Technical Guide

Busting The Myth of GPL

June 21, 2024

Michael Bromley


CTO & Co-Founder

“If I use a GPL library in my website, I’ll need to open source all my code!” This is a very common misconception about the GPL open source license, even amongst seasoned developers - even including open source maintainers.

Since we announced our upcoming move for the Vendure project from the current MIT license to GPL v3, we’ve been flooded with feedback. Most of it has been very positive, but we've also heard some reservations.

All of the reservations stem from a fundamental confusion about what the GPL does and does not stipulate.

So in the interests of making things clear, let's address these concerns head on and bust the myth of the GPL.

Myth: I’ll need to open-source all my code!

This is the number one misconception about using GPL code in your project. And it is totally understandable, since:

  • The GPL license is actually pretty long and written in legalese, as opposed to the short, simple MIT license.

  • You have probably heard that the GPL is “copyleft” and “infects” any code it touches like a virus. Scary!

  • We’re developers, not lawyers.

For reference, here’s the full text of the GPL v3. Yes, it’s long. You probably look at that, think “ain’t nobody got time for that” and then look for a short summary of the key points. You might end up on tl;drLegal, a website dedicated to providing concise summaries of open source licenses.

Their summary of the GPL v3 states (my emphasis added):

"You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions."

Further down the page under the “must” column it lists “Disclose Source” as a requirement. Seems pretty clear: if you use GPL, you must disclose your source.

But this is extremely misleading and no doubt contributes to the myth of “I’ll need to publish all my code publicly!” and “argh! my codebase is infected now!”

What the GPL actually says

Let’s look at a couple of excerpts from section 0. Definitions (my emphasis added):

To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

Read that last line again.

Building a web app on top of GPL code and making that web app available over the internet is not conveying the work.

So if you use Vendure to build your next e-commerce project, and run the code internally without distributing (conveying) the code beyond your own servers, you are under no obligation to share your source code with anyone.

Can that be right?

Let’s consider WordPress, the most popular open-source CMS that powers over a third of the top 10,000 websites. It uses the GPL v2, and all WordPress plugins - even the commercial plugins - are GPL licensed.

Drupal, another popular GPL-licensed CMS, specifically addresses this in their licensing FAQ:

Do I have to give my web site's code to anyone who visits it?

No. The GPL does not consider viewing a web site to count as "distributing", so you are not required to share the code running on your server.

The GPL FAQ on gnu.org also addresses this topic directly in several places:

Does the GPL require that source code of modified versions be posted to the public?

The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you.

A company is running a modified version of a GPLed program on a web site. Does the GPL say they must release their modified sources?

The GPL permits anyone to make a modified version and use it without ever distributing it to others. What this company is doing is a special case of that. Therefore, the company does not have to release the modified sources.

OK so when does GPL matter?

I hope it’s clear now that for the vast majority of our users, the move from MIT to GPL v3 will have little practical impact. Most of you are building for either internal use, or as an agency on behalf of a company who will use the work internally.

So when does the GPL make a difference?

Firstly, some companies, typically large enterprises with a legal department, simply have policies prohibiting the use of GPL software. Whether this is a justified position or not is debatable.

Secondly, if you want to use the GPL library as the basis of some software that you then plan to distribute, the GPL obligation to make your source code available is triggered.

We've established that merely making your software accessible over the internet is not “conveying”, so what is?

In the context of a web application, an example would be selling an on-premise license where you provide the application to a customer to run on their own hardware. In this case you'd also need to make the source code available to that customer (important: not to the whole world!) under the GPL license.

A note on AGPL

Another possible source of confusion is the existence of the AGPL license. This is a separate license which explicitly does consider “access over a network” to be a form of distribution. It is therefore often used by infrastructure or SaaS-like open source projects that want to prevent other companies from simply offering hosted derivative works of an open source product.

Again, from the gnu.org GPL FAQ:

"A company is running a modified version of a program licensed under the GNU Affero GPL (AGPL) on a web site. Does the AGPL say they must release their modified sources?

The GNU Affero GPL requires that modified versions of the software offer all users interacting with it over a computer network an opportunity to receive the source. What the company is doing falls under that meaning, so the company must release the modified source code."

Practical Examples with Vendure

If you’re reading this, there’s a good chance you’re building (or considering building) a commerce application on Vendure. So let’s make things a bit more concrete with a few scenarios:

Scenario 1: In-house development

Your company is developing a Vendure application. You have a bunch of custom plugins adding the functionality you need.

You do not have any obligation to make the source of your custom plugins available, since you are not distributing them.

Scenario 2: Development by an agency

Your company is having a Vendure application developed by an external agency. This agency develops custom Vendure plugins to meet your requirements.

Neither you nor the agency has any obligation to make the source of these custom plugins available, since they are still only used internally within your company.

Scenario 3: Distribution within your company

You are a company and have multiple internal installations of your Vendure-based app. This is covered in the GPL FAQ question “Is making and using multiple copies within one organization or company ‘distribution’?” Assuming a single legal entity rather than distribution to child companies, the answer is no: you don’t need to share the source, even with your employees.

Scenario 4: Building stand-alone Vendure plugins

You are building Vendure plugins which you then plan to distribute to others, e.g. via a package registry like npm, and possibly charge for use.

In this scenario you are conveying a covered work and you would need to release the plugin under the GPL license, and thus make the source available to those to whom you distribute the plugin. Again, note that this does not mean you necessarily need to make the source available to everyone, only to those who receive the plugin package.

Scenario 5: Building a product to sell

You are building a commerce platform on top of Vendure that you wish to sell to other companies. You want to allow those companies to get and run that code themselves, i.e. allow “on-prem” installations.

In this case you would be required to make the source code of your custom plugins available. Alternatively, you can purchase a commercial license, which removes this obligation.

Don’t fear the GPL

With this post I hope that you have a better understanding of the implications of using GPL libraries in your application.

Is the GPL without consequence? No - you do need to understand the implications and make decisions accordingly. But should the GPL be feared and avoided? Certainly not.
