Licenses of dependencies

@Bob_Carpenter, are you ok with including a library that’s Apache 2.0 inside Math?

From my research Apache 2.0 is non-viral and is ok to use with the BSD. See wikipedia.

Moreover, the Apache foundation themselves consider the BSD licences to be of category A, which means that you can use any BSD work in the context of an Apache project:

@wds15, I think you have the direction backwards. From your Wikipedia link, it says Apache 2.0 improves compatibility with GPL-based software, which is too restrictive for BSD.

If you look at the license compatibility wikipedia page, under “Compatibility of FOSS licenses,” the diagram shows the arrow going from BSD-new to Apache 2.0. This is consistent with what you’re stating about BSD 3-clause being compatible with Apache 2.0. But if that diagram is right, Apache 2.0 is not compatible with BSD 3-clause.

Ah, I see. If you follow the link to the source of that diagram which you quote,

There they explain that combining a more restrictive license with a less restrictive license is possible - it’s just that you downgrade the permissiveness; but you can do it. In our case the Apache 2.0 is categorised as less permissive than the BSD. Reading through the license statements it’s not clear to me how the Apache 2.0 license is less permissive though.

(I am not an expert on this stuff, really)

That’s right. We can only be as open as our least restrictive license. (That’s a simplified view. There’s some more complication of linking vs distribution.)

That’s why this is an open question. I’d prefer to stay with BSD 3-clause because that’s more open and what Stan has been, but maybe it’s ok to go with Apache 2.0? We may have to evaluate whether restricting the license is worth the benefit of TBB.

I don’t know anything about the Apache licenses. It looks complicated and may be something we again want to kick off to the NumFOCUS laywers.

We do require compatibility with GPL, but it looks like we’re OK there.

What’s more restrictive about Apache?

What does that mean? I think I understand GPL compatibility in that you need a license you can use with GPL that doesn’t enforce copyleft.

I’m not even sure about the implications of the Boost or Eigen licenses.

Yes, everything points to it being compatible with GPL. Maybe a better question: what properties do we want in our open source license?

I think we should ask NumFOCUS lawyers: can we stay BSD-3 while depending on Apache 2.0?

I haven’t picked out exactly what is more restrictive beyond the requirement that any source changes have to be clearly marked. Maybe there’s more.

I’m not exactly sure yet.


I have filled in lot’s of more details in the wiki on the TBB, see here.

There I also included more details on license implications. The main question asked here was about compatibility with the GPL license - and the answer to that is that the Apache 2.0 is compatible with GPL-3 only. See the statement on

I wonder about:

  1. How can we make progress on this now?
  2. Do we still need to ask NumFOCUS lawyers for something - or are we already filing a request to them?
  3. In case we need to ask them things - what are the open points to ask?
  4. How can we reach out to them if needed?


As with all things related to Stan technical details, the management chain is @seantalts, @breckbaldwin, and @andrewgelman as head of technical working group, executive director, and chairman of the governing body.

I’m not following up on any of this stuff myself any more.

I don’t know anything about licensing, and frankly a lot of these questions haven’t been tested in court anyways. I’d be happy to forward a question to NumFOCUS and see if they can help us. Is the question “Can we stay BSD-3 if we include an Apache 2.0 dependency?”

I think that’s the right question to ask. @wds15, is that the right question? To be more specific, we include the headers (it is not link only).

Well … at the end, you, @syclik, are going to review the PR; so please ensure that the question you want to have addressed is being asked (that does not mean you are legally liable in any way, of course - but the reviewers view is key). The questions to ask could be

  • Can we stay BSD-3 if we include an Apache 2.0 dependency?

Moreover, the question came up if we have additional constraints inherited by the Apache 2.0. So this could be asked as well (but its not required, I guess; so if we are charged loads of money for this, then maybe spare this):

  • Do the additional constraints of the Apache 2.0 license constrain the remainder of the Stan-math source code? Specifically, do the patent related clauses of the Apache 2.0 apply to the remainder of Stan-math? This is referring to point 3 " Grant of Patent License ." from the license,

@syclik: Do we need that additional question? Is that all?

A key point asked was if the Apache 2.0 can be used with the GPL - but that is clearly asked by the FOSS (on in that we can use it with the GPL-3.

Quick question, how one could do a patent with Stan?

I don’t know… but the BSD allows you to do anything with Stan-math. So you can grab it, code some patented thing into it and you would not be obligated to do anything about this. The Apache 2.0 licences could touch this aspect - but I doubt that, because the Apache 2.0 holds for the TBB, but not the rest of Stan-math (this is my understanding).

… but you are right in that this may be unlikely and we may want to save resources and forward this question; I leave that decision to others.

Anything can be turned into a patent. Let’s say:

  • X patents technology A
  • Y patents technology B that depends on technology A

At this point, neither X nor Y own sufficient rights to put technology B into practice. Either Y needs to get rights to patent A from X or X needs to get rights to patent B from Y.

This illustrates how patents let you stop other people from implementing technology, but do not give you the right to build the technology you patent. For that, you need rights to all the technology on which your patent depends.


I can approach NumFOCUS lawyers or others but I need a very clear description of the question I am asking. Is the above the question?


A good lawyer should be able to help us formulate the question based on our goals. We had a back and forth last time I tried asking them about GPL and PyStan.

I believe the goal here is to include an Apache 2.0 library in our distribution, but I’m not 100% sure.

We tried asking NumFOCUS’s lawyer once before and got an answer in plain English. What we failed to achieve was agreement among our developers as to what the answer meant.

a comment/question:

Are we adding it to our library or are we just redistributing it (with its licence?)?

This is exactly the kind of semantic distinction for which we need an intellectual property lawyer. :-)

NumFOCUS has a lawyer that can work with us. I can set it up, who wants to be part of the conversation? Respond in this thread.