Safeguard
Licensing

What Is a Copyleft License?

Copyleft licenses grant broad rights on one condition: derivative works must stay under the same terms. Here is how strong and weak copyleft differ, and what actually triggers the obligation.

Safeguard Research Team
Research
5 min read

A copyleft license is an open source license that lets you use, modify, and distribute code freely, on the condition that derivative works are released under the same license. Where permissive licenses like MIT ask only for attribution, copyleft uses copyright law to guarantee that the code, and improvements to it, stay open. The GPL family is the best-known example.

The name is a deliberate play on "copyright". Instead of reserving rights, the author reserves openness: you can do almost anything with the code except lock it up.

How Does a Copyleft License Work?

Copyleft works through ordinary copyright. The author holds copyright in the code and offers it under a license that grants four freedoms: run, study, modify, redistribute. Attached to that grant is the share-alike condition. If you distribute a work based on the licensed code, you must:

  • License your derivative under the same terms,
  • Provide the complete corresponding source code (or a written offer to supply it),
  • Preserve copyright and license notices,
  • Avoid adding restrictions the original license does not contain.

Refuse the conditions and you have no license at all, which makes distribution copyright infringement. That is the enforcement mechanism, and it has held up in court repeatedly, from the German gpl-violations.org cases against router vendors to US litigation involving BusyBox.

What Is the Difference Between Strong and Weak Copyleft?

Not every copyleft license reaches equally far. The practical spectrum:

Strong copyleft (GPL-2.0, GPL-3.0). The share-alike condition covers the entire combined work. If your program incorporates GPL code and you distribute the program, the whole thing must be offered under the GPL. This is the "viral" behavior people worry about, although the obligation only exists when distribution happens.

Network copyleft (AGPL-3.0). The GPL's trigger is distribution, which SaaS never does: users interact with the software over a network and no binary changes hands. AGPL-3.0 closes that gap. If users interact with a modified version over a network, they must be able to get the modified source. This is why AGPL components get special scrutiny in SaaS dependency policies.

Weak copyleft (LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0). The condition is scoped to the licensed component itself. Under the LGPL you can link a proprietary application against the library as long as changes to the library itself stay open and users can relink against a modified version. MPL-2.0 scopes even tighter, to individual files: modify an MPL file and that file stays MPL; the rest of your codebase is unaffected.

What Actually Triggers Copyleft Obligations?

This is the part teams most often get wrong, in both directions. The obligations trigger on distribution (or network interaction, for AGPL). They do not trigger on use.

  • Internal tools: running GPL software inside your company, unmodified or modified, is not distribution. No obligation to publish anything.
  • SaaS with GPL components: serving users over the network is not distribution under GPL-2.0 or GPL-3.0. Only AGPL reaches this scenario.
  • Shipping a product: an installer, a firmware image, a container image handed to customers, a mobile app. All of these are distribution, and copyleft conditions apply to whatever the license defines as the covered work.
  • Selling is fine: copyleft does not prohibit commercial use. You can sell GPL software; you just cannot withhold the source from the people you distribute it to.

The boundary questions, such as what counts as a derivative work versus mere aggregation, and whether dynamic linking creates a combined work, are genuinely contested legal territory. Most compliance programs sidestep the ambiguity with policy: strong copyleft is kept out of anything that ships to customers unless the product is itself open source.

How Should Teams Manage Copyleft Risk in Dependencies?

A copyleft license in your dependency tree is not automatically a problem; an undetected one is. A workable policy has three parts:

  1. Inventory. Generate a full dependency inventory, including transitive dependencies, with the declared license for each component. This is standard SBOM territory, and software composition analysis tooling automates it, flagging copyleft components the moment they enter the tree.
  2. Classify by context. The same GPL library can be fine in an internal CLI and unacceptable in your distributed agent. Policy should key on where the component ends up, not just what the license says.
  3. Gate in CI. License checks belong next to vulnerability checks in the pipeline, so an engineer adding an AGPL package to a proprietary service gets feedback at pull-request time rather than during a due-diligence scramble. Safeguard treats license policy violations as findings alongside CVEs for exactly this reason, and our Academy has a hands-on module on setting license policies that do not drown teams in false alarms.

FAQ

What is the most common copyleft license?

The GPL family dominates. GPL-2.0 (the Linux kernel's license) and GPL-3.0 are the most widespread strong copyleft licenses, LGPL is the most common weak copyleft license for libraries, and AGPL-3.0 is the standard choice for network copyleft.

Can I use copyleft code in commercial software?

Yes, with conditions. You can use and even sell copyleft software commercially, but if you distribute a derivative work you must release it under the same license with source available. Weak copyleft licenses like LGPL and MPL-2.0 allow proprietary applications to use the component as long as changes to the component itself remain open.

Does copyleft apply if I only use the software internally?

No. Copyleft obligations trigger on distribution, and internal use within one organization is not distribution. The exception to remember is AGPL-3.0, which triggers when users interact with the software over a network, even if no copy is ever handed out.

Is copyleft the same as open source?

No. All copyleft licenses are open source licenses, but many open source licenses (MIT, Apache-2.0, BSD) are permissive rather than copyleft. The difference is whether derivative works must stay under the same terms.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.