Safeguard
Open Source Security

Copyleft vs Permissive Licenses

Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.

James
Principal Security Architect
Updated 7 min read

Every pull request that pulls in a new npm package, PyPI wheel, or Go module also pulls in a license — and that license is a legal contract, not a suggestion. The GNU GPL, first published by Richard Stallman in 1989, requires anyone who distributes derivative works to release source code under the same terms. The MIT License, dating to 1988, imposes almost no obligations beyond keeping a copyright notice. Between those two poles sits a spectrum of copyleft and permissive terms that determines whether shipping a dependency creates a legal disclosure obligation or costs nothing at all. Security and legal teams that treat "open source" as one bucket routinely discover — usually during due diligence for an acquisition or a customer audit — that a transitively-included GPL or AGPL component has quietly imposed source-disclosure requirements on proprietary code. Knowing which license family a dependency belongs to, and what it actually triggers, is now a baseline software supply chain security control.

What is the actual difference between copyleft and permissive licenses?

Copyleft licenses require that derivative or combined works be distributed under the same license terms, while permissive licenses let you relicense the code however you want, including as closed-source proprietary software. The GNU General Public License (GPL), first released in 1989 and now at version 3 (2007), is the canonical copyleft license: if you distribute a binary that statically links GPL code, you must offer the corresponding source under the GPL. Permissive licenses like the MIT License (1988) and the BSD License (1990s, UC Berkeley) impose almost no conditions — attribution and a disclaimer of warranty, full stop. Apache License 2.0, released by the Apache Software Foundation in 2004, is also permissive but adds an explicit patent grant, which is why it's now the default choice for corporate-backed projects like Kubernetes and TensorFlow. The practical difference shows up at distribution time: permissive code can be embedded silently; copyleft code can force a disclosure decision you didn't know you were making.

Which specific licenses count as copyleft versus permissive?

Copyleft splits into "strong" and "weak" variants, while permissive licenses are largely interchangeable in practice. Strong copyleft — GPLv2, GPLv3, and the AGPLv3 (2007) — extends its terms to any work that links against or combines with the covered code, and AGPL adds a network clause that triggers even when you only offer the software as a hosted service rather than distributing a binary. Weak copyleft — the LGPL, the Mozilla Public License 2.0 (2012), and the Eclipse Public License 2.0 — limits the obligation to the licensed files themselves, so you can link a proprietary application against an LGPL library without open-sourcing your own code. Permissive licenses — MIT, BSD-2-Clause, BSD-3-Clause, Apache 2.0, and ISC — all allow relicensing under proprietary terms. Industry composition data bears this split out: Synopsys's 2024 Open Source Security and Risk Analysis report, which audited 1,067 commercial codebases, found MIT was the single most common license by far, while GPL-family licenses still appeared in roughly a fifth of codebases scanned — enough that a security team ignoring license category is guaranteed to be carrying copyleft exposure somewhere in its tree.

Why did Elastic, MongoDB, and HashiCorp move away from open source licenses entirely?

They moved because permissive and weak-copyleft licenses don't stop cloud providers from reselling the software as a managed service without contributing back. MongoDB created the Server Side Public License (SSPL) in October 2018, a copyleft-style license that requires anyone offering MongoDB "as a service" to open-source the entire service stack, specifically to block AWS from monetizing DocumentDB-style offerings. Elastic followed in January 2021, relicensing Elasticsearch and Kibana from Apache 2.0 to a dual SSPL/Elastic License model for the same reason — then reversed course in August 2024, returning Elasticsearch to AGPLv3, a recognized OSI copyleft license, after determining SSPL's business goals were better served by a license the community would actually call open source. HashiCorp took the opposite path in August 2023, moving Terraform, Vault, and other tools from the permissive Mozilla Public License 2.0 to the non-open-source Business Source License (BSL) — a decision reversed in June 2024 when IBM acquired HashiCorp and the community fork, OpenTofu, kept building under the original MPL 2.0 terms. Each move illustrates the same pressure: permissive licenses maximize adoption but let competitors profit for free; copyleft licenses protect against that but scare off enterprise legal teams; SaaS-specific licenses try to split the difference and often satisfy neither camp.

What actually happens if a company violates a copyleft license?

Violating copyleft terms exposes a company to injunctions, statutory copyright damages, and forced source disclosure, and it has happened to major consumer electronics brands. The Software Freedom Conservancy sued Vizio in October 2021 in California state court, alleging that Vizio's SmartCast TVs shipped a Linux-kernel-based firmware without providing the corresponding source code required under GPLv2 and LGPLv2.1 — not a copyright claim, but a breach-of-contract claim seeking specific performance (source release) rather than damages, a legal strategy that survived Vizio's motion to dismiss in 2022 and continued through appeal in 2024. Earlier, Jacobsen v. Katzer (Federal Circuit, 2008) established that violating even a permissively-styled open source license's attribution terms constitutes copyright infringement, not merely breach of contract, which materially raises the potential damages and makes injunctive relief easier to obtain. For a security or legal team, the lesson is concrete: copyleft non-compliance isn't a theoretical audit finding — it's active, ongoing litigation risk with a real settlement or disclosure cost attached.

How does a copyleft obligation actually get triggered inside a commercial codebase?

The obligation triggers based on how the code is combined and distributed, not on whether a developer meant to use it. Static linking, direct source inclusion, and forking a GPL project all trigger the "derivative work" threshold under GPLv2/v3, obligating source release for the combined work. Dynamic linking is legally murkier — the Free Software Foundation's position is that dynamically linking against a GPL library still creates a derivative work, while some courts and the LGPL explicitly carve out an exception for it. AGPLv3 goes further with its Section 13 network clause: simply running AGPL-licensed code to power a SaaS product, with zero binary distribution to any customer, is enough to trigger the source-offer requirement, which is exactly why many enterprises ban AGPL dependencies outright in their open source usage policies. This is also where transitive dependencies cause the most damage: a permissively-licensed application can pull in a GPL or AGPL package four levels down in its dependency graph — inside a build tool, a test harness, or a vendored utility — and the organization is bound by that license's terms whether or not any engineer ever read it.

How Safeguard Helps

Safeguard's SBOM generation and ingest pipeline builds a complete, versioned inventory of every direct and transitive dependency — including their declared licenses — so copyleft components like GPL, AGPL, and SSPL packages are flagged the moment they enter a build, not discovered during an acquisition audit. Griffin AI cross-references license findings against actual usage patterns, distinguishing a vendored GPL utility that's merely invoked as a subprocess from one that's statically linked into a shipped binary, which is the distinction that determines real legal exposure. Reachability analysis further narrows the signal: if flagged copyleft code exists in the dependency tree but is never reachable from your application's compiled code paths, Safeguard deprioritizes it instead of generating a compliance alert your legal team has to chase down manually. When a genuine violation risk is found — say, a transitive AGPL dependency introduced by a minor version bump — Safeguard can open an auto-fix PR that swaps in a permissively-licensed alternative or pins to a pre-violation version, closing the loop between detection and remediation without a manual legal review cycle for every dependency update.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.