Why I Licensed Everything Apache 2.0

License choice is a product decision, not just a legal formality. Apache 2.0 over MIT isn't paranoia — it's the patent protection clause, which matters specifically for security software.

Every project I've published uses Apache License 2.0. Not MIT, not GPL, not AGPL. The choice is intentional and specific, not ideological.

What the Licenses Actually Say

MIT License: Permission to use, copy, modify, merge, publish, distribute, sublicense, and sell copies. One condition: keep the copyright notice. No patent provision. 171 words total.

Apache 2.0: The same permissions as MIT, plus an explicit patent license from every contributor, a patent retaliation clause (sue contributors for patent infringement and your patent license terminates), and trademark protection for the project name. 1,503 words total.

For most projects, the practical difference is minimal. For security software, it's significant.

Why the Patent Clause Matters for Security Tools

ShieldX is a prompt injection defense system. ShieldY is an infrastructure security scanner. Both operate in a space where incumbent vendors — Palo Alto Networks, CrowdStrike, Darktrace — hold hundreds of patents covering detection algorithms, behavioral analysis, and prevention mechanisms.

Under MIT, someone shipping ShieldX in a commercial product has no patent license from me or from any other contributor. If an incumbent sues them for patent infringement, the MIT license provides no protection. Under Apache 2.0, they hold an explicit patent license from all contributors, and if they turn that license around to sue other Apache 2.0 projects, their own grant terminates.

Multiple security startups have been sued for patent infringement by large incumbents within 18 months of significant adoption. Apache 2.0's patent retaliation clause doesn't prevent that — but it means users of the software have a patent license that's harder to weaponize against the community that produced it.

Why Not GPL?

GPL requires derivative works to be GPL-licensed. For security tools integrated into commercial products, that's a dealbreaker for most commercial users. I want ShieldX used by startups building commercial LLM products. If GPL prevents that, fewer teams get better prompt injection defense. The community goal — more secure AI systems — is better served by maximizing adoption, which means permissive licensing.

The Trademark Layer

Apache 2.0 preserves the project's ability to protect trademarks by explicitly stating the license doesn't grant trademark rights. "ShieldX" as a name is separately registered. This prevents someone from forking the project and selling it under the same name — a pattern that has happened to several MIT-licensed security tools.

The Summary

For typical application code and utilities: MIT and Apache 2.0 are functionally identical in practice. Choose based on ecosystem convention.

For security tools, cryptographic implementations, and code in patent-dense verticals: Apache 2.0's patent provision earns those extra 1,300 words. It signals to commercial users that you've thought about the IP layer, and it provides structural protection against the patent weaponization pattern that has damaged several OSS security communities.