Spyderisk is licensed under the Apache 2.0 license.
The README in the licenses directory explains how developers should apply license headers to files in the Spyderisk System Modeller. This document is about the why and what of licensing.
The site TL;DR Legal summarises the Apache license as:
You can do what you like with the software, as long as you include the required notices. This permissive license contains a patent license from the contributors of the code.
For most people most of the time, this is all you need to know - please use and enjoy Spyderisk!
Spyderisk source code is available entirely under Open Source licenses: either the Apache 2 license as described above or, for documentation, the Creative Commons CC-BY-SA license.
We use two standards to maintain copyright and licensing of all artefacts in the Spyderisk system modeller project:
- The REUSE high-level system of files and directories regarding licensing
- The SPDX software component descriptors, which form a Software Bill of Materials (SBOM) system
Both of these standards can be read by humans and machines, so Spyderisk is compatible with various automated due diligence systems.
The distinction between contributing code and owning it matters legally, but in the day-to-day we just want to acknowledge the work done by many people over the years. Only someone who owns code has the right to license that code. Many substantial Spyderisk contributors commit their work but do not own their contributions because of their employment contract, and therefore they cannot be a licensor.
Many Spyderisk source files simply state "Copyright the Spyderisk licensors" at the top in the manner specified by the SPDX standard, where the owners/licensors are listed in the LICENSORS file. This is usually followed by the statement "Original by A. Person", where "A. Person" is listed in the CONTRIBUTORS file, or occasionally in LICENSORS if they are in fact also owners.
Without repeating the detailed HISTORY file, Spyderisk licensing is explained by its history:
- In 2023, when all source code was open sourced, the University of Southampton (Soton) was the main copyright licensor
- There were many individual code contributors employed by Soton who were and remain Spyderisk authors, but all of the work they did on Spyderisk while Soton employees is owned by Soton. These authors (called "contributors" to avoid confusion) are therefore not copyright licensors
- A small proportion of the Spyderisk code has been incorporated from other open source projects, and remains copyrighted by its respective owners/licensors
- Any future contributors to Spyderisk who are not Soton employees will own their contributions, and so they will be both authors and owners/licensors
- Some future contributors may be in a similar situation to Soton employees, and their employer will own all their Spyderisk contributions. We would respectfully request that contributors check with their employer to see if they have the right to contribute individually, because we think that is better for the project overall.
As a matter of policy, Spyderisk does not and will not have a Contributor License Agreement (CLA), for reasons similar to those given by Red Hat, the Software Freedom Conservancy and other leading open source voices.
Spyderisk adheres to the "inbound = outbound" principle, where Licensors get exactly the same rights as anyone else in the world. While we use the excellent Apache 2 license from apache.org, Spyderisk is not affiliated with apache.org, and we do not use the Apache CLAs or other tools which do not share rights equally with all.