Safeguard
Licensing

GNU GPL Explained: Versions, Obligations, and Compatibility

GPLv2 vs GPLv3, what the copyleft obligation actually requires, why 'GPLv2 or later' matters, and which licenses you can and cannot combine with the GPL.

Safeguard Research Team
Research
6 min read

The GNU General Public License (GPL) is a strong copyleft license: you may use, modify, and redistribute GPL code freely, but any derivative work you distribute must be licensed under the GPL with complete source code available. It is one of the most consequential licenses in software, covering the Linux kernel, Git, Bash, and a large share of the open source ecosystem, and its obligations are enforceable copyright conditions, not suggestions.

Two versions matter in practice, GPLv2 (1991) and GPLv3 (2007), and the differences between them are exactly where compliance mistakes happen.

What Is the GNU General Public License?

The GNU General Public License was written by Richard Stallman for the GNU Project, with version 1 published in 1989. Its purpose is explicit: guarantee that software freedom survives redistribution. Where a permissive license lets a downstream vendor take the code proprietary, the GPL forbids it. Everyone who receives a GPL binary is entitled to the source, and to pass both along under the same terms.

The license grants the standard four freedoms (run, study, modify, share) and attaches conditions when you distribute:

  • Provide the complete corresponding source code, or a written offer valid for a defined period.
  • License the whole derivative work under the GPL.
  • Keep copyright notices and license text intact.
  • Add no further restrictions.

Running GPL software, including modified versions, purely inside your organization triggers nothing. SaaS built on GPL components triggers nothing either, since serving users over a network is not distribution; that gap is what the separate AGPL-3.0 license closes.

How Do GPLv2 and GPLv3 Differ?

GPLv3 was a substantial rewrite responding to fifteen years of practice. The load-bearing differences:

Patents. GPLv2 has only an implied patent license. GPLv3 contains an explicit patent grant from every contributor and terminates the rights of anyone who sues users over patents in the covered code.

Tivoization. TiVo famously shipped GPLv2 Linux on hardware that refused to boot modified kernels, complying with the letter of source availability while blocking the freedom to modify. GPLv3 requires "Installation Information" for consumer devices, so users can actually run their modified versions.

Compatibility. GPLv3 was drafted to be compatible with Apache-2.0; GPLv2 is not (Apache-2.0's patent termination clause counts as an added restriction under GPLv2). This one difference decides many real-world combination questions.

Termination. GPLv2 terminates permanently on violation. GPLv3 restores rights automatically if you cure the violation within 30 days of notice, which makes remediation far less risky.

"Or later." Many projects license under "GPLv2 or later", letting recipients choose either version. The Linux kernel is deliberately GPLv2-only, which is why kernel-adjacent compatibility questions remain strict.

What Does GPL Compatibility Mean in Practice?

Compatibility asks: can code under license X be combined with GPL code into one distributed work? The direction is asymmetric. Permissive code can flow into a GPL project; GPL code cannot flow into a permissive or proprietary one without relicensing the result.

Combining with GPL codeGPLv2-onlyGPLv3
MIT / BSD-2 / BSD-3CompatibleCompatible
Apache-2.0Not compatibleCompatible
LGPL-2.1 / LGPL-3.0Compatible (v2.1) / via upgrade (3.0)Compatible
MPL-2.0Via its GPL-compatibility mechanismSame
ProprietaryNot compatibleNot compatible

The hard boundary questions are about linking. The Free Software Foundation's position is that linking, static or dynamic, generally creates a combined work subject to the GPL; some lawyers disagree for dynamic linking, and courts have not settled it cleanly. The LGPL exists precisely to remove the ambiguity for libraries: it permits proprietary applications to link against the library, provided changes to the library itself stay open.

How Do You Stay Compliant with the GNU General Public License?

GPL compliance failures are rarely deliberate. They happen because nobody knew the component was in the shipped artifact. A container image, a firmware blob, or an Electron app can carry hundreds of transitive components, and any GPL code among them makes source obligations attach at distribution time.

Practical program:

  1. Know your inventory. Generate an SBOM for every release artifact and extract declared licenses for each component, including transitive dependencies. This is a core software composition analysis capability rather than a manual exercise.
  2. Set policy by destination. GPL in an internal tool is routine. GPL in a distributed proprietary product is either a blocker or a decision to open that product.
  3. Gate at pull request time. License checks in CI catch the new GPL-licensed dependency when it costs minutes to swap, not after it has shipped in three releases. Safeguard surfaces license findings next to vulnerability findings so both go through the same triage flow; see pricing for what is included in each tier.
  4. Honor the mechanics. Ship the license text, preserve notices, and make source offers that actually work. Enforcement actions, from the BusyBox suits to the ongoing Software Freedom Conservancy litigation against Vizio, consistently target vendors who ignored requests for source.

FAQ

Can I use GPL code in commercial software?

Yes, commercial use and even selling GPL software is explicitly allowed. The constraint is distribution: if you distribute a work derived from GPL code, you must offer the whole work under the GPL with source available. Internal commercial use triggers no obligations.

Does the GPL apply to SaaS?

No. GPLv2 and GPLv3 obligations trigger on distribution, and offering functionality over a network is not distribution. AGPL-3.0 was created specifically to extend copyleft to that scenario, so check whether components are GPL or AGPL before relying on the SaaS exception.

Is GPLv2 compatible with Apache-2.0?

No. Apache-2.0's patent-related conditions count as additional restrictions under GPLv2, so the two cannot be combined in one work. GPLv3 resolved this: Apache-2.0 code can be incorporated into a GPLv3 project.

What happens if I violate the GNU General Public License?

Your license terminates, making continued distribution copyright infringement. Under GPLv3 you can cure the violation and have rights restored; under GPLv2 termination is permanent unless the copyright holders reinstate you, which is one more reason enforcement outcomes usually involve settlement and compliance commitments.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.