Safeguard
Security

GPL Adalah: What the GNU General Public License Means for Your Code

GPL adalah lisensi copyleft yang paling terkenal. This guide explains what the GPL actually requires, why the copyleft obligation matters, and how it affects the code you ship.

Yukti Singhal
Platform Engineer
6 min read

GPL adalah singkatan dari GNU General Public License, the most widely known copyleft open-source license, and it grants broad freedom to use and modify software on the condition that derivative works you distribute are released under the same terms. That single condition, called copyleft, is what separates the GPL from permissive licenses like MIT or Apache and is the reason engineering and legal teams treat GPL dependencies with more care than most other open-source components.

What the GPL grants and what it asks in return

The GPL gives you four freedoms: to run the program for any purpose, to study and modify its source, to redistribute copies, and to distribute your modified versions. In exchange, when you distribute software that includes or derives from GPL-licensed code, you must make the complete corresponding source available under the GPL, including your modifications, and you cannot add restrictions that take those freedoms away from your recipients.

The pivotal word is distribute. If you run GPL software internally and never ship it to anyone, the copyleft obligation to publish source is not triggered. It activates when the software leaves your organization, whether as a downloaded binary, an appliance, or embedded firmware.

Copyleft, in plain terms

Permissive licenses say "do what you like, just keep the copyright notice." Copyleft says "do what you like, but anything you build on this and distribute must carry the same freedoms forward." The intent is to keep the software and its descendants free, so a company cannot take GPL code, improve it, and ship the improvements as closed source.

This is why the GPL is sometimes called viral, though that word overstates it. The obligation attaches to derivative works you distribute, not to everything on the same disk or the same network. Understanding where that boundary sits is the whole game in GPL compliance.

GPLv2 versus GPLv3

Two versions dominate. GPLv2, from 1991, is what the Linux kernel uses. GPLv3, from 2007, added clauses that address issues the free software community cared about by then:

  • Anti-Tivoization: GPLv3 requires that if you ship GPLv3 software in a consumer device, you must provide what's needed to install modified versions, closing the loophole where a vendor shipped the source but locked the hardware so modified builds wouldn't run.
  • Patent provisions: GPLv3 includes an explicit patent grant, so contributors can't distribute the software and later sue users over patents it relies on.
  • License compatibility: GPLv3 improved compatibility with some other licenses, notably the Apache 2.0 license.

The two versions are not automatically compatible with each other. Code that is "GPLv2 only" cannot be combined with GPLv3 code, which is a real constraint when assembling dependencies.

LGPL and AGPL, the important variants

Two relatives change the boundary:

  • LGPL (Lesser GPL) is designed for libraries. It lets proprietary software link against an LGPL library without the whole application becoming subject to copyleft, as long as the library itself and its modifications stay under the LGPL. This is the license to reach for when you want a shareable library that closed-source apps can use.
  • AGPL (Affero GPL) closes the network loophole. Under the plain GPL, running modified software as a hosted service does not count as distribution, so a SaaS provider can modify GPL code without publishing changes. The AGPL treats offering the software over a network as if it were distribution, so a hosted AGPL application must offer its source to users. If your dependency scanner flags an AGPL component in a service you host, that is a real obligation, not a footnote.

Why this matters for software supply chain risk

License obligations travel through your dependency tree the same way vulnerabilities do. A permissive package you added directly might pull in a GPL or AGPL transitive dependency you never chose. If you distribute or host the result without meeting the copyleft terms, you have a compliance problem that can force a code release or an expensive rewrite.

This is a license-scanning problem as much as a security one. The same SCA tooling that surfaces vulnerable dependencies can inventory the license of every package, direct and transitive, and flag copyleft obligations before you ship. Catching an AGPL dependency during development is cheap; discovering it during due diligence for an acquisition is not. Our academy covers how license scanning fits alongside vulnerability management in a single dependency workflow.

Practical guidance

  • Decide your policy in advance: which licenses are allowed, which need review, and which are banned outright.
  • Scan for licenses continuously, including transitive dependencies, not just the packages you added directly.
  • Treat AGPL in a hosted service and GPL in distributed software as review-required by default.
  • When in doubt about whether your use triggers copyleft, get legal advice; the line between "derivative work" and "mere aggregation" is genuinely nuanced.

FAQ

GPL adalah lisensi apa?

GPL adalah GNU General Public License, a copyleft free-software license. It lets anyone use, study, modify, and redistribute the software, on the condition that distributed derivative works are released under the same GPL terms with source available.

Can I use GPL software in a commercial product?

Yes. The GPL does not forbid commercial use or charging money. What it requires is that if you distribute software containing GPL code, you provide the corresponding source under the GPL. Many businesses build commercial offerings on GPL software while meeting that obligation.

Does using a GPL library force my whole application to be GPL?

It depends on how you combine them and which variant applies. Linking against a plain GPL library in distributed software generally extends copyleft to your application, while the LGPL is specifically designed to allow proprietary software to link against the library without that effect. The AGPL additionally triggers obligations for network-hosted software.

What's the difference between GPL and permissive licenses like MIT?

Permissive licenses like MIT and Apache let you build closed-source products with few conditions beyond preserving notices. The GPL adds copyleft, requiring distributed derivatives to remain under the GPL with source available. That obligation is the defining practical difference.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.