the GPL?

7. Is it permissible according to section 8 GPL-2.0 to prepend a clause to the license text that contains a geographical limitation of the rights granted in GPL-2.0?

8. To what extent does the exception in section 3 GPL-2.0 apply for system libraries?

The GNU General Public License, Version 3 (GPL-3.0)

1. What is the difference between GPL-2.0 and GPL-3.0?

2. When is GPL-2.0 used, and when is GPL-3.0 used?

3. With which licenses is the GPL-3.0 compatible?

4. Are products that are also used in private households - although they have not been originally intended to be used there - considered as "user products" according to section 6 GPL-2.0 for which "installation information" must be provided?

5. Does a company's requirement that a certain text be conspicuously delivered together with GPL-3.0 licensed software qualify as a permissible "additional terms" under Section 7 (3b) of the GPL-3.0? If so, how should the text best be attached?

Liability and Warranty

1. Is the normal exclusion of liability and warranties in FOSS licenses effective in Germany?

2. What is the legal standard for liability and warranty in Germany?

3. What do the terms “Warranty Disclaimer” and “Disclaimer of Liability” in FOSS licenses mean? Is it possible to reject liability for own products that contain FOSS by using those terms?

4. Is it permissible to consider the warranty to be void if it has been demonstrated that a modified Linux kernel has been installed on the embedded system?

5. What does the liability provision of the MPL-2.0 mean for a software service provider when distributing so licensed software to customers?

Derivative work

1. Is a program that forks a GPL-licensed program via a system call or vice versa derivative work?

2. What is the impact of the GPL copyleft clause if two independent software components are distributed together in a common file?

Patent issues

1. Would using VFAT in the Linux kernel constitute an unacceptable risk since Microsoft has patent rights on the use of the VFAT file system?

2. Apparently, a US patent enforcing company is making claims that its patented database house-keeping mechanism is used in the Linux kernel. Do I have to be concerned when I use Linux in a device that is sold to the US?

3. Is an HDMI consortium license required when HDMI technology is used in a product, and what considerations need to be taken into account?

4. Which measures to evaluate and minimize risks can be recommended for a medium-sized mechanical engineering company that is considering using Google's internet browser "Chromium" in its products?

5. What has to be considered when a process or method which is implemented in FOSS is covered by a patent?

6. Is it permissible to use material provided by a patent holder and a third-party kernel module – with which a complete Linux root file system including the kernel module with a patented real-time communication protocol can be built – under the GPL-2.0 without fearing claims of patent infringement from the patent holder?

7. Company A implements a procedure to which they hold a patent into an Apache-2.0 licensed project and licenses it accordingly. Later, company B implements another procedure for which company A also holds a patent into the same project. Does the Apache-2.0 require company A to also license the procedure that was later introduced by company B under the Apache-2.0?

General and practical aspects of licensing and license agreements

1. Does the license text of a FOSS license have to be printed again in full within the framework of own license terms, if it has already been delivered to the customer as file, e.g. as part of the software package?

2. What has to be noted in the case of license terms for own developments if distributed in combination with FOSS?

3. Is it sufficient to specify a URL for the license text or does the complete license text have to be supplied to the customer? Is it otherwise useful to work with URLs in contracts?

4. The Trans-Pacific Partnership (TPP) contract prohibits to contractually bind access of the source code to a software distribution. What does that mean regarding the distribution of FOSS in those countries?

5. How are supplier license agreements to be assessed when they prohibit further distribution of the software if it is delivered together with FOSS that requires source code disclosure?

6. Is it advisable to sign a supplier contract about the delivery of a product containing GPL-2.0 licensed software when the contract requires that no Copyleft effect shall occur for either the supplier or the customer?

7. How can the license obligations be met when distributing FOSS, and General Rules and Conditions are to be used that include restrictions of use for software (e.g. prohibition of decompiling) in order to protect own developments?

8. Are interpretations of FOSS license terms legally binding if they are made by the author of such FOSS license?

9. Our developers visit Websites such as stackoverflow.com on a regular basis in order to obtain code samples for particular tasks. Is it allowed to use such code snippets?

10. Can technical certifications influence the licensing of FOSS components?

11. To what extent is acceptance of the Developer Certificate of Origin (DCO) of the Linux kernel community necessary (from a legal point of view) for the license to be valid?

12. May a driver that was developed in Germany using reverse engineering be licensed under the GPL-2.0? If so, does this also apply to other countries?

13. May a library that was originally licensed under CC0-1.0 (upstream version) be redistributed under the GPL-2.0 license as part of a distribution after changes have been made?

14. Is a license change of an Open Source project permissible if it was performed as in the OpenSSL project?

15. What is the recommended approach and prioritization when determining the licenses of multiple source code files in a directory?

16. May Canonical prohibit the use of the "Ubuntu" trademark for modified Ubuntu distributions and exclude users from their update offer? Does the name “Ubuntu” have to be removed from the version string if no certification and proprietary trademark license is to be acquired from Canonical?

17. When interpreting a license text, must the rights holder's statement be taken into account? And can the scope of a copyleft clause be extended indefinitely under copyright law as long as the license text itself leaves room for interpretation?

18. How can you tell whether the MPL-2.0 or the MPL-2.0-no-copyleft-exception is applicable to a software project if the only license notice is the license text, which is identical for both variants, in the “LICENSE” file in the root directory?

Practical aspects of source code disclosure

1. How should the disclosure of the source code according to Section 3 of GPL-2.0 or Section 6 of LGPL-2.1 be managed if option b) of GPL-2.0 or option c) of LGPL-2.1 was selected and a written offer has to be submitted to the customer?

2. How should the disclosure of the source code according to Section 6 of GPL-3.0 (or LGPL-3.0 that refers to the GPL-3.0 accordingly) be managed, if option b) of GPL-3.0 was selected and a written offer has to be submitted to the customer?

3. How should the offer about source code disclosure be managed if a product contains software components that are licensed under different GPL and LGPL versions?

4. How should the information and disclosure obligations be fulfilled when the software is worked on and an update is made available on the internet from time to time?

5. When updates of GPL 2.0 licensed software are distributed over the Internet, in what way must information obligations and disclosure obligations be fulfilled?

6. When a software update is downloaded from the internet, is the three-year period as specified in the GPL-2.0 recalculated starting from that date, or is the original purchase date still relevant?

7. Is it possible to switch from option b) to option a) of section 3 GPL-2.0, that is, supply the entire source code with the software download? Would this also completely fulfill the disclosure obligations of the original software?

8. Can a modified Linux distro DVD with additional toolchain and Linux kernel source code be redistributed?

9. Can an original Linux distro DVD be bought and redistributed?

10. What has to be delivered? Is it sufficient to deliver only the source code with the Makefile?

11. May a machine builder refuse to deliver to his customer key files and passwords that are required to reinstall the Linux kernel?

12. What is the procedure for transferring the source code according to Clause 3 of GPL-2.0 when option a) is chosen and customers need to be provided with the entire machine-readable source code with the (embedded) product?

13. What can a buyer do when he finds out that a standard Linux distribution is noncompliant and therefore cannot be redistributed?

14. Is it an adequate procedure under the terms of Section 3, paragraph 1 a) GPL-2.0 to store the complete corresponding source code in the internal static memory (flash) of an embedded system?

15. Is there an obligation to provide the source code when passing on intermediate or test versions of a GPL licensed program to selected third parties?

16. When distributing various units of the same product that contains GPL software is it required to accompany each unit with a data carrier storing the source code, or would it be permissible to provide one single data carrier for the whole shipment?

17. Is it required to comply with the license obligations of the GPL in case an engineering company sets up a production machine on the premises of another company where the latter operates the machine and integrates the produced items into their own products?

18. Is it permitted to reverse engineer proprietary firmware in order to obtain the required interface information for the development of a Linux driver that depends on such software?

19. According to section 6 GPL-3.0 the recipient must be provided with the "Corresponding Source". What does this mean?

20. Does the time of delivery affect the form and scope of the complete corresponding source code that must be made available acc. to GPL-3.0? What must be considered if hardware required for the toolchain is no longer available?

21. We are currently preparing the written offer according to section 3b) of GPL-2.0 for our operation manual, however, we are not quite sure to which date the three years mentioned in the license text refer – date of purchase or date of delivery?

22. Is the distributor of an unmodified Linux based embedded device obliged to make the source code available to the recipient according to the written offer if the latter received the device less than three years ago but the first delivery to the distributor was made more than three years ago?

23. Is it sufficient to provide an anonymous address in the written offer when distributing GPL-2.0 licensed software or is it indispensable to state the full name of the provider?

24. When providing software via download, how are the requirements of the GPL-2.0 to be interpreted according to which “equivalent access from the same place” should be offered for the complete corresponding source code?

25. If a Javascript component is licensed under a FOSS license that requires the disclosure of source code (e.g. https://github.com/dequelabs/axe-core under MPL-2.0), is this obligation sufficiently fulfilled when delivering minified or uglified Javascript?

26. How should the source code for the FreeRTOS kernel be made available under the GPL-2.0-only WITH freertos-exception-2.0?

The Open Invention Network (OIN) License Agreement

1. The scope of the OIN license agreement is unclear to us. What precisely is covered?

2. What does it mean and which risks could be involved when a company would like to join the Open Invention Network (OIN) and the License Agreement states that it shall be governed by the laws of the State of New York, U.S.A.?

3. Are customers using or distributing Linux-based products of OIN member companies also protected from patent violation actions brought by other OIN members?

The GNU Lesser General Public License, Version 3 (LGPL-3.0)

1. How are the license obligations to be met if a product contains proprietarily licensed applications that are statically linked to a LGPL-3.0 licensed library?

2. Which source code components are to be provided when statically linking a proprietary software with a LGPL-3.0 licensed library according to clause 4?

3. Which information has to be included in the "Installation Information" according to clause 4e LGPL-3.0 if proprietary software is linked statically to a LGPL-3.0 licensed library?

4. Does a software manufacturer have to fulfill the license obligations of the LGPL-3.0 when distributing software with unresolved symbols of a LGPL-3.0 licensed library that is not part of the delivery?

Copyright notices

1. Are there specific requirements on the copyright notice in a source code and, if so, which ones?

2. How should the copyright notice in the header of a source code file formally be designed?

3. Is it allowed to modify the copyright notice in the source code, e.g. by removing references to the company of an employee?

4. Is it required to deliver an external reference if the copyright notice does not mention the copyright holders by name but only provides an indication of them (e.g. "Copyright © 2006-2014 by the respective authors [see AUTHORS file]")?

5. Is it really necessary to provide all copyright notices when distributing a product containing GPL-2.0 licensed software if delayed source code delivery according to option 3b) GPL-2.0 was chosen?

6. Is it allowed to summarize copyright notices from different files of one work that refer to the same author but differ for instance in details of spelling?

7. In the event that a license contains the obligation to provide copyright notices with binary delivery of the software (e.g. BSD-2-Clause: "Redistributions in binary form must reproduce the above copyright notice"), do references to authors or right holders that are not introduced with the usual signal word "copyright" or the (c) or © symbol, but with references such as "written by", "changed by", "code by", "added by", also have to be extracted and provided?

Practical aspects of using FOSS licenses

1. Provided FOSS is subject to more than one FOSS license, is it required to choose a license when distributing unmodified software? Would the situation change if the software had been modified?

2. Is it legally advisable for companies to inform their customers already in the offer or contract about which FOSS licenses or components are contained in the product?

3. When distributing software licensed under the “GPL-2.0 or any later version” can a company choose on their own under which GPL version the software should be further distributed or which license text version should be provided, respectively, or do they have to provide all license texts from GPL-2.0 on?

4. Which license is recommended if an in-house developed code to be used in FOSS and in proprietary software shall be made available and except indicating the origin of the code there is no interest in imposing further restrictions of use?

5. Do holders of rights themselves have to comply with the obligations of their chosen license?

The GNU General Public License, Version 2, Classpath Exception (GPL-2.0 WITH classpath-exception)

1. Is a manufacturer able to effectively deviate from the license regulations of the GPL by referring to the Classpath Exception and does this exception have similar effects as the exception of copyleft allowed by the LGPL?

Practical Aspects when distributing FOSS

1. Is it possible to uniformly fulfill the obligations of various FOSS licenses, and when do especially the information obligations have to be met when FOSS is distributed electronically?

2. Which legal requirements have to be met by a Linux service provider when providing his customers a cumulative mirror server on which various source code packages of FOSS are offered for download?

3. Is it allowed to provide only a reference to a license text (e.g. GPL-2.0) in a graphical user interface of a device and the full license text can be then exported via USB interface or stick by the customer?

4. Is it permitted for a licensee of an MPL-2.0 licensed software to insert a license notice and copyright notices into the individual source code files and then distribute the latter to third parties?

5. Who will be responsible for complying with the FOSS license obligations when third-party FOSS components are subsequently added to a proprietary software product at the customer's premises?

6. Is it allowed to distribute software if information obligations imposed by the rightholder cannot be fulfilled because a Website to which must be referred does not work anymore?

7. Who must fulfill which license obligations if a computer board containing GPL-2.0 and GPL-3.0 licensed software is changing hands several times during its development process?

8. A company purchases a device that contains FOSS and distributes this device unmodified. Instead of selling they lease the device to a third party, does this company have to fulfill the FOSS license obligations?

9. Is the operator of a mirror or a proxy server responsible for the license compliance of FOSS that can be downloaded from the server?

10. What has to be considered when a machine builder installs dual-licensed FOSS on his products but decides to distribute it only under one of the two possible FOSS licenses?

11. How are license conditions that only contain a blanket permission of use (e.g. "Source files may be used unrestrictedly.") to be interpreted? Can this software then be used, modified and distributed in every way?

12. If purchased hardware that contains FOSS is distributed together with a product, does the way of distribution influence the obligation of the distributor to check and ensure that the supplier fulfilled all FOSS license obligations?

13. Is it permissible when distributing a product containing GPL-2.0 licensed software to store all license information on the product’s internal storage so that the information can only be accessed by the user via an external computer with a web browser, a local network connection and the entry of user login data?

14. How could the respective section of a license information text be phrased, in case a manufacturer chooses the so-called "send-in solution" to comply with the GPL-2.0 obligation to allow reinstallation of modified software?

15. Does the implementation of an integrity check contradict the obligation to allow reinstallation of GPL 2.0 licensed software if it results in the system with the modified GPL 2.0 software no longer being usable for the original purpose? Does it make a difference if the proprietary control software is also linked with LGPL-2.1 licensed libraries, or if the integrity check covers the whole root filesystem including GPL-3.0 licensed applications?

16. Is it impermissible to use proprietary software together with FOSS components if the proprietary license does not allow licensing and redistribution under a FOSS license including permissive licenses?

17. Is it mandatory to comply with further obligations that are stipulated by a FOSS project in addition to the applicable FOSS license terms?

18. Does the copyleft of GPL-2.0 also take effect in case of joint distribution of intrinsically independent software components on an encrypted storage medium? If so, does this also apply if the storage medium can be decrypted again on the customer's request?

19. A company acquires an embedded system that contains FOSS from an OEM and brand labels the system which also includes modifying the software. Do such actions prevent exhaustion of the distribution right to the software when the embedded system is passed on?

20. What should be considered when a European-based company wants to ship their products containing FOSS for encryption to countries for which the U.S. government has imposed export restrictions?

21. What types of export control regulations exist in Germany and the EU, and in which cases is FOSS affected? Do export control regulations have to be complied with when publishing FOSS in a publicly accessible repository?

22. What particularities must be considered when using software licensed under the Reciprocal Public License version 1.5 (RPL-1.5)?

23. Which use cases are covered by the copyleft clause of the AGPL-3.0 when developing an application based on a Java Development and Runtime Engine?

24. Is it also required to comply with the licenses of a software package’s dependencies if the software is not copied and distributed, but made publicly available in a software repository? Furthermore, does it make a difference whether the dependencies are downloaded automatically and invisibly to the user and without the user being able to influence it, or whether, for example, installation instructions contain the information that certain software packages must be installed and where they can be found?

25. Is it permissible for compliance with GPL installation obligations if the recipient of an embedded system can install modified versions of the GPL-licensed software in the writeable layer of the overlay filesystem, but cannot overwrite the original software in the read-only layer?

The GNU Lesser General Public License, Version 2.1 (LGPL-2.1)

1. Who is obliged to fulfill the license obligations if a distributed program consists of a proprietary application which is linked to a purchased proprietary library and both need a LGPL-2.1 licensed library in order to be executed?

2. How can the requirements of the LGPL-2.1 license obligation to permit modification of the proprietary software and reverse engineering for debugging such modifications for own use be effectively limited?

3. Does a software manufacturer have to fulfill the license obligations of the LGPL-2.1 when distributing software with unresolved symbols of a LGPL-2.1 licensed library that is not part of the delivery?

4. Is it permitted to link and distribute encrypted libraries with a LGPL-2.1 licensed GNU C library (glibc)?

5. How are the freely usable header file components that are referenced by the LGPL licenses defined? What does the limit of ten lines or less refer to?

6. A software manufacturer develops a plugin that is called by the GNU C library (LGPL-2.1) via the NSS interface. May the manufacturer license the plugin under a proprietary license according to section 6 of the LGPL-2.1?

7. A Linux system contains a large number of software components, some of which depend on each other directly, but also indirectly. To what extent does the copyleft effect of GPL-2.0 and LGPL-2.1 licensed components affect the entire system?

Permissive Licenses

1. Does a software manufacturer have to fulfill the license obligations of the BSD-3-Clause when distributing software with unresolved symbols of a BSD-3-Clause licensed library that is not part of the delivery?

2. Does the MIT license apply to both, source and object code, even though it does not differentiate between these two forms?

3. When distributing Apache-2.0 licensed Java software in object code is it sufficient to include the license text in the same .jar archive in order to fulfill this obligation in accordance to the license?

4. Does the CPOL-1.02 license contain a copyleft clause so that the source code must be disclosed and the software must be re-licensed in case a proprietary in-house development is used together with a CPOL licensed software?

5. To what extent is the scope of the advertising clause intended when a BSD-4 clause licensed software component is used in an embedded system?

6. What should a company consider when planning to use software in its products which is licensed under the "Unlicense"?

7. When distributing software that contains both proprietary and permissive code components, is it required to fulfill all license obligations cumulatively?

8. What practical approach is recommended for complying with FOSS information obligations when a Javascript application is delivered over the Internet?

9. Is it always allowed to copy and distribute software that contains a "public domain" notice without having to comply with license obligations?

Processes and contracts in the context of using FOSS

1. Which aspects should a company consider when drafting an "FOSS Policy" for dealing with FOSS?

2. Which specialties have to be considered in freelancer contracts – in contrast to permanent employment contracts - as far as use and licensing of FOSS is concerned?

General aspects of Copyright Law

1. How is the term of copyright protection to be calculated in case the author is not known or the work has been created by several developers, respectively?

The GNU General Public License, version 3, with GCC Runtime Library Exception (GPL-3.0 WITH GCC-exception-3.1)

1. Can the license for a binary program be freely chosen if it was compiled with the unmodified GNU C Compiler (GCC) and own code was combined or linked with the library "libgcc" (GPL-3.0 WITH GCC-exception-3.1) during its compilation?

2. May a Linux-based embedded system containing a GCC runtime library licensed under GPL-3.0 WITH GCC-exception-3.1 be distributed without any restrictions including preventing reinstallation of FOSS components by using digital signatures?

3. Does the GCC runtime library exception of the libstdc++ library also apply to static linking, so that an in-house developed program that is statically linked with libstdc++ may be licensed proprietarily?

Artificial intelligence

1. What does a company need to consider when training and using artificial neural networks (ANNs)? And which copyright aspects need to be taken into account?

2. Which use cases are covered by the Llama 2 license?

Data protection

1. How should an employer handle personal data in public and internal version control systems with regard to data protection law when an employee leaves the company (a) without any information or (b) with a request to delete all personal data?

Cyber Resilience Act (CRA)

1. What is a "product with digital elements" in the scope of the CRA?

2. Does the CRA only apply to devices connected to the Internet?

3. What products are exempt from the CRA?

4. Can machines or entire plants be considered as such products with digital elements in the scope of the CRA?

5. When does the CRA have to be complied with for new products?

6. To what extent are products affected that are still subject to change by the regulations of the CRA, e.g., software development kits for which changes are planned by the customer (OEM) and the future intended use is unknown?

7. Does the CRA apply to products that were placed on the market for the first time before December 11, 2027, but which are still offered by the manufacturer in an unmodified state after that date?

8. Does the CRA also have to be complied with for legacy products?

9. Does “making available on the market” in the context of the CRA apply to serial distribution as one act or to each individual act of distribution?

10. If alternative spare parts are installed for legacy products since the original parts are no longer available, does the CRA only have to be complied with for these spare parts or for the legacy product as a whole?

11. Is a sample code provided to a customer considered a “product with digital elements” under the CRA?

12. Is a developer documentation with code snippets provided to a customer considered a “product with digital elements” under the CRA?

13. Does it make a difference whether a software product is delivered as source code or binary code in the context of the CRA?

14. Does Open Source software fall under the requirements of the CRA?

15. What are “Open Source Stewards” in the scope of the CRA?

16. In the case of custom programming, does it make a difference in the context of the CRA whether the software is handed over directly to the customer or contributed to an open source project?

17. Are there conflicts between CRA requirements and Open Source license obligations, e.g., between integrity requirements and obligations under the GPL to provide installation information?

18. Who is responsible for the obligations arising from the CRA?

19. Who is responsible for CRA compliance of third-party or Open Source components that are incorporated into a product?

20. What obligations does a manufacturer have under the CRA?

21. What is an assessment of cybersecurity risks in the context of the CRA?

22. What are the CRA obligations around the product with digital elements?

23. What is the designation of a single point of contact in the context of the CRA?

24. What does working with a market surveillance authority (“upon a reasoned request“) mean in the context of the CRA?

25. What does "Information about a ceasing of operations" mean?

26. What are the legal consequences of non-compliance with the CRA?

27. How do product modifications affect the applicability of the CRA? What about customizing of a standard product?

28. Which special rules from the CRA apply to software that is released in new versions several times a year?

29. How long must support be offered for a product according to the CRA? Can the manufacturer decide what the 'expected use time' should be?

30. In the context of the CRA, does the support period start from the date of initial release on the market, or does it start for each individually purchased product upon purchase?

31. Can the update obligation in the context of CRA compliance be outsourced to third-party providers?

32. How does the CRA handle products that have been manufactured according to a customer's specifications?

33. Must CRA obligations be fulfilled when products are delivered to companies within the same group?