Hi, I'm a researcher doing binary analysis work and I was running some SCA experiments on open-source AI avatar projects. This repo came up in my dataset and I found a licensing conflict worth raising.
The project ships under a custom "DUIX.COM Community License," but the repo bundles pre-built FFmpeg binaries that are GPL-licensed:
resources/ffmpeg/linux-amd64/ffmpeg — statically linked ELF, about 77MB
resources/ffmpeg/linux-amd64/ffprobe
There's even a GPLv3.txt sitting right next to them, which confirms the build is GPL.
The config string embedded in the binary makes it explicit:
--enable-gpl --enable-version3 --enable-static --enable-libx264 --enable-libx265 --enable-libxvid
For reference, signature matching on the FFmpeg binary came back with 17 OSS components.
A few highlights:
| Component | License | Matched Signatures |
|-----------|---------|--------------------|
| FFmpeg | GPL (as built) | 8,748 |
| libxml2 | MIT | 757 |
| SRT | MPL-2.0 | 487 |
| freetype | FTL/GPL | 285 |
| libpng | Libpng | 327 |
The issue is that GPL-3.0 requires the entire combined work to be distributed under GPL-3.0 as well.
The custom DUIX license — which restricts commercial use and requires attribution — isn't GPL-compatible, so these two licenses are in direct conflict.
Anyone using this project under the DUIX terms is also implicitly bound by GPL-3.0 for the FFmpeg portions, probably without realizing it.
A few ways to resolve it:
- Rebuild FFmpeg without --enable-gpl (LGPL-only build) so there's no GPL obligation
- Relicense the whole project under GPL-3.0
- Drop the bundled static binary and dynamically link FFmpeg instead
Happy to share more from the analysis if it's useful.
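An added example, not part of the issue author's analysis or of the project's own code, of the check described above: scanning a binary for the embedded FFmpeg configure string, pulling out the `--enable-*`/`--disable-*` flags, and deriving the effective license the same way FFmpeg's own LICENSE rules do (LGPL by default, `--enable-version3` bumps to v3, `--enable-gpl` makes the build GPL, `--enable-nonfree` makes it unredistributable). The `SAMPLE_BINARY` bytes are constructed to stand in for the real 77 MB ELF, and `GPL_ONLY_LIBS` is a partial list of external libraries FFmpeg's configure only permits with `--enable-gpl`, assumed here rather than taken from the page.

```python
import re
from typing import List

# Constructed stand-in for a binary: an ELF-looking header, some padding,
# the configure string quoted in the issue, then trailing junk bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"--enable-gpl --enable-version3 --enable-static --enable-libx264 "
      b"--enable-libx265 --enable-libxvid\x00"
    + b"\xff" * 8
)

# Partial list (assumption, from FFmpeg's configure conventions) of external
# libraries that configure refuses to enable unless --enable-gpl is also set.
GPL_ONLY_LIBS = {"libx264", "libx265", "libxvid", "libvidstab"}

# Mimic `strings`: runs of at least 8 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
FLAG_RE = re.compile(rb"--(?:enable|disable)-[A-Za-z0-9_]+")


def extract_configure_flags(blob: bytes) -> List[str]:
    """Return every FFmpeg-style configure flag found in the blob, in order."""
    flags: List[str] = []
    for run in PRINTABLE_RUN.finditer(blob):
        for m in FLAG_RE.finditer(run.group(0)):
            flags.append(m.group(0).decode("ascii"))
    return flags


def effective_license(flags: List[str]) -> str:
    """Derive the license of the build from its configure flags.

    Follows FFmpeg's documented rules: LGPL 2.1+ by default, version3 flag
    raises to v3, gpl flag switches to GPL, nonfree is not redistributable.
    """
    enabled = set(flags)
    if "--enable-nonfree" in enabled:
        return "nonfree (not redistributable)"
    v3 = "--enable-version3" in enabled
    if "--enable-gpl" in enabled:
        return "GPL-3.0-or-later" if v3 else "GPL-2.0-or-later"
    return "LGPL-3.0-or-later" if v3 else "LGPL-2.1-or-later"


def gpl_only_libs(flags: List[str]) -> List[str]:
    """List enabled external libraries that force the build to be GPL."""
    found: List[str] = []
    for f in flags:
        if f.startswith("--enable-"):
            lib = f[len("--enable-"):]
            if lib in GPL_ONLY_LIBS:
                found.append(lib)
    return found


def scan_file(path: str) -> dict:
    """Run the same check over a real binary on disk."""
    with open(path, "rb") as fh:
        flags = extract_configure_flags(fh.read())
    return {
        "flags": flags,
        "license": effective_license(flags),
        "gpl_only_libs": gpl_only_libs(flags),
    }


if __name__ == "__main__":
    flags = extract_configure_flags(SAMPLE_BINARY)
    print("flags:", " ".join(flags))
    print("effective license:", effective_license(flags))
    print("GPL-only libs:", gpl_only_libs(flags))
```

Running `scan_file("resources/ffmpeg/linux-amd64/ffmpeg")` against the bundled binary would give the same verdict as the issue above if its configure string matches the one quoted; a result of `LGPL-*` with an empty `gpl_only_libs` list is what a rebuilt LGPL-only binary should produce.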