Open SNAFU

The discussion surrounding HashiCorp’s Terraform, their license change, and the open source fork–OpenTofu–seems to be the latest in the tug-of-war between software-as-a-service (SaaS; for example, Amazon Web Services) and software vendors that support open source software.

I tend to view Amazon’s open source products as predatory: using other people’s work to put them out of business. That puts money in Amazon’s pocket while sacrificing the long-term viability of those open source projects.

Reading the Hacker News comments from the CockroachDB license change, there seem to be two other basic arguments. Open source software should remain pure to maintain its legal status. And venture capital investment in software vendors is motivating these money grabs in the form of license changes.

I don’t have any relevant experience. And I wonder what other problems there are with SaaS and these open source licensing changes.

2 Likes

Thanks for posting this, Mike! I’ve been reading up on this topic a lot in the past few days. I thought the research would end up being pointless, but I have an opportunity to talk about it now. So forgive the length, which is gratuitous even for me…

To talk about this with a greater perspective, we need to talk about ElasticSearch and MongoDB. We also need to talk about the Open-Core business model.

MongoDB, ElasticSearch, Terraform, and now CockroachDB have all relicensed their open source programs under source-available licenses. They were also formerly stewarded by companies that made money using the “Open-Core” model.

The Open-Core model is ugly and complicated, in my opinion. It involves drawing an artificial boundary between the parts of your program you think people should have for no cost, and the parts you think they should pay for. It mixes two different issues—paying for software, and being able to use, modify, redistribute and commercially exploit the software. With Open-Core, the parts you think should be paid are the parts your users also can’t modify.

Typically, this results in a “community version” and an “enterprise version”.

You can absolutely make money with it, but if the only way you make money is by selling proprietary software, you are not running a FOSS business. And because you have an incentive to keep the proprietary version more useful than the Open-Core version, annoying members of your community seems inevitable.

Amazon is a ruthless company, and “using other people’s work to put them out of business” is Tuesday for them. I still think they did right by the community when they forked OpenSearch. The key issue here is that Elastic doesn’t own ElasticSearch either.

But instead of hearing it from me, a nobody who has released a few tiny, poorly-written Python programs under a free license, I’ll quote Drew DeVault, prolific free software contributor and maintainer:

Elasticsearch does not belong to Elastic

Elasticsearch belongs to its 1,573 contributors, who retain their copyright, and granted Elastic a license to distribute their work without restriction. This is the loophole which Elastic exploited when they decided that Elasticsearch would no longer be open source, a loophole that they introduced with this very intention from the start. When you read their announcement, don’t be gaslit by their deceptive language: Elastic is no longer open source, and this is a move against open source. It is not “doubling down on open”. Elastic has spit in the face of every single one of 1,573 contributors, and everyone who gave Elastic their trust, loyalty, and patronage. This is an Oracle-level move.

Elastic was not having their lunch eaten by Amazon. They cleared half a billion dollars last year. Don’t gaslight us. Don’t call your product “free & open”, deliberately misleading users by aping the language of the common phrase “free & open source”. You did this to get even more money, you did it to establish a monopoly over Elasticsearch, and you did it in spite of the trust your community gave you.

I hope everyone reading will remember this as yet another lesson in the art of never signing a CLA. Open source is a community endeavour. It’s a commitment to enter your work into the commons, and to allow the community to collectively benefit from it — even financially. Many people built careers and businesses out of Elasticsearch, independently of Elastic, and were entitled to do so under the social contract of open source. Including Amazon.

You don’t own it. Everyone owns it. This is why open source is valuable.

(Reproduced under the terms of CC-BY SA)

Drew DeVault isn’t just a free software contributor. He also runs Sourcehut, a free software business. He really believes these things, and he wants to make money with free software, not proprietary software.

I would also like to link to Open source means surrendering your monopoly over commercial exploitation.

One more note to add is that MongoDB and ElasticSearch use the Server-Side Public License (SSPL), not the Business Source License. The SSPL differs in that it “requires that anyone who offers the functionality of SSPL-licensed software to third-parties as a service must release the entirety of their source code, including all software, APIs, and other software that would be required for a user to run an instance of the service themselves, under the SSPL.”

The OSI rejected the SSPL as it discriminates against the way you can use the program. They published two blog posts about the license—when MongoDB created the license, and when Elastic switched to it. The GNU Project and FSF have not published an opinion on the SSPL.

However, MongoDB was subsequently dropped from many Linux distributions’ repositories, such as Fedora, Debian, … and Arch Linux. Arch doesn’t discriminate based on proprietary or open source licenses; they’ll just redistribute it if they’re allowed to do so and someone can maintain it. The SSPL makes that very complicated.

See this thread: [arch-dev-public] Mongodb and SSPL

Particularly, this mail: [arch-dev-public] Mongodb and SSPL

I feel I should point out here that there’s uncertainty on part of both
[debian-legal participants][1] and [Debian FTP masters][2] as to
whether the distribution of binaries falls under the service
restrictions. If it does, this would mean all software on the mirrors
would need to be SSPL-compatible (in particular, non-GPL), which
would prohibit us.

Note that the service restrictions (which are different from
distribution restrictions) are applicable to both modified and
unmodified versions; in fact, the original authors [declare][4] this to
be among the design goals of the SSPL.

Even if you run everything with FOSS software, under the really aggressive GPL license, that isn’t enough to satisfy the SSPL. You need to be using software licensed under the SSPL. Effectively, they have designed it so no one can distribute MongoDB commercially or even non-commercially like in the case of a Linux distribution.

The AUR version of MongoDB apparently requires 160GB of disk space and takes several hours to compile yourself.

Alright, sorry, that’s everything! Keep in mind that I’m an outsider. I don’t use any of these programs except MongoDB. This is just what I’ve learned from my own research. I think I need to write more free software before I can have an informed opinion on all this.

2 Likes

I think the relevant opinion from the Free Software Foundation relates to the GNU Affero General Public License.

Thus, our solution to the problem of SaaSS is simple: refuse to use services that are SaaSS.

2 Likes

I thought this article was a good recap of the issue. And it adds more voices to both sides of the argument.

2 Likes

My opinion hasn’t changed much, but I’ll make clear a few things I didn’t last year:

  • I think you should be able to make money from open source software. There is absolutely nothing wrong with that. I pay for the open source software I use a lot.
  • I think everyone should be able to make money from any open source software. As Drew DeVault says, “Open source means surrendering your monopoly over commercial exploitation.” It’s a feature, not a bug.
  • Open Core is a better model than having your software all source-available but restricted in usage, assuming you can maintain that model.
  • Yeah, making money from open source is hard. But I’m glad the server market is a place where companies feel compelled to make their software open source to compete. If you want to push a proprietary product like cPanel, it needs to be really good. So ultimately we all get better software, one way or the other.
  • We’re going to see more companies switching to non open source licenses and that’s concerning in more ways than one. It remains to be seen if the BSL/SSPL works out. The Linux Foundation is large enough to develop a lot of projects, but they’ll hit capacity eventually, unless member companies up their donations. And wouldn’t that be the greatest irony…?

In light of that:

DataCebo changed its license because “we saw a lot of people are using it to compete” with the startup, using the tech to spin up products in direct competition, said Veeramachaneni, who also runs the Data to AI lab at MIT.

This is open source software working as designed, and if you didn’t see it happening, well…

Companies built on open source face tough choices when they don’t think through their commercial offerings from the outset, he said: “I think some projects have been a little bit more, ‘I’m all open source. And then I will figure out the monetization strategy later on.’ And then this switch is needed.”

And on the subject of open source creating competition:

Open source still holds advantages for businesses seeking product adoption, Crilly said. “I think we’ll continue to see businesses use leverage open source, there’s no better way of reaching developers. So if that’s your market, you have to do it.”

2 Likes