The open-source community disagrees on how “free” open source licenses should be used. Open-source vendors are frustrated because some open source license terms are keeping them from profiting, while developers are frustrated because their software is being used by unethical people with dishonest intentions.
Developers and vendors are now dealing with a host of new “open source” licenses that are considered open-source in name only. Any license the community comes up with can be called “open source,” as long as they don’t claim their license is “OSI approved.”
The Open Source Initiative, or OSI, is the organization that determines the “open source definition“. They provide a list of ten rules that specify what a software license needs in order to qualify as open source. The OSI must provide the organization’s stamp of approval for a license to be accepted as open-source.
Problems arise when non-standard open-source licenses advertise that they are “based on” well-known OSI-approved licenses, which can lead to the assumption by developers that they use the same rules.
Developers have gotten used to assuming that if they copy and paste an open-source repository, from NPM for JavaScript packages, or PyPI for Python packages, they have the OSI or FSF permission to use, modify and redistribute the code. These assumptions can be costly mistakes because these “almost” open, licenses are showing up in a lot of these same repositories.
MongoDB’s Server-Side Public License
The well-known fight with open-source licenses began in October of 2018 when MongoDB, changed its license from the AGPLv3 license to something Mongo calls the Server Side Public License (SSPL). They were attempting to address an issue the company was experiencing with cloud providers that were using MongoDB code as their backbone to hosted SaaS versions of the database without sending money or contributions to Mongo.
“The market is increasingly consuming software as a service, creating an incredible opportunity to foster a new wave of great open-source server-side software,” said Eliot Horowitz, MongoDB’s co-founder and then-CTO, at the time. “Unfortunately, once an open-source project becomes interesting, it is too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community. We have greatly contributed to and benefited from open-source, and we are in a unique position to lead on an issue impacting many organizations. We hope this will help inspire more projects and protect open-source innovation.”
The terms of the SSPL are unchanged from the AGPLv3, and only affect SaaS companies who must purchase a commercial license or open-source all of the software they’re using to support Mongo as a Service. These requirements are not permitted by the Open Source Definition, which states, “The license must not place restrictions on other software that is distributed along with the licensed software. The license must not insist that all other programs distributed on the same medium must be open-source software.”
MongoDB made several modifications in an attempt to get OSI to approve its license, but eventually withdrew SSPL from the approval process when it became apparent the license wouldn’t be approved. MongoDB continues to use the SSPL to license its database.
Cockroach Labs’ Business Source License
In June of 2019, Cockroach Labs, changed the license on its flagship product, CockroachDB, from Apache License version 2 to the Business Source License (BSL). The company isn’t stating that its license qualifies as open-source but refers to it as a “source available” license.
The change doesn’t affect users unless they use it for a commercial SaaS offering, the same as the MongoDB license.
“CockroachDB users can scale CockroachDB to any number of nodes,” the company said in a statement. “They can use CockroachDB or embed it in their applications (whether they ship those applications to customers or run them as a service). They can even run it as a service internally. The one and only thing that you cannot do is offer a commercial version of CockroachDB as a service without buying a license.”
This issue speaks to the ever-evolving software licensing environment that companies are forced to deal with.
Ethical Software Licenses
Coraline Ada Ehmke, the creator of Contributor Covenant, which is the code of conduct used by Linux, as well as other organizations came up with the Hippocratic License, a modified MIT license that attempts to ensure that software is only used for ethical purposes.
“Politics and software are so tangled that they cannot be reasonably separated,” Ehmke wrote on the license’s website. “Consider the GPS software that tells you how to get to a restaurant; it’s also used to direct military drones to their targets. The facial recognition software that unlocks your phone? It’s being used to record, track, and target the activities of political dissenters.”
The license attempts to address these issues by disallowing the use of software covered by the license to violate human rights principles as determined by the United Nations or human rights laws in any jurisdiction.
This intent contradicts the OSI’s open-source definition: “The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.”
The main problem with ethical open-source licenses is that they are vague, which leads to several challenges down the line. As an example, the JSLint license, which is the MIT license but modified with the single line, “The Software shall be used for Good, not Evil.” It’s a question of not who, but how many will take advantage of that vagueness.
Ehmke has said that she intends to eventually submit the Hippocratic License to OSI for approval, OSI’s president Joshua Simmons says that hasn’t happened. He also stated that if it is eventually submitted, approval would be unlikely.
“My personal view is that it won’t pass muster,” Simmons said. “Discussion of the license and others like it have identified a number of issues that would need to be addressed, and I suspect that some of those issues can’t be addressed without fundamentally changing the license.”