What is an open-source license violation?

An open-source license violation occurs when someone uses, modifies, or distributes open-source software without adhering to the terms specified in its license. Open-source licenses grant specific freedoms, such as the right to view, modify, and share code, but they also impose obligations. These obligations vary by license type. For example, permissive licenses like MIT or Apache 2.0 require attribution and may include rules about patent rights, while copyleft licenses like GPL require derivative works to be released under the same license. Violations happen when users ignore these terms—such as failing to credit the original author, not disclosing changes, or distributing proprietary software that incorporates copyleft code without making the combined work open source.

A common example is using GPL-licensed code in a proprietary application. The GPL requires that any derivative work must also be licensed under the GPL, meaning the entire project’s source code must be shared. If a developer integrates GPL code into their software but doesn’t release their code as open source, they violate the license. Another example is omitting required attribution. For instance, MIT-licensed code mandates including the original copyright notice in all copies. If a developer uses an MIT library but removes the notice from their documentation or source files, they breach the license. Similarly, Apache 2.0 requires preserving notices about patents or contributors, and failing to include these in distributed code would be a violation. Even unintentional oversights, like forgetting to update license files in a fork of a project, can lead to compliance issues.

Violations can result in legal action, financial penalties, or forced compliance. For example, companies like VMware have faced lawsuits for allegedly mixing proprietary code with GPL-licensed components without proper compliance. Beyond legal risks, violations harm trust within the open-source community, making collaboration harder. To avoid issues, developers should audit dependencies using tools like FOSSA or Scancode, review license terms for obligations, and document compliance steps (e.g., adding attribution files). Projects can also adopt automated license checkers in CI/CD pipelines to flag potential issues early. Understanding licenses and maintaining clear records of dependencies and their requirements is critical to preventing violations, even accidental ones.