The process of generating the table included the use of a "standardized" name and acronym for each license, while adopting the SPDX acronym. Afterward, I analyzed the various references to determine whether the licenses are compliant for distribution within software that utilizes the following license types: Apache, GNU GPL (2 or 3), Eclipse, or Proprietary. The approval table appears to be complex enough to suggest some assertions and opens the door to discussion.
- Even if resources provided by the FSF and Fedora project are useful, compliance with or even within the GNU licenses is a nightmare compared to other alternatives.
- GNU GPL's non-compliance with mainstream licenses (i.e. Apache and Eclipse), along with its difficulties addressing license compliance within the GNU licenses themself, may lead to separate ecosystems, and thereby minimizing the situation so that GPL is the correct license choice.
- Software development is integrating more and more components, and it will be increasingly harder to provide clean software bill-of-materials including components distirbuted under one of the GNU licenses.
The first assertion "compliance with or even within the GNU licenses is a nightmare compared to other alternatives." can be cleared up by looking at this table or the table from Fedora licensing page. The table highlights 72 different compliance rules that may apply, which is already quite confusing. And in many cases, it shows that it is possible to get compliant by converting or upgrading the license. It would thereby assume that you or your organization owns all of the copyright, or at least you will be able to contact the copyright owner to gain their approval. It is my assumption, that the many respondents and readers will described this situation as "complex". Of course, this complexity aims to limit the number of relevant licenses if you consider compliance with one of the GNU license family as a key criteria to choose a license for your open source project. David A. Wheeler recently updated his post on this topic, which is definitely worth reading ("Make Your Open Source Software GPL-Compatible. Or Else.", by David A. Wheeler).
The second assertion concerns "GPL's non-compliance with mainstream licenses (i.e. Apache and Eclipse) may lead to separate ecosystems". FSF provides a compliance diagram in this quick guide to GPL V3. As you can see, when V3 of the GPL is used, it allows more permissive licenses to be compliant. Well, at least because it fixes compliance with Apache 2.0, ... but GPL V3 is not compliant with GPL V2. Therefore, it is harder for communities to combine source code and components leading to separate ecosystems. Furthermore, statistics confirm that there are still 3 times more projects under GPL V2 than GPL V3.
The third assertion said: "it will be increasingly harder to provide clean software bill-of-materials including components distirbuted under one of the GNU licenses." Harder, does not mean impossible. At least you can save time by using one of the open source 3rd party component management. These solutions help to qualify a component, and checks its compliance against your license policy. A license policy is sometimes defined as "Permissive only," excluding all components or source code under copyleft licenses (weak or strong).
The GPL is dead. Long live the GPLs.
GNU licenses, have been and are still great for the software industry. They will probably stay in the mainstream as "Strong Copyleft" references, even if the ecosystem is a little bit more complex with GPL-2.0 and GPL-3.0 coexisting as separate communities in the GNU world. We can no longer talk about just GPL, but we have to identify whether we are addressing GPL V2 or V3. By the way, "the cloud" may put AGPL at the top of the open source food chain within a few years...
Epilogue : License compliance, the next battlefield for Oracle, Google, and Apple ?
Over the last few years, we have seen how license compliance takes more and more importance on the software market, and may even become the next legal battlefield for big companies on fast growing markets, like Mobil Apps (see topics related to GPL Apps on Apple Store, or more recently "Google's disappearing Android GPL compliance opportunity", by Jonathan Corbet).