Safeguard
Security

GPL Meaning Explained: What the GNU General Public License Requires

GPL means GNU General Public License, a copyleft license that grants broad freedoms but requires you to share source under the same terms. Here is what that means for your code.

Yukti Singhal
Platform Engineer
6 min read

GPL means the GNU General Public License, a copyleft open-source license that grants anyone the freedom to use, study, modify, and redistribute software, on the condition that derivative works are released under the same license with source code available. The GPL meaning that trips teams up is that last part: "copyleft" is what separates the GPL from permissive licenses, and it can create obligations that reach into your own proprietary code if you are not careful about how you combine it.

Understanding the GPL is less about the philosophy and more about knowing when the sharing requirement kicks in.

Where the GPL comes from

The GPL was written by Richard Stallman and the Free Software Foundation to protect the "four freedoms" of free software: the freedom to run the program, to study and change it, to redistribute copies, and to distribute modified versions. The mechanism that enforces those freedoms downstream is copyleft.

A permissive license like MIT or BSD says "do what you want, just keep the copyright notice." Copyleft goes further: it says "you have these freedoms, and you must pass the same freedoms on to anyone you give the software to." That reciprocal obligation is the defining feature of the GPL and the reason it matters for compliance.

The core obligations

If you distribute software that includes GPL-licensed code, the license generally requires you to:

  • Provide the complete source code for the work, or a written offer to supply it.
  • License the whole combined work under the GPL, so recipients get the same freedoms.
  • Preserve copyright and license notices.
  • State any changes you made to the original code.

The word doing the heavy lifting is "distribute." The GPL's obligations are triggered by conveying the software to others, not merely by using it internally. This is the single most misunderstood point about the GPL.

Using GPL code internally

If you run GPL software inside your company and never distribute the binaries outside your organization, the copyleft obligation to publish source generally does not trigger. You can modify a GPL tool for internal use and keep those changes private, because you have not conveyed the software to anyone else.

The important exception is the AGPL, the Affero GPL. The AGPL closes what its authors saw as a loophole: it treats providing access to the software over a network as equivalent to distribution. If you run modified AGPL code as a web service, you are typically obligated to offer users the source, even though you never shipped them a binary. Any team running a SaaS product needs to treat AGPL dependencies with particular care.

GPL versions and the linking question

There are two GPL versions in wide use, GPLv2 and GPLv3, and they are not interchangeable. GPLv3 added explicit patent grants and anti-tivoization terms. A subtlety worth knowing: GPLv2 without the "or later" clause is not compatible with GPLv3, so combining code under those two licenses in one work can create a conflict.

There is also the LGPL, the Lesser GPL, designed for libraries. The LGPL lets you link a library into a proprietary program without the copyleft spreading to your whole application, as long as users can replace the LGPL library. The distinction between static and dynamic linking, and how far the "derivative work" boundary extends, is genuinely contested legal territory. When a real product decision rides on it, get counsel rather than a blog's opinion.

Why this is a security and engineering problem, not just legal

License obligations become a real risk when a GPL or AGPL dependency enters your codebase without anyone noticing. A permissively licensed package you depend on might itself pull in a GPL component transitively, and now your "MIT-safe" application has a copyleft obligation buried three levels deep in the dependency graph. Nobody chose it; it arrived with something else.

This is exactly the kind of thing that surfaces only at the worst time, during an acquisition due-diligence review or a customer's security questionnaire. Catching it early is a matter of inventory. Software composition analysis reads your dependency tree and reports the license of every package, including the transitive ones. An SCA tool such as Safeguard can flag a GPL or AGPL license appearing anywhere in your graph and let you set a policy that fails a build if a copyleft license shows up where you did not expect it. If you want a broader map of how licenses differ, our guide to types of software licensing lays out the permissive-versus-copyleft spectrum.

A practical policy

Most engineering organizations settle on a tiered policy:

  • Allow permissive licenses (MIT, BSD, Apache 2.0) freely.
  • Review weak copyleft (LGPL, MPL) case by case, checking how the code is linked.
  • Restrict or forbid strong copyleft (GPL, AGPL) in code you distribute or serve, unless the whole project is intentionally GPL.

Encode that policy in your dependency scanner so it enforces itself on every pull request. That turns license compliance from a manual audit into a gate, which is the only way it stays reliable as the dependency tree grows.

FAQ

What does GPL stand for?

GPL stands for GNU General Public License. It is a copyleft free-software license created by the Free Software Foundation that guarantees users the freedom to run, study, modify, and redistribute the software.

Does using GPL software mean I have to open source my code?

Only if you distribute software that incorporates the GPL code. Purely internal use generally does not trigger the source-sharing obligation. The AGPL is the exception, treating network access to the software as distribution.

What is the difference between GPL and LGPL?

The GPL is strong copyleft: derivative works must also be GPL. The LGPL (Lesser GPL) is designed for libraries and lets you link the library into a proprietary program without the copyleft spreading to your whole application, subject to conditions.

How do I find GPL dependencies I did not choose?

Use software composition analysis to scan your full dependency tree, including transitive dependencies. It reports the license of every package, so a GPL or AGPL license pulled in indirectly becomes visible and can be blocked by policy.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.