Open source software has become an integral part of modern software development, whether in the development of computer games (game development) or plugins for popular platforms such as WordPress or Shopify. Developers often utilize freely available libraries, engines, and code snippets for cost reasons and due to extensive community support. However, "freely available" does not equate to "free of conditions."
Especially in IT law and media law, the legal framework of these open source licenses plays a crucial role. Copyright law and contract law, in particular, establish specific limits on the use of open source, which developers and companies must understand. Awareness of these regulations is vital for legal compliance.
This blog post offers a comprehensive overview of using open source in game development and plugin creation. It focuses on practical aspects, including: license compatibility between common licenses (such as GPL, MIT, Apache), risks and legal consequences of license violations, and the effects of copyleft licenses (especially the GPL) on proprietary software. Additionally, it addresses contractual elements such as integration clauses, testing obligations, and due diligence.
The information is presented neutrally and with legal precision, yet remains accessible for practitioners. Game, software, and plugin developers should recognize what they need to consider to avoid legal pitfalls. Key terms from IT law, copyright law, and contract law are explained. Relevant German legal norms, such as those from the Copyright Act (UrhG), along with court decisions and practical examples, are included to provide a clear understanding.
Basics of Open Source Licenses
Open Source and Copyright
Open source software (OSS) refers to software whose source code is publicly accessible. Third parties may use, modify, and redistribute this software, but always under specific license conditions. Legally, this model is rooted in copyright law.
Under German law, software enjoys copyright protection as a computer program (Section 2 (1) No. 1, Section 69a UrhG). The author or rights holder of the software possesses extensive exclusive rights of use (Section 69c UrhG). These include the rights to reproduce, distribute, modify, or publicly make the program available. Therefore, no one may legally copy or distribute the software without the rights holder's consent.
A software license precisely represents this consent. In a license agreement, the author grants a user certain rights of use (Section 31 UrhG). Open source licenses are typically pre-formulated standard licenses, granting everyone specific rights to the software. These rights are usually provided free of charge and for an unlimited period, but they are always linked to conditions.
These conditions differentiate open source licenses from purely "free" (unconditional) public domain software. From a legal perspective, open source licenses often function like general terms and conditions (GTC). They are unilaterally set by the author and accepted when the software is used. Consequently, they must comply with the law on general terms and conditions (§§ 305 ff. BGB).
It is important to note that even without a signed contract, the open source license applies by implication. Anyone who uses or distributes the software agrees to the terms of the license. With open source, the "conclusion of the contract" occurs, in essence, through the act of using the software.
The OSI (Open Source Initiative) defines criteria for what constitutes an "open source" license. These criteria include free redistribution, access to the source code, permission for changes, and no discrimination against persons or fields of use. Well-known examples of such licenses include the GNU General Public License (GPL), the MIT license, the Apache License 2.0, and the BSD licenses, among many others.
Permissive vs. Copyleft Licenses
Open source licenses can be broadly categorized into two types: permissive licenses and copyleft licenses. The primary distinction lies in the strictness of the conditions governing further use of the code.
Permissive licenses grant extensive rights and impose only minimal conditions. Examples include the MIT license, the Apache License 2.0, and the BSD licenses. They permit the integration of software into your own projects, including proprietary software, and allow redistribution with virtually no restrictions. Typically, these licenses only require that a copyright notice and the license text (or a reference to it) be retained within the software.
For instance, the MIT license mandates that the original license text must accompany any redistributed code. The Apache License 2.0 also includes an explicit grant of patent licenses to users and some protective clauses (e.g., when modifying names/trademarks). Despite these additions, Apache 2.0 remains "permissive" because derived works may be published under any license (including proprietary) as long as its few conditions are met. Permissive licenses are favored by developers for offering maximum freedom and causing minimal legal conflicts. You can build closed software from permissively licensed code without needing to disclose source code or fulfill other usage obligations.
Copyleft licenses, conversely, impose stronger conditions and aim to pass on the freedom of the code. In essence, "copyleft" means that derived works of the licensed code must, in turn, be published under the same license. The underlying principle is to safeguard openness: no one should be able to take free code and transform it into a proprietary offshoot that is inaccessible to others without also making their own changes available to the community.
The GNU General Public License (GPL) is the most recognized and stringent copyleft license. While it allows users to use, modify, and redistribute the program free of charge, this is subject to certain conditions. When redistributing, the source code of the derived software must be disclosed, and the GPL license must apply to it. Additionally, the GPL requires retaining a reference to the licensor (copyright notice) and including a copy of the license with the program.
A disclaimer of liability and exclusion of warranty is also part of the GPL. However, in Germany, a complete exclusion of liability for intent and gross negligence would be invalid under general terms and conditions law (Section 309 No. 7 BGB). The essential core of the GPL is that if you integrate a GPL-licensed program or library into your own software and then distribute it, your entire software must also be under the GPL, and its source code must be openly accessible.
Beyond the "strong" GPL, there are also weakened copyleft licenses. The LGPL (Lesser GPL), for example, is considered a "weak copyleft." It permits an LGPL library to be integrated into proprietary software, as long as the library itself remains interchangeable and under LGPL. In practice, this often involves dynamically linking a DLL or .so file. The proprietary software must then allow the end-user to exchange the library for another version. The proprietary software itself does not have to be GPL/LGPL, but any changes to the LGPL component would need to be published.
Another variant is the AGPL (Affero GPL), which addresses a loophole in the GPL. For AGPL-licensed software, the source code must also be disclosed if the software is not distributed conventionally but used as a service over a network (Software-as-a-Service). This is relevant if, for instance, someone modifies an AGPL-licensed server or web service and offers it publicly. In such a case, there is an obligation to provide the source code of the changes.
In summary: Permissive licenses (MIT, Apache, BSD, etc.) are straightforward and compatible with proprietary use, imposing few restrictions beyond copyright attribution. Copyleft licenses (GPL and similar) ensure openness and force developers to reciprocate: what is taken must be given back. Both models are common in practice, with their use depending on the author's objectives. For game developers and plugin developers, it is crucial to identify the category of a component. This determination dictates how and if you are permitted to publish your own software.
Typical Open Source Licenses at a Glance
It is beneficial to briefly review the most important individual licenses commonly encountered in game and plugin development practice:
- GNU General Public License (GPL): Currently, mainly version 3 (GPLv3) and many projects under version 2 (GPLv2). This is a strict copyleft license. Conditions include: redistribution of the source code for all derived software, the same license type for redistribution, inclusion of the GPL license text, and naming of the author. It is often used for end applications and libraries where enforcing openness is desired (e.g., many Linux programs, as well as some game engines released as open source). Example: The id Tech 3 engine (basis of Quake 3) was released under GPL. Anyone publishing a game based on it would also have to release its code under GPL.
- MIT license (expat): A very short and simple license. Anyone may do anything with the code (modify, sell, license); liability is excluded. The key condition is that the MIT license text and copyright notice must be retained in all copies or significant parts thereof. There are no copyleft requirements, meaning MIT code can be used in proprietary projects. Example: The JavaScript library jQuery is MIT-licensed. It can be used in commercial web projects as long as the license notice is included somewhere in the imprint or code.
- Apache License 2.0: More comprehensive than MIT, but also permissive. In addition to the MIT obligations, it stipulates that the distribution of modified software must indicate what has been changed. It also includes a patent license: Contributing authors grant the user patent rights necessary to use the code. Conversely, a clause states that this patent license is forfeited if a lawsuit is filed against the provider for patent infringement (to avoid patent disputes). Despite these additions, Apache 2.0 is essentially free: Derived software may also be licensed differently (proprietary), provided the Apache license text is included and copyright notices are preserved. Example: The TensorFlow framework from Google is licensed under Apache 2.0. Companies can use it internally or commercially without having to disclose their own code.
- BSD licenses: These include the "3-clause BSD" (or "New BSD") and similar licenses. They are akin to the MIT license, allowing almost anything but requiring only that copyright notices be retained. An older variant, the 4-clause BSD, included an advertising clause (requiring the author to be named in advertising material), which was deemed too restrictive and incompatible with the GPL. Modern BSD licenses are GPL-compatible (more on this in the next section) and widely used, for instance, in networking or for operating systems (FreeBSD, etc.).
- Mozilla Public License 2.0 (MPL): Represents a middle ground between copyleft and permissive licenses. MPL is a file-based copyleft: changes to MPL-licensed files must be disclosed upon distribution, but these files can be included in a larger project without the entire project needing to be open. Proprietary and MPL files can coexist, provided they remain separate files. This license is mentioned here briefly, as GPL, MIT, and Apache are more common in game development and plugins. However, Mozilla, for example, uses MPL for Firefox, and some software libraries are also MPL-licensed. For plugin developers, MPL is less frequently relevant, with GPL or MIT being more common.
Summary of the basics: The various license types define the conditions under which code may be used. Developers should clarify early on which license an open source component has and what this concretely implies. This includes determining whether using it necessitates freely licensing their own code (copyleft) or if a simple notice (permissive) suffices. This question is central to further use in proprietary or commercial projects.
License Compatibility in Practice
When multiple components with differing licenses are combined in a software project, the issue of license compatibility arises. This refers to whether two (or more) sets of license conditions are compatible with each other. Compatibility allows the code to be used and distributed together without violating any of the licenses involved.
What Does License Compatibility Mean?
Every open source license mandates certain obligations. If you have software A under license X and software B under license Y, and you wish to combine A and B in a project (e.g., integrating library A into program B), their license conditions must match. Licenses are incompatible if one contains conditions that contradict those of another, or make it impossible to fulfill both simultaneously. They are compatible if both sets of obligations can be satisfied through a specific licensing path.
For example, code under an MIT license and code under a GPL license can be used together in a project. However, this is only possible if the entire resulting product is then placed under the GPL upon distribution. Why? The MIT license permits redistribution under any conditions (provided the copyright notice remains). It is therefore GPL-compatible because it lacks clauses that contradict the GPL. Thus, you can incorporate MIT code into a GPL project, but the final result must be licensed under the GPL, as the GPL mandates this for the entire work.
Conversely, integrating GPL code into an MIT-licensed project and continuing to publish it under MIT would not be permissible. This action would violate the obligations of the GPL, which requires the entire work to be under GPL, a condition MIT does not enforce. In such a scenario, practically everything must operate under the GPL.
GPL and Permissive Licenses
The GPL is known for its strictness regarding its "partners." It is compatible with many permissive licenses, but certainly not all. Licenses that are GPL-compatible include, for example:
- MIT license and 2- or 3-clause BSD licenses. These licenses have no conditions that conflict with the GPL. The code can be adopted, and the resulting software may (or even must) be under GPL. The original MIT/BSD code is effectively distributed under GPL at that point, which is permitted because the original license allows it.
- Apache License 2.0 and GPL: The specifics of compatibility depend on the versions. Apache 2.0 was classified by the Free Software Foundation as incompatible with GPLv2. The reason lies in Apache 2.0's clause regarding patent licenses and their termination if patent lawsuits arise. GPLv2 lacks such a clause and strictly requires that no additional restrictions be imposed on redistribution. A patent termination clause could be interpreted as an additional restriction. Therefore, Apache 2.0 + GPLv2 = conflicting. Consequently, code under Apache 2.0 cannot be integrated into a pure GPLv2 project without violating one of the licenses. However, Apache 2.0 is compatible with GPLv3, as GPL version 3 was designed to harmonize its patent regulations with the Apache license. This means that code under Apache 2.0 and code under GPLv3 can be combined by publishing the entire work under GPLv3. GPLv3 explicitly permits Apache code integration, provided notice and Apache-specific requirements are met.
- Further examples: MPL 2.0 code can be used in GPLv3 projects because MPL 2.0 includes a clause allowing compatibility with GPLv3 (the MPL code can be dual-licensed GPL if needed). While such specific rules exist for some licenses, they play a lesser role in typical game development scenarios.
In general: combining permissive → copyleft is usually possible. This means permissive code can be incorporated into a copyleft project, and the result becomes copyleft. Conversely, copyleft → permissive is problematic because the copyleft material "brings its own conditions" that would not be fulfilled in a purely permissive (or even proprietary) publication.
Incompatible Combinations
License incompatibility can manifest in several ways:
- Contradictory conditions: Two licenses might demand incompatible actions. For example, a hypothetical license requiring "no copyright notice may be mentioned in the software" combined with one requiring "copyright notice must be mentioned" would be directly contradictory. In real OSS licenses, such stark contradictions are rare, as reputable licenses generally allow attribution. However, more subtle cases exist, such as the previously mentioned GPLv2 vs. Apache 2.0 issue.
- Copyleft vs. Copyleft: Even two different copyleft licenses can be incompatible. For instance, code under GPLv2 (without an "or higher" clause) and code under GPLv3. These two versions of the GPL are mutually incompatible because GPLv3 includes additional conditions not accepted by GPLv2 users. Therefore, GPLv2-only projects cannot include GPLv3 code, and vice versa, without dual licensing. Many GPLv2 projects address this by using "GPLv2 or later." Another example is GPL (strong copyleft) and LGPL (weaker copyleft). Here, LGPL code can usually be converted to GPL code (effectively enforcing the higher GPL standard), but not the other way around without violating the GPL.
- Proprietary vs. Copyleft: This is the most common and relevant incompatibility. Proprietary (non-open) software inherently operates under the manufacturer's "license," where all rights are typically reserved. If GPL code is incorporated without permission, a derived work subject to GPL conditions is created. If the manufacturer is unwilling to place the entire code under GPL, they face a contradiction: distributing GPL-subject code under a proprietary license constitutes a clear license violation. This combination is not permitted unless the conditions are met. Alternatively, the proprietary manufacturer could obtain separate permission from the GPL code originator, perhaps through a dual license agreement.
A practical illustration was the case of VMware vs. the GPL community. VMware integrated parts of the Linux kernel (GPL) into a proprietary product. Without a specific license, this is incompatible, ultimately leading to a legal dispute (Hellwig ./. VMware), which will be discussed later.
In short: Before integrating an open source component, always check its license for compatibility with the overall project license. Many organizations provide a license compatibility table; for example, the Free Software Foundation lists MIT, BSD, zlib, etc., as GPL-compatible. However, the former Apple Public Source License was not.
For a developer's daily work, the following rule of thumb often suffices: use permissive licenses if possible to avoid compatibility issues. If GPL is already in your project, ensure any additional code is at least GPL-compatible (or also GPL). If you aim to remain proprietary, avoid GPL code, as it would compel you to relinquish your proprietary status.
Accumulation of License Obligations
License compatibility does not imply that you can choose which license applies. In a combined product, you must comply with all applicable license obligations. The final product is often offered under a single license (e.g., entirely GPL if open source, or your own proprietary EULA if closed). Nevertheless, the conditions of all integrated open source components must be simultaneously observed. In practice, this means:
- Collect notices: Every integrated OSS requires that you pass on its corresponding license text and copyright notice. Developers should therefore maintain documentation for all third-party components. Files like
NOTICE.txtorOpenSourceLicenses.txtare often found in the installation directory of commercial software. These list all used OSS components with their licenses. This practice fulfills cumulative license requirements. - Offer source code: If even one component in the product is GPL-licensed and the product is distributed, the provider must furnish the licensee with the complete corresponding source code (GPLv2) or make a written offer to do so (GPLv3). This applies regardless of the component's size. It is insufficient to provide only the code of that single component. Since the entire work is considered derived, this includes any custom code linked to the component. Exception: Dynamically linked LGPL libraries. Here, you "only" need to enable the user to exchange the LGPL component, which practically requires providing your own object files or supporting dynamic linking.
- Attribution: Some licenses (e.g., CC0 for code, or formerly the 4-clause BSD) require naming the author in advertising material. Be aware of such specific obligations if you use these licenses to ensure they are not overlooked. Such requirements are less common in classic software licenses but appear more frequently with CC licenses in the media sector.
A typical example of a cumulative obligation in a commercial product involves a computer game. This game might use five open source libraries: one under MIT, one under Apache, two under BSD, and one under zlib. All are permissive, so the game development team does not need to disclose its own code. However, each license requires its text to be present somewhere in the package.
Consequently, the game studio inserts a LICENSES file in the game folder containing the texts of all five licenses and the copyright of the respective developers. This fulfills the license conditions, allowing the proprietary game to be legally distributed with these components.
WordPress Plugins and License Compatibility
A specific situation familiar to many plugin developers concerns WordPress plugins and themes. WordPress itself is licensed under GPLv2. However, WordPress's creators (Automattic) consider every plugin and theme that uses or is based on WordPress to be a derivative of WordPress. This view implies that every plugin must therefore be licensed in a GPL-compatible manner—ideally, also under GPL.
Indeed, the official directories, such as the WordPress Plugin Repository, and marketplaces require that uploaded extensions be licensed under GPLv2 (or a compatible license). Incompatible licenses, such as purely proprietary EULAs or certain restricted licenses, will prevent the plugin from being included in these platforms.
Legally, whether a plugin constitutes a derivative work of the main software remains a complex issue without conclusive clarification. Arguments suggest that merely using defined plugin interfaces (hooks, APIs) does not amount to an adaptation under copyright law, but rather a permitted coupling. However, the boundaries are blurred: if a plugin directly copies WordPress code or loads it into memory (which consistently occurs when calling functions of WordPress core libraries), it can readily be seen as an adaptation or at least a dependent connection.
Prudent developers therefore adhere to the GPL to avoid conflicts with WordPress's license. While, to our knowledge, no lawsuit has yet occurred in Germany by WordPress authors against a plugin developer for license violation, community rules effectively enforce compliance. Those who do not license in accordance with the GPL are excluded from important distribution channels and risk damage to their image.
An interesting practical case involved a legal dispute concerning a WordPress theme before the Higher Regional Court of Karlsruhe (judgment of 27.01.2021, ref. 6 U 60/20). In this instance, a developer had a commercial theme based on WordPress created and distributed without disclosing its source code. A third party (presumably a competitor or open source activist) then demanded the theme's code disclosure, citing the GPL.
The Higher Regional Court of Karlsruhe clarified that, while the GPL mandates the developer to disclose the code upon distribution, failure to do so does not grant anyone else the right to simply publish this code. The theme's exclusive rights holder (the developer) does not automatically forfeit copyright to their own contributions due to a GPL violation. In other words, the GPL does not create general usage rights for anyone to derived software if the developer does not comply with the license conditions.
Rather, the consequence of an infringement is that no one may lawfully distribute the work—neither the infringer nor third parties. Although this ruling addressed rights management (the theme developer could prevent a third party from putting his theme on GitHub, even if it would be subject to GPL), it also implicitly highlights the license compatibility issue: WordPress and a non-GPL theme are effectively incompatible in the sense that the theme should not have been distributed proprietarily. However, it is primarily the WordPress rights holder who can sue for this; third parties cannot enforce it on their own authority.
Conclusion on Compatibility
Especially in larger game development projects, dozens of third-party components often converge. These might include a physics engine, audio libraries, network libraries, etc., potentially with different licenses. Before integration, it is crucial to verify that all licenses are compatible with each other and with the planned end product.
If in doubt, consider finding an alternative with a more compatible license for a component with strict licensing. Numerous tools and overviews are available to help clarify these questions. License compatibility is therefore both a technical and a legal issue: technically, components must harmonize; legally, their licenses must. Only when both aspects are correct can the project be published without concern.
Effects of Copyleft Licenses on Proprietary Software
A central focus of this article is the impact of copyleft (especially GPL) on proprietary software. This raises the question: What happens if a developer or company, which does not intend to disclose its own program (like a commercial game or closed software), nevertheless uses open source code under a copyleft license? What obligations arise, and how far do they extend?
"Viral" Effect of the GPL
The "viral effect" is frequently mentioned in this context. This refers to the scenario where a component under GPL is integrated into a larger software product. According to GPL conditions, the license "infects" the entire product, requiring it to be distributed only under GPL. Like a virus that infects all cells, the license condition spreads to the entire work.
The consequence: The previously proprietary project would have to disclose its source code and place it under GPL if it is to be distributed. From a company's perspective, this means potential disclosure of trade secrets and loss of exclusivity over the software.
In legal terms, the GPL is said to contain a condition subsequent. The granted rights of use are subject to the condition that you comply with the license terms when distributing the software. If a license violation occurs (e.g., by not disclosing your source code), the license automatically expires (as explicitly stated in section 4 GPLv2 or section 8 GPLv3). Consequently, the authorization to further distribute the work is lost. Distributing it anyway constitutes a copyright infringement.
The developer thus finds themselves in a lose-lose situation: either they fulfill the conditions (i.e., publish their code openly, which they did not want to do), or they must forgo distribution (i.e., remove the feature/code or withhold the product). This predicament is precisely what is described as "viral."
From the perspective of copyleft advocates, this is not an unfair trick, but a deliberate choice: those who use free software should contribute to the community. From a company's perspective, however, it is "contagious" and risky. Therefore, many companies take great care to avoid including GPL or similarly licensed components in their proprietary products.
Scope of Contagion: What is Considered a Derivative Work?
A crucial question is the extent of the copyleft effect. It is not always clear whether software A, which interacts with B, is truly considered an "adaptation" or derivative work of B. Copyright law (in particular § 23 UrhG) stipulates that adaptations of a work may only be published with the author's consent. The GPL grants this consent subject to conditions. However, if you can argue that your software is not an adaptation of the GPL work, then the obligation does not apply.
In practice, several differentiations are discussed:
- Static vs. dynamic linking: If a GPL library is statically integrated into a program (meaning the code is merged into one unit during compilation), it unequivocally creates a derived work. With dynamic linking (where the library remains separate, e.g., as a .dll or .so, and is loaded at runtime), the situation is more complex. The Free Software Foundation argues that dynamically linked modules are also part of a derivative work because they run together in memory and communicate. Conversely, some legal experts and developers believe dynamic linking constitutes more of an interface usage, similar to two independent programs collaborating. This view is particularly held if the library remains unchanged and is only accessed via defined API calls.
In EU/German copyright law, concepts like "free use" (§ 24 a.F. UrhG, though narrower for software in the EU) and non-protectable interfaces (ECJ decision SAS Institute vs. World Programming, 2012, determining that functionality and interfaces do not enjoy copyright) could be used as arguments. These arguments suggest that a user's program merely uses the library's functionality via a defined interface without unauthorized modifications. However, this is risky territory. There is no supreme court decision definitively stating that "dynamic linking is not covered by GPL copyleft." Most experts therefore advise: Don't rely on dynamic linking to evade copyleft obligations, especially as many GPL projects explicitly state that plugins/modules are also considered editing.
- Inter-process communication: When two programs run separately and exchange data via a pipeline, network, or file interface, they are generally considered independent works. For example, a proprietary program calls a GPL command-line program and reads its output. There is no code-level mixing here, as they are distinct processes. According to common understanding, this does not create a copyleft effect on the calling program, which remains independently licensed. However, the GPL program must still be passed on in a license-compliant manner, including its source code. Such architectures, involving separation into a GPL part and a proprietary part via a defined interface, are sometimes deliberately chosen to use open source without opening one's own code base. This "workaround" is legally permissible as long as the distinction between the works is maintained. However, caution is advised: it must not be an obvious artifice to circumvent copyleft where a strong connection actually exists.
- Plugins and the platform effect: As discussed with WordPress, the question always arises for plugins whether the plugin is a derivative work of the platform, or vice versa. The GPL posits that every connection results in a joint work unless there is a clear dividing line (e.g., via IPC). Thus, GPL platforms (such as WordPress, WooCommerce, etc.) can necessitate plugins to adopt a GPL license. Conversely, proprietary platforms (such as Shopify or Adobe Photoshop, etc.) impose their own license conditions. Here, the plugin developer usually has autonomy, provided they do not violate the platform's EULA. However, they must be cautious with GPL components in the plugin to avoid having to disclose their own plugin. More on this in the section on plugins.
Examples from Game Development
There are several well-known cases and best practices for managing copyleft in game development:
- Game engines: Some popular open source game engines are licensed under GPL. An example is the id Tech 4 engine (basis of Doom 3), which id Software released under GPL after several years. This allowed the community and other developers to build upon it, but hardly anyone used this engine commercially afterward, as it would have required disclosing the entire game's code. Instead, commercial studios prefer engines that are permissively licensed (e.g., Godot Engine under MIT license) or commercial engines with their own licenses (Unity, Unreal Engine under proprietary/commercial licenses). While these do not offer source code freely (or only under NDA), they provide clear commercial usage rights without copyleft. This demonstrates that the strong copyleft effect of the GPL often deters companies in the games sector if their business strategy mandates closed source.
- Libraries in games: Many games rely on third-party libraries for functions like physics, AI, or UI frameworks. Developers almost always ensure these libraries are permissive (MIT, BSD, zlib, etc.) or at least LGPL (where only changes to the library would need to be disclosed). GPL-licensed libraries are typically avoided. A historical example: The OGG Vorbis audio library for games was originally BSD-licensed (posing no problems), whereas the alternative library FAAC (for AAC audio) remained GPL for an extended period, which commercial projects avoided. Many audio codecs were therefore either developed in-house or licensed, rather than using GPL code.
- Mods and tools: Interestingly, some proprietary games include modding tools or scripting interfaces under GPL or LGPL because the game itself remains decoupled from them. For example, a developer might offer a level editor tool under GPL to help the community create new content. This has no impact on the license of the actual game as long as the tool is separate.
- Dual licensing: Some companies publish parts of their software under GPL to support the open source community, while simultaneously offering proprietary licenses for paying customers. This "dual licensing" model leverages copyleft: anyone wishing to use the software in closed-source projects can purchase proprietary licenses to circumvent GPL obligations. MySQL AB, for instance, operated this way for a long time (GPL for the community, proprietary license for customers). This is less common in game development, but some tools (e.g., certain middleware) follow a similar strategy.
Strategies for Dealing with Copyleft
If you, as a developer, are considering using a valuable GPL-licensed component, several strategies are available:
- Search for alternatives: Often, functionally similar libraries with a more liberal license exist. While the search may take time, it is worthwhile to avoid future conflicts.
- Isolate: If a GPL component is irreplaceable (due to unique functionality), you might try integrating it in a way that avoids creating a derived work. For example, run it in a separate process and communicate with the main program via defined protocols. This allows the main software to remain proprietary, while the GPL component is supplied as an independent tool, including its source code to fulfill GPL requirements. An example would be a level generator bundled with the game as an independent CLI program (GPL); the game only calls "LevelGenerator.exe" externally. However, this is only feasible for specific use cases. It also relies on the distinction between separate programs rather than a single derived work.
- Contribute and publish: Sometimes a project consciously decides to become open source itself, particularly among indie developers. In such cases, GPL code can be used without objection; the entire game, including its source, is simply published. While this might seem commercially unattractive, open development models, potentially supplemented by other revenue streams like donations or services, can be successful. However, this is rarely an option for companies aiming for traditional license revenue.
- Obtain license advice: When in doubt, consult a legal advisor. Specialists in IT law/copyright law can help analyze whether a particular integration method is permissible, what obligations would arise, and if any clauses allow special permissions from the licensor. The consultant will also clarify whether copyright protection even applies, for instance, if only tiny code snippets lacking creative originality have been adopted. However, for software, this is rarely the case; virtually any non-trivial copied code enjoys protection.
To summarize: Copyleft licenses like the GPL significantly impact proprietary software by triggering source code disclosure requirements. Developers must understand this impact and factor it into design and technology decisions. Large companies often have strict guidelines, such as an internal license blacklist/whitelist system. In small development teams, the lead developer or CTO is responsible for monitoring the licenses of all tools used. Underestimating the viral effect could, in the worst case, force your own software to operate under conditions contrary to its business strategy.
Risks and Legal Consequences of License Violations
What are the repercussions of failing to comply with the terms of an open source license? This section examines the legal risks, ranging from warnings and legal proceedings to potential claims for damages. It focuses specifically on German law (UrhG) and highlights some well-known cases.
License Infringement = Copyright Infringement
First and foremost, it must be clear: an open source license violation is not a trivial offense. Legally, it constitutes a copyright violation. This is because the right to use third-party code derives solely from the license. If you do not adhere to the license, there is no effective grant of rights of use (Section 31 UrhG). You are then using the code without the permission of the rights holder. This infringes upon the exclusive rights of the copyright holder, such as reproduction and distribution rights under Section 69c UrhG for software.
In Germany, a clear line of case law has emerged on this matter. The GPL license (as an exemplary open source license) is understood as a right of use granted on a conditional basis (cf. LG Frankfurt a.M., judgment of 06.09.2006 – Ref. 2-6 O 224/06). This means the right to use and distribute exists only as long as the conditions (source code disclosure, notice, etc.) are met. In the event of a breach, the right automatically lapses.
This is permissible under general terms and conditions law (courts have found it not surprising or unreasonable according to § 307 BGB). It does not circumvent § 31 UrhG but rather utilizes its framework. So, what are the potential threats of such an infringement? In civil law, typically:
- Injunctive relief (Section 97 (1) UrhG): The rights holder can demand that the infringer cease using or distributing the software in an unauthorized manner. This injunctive relief can be enforced quickly in summary proceedings (temporary injunction) if urgency is required, or in normal legal proceedings. In practice, a warning letter is usually issued first in Germany. This is a formal request to stop the infringement and submit a cease-and-desist declaration with a penalty clause. For the recipient of the warning, this means undertaking not to repeat the license infringement, or face a contractual penalty. This often helps avoid lawsuits.
In the past, groups like gpl-violations.org (initiated by Harald Welte) have issued warnings to numerous companies. These companies, for example, used Linux components in their devices without providing the source code. Many of these cases concluded with out-of-court settlements after a warning: the infringer provided the source code and paid the warning costs to avoid a lawsuit.
- Removal / recall / destruction: In addition to injunctive relief, the rights holder can demand the removal of existing illegal copies (Section 98 UrhG). For software, this would entail stopping further distribution, withdrawing products from circulation, or at least removing the infringing component. In practice: if a device has been delivered with infringing software, a demand could be made that it not be sold further until the defect is remedied. This can have severe consequences, such as halting product sales or recalling them.
- Right to information (Section 101 UrhG): To quantify damages, the rights holder may demand information on the extent of the infringement. This includes, for instance, the number of distributed software units or associated sales. In the open source context, this is relevant if damages are later claimed.
- Compensation for damages (Section 97 (2) UrhG): If the infringement was intentional or negligent, the infringer owes damages. However, the question arises as to how to calculate damages in the case of open source infringements. Copyright law provides three basic methods: (a) concrete financial loss of the rights holder; (b) surrender of the infringer's profit; (c) license analogy (fictitious license fee).
Option (a) is often ruled out because open source developers do not sell their software commercially. Their "loss" due to an infringement is more non-material or affects the community. Option (b), profit skimming, could be considered in extreme cases: if a company saved or earned significant money by unlawfully using OSS, it might be argued that this benefit should be surrendered. However, this is complex and rarely practiced due to difficulties in proving causality and calculation.
This leaves option (c), license analogy: estimating what a reasonable license fee would have been. However, OSS is licensed free of charge—no license fee is typically due. Nevertheless, some courts initially set a "fictitious license fee" as a penalty estimate. For example, in 2016, the Bochum Regional Court awarded damages by estimating a reasonable license fee, even for free software. On appeal, however, the Higher Regional Court of Hamm (judgment of 13.06.2017 – Ref. 4 U 72/16) corrected this view. It reasoned that if software is under GPL and normally licensed free of charge, one cannot suddenly demand an expensive license fee in the event of infringement.
The judges denied damages based on a fictitious license fee. In practice, this means that for OSS infringements, the rights holder often receives no monetary compensation unless they can prove real damage. This might frustrate developers, but it also underscores that open source licenses' primary leverage is not financial damages, but rather the power of disposal (stopping use). Important: OLG Hamm did not state that all damages are excluded. Theoretically, a competitor lawfully using GPL code could lose competitive advantages or demonstrate similar damages. But this is difficult to quantify.
- Reimbursement of warning costs: If the rights holder issues a justified warning, they can demand reimbursement of necessary legal costs (Section 97a (3) UrhG). This includes legal fees for the warning letter, typically calculated based on the amount in dispute. In practice, the amount in dispute for GPL infringements has been set in the range of €50,000 – €100,000 (e.g., Munich Regional Court I in 2004 set €100,000), which can result in legal fees in the mid-four-figure range. These costs must then be borne by the infringer, creating a noticeable financial impact even without compensation being paid.
- Contractual penalty: If the infringer has submitted a cease-and-desist declaration with a penalty clause, they must pay an agreed contractual penalty if the infringement recurs. This penalty can be substantial (often "to be determined by the rights holder at his reasonable discretion, reviewable by the court"—which can quickly amount to five-figure sums). This ensures the infringer does not simply continue the infringing activity.
Beyond civil law consequences, criminal law is also theoretically relevant. Unauthorized use of copyrighted works can be punishable under Section 106 UrhG, and even more severely for commercial use (Section 108a UrhG). In practice, however, criminal charges for open source license infringements are rarely filed. The matter is usually resolved between the parties under civil law, especially since infringers are typically companies and the injured parties are developers or foundations primarily interested in license compliance rather than criminal prosecution.
Relevant Case Law in Germany
The enforcement of open source licenses in German courts has established several important precedents. Here are some of the most significant decisions and cases:
- Regional Court Munich I, decision of May 19, 2004 (Ref. 21 O 6123/04): This was one of the first court confirmations of the GPL in Germany. Developer Harald Welte (Netfilter/IPTables project in the Linux kernel) obtained a preliminary injunction against Sitecom, a company that used his software in router firmware without complying with GPL conditions. The court prohibited the company from further distributing the software unless the GPL license text was enclosed and the source code offered. Crucially, the Munich I Regional Court clarified that the automatic expiry of the license upon infringement does not violate German law. Specifically, Section 31 (1) sentence 2 UrhG (requiring exclusive licenses in written form) was not circumvented, as a simple right of use was granted conditionally, which is permissible. This was a milestone, affirming the effectiveness of the GPL.
- Regional Court Frankfurt a.M., judgment of 06.09.2006 (Ref. 2-6 O 224/06): Another important judgment that essentially confirmed the same principles: GPL violations lead to the expiry of rights of use (here expressly referencing § 158 para. 2 BGB, concerning terminating conditions). This legal construction was found not to be contrary to GTC law.
- Regional Court of Cologne, judgment of 16.05.2012 (Ref. 33 O 353/11): This case involved the distribution of GPL-licensed firmware in internet routers. The court affirmed the right to injunctive relief for GPL infringement. What made this case particularly interesting was its focus on a "downloader"—a chain of companies distributing software. The ruling clarified that everyone in the distribution chain who passes on the software must comply with license obligations. While the router manufacturer had offered source code, an online portal distributing firmware updates to end-users had failed to do so, also becoming subject to a warning.
- LG Bochum, judgment of 03.03.2016 (case no. I-8 O 294/15) and OLG Hamm, judgment of 13.06.2017 (case no. 4 U 72/16): This case concerned a university that offered software (originally GPLv2, later licensed proprietarily) for download without providing source code. In addition to injunctive relief, the Regional Court of Bochum initially awarded damages in the form of a fictitious license fee. However, the Higher Regional Court of Hamm overturned the damages award. As noted earlier, it denied such a claim because no license fee would normally be due. Nevertheless, it confirmed that a copyright infringement had occurred and that the rights of use had lapsed. Thus, the injunction and costs were upheld, but no separate damages were awarded. This OLG ruling is often cited as an indication that you do not automatically have to expect high fines for OSS infringements, but this does not imply that such infringements are without consequences.
- Karlsruhe Higher Regional Court, judgment of 27.01.2021 (Ref. 6 U 60/20): The aforementioned WordPress theme case. The focus here was less on the infringement itself (which was implicit) but on its consequences: Does the developer lose their own rights to the work? The OLG clearly stated no. The "viral effect" of the GPL does not mean that anyone can use the adaptation without the developer's consent. The GPL "only" causes the loss of rights to the original OSS (i.e., you may no longer use the third-party code), but it does not automatically release the newly created parts to the general public. In other words, copyleft does not force the source code to become public against the developer's will. It merely withdraws permission to distribute the product as long as the developer refuses to disclose it. This ruling provided more legal certainty by establishing that an infringer of the GPL can still invoke their copyright, at least vis-à-vis third parties. In practice, this means the penalty of the GPL is the blocking of distribution, not the expropriation of the programmer. However, there is still the risk that the original rights holder (e.g., WordPress authors) could demand an injunction, ultimately leading to a distribution ban for the theme.
- Hellwig ./. VMware (LG Hamburg 2015, OLG Hamburg 2019): This prominent case illustrates the difficulty in complex scenarios. Christoph Hellwig, a Linux kernel developer, accused VMware of using parts of his (GPLv2-licensed) code in the proprietary VMware ESXi hypervisor without GPL conformity. The lawsuit in Hamburg was ultimately dismissed. Not because the GPL was invalid, but due to evidentiary issues: Hellwig could not clearly prove which parts of VMware were based precisely on his contribution. VMware openly acknowledged using Linux code but also claimed to have written stand-alone modules. The court ultimately avoided the fundamental question of whether the combination constituted a derivative work, ruling in favor of VMware due to a lack of substantiated evidence for the specific code. Hellwig subsequently waived further appeal. This case demonstrates that in large projects with many authors, enforcement can sometimes fail. However, this is not a license for infringements; it often means pressure is then exerted differently, such as through community pressure or the press. Indeed, VMware took several parallel steps to open up or restructure parts of its code to defuse GPL conflicts.
- Harald Welte and gpl-violations.org: There isn't a single definitive decision but a series of successful warnings and interim injunctions (e.g., Munich Regional Court 2005, Berlin Regional Court 2010, in addition to 2004). Welte, as a dedicated developer, virtually proved that GPL infringements can be consistently prosecuted. Many manufacturers of embedded devices (routers, DVD players with Linux, etc.) were found non-compliant with the license and compelled to make improvements. These cases are well-known in the community; legally, they established the enforceability of open source licenses in Germany.
In summary: German courts support open source licenses. Anyone who believes that no one would seriously sue for such "free" licenses is mistaken. The courts recognize license terms as contractual conditions and treat violations as copyright infringements, resulting in the aforementioned claims. At the same time, they acknowledge that this involves free software, so extreme fines are rare. The main instrument is injunctive relief, ensuring the open availability of the code or discontinuing its use.
Practical Consequences for Developers and Companies
What do these legal risks mean concretely for the daily operations of a development team or a company?
- Product delay or stop: In the worst-case scenario, a license violation can halt an entire project. Imagine a video game on the verge of release where a developer inadvertently incorporated a GPL library without the publisher's knowledge. If this becomes public or is reported to the licensor, an injunction prohibiting distribution could follow. The game could not be released until the issue is resolved, either by removing the component (potentially technically impossible close to release) or by disclosing the code (which the publisher might not prefer). Both options can significantly delay market launch or render it economically unviable. Therefore, license compliance is integral to quality management.
- Contractual risk with clients: If a studio develops a game for a publisher and incurs license violations, the publisher may deem this a breach of contract. This can result in claims for damages, such as costs for subsequent code refactoring or contractual penalties. In a B2B relationship, the supplier can be held liable if they fail to ensure rights-free delivery as per the contract. (More on this in the next section "Contractual aspects").
- Exclusion from distribution platforms: In the plugin ecosystem, such as WordPress or browser add-on stores, a violation can lead to expulsion from the platform. For example, if a WordPress plugin is found to use GPL code but does not offer its own source code, WordPress could remove the plugin from its official directory and publicly highlight the issue. Beyond lost sales, this incurs reputational damage, as developers are then perceived as shoddy or legally unreliable.
- Damage to developers' reputations: Open source is a particularly sensitive topic within the developer community. Companies that disregard OSS licenses may face public criticism (e.g., in forums, blogs, Heise news, etc.). Numerous examples exist where media attention followed the discovery of GPL violations in certain products. In the age of social media, such negative publicity should not be underestimated.
- Costs of rectification: If a warning letter is issued, the infringer must generally bear not only the costs of the warning letter but also act swiftly to remedy the infringement. This might involve dedicating developer time to add missing license texts, making source code available to all customers, or even replacing components. This rework consumes resources and money but is essential to prevent greater damage. In the worst case, an update must be distributed to all customers, which can be challenging, especially for embedded devices or games without automatic patching.
Overall, the risks of non-compliance with open source licenses are real and, crucially, business-critical. They can paralyze projects and strain contractual relationships. The good news is that all of this is avoidable if licenses are handled correctly from the outset. Using open source is not inherently dangerous; you merely need to understand and adhere to the "rules of the game." Then, risk transforms into significant benefit.
Contractual Aspects When Using Open Source
In addition to direct copyright issues, contractual regulations also play a significant role in the use of open source in software development contracts. This section examines how open source aspects should be incorporated into contracts, for example, between client and contractor, employer and employee developer, or software provider and customer. Key terms include integration clauses, testing obligations, and due diligence clauses, as well as topics such as warranty, liability, and internal guidelines.
Provisions in Software Development Contracts
When a company commissions software, such as a game or a plugin, from an agency or freelancer, a contract for work and services or a similar development contract is typically concluded. This contract specifies deliverables (functionalities, performance features) and often the applicable quality standards. In recent years, it has become standard practice to explicitly state in such contracts whether and in what form open source components may be used.
Typical clauses in this context include:
- Open source permission or prohibition: Some clients prohibit the contractor from using open source code, especially code under copyleft licenses. This stems from concerns that the supplied software might not be freely usable or could lead to third-party claims. However, a total ban is often impractical, as nearly all software today utilizes some form of library. Consequently, many contracts adopt a more nuanced approach:
"The contractor may use open source software components, provided that these are under a license compatible with licensing law (e.g., MIT, BSD, Apache, LGPL) and their use does not restrict the contractual use of the delivered software by the client. In particular, the use of copyleft licenses that would oblige the source code of the entire software to be disclosed (especially GPL, AGPL) is only permitted with the express written consent of the client."
Such a clause clarifies that a small MIT library is acceptable, but a GPL library requires prior approval, which is usually denied unless the client has specific reasons to allow it.
- Integration clause / third-party software clause: This pertains to disclosing all third-party components used, encompassing not only OSS but also commercial libraries. For example: "Upon delivery, the contractor shall provide the client with a complete list of all third-party software components used, including version number and license, as well as copies of the respective license terms." This ensures transparency. The client can then verify whether these licenses are acceptable. Such clauses form part of the documentation obligation. They protect the client from unpleasant surprises and enable them to identify problematic components if necessary.
- Entire Agreement / Entirety: Some contracts contain an integration clause stating, "This contract represents the entire agreement of the parties; there are no oral ancillary agreements." What does this signify in the open source context? It could become relevant if a contractor incorporates OSS because, strictly speaking, third-party license terms "come into play"—the OSS license is a separate agreement between the rights holder and the user. An integration clause aims to prevent third-party conditions from suddenly influencing the contract.
Naturally, obligations towards the OSS author cannot be overridden by a two-party contract; they apply independently. However, this discrepancy can create tension. In the internal relationship between client and contractor, what is written in the contract applies (e.g., "no obligation to publish"), while externally with the OSS author, the GPL applies (which the client may not even be aware of). It is therefore advisable to explicitly regulate how to handle open source licenses in the contract, rather than remaining silent. This prevents an integration clause from conflicting with OSS terms and conditions. If in doubt, the contractor should point out: "Attention, this software contains OSS with the following conditions; the contract does not change this, and we must comply with these conditions."
- Transfer of rights and OSS: Clients often desire the transfer of all rights to the development result, including exclusive rights of use (Section 31 UrhG). However, if open source is involved, the contractor cannot transfer more rights than they themselves possess. They cannot grant the client exclusive rights to a GPL-licensed component, as this component remains available to third parties under GPL. Contracts should therefore clarify that no exclusive rights need to be transferred for open source components. Instead, the client may use them within the scope of their respective licenses.
Sometimes the following wording is used: "If the delivery item contains open source software, the conditions of the respective open source license apply to these components. Within this framework, the customer receives the rights of use as granted by the open source license; no further granting of rights is necessary or possible." This ensures that no one violates the logic of the OSS license.
Audit Obligations and Compliance Processes
Verification obligations can be stipulated in contracts or internal guidelines. Their purpose is to ensure the correct handling of open source licenses.
- Contractual assurance of testing: A contractor could provide assurance such as: "We have tested all used components for license compatibility." Alternatively, a software supply contract can state that the supplier guarantees the software is free of open source components subject to publication obligations or other restrictions. Such guarantees provide the client with a promise of security. If it later emerges that testing was not performed, this can lead to claims (e.g., compensation, price reduction).
- Audits and tests: In some contracts, especially for larger projects, the client reserves the right to audit. For example, the client might have the code checked by their own experts or tools (e.g., with a software composition analysis) before declaring acceptance. If an unauthorized GPL component is then found, the client can refuse acceptance until it is rectified. This incentivizes the supplier to verify what they are using beforehand.
- Internal company policies: Irrespective of contracts with third parties, companies should implement their own open source compliance guidelines. These internally define how developers should proceed when using open source. For example, an approval process can be established: a developer registers every new open source package in a list, detailing its license, purpose, alternatives, and a responsible person (such as an open source compliance officer or the legal team) approves or rejects it. Many larger IT companies adopt this practice.
Additionally, a list of permitted licenses (whitelist) is often provided, and sometimes a blacklist of particularly problematic licenses (e.g., AGPL, or those with tricky clauses). All these measures fall under "review obligations" in a broader sense—they represent the care that must be exercised before using code belonging to others.
- Documentation obligation: As previously mentioned, it is crucial to fully document internally which OSS components are included in a product. In the chaos of a project, one might forget what was installed months ago, leading to missing components at release, such as the correct license text. Therefore, a bill of materials should be maintained. In contracts, the delivery item can also include documentation, for instance: "The delivery item is the source code of the software, including documentation of all open source elements and their license conditions." This clarifies that delivery is incomplete without this list.
Warranty and Liability for Open Source Use
Let's assume a developer delivers software to a customer, and it later emerges that an OSS license has been violated. What contractual claims could the customer have? This is where warranty (material defects and defects of title) and liability rules come into play:
- Defect of title: According to Section 435 BGB, a defect of title exists if third parties can assert rights concerning the delivered item that prevent the buyer from using it. Applied to software: if the delivered software contains code that may not be used lawfully (e.g., due to a license violation), then a third party—the original author—has claims (injunction, etc.) that affect the contractual use of the software. This constitutes a classic defect of title. In such a case, the buyer/counterparty is entitled to warranty rights: subsequent performance, or, in case of failure, withdrawal or reduction, plus compensation for damages if fault is proven.
Example: A plugin manufacturer sells a company a plugin for its website. The company later receives a warning from an OSS developer that the plugin violates the GPL. The company had to deactivate the plugin and now demands remedy from the manufacturer—either to establish license conformity or compensation for the loss of use. In such a scenario, one would argue: the plugin manufacturer has delivered a deficient product (legal deficiency) and should provide subsequent performance (e.g., deliver a plugin without a license violation via an update that replaces the code) and, if applicable, compensate the customer for incurred damages.
- Material defect: A material defect could also be considered if it was contractually guaranteed that no open source was included, for example. If open source is present, the software does not conform to the agreed quality, which would be a material defect (§ 434 BGB). However, the legal exemption is often qualified as a legal defect. In any case, the supplier must rectify the defect, or the customer has rights.
- Liability clauses: Contracts typically limit the liability of the parties, especially for slight negligence. However, core obligations cannot be excluded, and in cases of intent/gross negligence or warranted characteristics, any exclusion does not apply. Thus, if a developer deliberately or grossly negligently disregards a license, they can hardly invoke liability exclusions. Conversely, if a company uses open source software from an OSS project and it has a bug, for example, the exclusion of liability contained in the OSS license usually applies. However, as mentioned, a total exclusion of liability is limited under German law on general terms and conditions. In extreme cases, an OSS tool user could theoretically hold the author liable if, for example, intent could be proven, which is extremely unlikely. In practice, these considerations rarely play a role because OSS generally does not come with a warranty (it is delivered "as is"). However, in B2B contracts where OSS components are included, it is crucial that the supplier cannot simply refuse responsibility by stating, "There was OSS in it, the warranty is excluded." The supplier remains liable to the end customer unless the contract explicitly stipulates otherwise.
- Indemnification: Indemnity clauses are common in international contracts, particularly with US companies. They stipulate that the supplier indemnifies the customer against all third-party claims arising from IP rights infringement and covers legal costs, etc. Applied to OSS, this means that if an open source copyright holder sues the customer for license infringement, the supplier must intervene to protect and compensate the customer. Such a clause naturally increases pressure on the supplier to ensure compliance from the outset, as they would otherwise be liable for high costs. In German contracts, the term "Freistellung" or "Haftungsfreistellung" is also commonly used. A client could demand: "The contractor indemnifies the client against all third-party claims arising from infringements of copyright or license rights by the software supplied." This effectively shifts the entire risk to the contractor.
To summarize: when using open source, clear contractual provisions should be established to protect all parties. The developer/supplier wants to know what they are permitted to do, and to avoid accusations of illegal actions when their conduct was permissible. The client, conversely, seeks assurance that the product does not contain a "license bomb" that could explode later. Well-drafted contracts and transparent communication about the OSS used foster trust and prevent disputes.
Due Diligence for M&A and Transactions
Another important area is due diligence in company takeovers and investments. When an investor plans to acquire a software development company, they naturally scrutinize its technology. It is now standard practice to also examine open source compliance. Why?
Imagine investor X intends to buy a game studio with a successful proprietary game. If, after the acquisition, it turns out that this game contains unobserved GPL code, the new owner might be compelled to publish the source code or halt distribution until the issue is resolved. This could drastically reduce the value of the entire investment. For this reason, various checks (due diligence) are performed before a purchase agreement is finalized:
- Code scan: Specialized service providers scan the target company's entire code using tools like Black Duck, FOSSID, etc., to generate a report detailing identified open source components with license information. Undeclared components can often be detected this way.
- Policy check: The buyer verifies whether the company has guidelines for managing OSS, how compliance management is structured, and if any past violations or warnings exist. A mature OSS compliance process indicates fewer dormant risks.
- Contracts: Review contracts to identify any clauses with suppliers or partners that could be violated due to OSS (such as the prohibitions mentioned above). For example, if the company assured major customers "no copyleft software included," the auditor should confirm this to avoid subsequent liability risks.
- Open source balance sheet: Some create a list of all OSS with a traffic light rating: green (okay), yellow (caution, e.g., LGPL or MPL, but manageable), red (GPL, AGPL, incompatible licenses). If red entries are found, the purchase price may be renegotiated, or the seller might need to replace these components before closing (refactoring).
In Germany, for example, there have been cases where the sale of a company was postponed until it achieved a clean open source balance sheet. No buyer wants unpleasant surprises shortly after a deal. This applies not only to the acquisition of an entire company but also to individual software products or investor entry.
Even if a sale isn't contemplated, partnerships and distribution licenses can trigger similar assessments. For instance, a large publisher wanting to sign an indie studio might include a clause in the publishing agreement: "The developer warrants that the game does not contain any open source software that impairs the publisher's exploitation rights. The developer shall disclose all open source components to the publisher." This is essentially due diligence by the publisher before investing millions in marketing the game.
Documentation and Dissemination of License Information
A practical yet contract-related topic is passing on license information to end-users. Many open source licenses not only require developers to comply but also stipulate that end users be informed about certain aspects. For example, the GPL mandates that every recipient of the software also receives the license terms and is informed of their rights (e.g., the right to request source code). Similarly, Apache/MIT require the license text to be included in documentation, which must ultimately reach the end-user.
Therefore, the following should be ensured (and contractually required) when the software is delivered:
- Including the licenses: The supplier should include all relevant license texts. It is often agreed that documentation or a help file must contain an "Open Source Licenses" section. For games, this can also be integrated into the "Credits" or "Legal Notices" menu. It is important that it is discoverable within the final product. Physical products, such as a device with software, often come with a booklet or CD detailing the open source licenses.
- Source code provision obligation: If a component under GPLv2 is in the product, the provider must physically or electronically enclose the source code or at least send it upon request. For GPLv3, a written offer or a suitable link valid for at least three years must be provided. These logistical obligations should be considered during project planning. For example, if you produce an IoT device containing Linux (GPLv2), you must either provide the source directly on CD to the end customer or explicitly state in the instructions: "You can find the source code at [URL] or request it from us." Failure to do so constitutes a breach. A best practice: set up a web portal where all OSS components and source code are available for download. You can then refer to this page in all products.
- Contractual penalties in reselling: If a company provides software to a reseller or distributor, it should contractually obligate them to pass on OSS notices. This prevents a scenario where the manufacturer provides all information, but the distributor fails to give the licenses to the end customer, leading to the manufacturer still being held responsible. Therefore, distribution partner agreements sometimes include clauses obligating the partner not to remove any license texts and to pass on all necessary documents. A prohibition on providing information could also be counterproductive: you cannot contractually prohibit the partner from referencing OSS, as this is a legal requirement. Such subtleties should thus be carefully considered.
Dealing with Copyleft in Contracts
It bears repeating: Copyleft components, such as GPL-licensed elements, must be handled very consciously and transparently within a contract. If the client agrees—perhaps because no alternative exists and they are prepared to distribute the code openly—then the contract should precisely state how this disclosure will be made and that the client is aware of this. It may be necessary to regulate who processes source code requests later, whether the contractor on behalf of the client or the client itself.
If the client does not agree to this, the contractor should never use such a component without authorization. If they do, perhaps hoping it goes unnoticed, they are treading on very thin ice. In addition to potential legal action from the OSS author, they also risk a breach of contract with the customer.
In quotations, it can be helpful to state, "We use the following open source tools..." so the customer is informed. Transparency fosters trust and reduces future disputes.
Example from Practice
Consider an agency developing a web-based game for a client. The agency wishes to use a specific JavaScript framework that is under GPL. However, the client wants to keep the game exclusive and its code confidential. Unable to find a comparable alternative, the agency proposes using the framework but operating it separately as a backend service. They agree in the contract that the framework will run on a separate server, and its code, along with the GPL license, will be handed over to the customer, while the actual game remains decoupled. It is also stipulated that the customer consciously agrees to this GPL use and will release the source code of the framework component to third parties upon request. This constructed example illustrates how it is possible to work with copyleft when necessary, provided it is properly structured in the contract. Ideally, however, a different framework would simply have been used.
Special Features of Plugin Development (WordPress, Shopify & Co.)
To conclude the content sections, we will specifically discuss plugins and development for platforms, as this target group was particularly mentioned. Plugin developers often operate within an ecosystem that has its own licensing rules. They must account for both platform policies and OSS licenses.
WordPress and GPL – An Unavoidable Connection
WordPress, as a content management system, is a prime example where the platform's license influences its plugins. WordPress is licensed under GPLv2 (with the additional clause "or higher," which in case of doubt refers to GPLv2, as WP has not yet officially transitioned to GPLv3). The WordPress Foundation has explicitly stated that it considers plugins and themes to be derivatives. In practical terms, this means:
- Plugins listed in the official directory must be GPL-compatible. The most common choice for developers is simply GPLv2 (or v3) for their plugins. Many developers adopt the exact same license as WordPress to ensure compliance.
- Even if a developer sells a plugin commercially (e.g., premium plugins outside the official site), most are still under GPL. This is permissible because the GPL allows sales as long as the license and code remain open. Many plugin providers finance themselves through support, updates, or additional services, rather than through restrictive licenses. The end customer might purchase an annual license for updates, for example, but the code received is GPL—theoretically, they could redistribute it. In practice, few end customers do this, valuing the support. Thus, this is not a licensing conflict.
- Attempts to license WordPress plugins/themes differently have led to conflicts. There were cases where theme developers (e.g., on ThemeForest) placed PHP code under GPL—to comply with WordPress rules—but put CSS/JS/design under a proprietary license to "protect" at least part of it. The legality of this is controversial. Strictly speaking, layout and JS could also be considered part of the derivative work because, combined with the PHP code, they form the theme. WordPress has tolerated marketplaces making this split but continues to promote pure GPL licensing. From a developer and user perspective, a fully GPL-licensed theme/plugin is the most straightforward, as it provides clear expectations.
- A word about forks: If a plugin is GPL, anyone can fork it and distribute it themselves. This indeed happens; some sites offer "GPL plugins," redistributing purchased premium plugins at lower prices or for free. This is legal under GPL, as long as they do not claim authorship (attribution must remain). While annoying for original developers, they primarily counter this with superior service (official updates, support exclusively for paying customers, etc.). License law offers no recourse here, as GPL permits such actions. Plugin developers must therefore recognize this: If you develop for the WordPress ecosystem, you fundamentally accept GPL and the openness it entails.
- Case study: OLG Karlsruhe 2021 (revisited briefly): Here, the commercial theme developer successfully prevented another party from publishing his code. However, this should not be interpreted as an endorsement of his proprietary approach. He effectively relied on a formal property right. Had the WordPress authors sued him, the outcome would likely have differed, probably forcing him to release his theme or accept a distribution ban.
- WordPress plugin developers must also carefully consider which third-party OSS libraries they integrate into their plugin. In addition to the WP→Plugin license flow, there is also plugin→third-party code. A WP plugin can, for instance, integrate an MIT JavaScript library, which is acceptable because MIT is GPL-compatible. What if a plugin uses an LGPL library? This is probably acceptable, as GPL is generally compatible with LGPL, but strictly speaking, LGPL conditions (e.g., references to library changes) would also need to be fulfilled. What if a plugin uses a library that is not GPL-compatible? Then the plugin developer faces a compatibility problem: they cannot publish their plugin according to the rules, as they combine WP (GPL) and this incompatible component. Thus, all components within the plugin must be compatible. The good news is that vast amounts of GPL-compatible OSS exist, making it rare to be forced into using an incompatible component.
Shopify and Proprietary Platforms
Shopify presents a different scenario. It is a closed SaaS platform for e-commerce with proprietary code. However, developers can create apps or themes for Shopify. The legal conditions here stem from two sources: Shopify's own contracts (partner program, API license terms, etc.) and the potential use of OSS within the app.
- Platform license: Shopify provides APIs, generally stipulating that developers must not violate Shopify's rights. Shopify itself is not open source, so there is no copyleft obligation flowing from the Platform→App. Theoretically, Shopify could even prohibit the use of open source components, but it generally does not do so directly. Its primary interest is ensuring app security and legality.
- Use of OSS in Shopify apps: A Shopify app typically comprises two parts: the backend (running on the developer's server or a cloud function that processes requests from the Shopify store) and the frontend part (e.g., an embedded admin UI or scripts loaded into the store).
-
The backend part runs remotely. If a GPL component is used there, it is not "distributed" to Shopify or the merchant; it only runs on the app developer's server. This is comparable to a web service: GPL has no control here unless it is AGPL. Strictly speaking, the developer does not need to publish the source code as long as it operates solely as a service. This was a reason for AGPL's invention: GPL could not "catch" SaaS usage. However, if the developer later wanted to install the app on-premise at the customer's premises (less common with Shopify), distribution would occur, and GPL would apply.
- However, if the developer uses AGPL components in their app backend, they must disclose the source code to the service users as per the license. In this case, users would be the store operators or end customers interacting with the service. This is usually incompatible with a commercial app model, which is why AGPL is often feared by SaaS startups. Shopify apps typically avoid AGPL because it offers no benefit to the developer, only obligations.
- The front-end part of the app: This could include JavaScript, CSS, or Liquid templates integrated into the customer's store. These are actually delivered to the customer (e.g., as part of the theme or in the browser). If OSS code is included here, distribution rules apply again. A developer could, for example, use a JS widget under MIT; this would require retaining the MIT reference in the code. If they wanted to use a UI component under GPL (unlikely but possible), they would be providing the retailer with a GPL component. This would mean the retailer has the right to the source code, and so on. The retailer would be puzzled by this, and Shopify itself would likely disallow it due to potential confusion.
- Shopify itself states in the Partner Program T&Cs that developers must ensure they possess all necessary rights to their app and are not engaging in illegal activities. A blatant OSS violation could theoretically be considered a breach of these terms, potentially leading to the suspension of the developer account. In practice, however, this is likely to occur only if it gains public attention or Shopify receives complaints.
- Unlike WordPress, Shopify does not mandate a specific license for apps. App developers can make their app open source, but are not obliged to. Many keep their code proprietary, even if customers can ultimately view the executed code, at least for the front-end part. Here, the app developer must carefully weigh which open source components to include to avoid unintentionally revealing proprietary information.
-
- Themes on Shopify: Shopify also permits customizable themes that can be sold. Themes are essentially code (Liquid Templates, CSS, JS). The creators determine the license for these themes; Shopify does not mandate "must be open source." Consequently, commercial licenses are often found here. However, if a theme developer integrates a GPL-licensed slider into their theme, for example, they face the same problem as with WordPress: either they must place the slider code (and thus the dependent theme) under GPL, or they are in breach. Since Shopify itself is not GPL, and the slider creator might not realize this, such a situation could go unnoticed, but it is not legally clean. Nevertheless, abundant permissive slider libraries exist, making it easy to avoid GPL parts in Shopify themes.
In short for Shopify developers: While there is more platform freedom to remain proprietary, the responsibility for used open source building blocks rests entirely with the app developer. They must check just as meticulously: What license does each integrated library have? Do I fulfill its requirements (e.g., including copyright notices in minified JS)? What happens if I provide the app to a customer for self-hosting? And crucially: Is anything incompatible with my closed-source app (e.g., GPL)? If so, replace it urgently.
Other Platforms and Plugins
- Browser extensions: These are often open source or contain OSS (e.g., UI libraries). Browsers do not enforce a mandatory plugin license, but the Chrome Web Store, for instance, has copyright compliance guidelines. Unauthorized copying of third-party code can become problematic. In this regard, the general rules apply here too: use OSS, but adhere to its license.
- Game modding and SDKs: Some games allow mods or plugins via SDKs. The main game is typically proprietary, but the mods can carry various licenses. EULAs often state that mods may only be non-commercial and that rights fall to the publisher, etc. This conflicts with OSS licenses, which prohibit restrictions on use (GPL, for example, allows use for any purpose, so a "non-commercial" ban would contradict GPL). Caution is advised: if a modder incorporates GPL code into a mod, but the game EULA stipulates "no commercial use," conflicting terms arise. This is a complex area, but it highlights practical tensions. Modders should ideally choose permissive licenses or public domain to avoid complications.
- App stores in general: Whether Apple App Store, Google Play, Shopify App Store, or WordPress repository, platform operators generally aim to avoid liability for license violations by their developers. This is why Developer Terms almost always stipulate that the developer is responsible. It is therefore up to each developer to ensure they do not infringe any third-party rights. Open licenses constitute third-party rights, making this highly relevant.
Practical Recommendations for Developers and Companies
After reviewing the theory and potential pitfalls, here are some practical tips for software developers—whether in game development, plugin projects, or general software development—to use open source in a legally compliant way without sacrificing its creative and productive benefits:
- Knowledge and awareness: Familiarize yourself with the basics of important licenses. Not every developer needs to be a lawyer, but a fundamental understanding of what GPL versus MIT means is essential. Many companies provide brief training for their developers on this. It helps if terms like "copyleft" or "GPL-compatible" are not foreign concepts. Newly hired developers or freelancers, in particular, should be briefed to prevent inadvertently contributing problematic code.
- License selection before use: Before incorporating an open source library into your project, check the license. Read the license text (at least skim it) or review summaries. Pay attention to keywords: "GNU GPL" should trigger an alert, prompting a closer look to see if it fits the project. "MIT / BSD / Apache" licenses are usually less critical, but still make a note. If uncertain about license compatibility, consult colleagues or, if necessary, legal experts. Online forums (e.g., StackExchange "Open Source") often discuss such questions.
- Document all third-party components: Maintain a list (e.g., in the project's README or a dedicated document) of all external libraries, snippets, etc., that are not proprietary. Record the version and license. This simplifies the creation of the "third-party license" file at the end and ensures nothing is overlooked. It also helps prevent issues if a component is accidentally updated later, its license has changed, and no one notices—having it documented will make you aware.
- Comply with license conditions immediately: It is best to ensure that obligations are implemented during development. For example, if you know you are using MIT licenses, integrate an "Open Source Credits" section into the "About" window or help menu, listing names and license texts. Do not scramble to gather them the day before release. For GPL components, plan from the beginning where you will offer the source code for download or how you will provide it to the user. This should not be an afterthought but part of the release process. Modern build pipelines often include steps to automatically generate an OSS license overview; utilize such automation.
- Choose proven OSS with community support: This is more of a strategic tip. Frequently used open source projects typically have well-documented license information and established practices. An exotic project with a self-made license introduces more uncertainty. Therefore, it is preferable to use popular libraries with known licenses, which reduces the likelihood of encountering unexpected clauses. Moreover, popular projects generally aim for broad usability, tending towards permissive or at least LGPL licenses.
- Be careful when copy-pasting code: Many developers use Stack Overflow or GitHub-Gist for small code snippets. Note: Stack Overflow contributions are licensed under CC-BY-SA (Creative Commons Attribution-ShareAlike License). This is not a typical software license and can be problematic because it requires redistribution under the same conditions (similar to copyleft) and author attribution. Small code pieces from it—some argue this is de minimis (minor) and not protectable, but this should not be relied upon. Better practice: if you adopt something significant, ask the author or at least mention it in code comments. For GitHub Gists or projects without a license, All Rights Reserved applies by default. In other words, refrain from using it or request a license, because without explicit permission, you have no right of use! In short: do not mindlessly copy code from the internet simply because it's "there." Always clarify its license.
- Set a good example: If you publish your own code, whether a small plugin on GitHub or a contribution to a library, choose a clear license and include a LICENSE file. This contributes to the general culture where code is only available with a license. It also makes it easier for others to use your code in their projects if needed. Plugin developers on GitHub, in particular, should not forget to license their repository; otherwise, no one else would actually be permitted to use it.
- Use open source compliance tools: For larger projects or companies, it is beneficial to use tools such as FOSSID, Black Duck, FOSSA, ORT, etc. These tools scan code and generate license reports. They also identify code parts that might originate from OSS (via pattern matching), even if there is no explicit indication. This can reveal, for example, that a block of code was copied from GPL software years ago. While such tools are not 100% error-free, they are immensely helpful. There are also open source tools like the OSS Review Toolkit or simple scripts integrated with
npm,pip, ormavento list dependent libraries and their licenses. - Maintain a license blacklist/whitelist: Internally, define which licenses can be used without issues and which require permission or are prohibited. Example: "Whitelist: MIT, BSD, Apache, MPL, LGPL" (free to use); "Only after approval: GPLv2/v3, AGPL, EPL..." ; "Blacklist: no unknown licenses, no 'Commons Clause', no DIY licenses." This guides developers. Ensure these lists are up-to-date and provide reasons, so developers understand why, for instance, GPL is on the red list (due to its obligations).
- Seek legal advice in case of uncertainty: The subject matter can be complex, especially in special cases like combination issues, stricter licenses, or self-license changes. There is no shame in consulting an IT lawyer. Many law firms, particularly in IT and media law, have experience with open source. The costs are manageable compared to the potential damage caused by a mistake. Especially during company takeovers, large software rollouts, or when a dispute is imminent, engaging professionals is advisable.
- Stay informed: Licenses continuously evolve, new rulings emerge, and new types of licenses appear (e.g., MongoDB's Server-Side Public License, sometimes rejected as "too aggressive"). For a developer, occasionally reading blogs like Heise Developer, Kanzlei-News, or itmedialaw is sufficient to stay abreast of relevant developments.
These measures can significantly reduce risk. Many companies, from small startups to large corporations, have successfully implemented these practices. They use hundreds of open source components without encountering legal traps. It requires discipline and knowledge, but the benefits of using open source—cost savings, rapid development, avoiding reinvention of the wheel—justify the effort.
Conclusion
Open source is ubiquitous and essential in the IT industry, particularly in software development. For game developers, plugin developers, and software companies, the use of open source components offers immense opportunities, ranging from accelerated development to community-driven innovation. Simultaneously, the legal framework must not be overlooked.
From a copyright perspective, open source code remains protected intellectual property, and its use is subject to conditions. In IT law and media law, a distinct field of compliance has evolved around open source, now an integral part of professional practice.
The most important findings from a practical perspective are:
- License compatibility is paramount: Developers must ensure that the open source licenses used are compatible with each other and with the overall project's licensing model. Terms like GPL compatibility or the copyleft effect are not theoretical constructs; they can determine whether a product can be brought to market legally and securely. The GPL, especially as a strong copyleft, demands attention. Its "viral" effect can "infect" proprietary software. In contrast, permissive licenses typically allow problem-free integration. Awareness of license types is therefore essential.
- The legal consequences of infringements are manageable but serious: Those who disregard the rules risk injunctive relief, potentially leading to a ban on the distribution of their software. German courts have repeatedly affirmed the effectiveness of open source licenses, consistently treating infringements as copyright violations. Although high compensation payments are generally not a threat (as open source is free), claims for injunctive relief and information are sufficient to significantly jeopardize projects. License violations can also lead to contractual problems, reputational damage, and loss of distribution channels. Practical cases, from router firmware to university software and WordPress themes, clearly show that prevention is better than rectification after the fact.
- Copyleft and proprietary development can coexist—with planning: Copyleft licenses like the GPL do not preclude commercial use, but they necessitate an appropriate business model (e.g., service instead of license sales) or an architecture that maintains clear separations. For most classic proprietary products, avoiding copyleft components is advisable. If their use is indispensable, developers and decision-makers must carefully weigh the consequences. The "horror" of the GPL often stems from ignorance; understanding its exact scope (as highlighted by the Karlsruhe Higher Regional Court) enables informed decisions. If in doubt, more license-friendly alternatives are usually available for almost every library.
- Contracts and policies foster security within the team and with customers: Knowing license texts is insufficient; internal and contractual regulations for use are also necessary. A company in IT law should establish clear contractual agreements when developing or purchasing software. Integration clauses ensure clients are fully informed, and inspection obligations compel suppliers to exercise due diligence. Due diligence during takeovers prevents "hidden obligations" from being included in the purchase. These are now best practices. Startups and indie developers aiming for growth should cultivate this professionalism early on, as it enhances their products' value in the eyes of investors and partners.
- Acting in line with the target group: Developers of WordPress plugins typically understand that they cannot avoid GPL and adapt to it. Shopify app developers enjoy greater freedom but are solely responsible for ensuring license compliance. Every ecosystem has its own rules; understanding them allows for seamless operation. Crucially, legal aspects must be integrated into project planning. Just as performance or security is considered, license compliance should be on the checklist.
- Use open source as an advantage, not a risk: Ultimately, the impression should not remain that open source is a minefield. On the contrary, it is a powerful tool when used correctly. In terms of IT law, much is now clear and manageable. There are clearly defined licenses and proven procedures. Developers and companies adhering to these can safely and legally benefit from thousands of free components. Especially in software development, game development, and plugin development, open source can save time and money and foster innovation. This only requires accepting the responsibility that accompanies freedom: complying with license terms and making your own use transparent.
To conclude: open source and proprietary software are not contradictory as long as the boundaries are respected. With the knowledge provided in this article—from copyright basics to specific license obligations and contractual safeguards—developers and companies are well-equipped to use open source successfully and in compliance with the law in their projects. This way, the advantages of the open source world can be harnessed without unpleasant legal surprises. At the intersection of IT law and technology, open source remains an exciting field, but with the right preparation, it loses its fright and unfolds its full potential for the benefit of all involved.