Notes from the Field: SCA Analysts and Code Insight Product Trainers talk Observations, Trends and Findings.
I find the subject of GPL Linking Exceptions resurfacing often, whether I’m on a SBOM review call with an audit client, advising on Remediation Practices and open source license policy creation, or simply refreshing my peers knowledge on open source license exceptions. There are a lot of tricky ones out there, but below I cover two key factors that are always in play and will dramatically impact your efforts on all levels of remediation and policy creation when building your commercial products.
What is the difference between Static linking and Dynamic linking?
First off—Linking is how code is bundled and made to work together.
Many open source licenses use linking as a test to determine what code needs to be shared with the community. Many important software licenses are affected by Linking, especially GPL and LGPL licenses.
- All software is compiled into a single executable file
- Modules often “hidden” inside single exe
- Sometimes required by your platform (esp. in the embedded computing space)
- All source released if any GPL/LGPL in use in the file
This diagram shows how compiled code gets linked into a statically linked executable. They end up compiled into a single file.
Under licenses like the GPL license, you are required to share all the source used to create this binary if you distribute it, including your own. In this case the same would be true of LGPL licensed code except in specific circumstances. For example, there’s no need to share code if you provide special compiled linkable object files for YOUR code to end users in the LGPL case.
- Modules are compiled into separate library files (.dll or .so)
- These Modules or files can be seen by users
- Only LGPL source shared in its file; GPL still a concern everywhere it is found
This diagram shows how compiled code gets linked into a DYNAMICALLY linked executable. They end up compiled into multiple files, often with .dll or .so extensions.
Under licenses like the GPL license, you are required to share all the source used to create all of these binaries if you distribute it.
In this case LGPL licensed modules would require the source for the LGPL module (box) to be distributed. The rest of the source can be kept closed if desired (your code).
Regardless of whether your organization has policies in place for handling Linking Exceptions it is good to understand how you are affected by each scenario, whether it be static or dynamically linked code. Once we understand our obligations and how the LGPL and GPL affect us regarding binaries we can help our organizations better navigate the landscape of some of these tricky copyleft license exceptions.