Recent court ruling makes it more important than ever to understand the GPL

It’s much less dangerous than a chainsaw

When Alan Shimel reported on the recent court decision against Westinghouse Digital in the BusyBox suit, he talked of the GPL having teeth. Think about the teeth of a saw. Very useful, but requiring understanding and care. It's surprising how misunderstood the license is, especially given its popularity.

GPL remains the most used license for software freely available on the Internet. My company, Black Duck, maintains a KnowledgeBase tracking (among other things) license usage. Of the hundreds of thousands of projects out there, nearly 50% are licensed under the GNU General Public License 2.0. (References below to GPL refer to that license.) Adding in LGPL and GPL 3.0, the total is over 60%. On to the misconceptions...

If we let a viral license inside our firewall, all our company's IP will be infected

Don't get excited. The GPL has been characterized as "viral" in that it requires any work based on GPL code to be licensed under the GPL. Most people in the field interpret that to apply to source combined with GPL source or linked to a GPL library (there's a debate around dynamic linking). But it certainly does not apply to all code behind the same firewall or ever sitting on the same disk (otherwise, code would be compromised just by being on a Linux machine).

If my code gets infected, I have to release it to the world

GPL-licensed code (including any code that becomes GPL by being combined with GPL code) must be made available to anyone to whom it's distributed, but that doesn't necessarily mean it needs to be made public. The easiest way to satisfy this obligation is to include source code with the object code when distributed. The alternative is to provide source code upon request (oddly, this must be on physical media) to any third party that requests it. In that case, therefore, there is a chance of the code becoming essentially public.

You can't charge for GPL code

Well, technically one can, but practically...not so much. You can charge me whatever you want, but you can't restrict me from passing it on for free, so it's hard to maintain much of a price.

GPL is only a concern for ISVs, because others don't "distribute" software

It's true that the GPL obligations of concern are triggered on distribution. This absolutely applies to ISVs, but don't forget embedded systems companies. Everything has software in it these days. A BMW contains millions of lines of code; shipping a car is distributing software.

But how about Enterprise IT organizations? A company can use GPL code freely inside its firewall (although it is obliged to keep notices intact in the code and should therefore have some process in place). However, many such organizations today do, in fact, distribute software. I have a Bank of America app in my pocket as we speak. Insurance companies often provide applications to independent agents to tie them into their systems. Many companies have subsidiaries, affiliates and partners to whom they distribute.

But a bigger-picture issue is that Sarbanes-Oxley requires public companies to disclose IP ownership and to monitor for violations (even if they are complying). Companies need to track open source they use, just like any other third party software. The Cloud too raises some interesting issues. Are SaaS companies exposed? Not to GPL, for the reasons cited above. However, a SaaS company might someday want to extend its business model or be acquired by a company with that in mind, so it would do well to manage its use of GPL code. And then there's the AGPL license, aimed specifically at SaaS companies.

Open source software is like a chainsaw. Using it absolutely makes you more productive, but you really should read the instructions first.


Copyright © 2010 IDG Communications, Inc.
