In most software organizations, licensing is a legal team's problem. In organizations that ship products containing hundreds of open-source dependencies, it's an engineering problem with legal consequences. The difference between "we use open source" and "we are in compliance" is a gulf that spans millions in legal fees and, in extreme cases, forces entire product lines to be pulled.
Sarah Chen (name changed for professional privacy) has been the lead for a large enterprise's Open Source Program Office (OSPO) for six years. Her organization maintains roughly 1,500 active repositories, each dependency tree a potential legal landmine. "I spend my day not in courtrooms but in build logs and dependency graphs," she says. "The law is the destination. The code is the road map."
This is a profile of how one OSPO lead actually handles the messiest part of that job: GNU license compliance at scale.
The Inbox That Never Empties
Chen starts each morning with a Slack channel populated by automated alerts from FOSSA and ScanCode. Each notification is a candidate license incompatibility logged by a nightly scan of the organization's build pipeline. "I used to be excited when we got zero alerts," she says. "Now I know that just means our scan coverage is incomplete."
The alerts fall into three buckets. The easiest are clearly misidentified licenses—the ScanCode classifier flags a file as "GPL-2.0-only" when a developer included a three-line snippet from a StackOverflow answer that happened to contain a copy of the GPL boilerplate in a comment. "That's noise," Chen explains. "I close it in under a minute."
The middle bucket is weak copyleft ambiguities. A library is marked "LGPL-2.1" but actually imports GPL-3.0 code. The static linker might be the difference between a clean bill of health and a mandatory source release. Chen triages these by checking the actual import graph, not just the declared license.
The hard bucket is the one that keeps her awake. Direct GPL propagation into proprietary code. A developer in a product team added a utility function copied from a forum post. That utility function was derived from a GPL-2.0-only library. One repository, one developer, one cut-and-paste. The entire product line's compliance chain now has a gap.
"The vast majority of GPL violations in products are not malicious. They're ignorance. A junior developer sees a 15-line function on a blog and thinks 'this is too trivial to matter.' That's how companies get sued."
The Dependency Tree as a Legal Document
Chen's team maintains a living document that looks nothing like a contract. It's a provenance graph: a directed acyclic graph where each node is a file, each edge is a relationship (import, include, link, copy-paste). The graph is regenerated nightly from the build system's output, not from a manually curated spreadsheet.
"Manual curation fails at scale," Chen says matter-of-factly. "You can't ask 300 developers to log every snippet they paste. You have to instrument the toolchain."
Her team uses ORT (OSS Review Toolkit) to trace dependencies through Maven, npm, PyPI, and Go modules. They augment this with a custom Git hook that runs a license classifier on every commit. When a developer introduces a file that contains license text or a copyright header, the hook flags it before it reaches the main branch.
The result is a compliance delta on every pull request. A PR that adds a new dependency shown to be GPL-3.0 triggers a manual review block. The developer cannot merge until Chen or a team member signs off.
# Example: A Git hook that blocks commits containing GPL-licensed snippets
#!/bin/bash
# .git/hooks/pre-commit
FILES=$(git diff --cached --name-only --diff-filter=A)
for file in $FILES; do
if grep -q "GNU General Public License" "$file"; then
echo "ERROR: $file contains GPL license text."
echo "This commit is blocked. Contact OSPO for review."
exit 1
fi
done
"That hook alone cut our false-negative rate by 40% in the first quarter," Chen reports. "It's primitive, but it catches the pattern that most violations start as: a developer pasting code without reading the header."
The Copyleft Compatibility Web
The core intellectual challenge of GNU compliance is not reading license text. It's understanding how licenses interact at the linker and runtime level. Chen keeps a table on her wall. It's not a legal document—it's a compatibility matrix she built from reading the Free Software Foundation's FAQ and cross-referencing it with actual court rulings.
| License (Code) | Can link with GPL-2.0? | Can link with GPL-3.0? | Can distribute combined? |
|---|---|---|---|
| GPL-2.0-only | Yes | No (unless upgrade clause) | Yes, if all source distributed |
| LGPL-2.1 | Yes (dynamic link only) | No | Yes, with notice |
| Apache-2.0 | No (GPL-2.0 incompatible) | Yes (GPL-3.0 compatible) | Yes, as GPL-3.0 combined work |
| MIT | Yes | Yes | Yes |
| AGPL-3.0 | No | Yes | Yes, with network source requirement |
"GPL-2.0 is the hard one," Chen notes. "It's the most widely used copyleft license in legacy enterprise code, and it's incompatible with Apache-2.0, which is the most popular permissive license for modern cloud-native projects. That single incompatibility causes more compliance headaches than any other pair."
Her team's automated scans flag any case where a GPL-2.0 dependency is statically linked with an Apache-2.0 dependency. "If it's dynamic linking, we're fine. If it's static, we need to either relicense, replace the dependency, or move the GPL code into a separate process with IPC."
The Snippet Sinkhole
The hardest problem Chen faces is not full libraries. It's snippet contamination—the invisible accumulation of small blocks of GPL-licensed code that developers paste from forums, Stack Overflow, or GitHub gists. These snippets rarely carry copyright headers. They are code without provenance.
"We ran an experiment last year," Chen says. "We took the entire codebase of a moderate-sized product—about 500kloc—and ran it through a token-sequence similarity checker against a corpus of 10,000 GPL-licensed GitHub repositories. We found 47 candidate snippets that matched GPL code with high confidence. Twenty-three were false positives from generic algorithms. Twenty-four were real."
Twenty-four snippets, none longer than 20 lines. Each one a potential GPL propagation vector. "The question is not whether we can find them. It's whether we can prove the provenance. And proving provenance backwards through a chain of copy-paste is incredibly difficult."
Chen's team uses Codequiry's snippet-level similarity engine to do this work. "What I need is not just 'this code is similar to GPL code.' I need 'this code matches these three specific GPL-licensed files, and here is the commit history showing the copying.' That's a higher bar, but it's the bar that matters for compliance."
The solution Chen settled on is a combination of pre-commit scanning and a monthly full-codebase sweep. The pre-commit scan catches new snippets before they contaminate the main branch. The monthly sweep catches existing contamination that bypassed the hooks—typically from third-party contractors who pushed code through a different path.
The Third-Party Code Audit
Speaking of contractors: Chen's organization brings in approximately 200 contractors per year across multiple product teams. Each contractor signs a standard IP assignment agreement. But the agreement is only as good as the code review that follows.
"We had a case two years ago where a contractor delivered a complete authentication module. It passed code review. It passed static analysis. It passed security scans. But it contained a 30-line function that was copied verbatim from a GPL-2.0-licensed project on GitHub. The function was the core of the token validation logic."
The contractor had not disclosed the dependency. They had copied the function, changed variable names, and did not include the copyright notice. "That's not just a compliance issue. That's a copyright infringement issue. The original author could sue for damages."
"If a contractor delivers code that violates a GPL's notice requirements, the liability sits with the company that distributes the product. The contractor disappears. You are left holding the legal bag."
Now Chen's team runs a contractor-specific audit pipeline. Every commit from a contractor account is flagged for an additional license scan. The scan compares the new code against a corpus of GPL-licensed projects using both textual and AST-based similarity. If the similarity exceeds a threshold (Chen uses 75% for snippets under 50 lines, 60% for longer blocks), the commit is blocked and the contractor is asked to provide provenance documentation.
"I've had contractors push back. They say 'this is a standard algorithm, it's not copyrighted.' I point them to the specific GitHub repository that has an identical function, with a copyright header, and ask them to explain the similarity. Usually the next commit removes the copied code."
The Art of the Compliance Notice
When a GPL violation is found in a shipped product, the response is not to panic. It's to issue a notice and offer source code. Under GPL-2.0 section 3, the penalty for noncompliance is loss of the license to distribute. The cure is to provide the complete corresponding source code.
"I've seen companies try to hide violations. They patch the binary and hope nobody notices. That's a terrible strategy. The GPL's termination clause is self-executing. Once you violate, you lose the right to distribute. If you keep distributing after that, you're infringing copyright, and the damages are statutory."
Chen's team maintains a template for compliance notices. It specifies the product, the version, the GPL-licensed component, and a URL where the source code can be downloaded. "We send it to the copyright holder, publish it on our website, and include it in the product's documentation. It's a 30-minute process once you have the automation in place."
The more common scenario is pre-release. "We catch 90% of violations before they ship. The remaining 10% we catch in the first month of distribution. We've never had a lawsuit. But we've spent hundreds of hours on the close calls."
The OSPO as Internal Consultant
Chen's team has grown from two people to eight in six years. They serve as an internal consultancy, not a enforcement squad. "If I just block commits, developers will work around me. If I explain why a license matters, and show them the clean alternative, they adopt the practice."
Her team maintains a internal wiki called "The Licensing Playbook" that documents every dependency, every license, and every compatibility decision. It is updated within 24 hours of any scan result that changes the status of a dependency. "If a developer asks 'can I use this library?', I want them to be able to find the answer in 10 seconds, not wait for a legal review."
The playbook includes a decision tree for the most common scenario: a developer wants to use a GPL-licensed library in a proprietary product.
- Can the library be replaced? If yes, use the replacement. If no...
- Can the library be used as a separate process? For example, a GPL-licensed image processing library can run as a standalone service called via REST. If yes, isolate it. If no...
- Can the product ship under a GPL-compatible license? If the product's business model allows open source, this is the cleanest path. If no...
- Can the library be used under a commercial license? Many GPL projects offer commercial licenses that remove the copyleft requirement. If yes, purchase one. If no...
- Do not use the library. Find an alternative, even if it means rewriting the functionality.
"I've never reached step five with a product team that actually needed the functionality. There's always a commercial license or a workaround. But having the tree published means I'm not explaining this from scratch every time."
The Tooling Gap and the Human Element
Chen is careful to note that no tool catches everything. "ScanCode misses about 15% of license declarations because they're embedded in non-standard comment formats. FOSSA sometimes classifies code with no license as proprietary, which generates false positives. And the AST similarity tools catch structural copies but miss semantic reimplementation—where a developer understands the algorithm and rewrites it from memory, but produces a functionally identical implementation."
The semantic reimplementation case is the hardest to audit. "If a developer reads a GPL-licensed sorting algorithm, closes the browser, and writes their own implementation from memory, the resulting code might pass every similarity check. But legally, if the algorithm is not generic (if it contains original creative choices), it may still be a derivative work."
That's a legal determination, not an engineering one. Chen's role is to flag the scenario and document the chain of knowledge. "I can't tell a developer 'you cannot write a quicksort because you saw a GPL-licensed one.' That's absurd. But I can tell them 'if you copy the comments, the variable names, and the specific edge-case handling from that GPL code, you have created a derivative work.'"
Lessons for Other Organizations
Chen offers three pieces of advice for any organization starting an OSPO or scaling license compliance.
First, automate the data collection but not the decision. "Let machines produce the compliance delta. But let humans make the judgment calls about what constitutes a derivative work, what constitutes fair use of a snippet, and what constitutes a de minimis copy. The GPL does not have a clear 'safe harbor' for small copies. Courts have not provided one. So the judgment is yours."
Second, invest in developer education, not just legal language. "I run a 30-minute seminar every quarter. I show developers real examples of code that triggered violations. I show them the cost. I show them how to check a license before pasting. It takes 30 minutes and it saves months of cleanup."
Third, accept that perfect compliance is a myth. "You will miss some snippets. You will misclassify some licenses. You will have a product ship with a GPL library you didn't know about. The goal is not to have zero violations. The goal is to find them before the copyright holder does, and to fix them fast when you do."
Chen's organization has not been sued. She attributes that to a combination of automation, process, and a culture that treats licensing as an engineering concern rather than a legal afterthought. "The GNU licenses are not mysterious. They are precise, well-documented, and enforceable. The work of compliance is matching that precision in your own codebase. It's engineering work. That's what makes it interesting."