GLOSSARY

What is distribution?

A plain definition for the people who carry the risk. This glossary entry explains what distribution means in open source licensing, why it is the trigger for so many obligations, how the GNU AGPL extends it to hosted services, and where the enterprise exposure sits.

Distribution is the act of conveying software to another party. Shipping a product, sharing a binary, posting a download, or delivering a container image to a customer are all forms of distribution. The term matters because distribution is the trigger for many open source obligations. A copyleft license does not ask you to publish your source while you develop in private. It asks when you distribute. Understanding where that line falls is the difference between an obligation that sleeps and one that is live.

Why distribution is the trigger

Open source licenses grant rights in exchange for conditions, and most conditions attach at the moment the software changes hands. The GNU GPL requires that when you distribute a derivative work, the people who receive it get the same freedoms, including access to the corresponding source. If you never convey the software outside your organization, that reciprocity condition generally never activates. This is why internal use of copyleft software is usually low risk, and why distribution is the single concept that decides whether an obligation applies. The mechanics of that obligation are set out in the entry on what copyleft means.

Internal use versus distribution

Running open source software on your own servers, for your own teams, generally does not count as distribution. You have not conveyed the software to a third party. This is the reason a component can sit safely inside an organization for years and then create exposure the day it is built into a shipped product. The same code, the same license, but a different action. For an enterprise, knowing which components are confined to internal use and which travel into delivered products is the practical heart of distribution risk.

The service gap and the AGPL

For years, offering software as a service sidestepped distribution entirely. A provider could run GPL software behind a web interface, never hand a binary to anyone, and never owe the source. The GNU AGPL was written to close this so called service gap. It treats offering the software over a network as a distribution like event, which means a hosted service can carry the same source disclosure obligation as a shipped product. For a software as a service business, an AGPL dependency turns the network itself into the point of distribution, and the difference from plain GPL is set out in the entry on what the GNU AGPL means.

Why distribution matters for enterprise risk

Distribution is where dormant obligations wake up, so it is central to open source license risk. A clear record of which components are internal only and which are conveyed in products or hosted services tells you where the live obligations sit. Map that profile, decide in advance how copyleft and source available components are handled at release, and the exposure stays bounded. Browse the full open source license risk glossary for related terms.

COMMON QUESTIONS

Questions buyers ask.

CONTAINMENT

Know which components you distribute and what they oblige.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.