The SaaS Loophole in GPL Open Source Licenses


When the copyleft AGPL was first published, many leaders in the open source community had something to say about a supposed loophole in the GPL that allowed SaaS companies to integrate GPL open source libraries without sharing their code. This “loophole” was intentionally left in version 3 of the GPL, because letting users interact with a piece of software over the network does not constitute distribution.

“Distribution is the triggering event of the GPL,” explains Adv. Haim Ravia, chair of the Cyber & Copyright Group at Pearl Cohen Zedek Latzer Baratz, an international law firm with offices in Israel, the UK and the US. “In the absence of distribution, a user is merely using the software, and since the act of running the GPL code is not subject to the license, one does not have to share their modifications to the code.”

The GPL copyleft license

The GPL is a copyleft, or viral license. This means that if your work is based on, or derivative of, a GPL component, and you distribute your work, it must be made available subject to the GPL. This includes your obligation to release its source code, as well as granting recipients the GPL rights to modify and distribute the entire code. The source code that you release must also be under the same GPL (hence the name viral license since it jumps from project to project).

When it comes to SaaS or Application Service Providers (ASP), the GPL requires only the parties that actually distribute their modified version of GPL code to abide by the GPL. In practice this means that making your software available through remote interaction does not amount to “distributing” it, and so does not trigger the GPL’s source-sharing obligation.

Good GNUs: AGPL — the GNU solution that closes the GPL SaaS loophole

Section 13 of the GNU AGPL closed the GPL SaaS loophole. It obligates anyone who modifies an AGPL-licensed component and runs it on a server that users interact with over a network (as is the case with SaaS and ASP) to offer the Corresponding Source of the modified version to those remote users:

“Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.”

“The difference between the GPL and the AGPL in relation to SaaS is that the triggering factor in the AGPL is modification, while in the GPL the triggering factor for license enforcement is distribution,” says Adv. Ravia.

The GPL SaaS loophole made headlines around the time the AGPL was released. Some experts said it wasn’t really needed, while others wondered whether it served the commercial giants of software over the open source community and smaller, younger businesses.

Distribution and license confusion

Much of the confusion comes from what “distributed” actually means for software. The distinction matters: as long as you are not distributing your code, you do not need to share it, but whether you are distributing is more nuanced than you might expect.

For example, under the GPL, sending JavaScript to a user’s browser is conveying a copy of that code, which is distribution. If a GPL library is part of the JavaScript sent to users, the loophole does not apply, and the corresponding client-side source must be made available under the GPL. Considering the dominance of JavaScript in web development, finding a SaaS product that is 100% JavaScript-free is quite a challenge.
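As an added example (not code from the original post, nor Mend’s own tooling), here is a small Python check that applies the two triggering rules the post describes, GPL on distribution and AGPL section 13 on modification plus network interaction, to a dependency inventory. The package names, license strings, and the flags recording whether each component is shipped to the browser, modified, or network-facing are constructed for illustration; in a real project they would come from your package manifests or SCA tool. Licenses the post does not discuss are reported for manual review rather than silently passed.

```python
"""Added example (not from the original post): apply the post's two GPL/AGPL
triggering rules to a constructed dependency inventory.

Rules as the post states them:
  * GPL  - the trigger is distribution. Server-side-only code is not
           distributed; JavaScript sent to the browser is.
  * AGPL - section 13 is triggered by modifying the component and letting
           users interact with it over a network (SaaS/ASP).
Anything else is reported for manual review rather than silently passed.
Package names, license strings and flags below are constructed for this
example; they are not a real project's manifest.
"""
from dataclasses import dataclass
from typing import List, Tuple

SOURCE_REQUIRED = "SOURCE_REQUIRED"  # the license's trigger has fired
NO_TRIGGER = "NO_TRIGGER"            # trigger not fired / no such obligation
REVIEW = "REVIEW"                    # license not covered by these rules

# Abbreviated allowlist of licenses with no source-sharing obligation.
PERMISSIVE = {"MIT", "ISC", "BSD-2-CLAUSE", "BSD-3-CLAUSE", "APACHE-2.0"}


@dataclass(frozen=True)
class Dependency:
    name: str
    license: str              # SPDX identifier as found in the manifest
    shipped_to_browser: bool  # bundled into client-side JavaScript
    modified: bool            # we run a patched or forked copy
    network_facing: bool      # users interact with it remotely


def license_family(spdx: str) -> str:
    """Map an SPDX identifier to GPL, AGPL, PERMISSIVE or OTHER.

    startswith() is deliberate: a substring test for "GPL" would also match
    LGPL identifiers, which the post does not discuss and this check does
    not rule on. Dual-license expressions ("MIT OR GPL-2.0-only") and
    license exceptions are not parsed either; they fall through to OTHER.
    """
    ident = spdx.strip().upper()
    if ident.startswith("AGPL"):
        return "AGPL"
    if ident.startswith("GPL"):
        return "GPL"
    if ident in PERMISSIVE:
        return "PERMISSIVE"
    return "OTHER"


def source_obligation(dep: Dependency) -> Tuple[str, str]:
    """Return (verdict, reason) for one dependency under the post's rules."""
    family = license_family(dep.license)
    if family == "GPL":
        if dep.shipped_to_browser:
            return SOURCE_REQUIRED, "GPL: JavaScript sent to the browser is distribution"
        return NO_TRIGGER, "GPL: used server-side only, no distribution, no trigger"
    if family == "AGPL":
        if dep.modified and dep.network_facing:
            return SOURCE_REQUIRED, "AGPL s.13: modified and offered over a network"
        if dep.shipped_to_browser:
            # AGPLv3 keeps GPLv3's conveying obligations; not stated in the post.
            return SOURCE_REQUIRED, "AGPL: JavaScript sent to the browser is distribution"
        return NO_TRIGGER, "AGPL: s.13 needs both modification and remote interaction"
    if family == "PERMISSIVE":
        return NO_TRIGGER, f"{dep.license}: no source-sharing obligation"
    return REVIEW, f"{dep.license}: not covered by the GPL/AGPL rules, review manually"


def audit(deps: List[Dependency]) -> List[Tuple[str, str, str]]:
    """Run source_obligation over an inventory; returns (name, verdict, reason)."""
    return [(d.name, *source_obligation(d)) for d in deps]


# Constructed inventory for the example (not a real project).
SAMPLE_INVENTORY = [
    Dependency("srv-reporting", "GPL-3.0-only", shipped_to_browser=False, modified=True, network_facing=True),
    Dependency("ui-datepicker", "GPL-2.0-or-later", shipped_to_browser=True, modified=False, network_facing=True),
    Dependency("search-core", "AGPL-3.0-only", shipped_to_browser=False, modified=True, network_facing=True),
    Dependency("job-queue", "AGPL-3.0-only", shipped_to_browser=False, modified=False, network_facing=True),
    Dependency("string-utils", "MIT", shipped_to_browser=True, modified=False, network_facing=True),
    Dependency("img-codec", "LGPL-2.1-only", shipped_to_browser=True, modified=False, network_facing=True),
]

if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE_INVENTORY):
        print(f"{name:14} {verdict:16} {reason}")
```

The point of the REVIEW verdict is that a compliance check should fail closed: an identifier the rules do not understand (LGPL, a dual-license expression, a license exception) is a question for counsel, not a pass. The `shipped_to_browser` flag is what encodes the post’s JavaScript observation; in a real pipeline it would be derived from the client bundle’s dependency graph rather than set by hand.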

Mind the SaaS loophole: Choose your open source licenses wisely

While the debate around the GPL SaaS loophole and the effectiveness of the AGPL might be a thing of the past, the licenses of the open source components you use still matter. Many of them are a challenge to understand if you are not well versed in legalese, but that does not mean you can get away with being non-compliant.

Using open source components and counting on a supposed loophole in their open source licensing to stay compliant is not recommended. Choose your licenses wisely, consult with legal experts when necessary, and make sure you have an open source license compliance policy in place.

*Disclaimer: This post is not legal advice, it is for informational purposes only. If you need legal advice, you should consult with an attorney, who has reviewed all relevant facts and applicable law.
