An analysis of GPL’ed code in Thesis


There has come to be a huge debate regarding whether the Thesis WordPress theme can be premium licensed when the WordPress code itself is released under the GPL.  The GPL requires that any ‘derivative work’ must also be licensed under the GPL, so the raw question is whether or not Thesis is a derivative work.

First some disclaimers:

  • My blog is hosted on  I even pay them a little for some premium features.  But I otherwise have no affiliation with either WordPress or Thesis
  • I’m not a lawyer, I’m a developer.  My views here are my own and are based on TECHNICAL knowledge and experience with the GPL, not on the law (which astute observers will note often does not reflect real life)

So is Thesis a derivative work?  Wordpress and the Software Freedom Law Center think so.  But their claim is based on

“The template is loaded via the include() function. Its contents are combined with the WordPress code in memory to be processed by PHP along with (and completely indistinguishable from) the rest of WordPress. The PHP code consists largely of calls to WordPress functions and sparse, minimal logic to control which WordPress functions are accessed and how many times they will be called. They are derivative of WordPress because every part of them is determined by the content of the WordPress functions they call.”

This seems extremely far reaching.  My viewpoint is based on Why the GPL does not apply to premium wordpress themes.  The long and short is that SFLC’s opinion could be applied to any software that runs on Linux.  Meaning you could never have a closed-source software product running on the linux kernel (“Oh, your code calls fork()? GPL!”).  It is commonly accepted that simply integrating with an existing product does not produce a derivative work.  If your code is totally your own, the GPL has no say over how you license it.  This is actually an argument about fair-use far outside just the GPL and has been settled on many different topics including OEM car parts, Nintendo, iPod connectors and other questions of being allowed to build something that interoperates with someone else’s product.  Per the GPL itself a derivative work is: “a work containing the Program or a portion of it, either verbatim or with modifications” so you must copy actual lines of code from their source to be a derivative work. Simply calling WordPress functions doesn’t cut it.

The Question

The problem is then simply one of analysis: Does Thesis contain code from from WordPress?  I wrote a quick script to find out.  Here are the basics:

  • The script takes every line of WordPress source and puts it into an in-memory hash.
  • Every line is lower cased and has all whitespace removed to prevent missing matches from simple indentation or capitalization changes
  • This hash is then checked against every line in the Thesis source
  • It checks only PHP files (for simplicity…avoiding images and such)
  • It excludes lines less than 20 characters long: This could cause it to miss matches, but also helped to filter a lot of stuff like ‘<?php‘ lines
  • It will fail to find code lines that have been modified

So the short of it is that the script can easily detect wholesale copying, but can’t prove that code wasn’t copied and then modified.  However, I think it serves its purpose.  See the bottom of the post for the code (GPL’ed) and instructions on running it yourself.  The results are extensive because many small lines are similar, although many are insignificant.  For example:

-- Match from <wordpress/wp-admin/export.php>:27 to <thesis_17/lib/admin/options_manager.php>:14 --
if (isset($_GET['download'])) {

This is a line you would see in any PHP code where you need to check if the download parameter was in the GET request.  It shows up as a match, but is irrelevant.  In the end, some common sense and technical knowledge must be applied to know if the results are significant.

The Results

My conclusion is that Thesis does contain GPL licensed code from WordPress.  There were several examples that fit, so I’ve chosen the strongest one here that is sufficient to show that the code has been reused.  ONE OF the functions in question is:

wp_list_comments from wordpress/wp-includes/comment-template.php:1387
thesis_list_comments from thesis_17/lib/classes/comments.php:169

And you can see a comparison of the exact matching lines:

Not every line is sequential, but these two functions match pretty closely.  I feel comfortable that this section of code is very clearly in the GPL, and so I am posting a portion of it here:

WordPress/Thesis diff

A section from the start of the function in WP was removed.  But then the rest of it is nearly identical.  Where the lines do not match exactly, their differences are insignificant and clearly show that the original method was copied as a template.

So what does this mean?  I’d say it’s clear that Thesis uses GPL’ed code from WordPress and is therefore subject to the GPL as well. This makes the whole issue of whether “calling functions” or “running in memory with” requires the code to be subject to the GPL completely irrelevent.   Whether or not this means the ENTIRE Thesis codebase must be GPL’ed I can’t say.

The Code

The Perl script for doing this comparison is available at:  You must have a subdirectory with the WordPress source called ‘wordpress’ and a subdirectory with the Thesis source (which is not freely available, so you must have paid for it) in ‘thesis_17’.  I used the Thesis 1.7 source code and WordPress 3.0 (latest) for my analysis.


I don’t have any cruel feelings towards Chris Pearson and this isn’t about who is a jerk or any of the other flaming going on.  But as developers, it’s critical that you are very careful when using and re-selling code to follow the license agreements that we all adhere to.  Thesis clearly has a ways to go in this regard.

I encourage constructive comments, forking of my code, and additional analysis.  If you’re interested in how the GPL over-reaches in cases where there is no copied code, please read about What is a derivative work?

79 thoughts on “An analysis of GPL’ed code in Thesis”

  1. WordPress plugins are analogous to Linux drivers/modules, which have long been a licensing gray area. Applications making Linux system calls are analogous to using WP’s XML-RPC or APP interfaces. Such interactions usually aren’t considered derivative.

    1. Hi Ryan:

      I agree that such interactions aren’t derivative (see the beginning of my post). My argument is based on the fact that if you take GPL’ed linux driver code and then make your own driver code from it (copy & modification, just like Thesis has done), then that code IS derivative and must be GPL’ed.

  2. Wow. Great script Drew! It didn’t take you long to whip that up.

    Yet another point to help Chris realise that Thesis should be GPL! Thanks for taking the time to whip up the script!

  3. I’d like to take the common sense a step back from the code analysis and even back from simply interfacing with a system.

    Taking the action of analyzing the code makes (in my opinion) a huge assumption that a theme as a piece of software is somehow comparable to a CMS. If we claim that a theme for a system (be it an OS, CMS or any other software) is a derivative work of that system, then it is not a stretch to say that any software interfacing with any system for data display, storage, retrieval or manipulation within that system is thereby a derivative work of that system. That outlook seems entirely excessive to me.

    1. Hi Spencer: I VERY much agree that a theme in general is NOT a derivative work (see the beginning of my post). However, Thesis does have a LOT of PHP code that IS a derivative work. My argument is not based on the fact that it interfaces with WordPress (which I don’t believe makes something a derivative work), but instead on the fact that it has PHP code that was taken from GPL’ed WordPress code.

  4. That argument about linux gets me every time

    php is not compiled, where as c source code is. A binary can be compiled including libraries and headers for a specific environment but otherwise be completely self contained .. hence the reputation the c language has for being very portable.

    there are plenty of applications which run on both linux and bsd. Even some that ran on solaris with little or no modification. I can’t see how these would be considered derivative works.

    so, take a php script written for WordPress and try to include in another php content manager and see what happens. I bet you get all kinds of crazy function call errors.

    Its perfectly possible to use php to manage content without WordPress. There are after all tons of php blog platforms and content management systems. But … Thesis requires WordPress. It depends specifically on WordPress, not just php and mysql. It is driven by, and manipulates WordPress core functions.

    Lets not say that every application which runs on linux suddenly becomes a derivative work as a means of defending the current thesis license. Most of these applications really depend on a posix compliant kernel with certain libraries. Linux. just happens to fit the bill.

    Besides An application which requires QT cannot run if you only have GTK an neither of those things is linux.

  5. Many Linux kernel developers consider all modules to be derivative since they call into Kernel internals, whether they contain GPL code or not. WP plugins and LKMs both invoke this much debated legal gray area. Linux implemented a kernel tainting system whereby modules declare the license they use (search for MODULE_LICENSE for details). GPL incompatible modules mark the kernel as tainted. Many developers will not support tainted kernels.

  6. Oops, I used LKM without explanation. LKM = Linux Kernel Module, which is a different beast than a regular application. LKMs load directly into the running kernel and have direct access to kernel data structures and internal API. WP plugins are the same way. When comparing Linux and WP plugins/themes, LKMs are a more apt comparison than applications. The distinction between how an application interacts with the kernel and how an LKM interacts with the kernel is important to the licensing argument. Applications in Linux are like an XML-RPC client for WP. Neither are considered derivative. Plugins and themes are like LKMs, which are considered by many open source developers to be derivative.

  7. Thanks for sharing this technical analysis, I was looking through the Thesis code earlier however your method is probably a little more effective.

  8. Meaning you could never have a closed-source software product running on the linux kernel (“Oh, your code calls fork()? GPL!”)

    Actually, the GPL FAQ specifically clarifies this. Forked code is a separate work and the coder is free to license that however s/he wishes. And I don’t think this exactly touches on the definition of “derivative work”, either. Instead, I think themes in WordPress are a case of “combining programs“.

    The way that WordPress calls a theme, the WordPress framework is essentially “wrapped around” the theme code (WP conditionally pulls in template files from the theme via include()). AND, the theme code must make use of WP functions and complex data structures in order to function. Clearly this intermingling means there’s little chance of realistically claiming that the theme can stand on its own as a separate work, functioning without WP.

    I have suggested that it might be possible to create a theme structure which uses stand-alone template files, and a bunch of shim code in the theme’s index.php to isolate the code mingling. In such a case, it’s probably possible to license the HTML and some of the PHP code separately (and it might be possible to write additional shims to make the templates work with another CMS). But this theme would be so nonstandard that it might have trouble gaining traction with the WP community. But who knows?

    1. Hi Dougal,

      You’re correct that the FAQs make it clear that a dynamic plugin (such as a theme) should be GPL’ed based on its parent. I believe this is an area where the GPL would not stand up to legal scrutiny. Fair-use doctrine seems to overrule the GPL here. Much like you are allowed to make 3rd party iPod cables even though they are proprietary to Apple. You can create something totally your own that interoperates with another product regardless of what the original designer intended (or says you can do).

      In this particular case, it is a moot issue because it is not a question of being a plugin or how it integrates with WordPress. Since Thesis contains GPL’ed code, it must be GPL’ed as well.

  9. Bravo. After your disclaimer at the front, I was expecting the usual “programmer talks about law” tripe. I was pleasantly surprised. You correctly saw that SFLC’s analysis does not hold water, linked to an article that cites cases that show the SFLC is wrong, correctly stated what it actually means to be a derivative work, and then did an excellent analysis of the software in question.

    If you had scatter a few case citations in proper blue book format in the post, and left off the disclaimer, it would have been hard to guess that you aren’t a copyright lawyer.

  10. Since Thesis contains GPL’ed code, it must be GPL’ed as well.

    I find this naive and completely against the spirit of what the GPL should be trying to accomplish. You would be hard-pressed to find a significant piece of software that does not contain some copied code. It is simply the reality of development that we are efficient/lazy creatures. A bit of copied code to accomplish some mundane or routine task in comparison to the overall application should not define what an application is, nor forever mark it as “derivative” in this respect. Creation does not occur in a vacuum…

    But then again, I am no lawyer and that may be exactly what the GPL is trying to accomplish. It wouldn’t be the first time I found a license or law that I thought was completely at odds with reality.

  11. Yeah, I really have no idea whether a court would take into account the FAQs, or would narrow their vision down to only what is stated in the actual GPL license text. I suspect the latter, which probably would not be good for the “themes are GPL” argument. If this does get decided in court, and the “code mingling” concept doesn’t apply, I wonder if there will come a new version of the GPL license text which spells these sorts of things out more explicitly?

    But as you say, in this particular case, it appears that there was some clear incorporation of modified WP code into Thesis. Which kind of demolishes a lot of Chris Pearson’s defense. He could, of course, create a new theme, and be more careful about clean-rooming his code. But when push comes to shove, he’ll probably end up having to give in to GPL for the existing Thesis codebase.

  12. “you must copy actual lines of code from their source to be a derivative work”

    I call shenanigans. Paraphrasing in copyright law is plagiarism. Re-factoring code you saw in someone else’s program is copying. Duh.

    1. Hi Ken,
      You’re totally correct. My intent was not to say that your copy has to be EXACT. Refactoring the code would also subject you to the GPL. I simply wanted to say that writing your OWN ORIGINAL code that simply calls someone else’s API is not enough.

  13. More to the point though, if Chris own written code can’t be considered a separate program from the GPL code that was lifted directly or indirectly from WordPress or a GPL theme, then it must be considered GPL. And so the question is further refined.

  14. In practice, a court would probably use the Abstraction/Filtration/Comparison test. I am not sure that this would stand after filtering out the abstract concepts, the purely functional expression, and finally short words and phrases in what was left.

  15. Interesting post. I’m guessing it opens a can of worms for all commercial theme authors (or at least the ones that have aped the WordPress library functions)

  16. Great analysis, thank you. This saddens me, because through all the mud slinging and flaming I thought this issue was a good exercise to make developers more aware of licensing, and helping make those GPL gray areas a bit clearer. Unfortunately, this takes the argument in a whole different direction.

    1. Hi Nic,

      I’m with you…the debate on derivative works when writing plugins is a totally different one. It’s what everyone was arguing about to begin with when they thought Thesis did not share any code with WordPress.

      For my part, if Thesis did not have any WordPress code, I would be on the side of Thesis. I don’t think the fact that Thesis will not work without WordPress is relevant.

      For example: Able writes a class called “Foo” under the GPL. Baker writes a class called “Foo” as well that is closed source. If you write something that ‘extends Foo’, then your code will not work without ‘Foo’. However, that does not put your code under the GPL. It doesn’t matter whether you INTEDED it to work for Able’s code or Baker’s code. As long as your code is entirely your own, you and you alone hold the copyright and license to the code. No one can force you to release it under a different license.

      This is actually a fair-use question. It’s an area that’s been well established in law, for example by people that want to make car parts, iPod connectors, or anything that interoperates with someone else’s proprietary product. I think if anyone ever went to court against a theme or plugin that does not share any significant common code, then they would lose. But in the case of Thesis, they are clearly in the wrong.

  17. Drew, first of all thanks for your post. Imagine you and 10 peers learn to program PHP together from “awesome programmer X”. All 10 graduate and go separate ways, and 4 of you build something with PHP under GPL. Other 6 guys like what you did and build something completely original, and it has a different license. All 10 of you code very similarly, so the 4 guys claim GPL applies. Is that fair?
    So theoretically, any code that was used to teach me forces me to use a GPL? This is very hypothetical, and I understand the wanted end result, but the way we are getting there is wrong. I personally feel there is more to this than the GPL, and feel the mud slinging does not help. There is a smear campaign taking place, while some of us are trying to actually see the truth. If the code is actually a “derivative”, highlight it, and send a cease and desist letter. Is not that difficult, and it will save Matt a lot of bad publicity. Right now all I see is a playground bully rallying against the one guy that stood up to him. Get your “Lawyers” to find the violation and send a cease and desist letter, very simple. The more I read Matt’s comments, and see Chris retaliate, the more I wonder who is really breaking the law. The supposed violator of the GPL, or the guy on a smear campaign possibly guilty of libel.

    PS WordPress is awesome. Please don’t make me hate it. I plan on getting Thesis regardless, unless someone can point me to a theme that is superior in ease of use, and functionality to thesis.

  18. I’d be very curious what about a comparison of the Thesis code to the code for various other themes and frameworks (which are all GPL). I’d be surprised if there weren’t a lot of non-trivial copying.

    Which is the WHOLE POINT of the GPL. This kind of code re-use is useful and often necessary. Simple point. So sad that it has to be driven home with graphic hypocrisy.

  19. Drew,

    Thanks for the post, and explanations. I know just enough PHP to be a danger to my blog, so sorting this out on my own would have been impossible. Looking for your opinions here.

    As mentioned in a trackback, a former DIYThemes employee admits he copied the code. It would be up to a court to decide whether there is ample evidence Chris knew code had been copied. State laws may ultimately determine whether Chris will be held accountable for the actions of an employee. (Who knows if he was disgruntled at the time he copied the code.)

    1. Let’s assume Chris did not know, had no reason to suspect it, and had no reason to write a script like yours. Are the functions in question so big a deal that Chris should have said, “Gee, I’ve seen this someplace before”?

    2. Does the employee’s admission change your opinion about whether Chris should be forced to make his code GPL if he removes the code in question?

  20. Thanks for the article here. When I started reading all the tweets about Thesis on Twitter, I got the impression that using it exposed a security flaw in WordPress. Later, I finally saw that all the love for Matt and hatred for Thesis was due to the GPL.

    My totally uninformed opinion is: IT’S A FRACKEN THEME FOR CRYING OUT LOUD!!!

    It’s not like Thesis is a fork of WordPress and could be run without installing WordPress first. You need WP in order to use Thesis!

    I can fully understand why the Thesis developers want to keep their source secure. They don’t want other developers to make small changes and sell their version in competition with Thesis. I know I would want that protection if I were selling a theme.

    Anyway, thanks for taking an objective point of view instead of blindly following Matt like most of the WP users seem to be doing.

  21. @drewbias: First off, GREAT job. I love how level-headed your analysis is.

    @dougal: You touched on my two thoughts as I was reading this. First was, I see the points about how maybe GPL does not apply to themes (that’s not the outcome I want, but I can see how the legal argument may be sound.) Given that, I wonder if it would be possible to craft a new license, maybe it would be GPL-WP that would explicitly require themes and plugins to be licensed the same way? I wonder if it’s possible for that to be unambiguously sound from a legal perspective?

    Thought #2 was “Would it be possible for Chris to remove the WP code and get back to the state where there would be no copied code?” or is it a case of “once infected” it can’t every be truly clear without a clean-room rewrite? This is really a question for an actual IP lawyer.

    @MamaCardinal Your point about whether Chris knew about the copying or not has no bearing on his need to take the code GPL, only whether he could be forced to pay punitive damages[1] vs. just being required to GPL Thesis.


  22. Good work.

    I totally agree – I don’t think the GPL applies unless actual code is used and, in this case, it is.

    As for the fact that other systems copy code – it doesn’t make it right and, indeed, if caught they are often trawled through the courts as a result.

    Thesis is generating money from being a theme that integrates into, and includes code from, WordPress. The conditions of that is that it should be GPL – why is it so hard to follow this?

  23. I saw this just now and I wanted to provide another point of view. Does an document have the same license as software? I don’t think so.

    My point of view about WordPress, Drupal or any CMS is that it is more like C. GCC is GPL’ed, but it’s just an interpretation of a standard to create documents (in this case, applications); the same way, WordPress may be GPL’ed, but something using the WordPress engine to render is not a feature but an use for WordPress templating feature.

Leave a Reply to Ryan Boren Cancel reply

Your email address will not be published. Required fields are marked *