
Apache 2.0 vs MIT: Who Rules Open Source in 2026
An analysis of the strategic shift toward Apache 2.0 and MIT licenses as AI models and enterprise pragmatism redefine open source compliance.
The open source world in April 2026 has officially traded its manifesto for a spreadsheet. We are seeing a massive, accelerating shift toward permissive licensing. Why? Because builders want to ship, not litigate. The era of 'ideological purity' has been steamrolled by 'operational pragmatism.' Enterprise demand is the hammer here, and it is hitting the nail of compliance hard.
According to data from RedMonk's 2026 State of Open Source Licensing report, permissive licenses now govern approximately 73% of open source components on GitHub - down slightly from a peak of 82% in 2022, though package registry data from deps.dev shows no such dip and skews even more permissive. The direction of travel remains clear: eliminate legal friction. Companies want to integrate, modify, and sell software without the ghost of a disclosure obligation haunting their repository. If you are building in the cloud or shipping AI agents, permissive is the only way to move at market speed.
Apache and MIT take the throne
Two names dominate the landscape: Apache 2.0 and MIT. Together, they hold over 50% of the market.
The enterprise safe house: Apache 2.0
Apache 2.0 is the heavy hitter for commercial AI. It provides what builders call 'enterprise-safe language.' It does not just let you use the code; it grants explicit patent rights. This acts as a shield against the kind of patent litigation that keeps CTOs awake at night.
Google released its Gemma 4 model family under Apache 2.0 on April 2, 2026 - a landmark move because it marks the first time in the Gemma family's history that models have been released under a true OSI-approved open source license. Earlier Gemma versions shipped under a custom "Gemma Terms of Use" that, while relatively permissive, carried legally ambiguous restrictions that routinely stalled enterprise legal reviews. The switch to Apache 2.0 was not about charity; it was about utility. By replacing proprietary license terms with an industry-standard one, Google ensures Gemma 4 becomes the foundation for as many commercial applications as possible. This follows a path set by Alibaba's Qwen models and the GLM-5 model from Z.ai (formerly Zhipu AI). If you want your model to be the industry standard, you give it an Apache 2.0 license.
The Swiss Army knife: MIT
For tooling and libraries, MIT remains the king of simplicity. In April 2026, the zai-org/GLM-5.1 MoE model dropped under an MIT license, reinforcing its status as the go-to for AI agent infrastructure. However, the MIT license is currently under fire. Proposals for AI-resistant addenda to permissive licenses have circulated throughout early 2026, attempting to block AI training without permission. Critics are rightly pointing out that once you add those kinds of strings, it is no longer an open license. It is a contract.
The AI-driven copyleft crisis
Copyleft is not dead, but it is definitely in the corner. While GPLv3 still has a home in internal platforms, it is becoming a rarity in customer-facing SaaS. AI is creating a technical loophole that might make copyleft harder to enforce in practice.
Take the case of 'chardet.' The maintainer of this library, which sees approximately 130 million downloads a month, used Anthropic's Claude Code to rewrite version 7.0 from specifications. He then flipped the license from LGPL to MIT. The logic? If an AI rewrites the code from scratch, the copyleft 'taint' might not carry over. The original author, Mark Pilgrim, returned from years of internet silence to dispute this directly, arguing that no right to relicense existed. The legal outcome remains unsettled.
This question gained serious weight on March 2, 2026, when the US Supreme Court declined to hear Thaler v. Perlmutter. By leaving intact the ruling that purely AI-generated works cannot receive copyright protection under current US law, the court reinforced the principle that human authorship is a bedrock requirement - but left unresolved the harder question of how much human contribution is required and whether AI-rewritten code qualifies as a derivative work. If there is no copyright in purely AI-generated output, the enforceability of copyleft against such rewrites becomes genuinely murky legal territory.
The defensive retreat
Not everyone is happy about AI's impact on open code. In April 2026, Cal.com announced a shift to a closed-source model - but the reason was not AI companies consuming their code without contributing back. The stated driver was AI-powered security threats: automated vulnerability scanning tools that can now analyze public codebases at machine speed, dramatically lowering the barrier for attackers to find and exploit weaknesses. The company simultaneously released Cal.diy, a fully open-source version of its platform for hobbyists and self-hosters. We are also seeing the rise of 'AI-resistant' licensing proposals in the broader community. It is a defensive play. For some, the risk of having a public codebase weaponized against them by AI-assisted attackers outweighs the benefits of an open ecosystem. The 2026 State of Open Source Survey, due this spring, will likely confirm that the industry is no longer just worried about software freedom; it is worried about software survival.
Key takeaways
- Permissive licenses now govern approximately 73% of open source components on GitHub, according to RedMonk's 2026 State of Open Source Licensing report; package registry data from deps.dev skews even higher.
- Apache 2.0 and MIT licenses together represent over 50% of all active open source software.
- Google released Gemma 4 under Apache 2.0 on April 2, 2026 - the first time in the Gemma family's history that models have shipped under a true OSI-approved open source license, replacing the custom "Gemma Terms of Use" used in earlier versions.
- The US Supreme Court declined to hear Thaler v. Perlmutter on March 2, 2026, leaving intact the ruling that purely AI-generated works cannot receive copyright protection under current US law - though the enforceability of copyleft against AI-rewritten code remains a separate, unresolved legal question.
- Cal.com moved its core codebase to a closed-source model in April 2026, citing AI-powered security threats and automated vulnerability scanning - not concerns about code consumption by AI companies - while simultaneously releasing Cal.diy as an open-source alternative for hobbyists.

