GPL Infection

I loved a game called ICO.

A PS2 masterpiece. You hold a girl's hand and flee through a fog-draped castle. Almost no dialogue, almost no HUD. The silence and negative space were beautiful. But ICO was recalled over a GPL violation. A compression library called libarc was GPL-licensed, and its code shipped inside the game. No source disclosure, no license notice. Sony chose to halt sales rather than release the source. The PS3 HD remaster fixed the issue, so you can still play it.

What is the GPL? In short: "If you use this code, you must open-source yours too." It is called copyleft. A mechanism designed to protect free software, but a headache for commercial products. Embed even a single line of GPL code and the entire project falls under GPL terms. That is why people call it infection.

Open-source licenses split into two families. Copyleft and permissive. GPL belongs to the first. MIT, BSD, and Apache 2.0 belong to the second. Permissive licenses say "use it however you like, just keep the copyright notice." The barrier to commercial use is low. That is why the most popular libraries on npm and GitHub tend to be MIT-licensed.

LGPL sits in the middle. If you only link to the library, your calling code stays closed. That is why ffmpeg is LGPL. But statically link a GPL component like x264, and the whole binary falls under GPL.

Many developers run npm install without checking licenses. Have you ever verified that no GPL package lurks inside your node_modules? Trace a dependency's dependency's dependency and you might find GPL hiding somewhere. A day may come, as it did for ICO, when ignorance is no defense.
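The check that paragraph asks about, as an added example (not code from the original post): a Node.js script that walks every nested `node_modules` directory and reports packages whose `package.json` declares a GPL, AGPL or LGPL license, or none at all. The package names in the sample tree are constructed, and flagging any GPL token in a license expression is an assumed policy.

```javascript
const fs = require("fs"), os = require("os"), path = require("path");

// package.json may carry "license": "MIT", a legacy {type} object, or a "licenses" array.
function licenseOf(pkg) {
  const raw = [].concat(pkg.license || pkg.licenses || "UNKNOWN");
  return raw.map((l) => (typeof l === "string" ? l : l.type || "UNKNOWN")).join(" OR ");
}

// Conservative (assumed policy): any GPL/AGPL token flags the package, even in "(MIT OR GPL-2.0)".
function classify(license) {
  if (/\bA?GPL/i.test(license)) return "copyleft";
  if (/\bLGPL/i.test(license)) return "weak-copyleft";
  return license === "UNKNOWN" ? "unknown" : "other";
}

// Walk node_modules recursively; "chain" is the on-disk nesting, not npm's resolved graph.
function scan(nodeModules, trail = []) {
  const findings = [];
  for (const entry of fs.existsSync(nodeModules) ? fs.readdirSync(nodeModules).sort() : []) {
    if (entry.startsWith(".")) continue; // .bin, .package-lock.json
    const names = !entry.startsWith("@") ? [entry] // scoped packages live one level deeper
      : fs.readdirSync(path.join(nodeModules, entry)).sort().map((n) => `${entry}/${n}`);
    for (const name of names) {
      const manifest = path.join(nodeModules, name, "package.json");
      if (!fs.existsSync(manifest)) continue;
      const license = licenseOf(JSON.parse(fs.readFileSync(manifest, "utf8")));
      const kind = classify(license);
      if (kind !== "other") findings.push({ chain: [...trail, name].join(" > "), license, kind });
      findings.push(...scan(path.join(nodeModules, name, "node_modules"), [...trail, name]));
    }
  }
  return findings;
}

// Constructed sample tree (hypothetical package names) so the scan runs offline.
function buildSampleTree() {
  const root = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "lic-")), "node_modules");
  const put = (rel, pkg) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, "package.json"), JSON.stringify(pkg));
  };
  put("web-kit", { license: "MIT" });
  put("web-kit/node_modules/img-tool", { license: "LGPL-2.1" });
  put("web-kit/node_modules/img-tool/node_modules/@acme/packer", { licenses: [{ type: "GPL-3.0-only" }] });
  put("old-util", {});
  return root;
}

console.table(scan(buildSampleTree()));
```

To audit a real project, call `scan` with the path to its `node_modules` directory; a declared license in `package.json` is only a starting point and does not cover code vendored without a manifest.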

That beautiful game vanished from shelves because part of its code was too free.