Black Hat

SOOS @ Black Hat USA 2022
August 9-11 | Booth #IC58

Apache vs MIT License

Most people use some kind of software every day, whether they are developers, end-users, or somewhere in between. The average end-user doesn’t care what a software license is or what kind of license they use, but its license permissions and restrictions govern developers’ use of open-source software. In turn, developers must license the software they produce to control its use. Developers should consider the advantages of Apache vs MIT license use.

What Is a Software License?

There are many types of software licenses, but all of them are legally binding. A software license includes rules and requirements about how the users can utilize said software. It also establishes how fees for using the software are determined and how much the user is allowed to modify, copy, or disperse the software.

There are five main types of software licenses, and the main differences are the level of restrictions placed on users of the software. Starting with the least restrictive license:

  • Public Domain License – There are no restrictions on software with this license. This means that everyone can utilize and modify the software.
  • Lesser General Public License – LGPL licenses specify provisions by which users can include components of the licensed software in new software. Developers can link modules from their libraries with LGPL-licensed products.
  • Permissive – Permissive software licenses allow modifications and distribution of the software’s components. However, permissive software includes a few requirements and restrictions governing its use.
  • Copyleft – Copyleft licenses are more restrictive. Although users can modify and distribute this software, any new software that uses the original software as a component is bound by the specific license of that original software.
  • Proprietary – This is the most restrictive category of software licenses. This type of software is closed source, and no modification or redistribution is allowed. The creators of proprietary software retain ownership.

Except for proprietary software, these licensing types are known as open-source software. Developers use myriad open source software products to build new projects. It is essential to be confident that the new project doesn’t violate any of the restrictions outlined in each component.

Much of the software that developers use have permissive licenses. Two of the most widely used permissive licenses are MIT and Apache 2.0, and there are benefits to each license type. Choosing which type to use as part of a toolset can be determined partially by how freely developers want to distribute their projects derived from the original.

What Is the MIT License?

The MIT license is a very short permissive license that is extremely easy to obtain. It is only three paragraphs long, and its language is simple and easy to understand, which some users prefer. In a nutshell, MIT-licensed software can be used in any way as long as the copyright information from the original software is included in the license file of any project derived from it, and the creator isn’t held liable for any future uses.

An incentive for both creators of original MIT-licensed software and developers who use such software when building their own projects is that this license allows for monetization. The original creator can charge others for its use, and in turn, developers of derivative projects can also charge for their products.

New development projects using MIT-licensed software as a component can be licensed as either open source or proprietary.

Businesses or developers using code from software under the MIT license to build new projects aren’t required to release any modifications made to the original code, which is an important benefit for those whose projects are proprietary. Not releasing code modifications allows a competitive advantage to be maintained, so using MIT licensed software is very attractive to those looking to sell their derivative product.

When choosing how to license new software, developers often choose the MIT license so that the contained code is more likely to be used to develop new projects, especially if they intend to charge for its use. Also, because of the simplicity of an MIT license, including the license information and copyright in derivatives is very easy to accomplish. As well, since the MIT license is so popular, businesses and developers may be more likely to trust software bearing that license.

One major drawback to the MIT license is a result of the time frame it was composed and released. At that time, software patents weren’t utilized; therefore, the MIT license doesn’t include verbiage to release patents to other developers. This lack can be detrimental because developers may shy away from using software with no explicit patent rights release clause. Possible copyright infringement could also result from using MIT-licensed code because the language doesn’t specify certain usage rights.

What Is the Apache 2.0 License?

The Apache 2.0 license is a permissive license that is somewhat similar to the MIT license. The main difference is that the Apache license includes more specific rules governing its use and any derivatives. The Apache license is much more challenging to read for the average person because it consists of a lot of legal jargon, and it’s also much longer than the MIT license’s three paragraphs.

Like the MIT license, Apache 2.0 allows code to be reused and modified by developers, including for monetary gain, and states that the original author must be referenced and cannot be held legally liable. However, the precise language used in the Apache license places more rules and restrictions than the MIT license on how its content can be used. The Apache license also states that users do not have the right to use any trademarks owned by its creator.

The Apache 2.0 license requires that any significant modification of code under this license must be described. The actual modified code doesn’t have to be released, but the changes must be described in a notification included in any released derivations.

A benefit that Apache 2.0 licenses have over MIT licenses is that developers can claim patents on derivative projects. The language allowing patent right transference clearly specifies the terms that some users — and lawyers — appreciate because the degree of legal protection provided minimizes the risk of potential lawsuits.

One drawback of Apache 2.0 is that code under that license isn’t compatible with GPL2 software. There is, however, an exception that can be combined with the Apache 2.0 license that may provide a legal fix when that code is used with GPL 2 software.

Apache vs MIT License: Which Is Better?

The answer of which license is best depends on what software it is licensing. Broadly speaking, if developers desire the assurance of patent protection, Apache 2.0 is the better choice. If the goal is for the resultant modified software to be highly accessible by future users without constraints, developers should choose MIT.

The bottom line is that each license has its own benefits and drawbacks, so there’s no definitive answer to which is better. The goals of the specific development project being built can govern this choice on a case-by-case basis.

How Does Understanding MIT and Apache 2.0 Licenses Relate to Security?

Regardless of whether you feel Apache or MIT is the right open source software for your project, all open source software needs to have multiple security checkpoints in place protecting against malware, viruses, or similar vulnerabilities. Thankfully, you can use a software compositional analysis (SCA) tool as one of your checkpoints to help you keep track of any newly discovered vulnerabilities in your open source software. 

How Can SOOS Help?

SOOS offers an effective SCA tool with unlimited scans and unlimited users at an affordable price. To learn more, browse through the FAQ page or create an account to start using SOOS today.

Copyright © 2022 SOOS| Terms of Service | Privacy Policy