A license to trust: Can you rely on 'open source' companies?

Opinion Company after company has had their start in open source software, and then gone on to dump their open source licenses once they've achieved a measure of success. It's time to stop it.

With a handful of exceptions, everyone uses open source to build their programs. It simply works better. In the last few years, though, one business after another has launched its releases on the backs of open source developers and then dumped their open source license in favor of a semi-proprietary one. It's not fair, and it's not right.

These companies have included Confluent, MongoDB, Elastic, Redis Labs, and most recently HashiCorp. They all have pretty much the same story, the big bad cloud companies come along and deliver their software as a service at scale, and they can't afford to compete. 

I'd feel more sorry for them if it wasn't for the fact that they were wildly successful by most business standards. For example, in its last quarter, HashiCorp reported current non-Generally Accepted Accounting Principles (GAAP) remaining performance obligations of $394.6 million with 29 percent year-over-year growth. On August 11th, after HashiCorp announced its license change from Mozilla Public License (MPL) to the Business Source License (BSL), the company had a market cap of $5.61 billion.

Neither was Elastic unable to compete. When Elastic turned its back on open source, the company was worth almost $14 billion. In 2018, MongoDB dropped the GNU Affero General Public License (AGPL) for its own Server Side Public License (SSPL) and reported a relatively small subscription revenue of $103.8 million, albeit an increase of 56 percent year-over-year, and services revenue of $5.6 million, an increase of 8 percent year-over-year. 

They're not hurting. None of these companies were in financial hot water.

No, the bottom line was that their owners and the venture capital firms behind them wanted more money – a lot more money. In particular, VC firms are in the unicorn-hunting business. You might be happy with hundreds of millions, they want billions, thank you very much. 

Other open source developers and companies are unhappy with this trend. Joe Duffy, CEO and founder of Pulumi, a rival open source, Infrastructure as a Service (IaaS) company, pronounced HashiCorp's announcement as "disingenuous. We tried many times to contribute upstream fixes to Terraform providers, but HashiCorp would never accept them. So we've had to maintain forks. They lost their OSS DNA a long time ago, and this move just puts the final nail in the coffin," he opined on the forum. 

Amanda Brock, OpenUK's CEO, which doesn't have a horse in the IaaS race, appeared disappointed with the company's move. "HashiCorp has always been a true open source company, and what Mitchell Hashimoto and Armon Dadgar achieved from a project never intended to be commercialized has been incredible."

Brock then asks, "Taking it to an IPO and seeing Mitchell have the apparent wisdom to step aside and allow a more experienced individual to run HashiCorp – but has that also led to its downfall as an open source company?" Her answer is yes.

"The statements about BSL are sadly open-washing. It would be wrong to suggest these two ever intended a bait and switch, but they have indeed switched away from open source. The pressure of enabling their competitors with their innovations – an inevitability of open source – did not align with the need to generate shareholder value."

That led her to another, bigger question: How much money is enough? Is a lot of money with others generating a lot of money, too, a reason to stop?" She's left "wondering whether had Mitchell remained CEO, this would have occurred?"

Directing his attention to HashiCorp's business model, Dotan Horovits, principal developer advocate for cloud-native, open source security Logz.io, said: "Companies fail to understand that open source is not a business model. As a result, we see this 'rights ratchet' model, pulled off as a defensive move against competitors, instead of building a sustainable business model. Unfortunately, this means that vendor-owned open source is becoming a business risk to users. relicensing is one-way open source that can 'turn to the dark side.'" 

The dark side? Yes. Let's say, for example, you're an open source developer, who's not a stock owner in one of these companies. You may no longer be able to use your code. All too many projects have a CAA (Copyright Assignment Agreement), which gives copyright ownership to an organization, and/or  Contributor License Agreement (CLA), which gives the organization a  non-exclusive, perpetual license. Many of these also give the controlling entity the right to change the code's license.

Now, there's nothing wrong with a CLA – CAAs are much dodgier – but you're giving control of how other people can use your code in someone else's hands. For example, the reason we don't have an OpenSolaris today, even though Sun open sourced the code, was it used a CAA. When Oracle took over, they controlled all the copyrights and closed the code. That was it for OpenSolaris, although there is a fork, illumos, and related distros such as OpenIndiana

• Add 'writing malware' to the list of things generative AI is not very good at doing
• 30 years on, Debian is at the heart of the world's most successful Linux distros
• Maker of Chrome extension with 300,000+ users tells of constant pressure to sell out
• Google opens up Chrome 117 Developer Tools box, drops in a few spanners

That's not what open source is all about. Open source, at its heart, is sharing with other people. These companies and licenses are all about control and profit. 

There's nothing wrong with making money. But, I've gotten really tired of projects that use open source for their start and then turn their backs on the philosophy that made them their first hundreds of millions. At the very least, they need to stop pretending they're open source once they've moved to a "Look but don't touch" or "Look but don't profit from it" license. ®