Dark Side of Open Source: The Community Strikes Back | Horovits

Dark Side of Open Source: The Community Strikes Back

Dotan Horovits (@horovits)
9 min read · Jan 1, 2025


What a year it was for open source. We continued seeing open source tools turning to the dark side this year. We had projects relicensing off open source, most notably Redis. We also saw the nasty bickering in the WordPress community that dragged into court.

But 2024 was the year we saw the community strike back, more fiercely than ever, with successful forks, joining forces with foundations and more.

Before we jump into 2025, let’s look back at 2024, the year the community said out loud: Fork it!

A great disturbance in the Force

A couple of years ago, when I gave a talk at Open Source Summit about open source turning to the dark side, people giggled, saying I’m being overly dramatic. This year it took center stage in the keynote of Open Source Summit 2024.

This comes after the turbulent 2023 that saw open source champion HashiCorp taking Terraform off open source, along with other prominent open source projects. FOSS was in flux, and it carried on into 2024.

Redis turns to the dark side

Probably the highest-profile case this year was Redis being taken off open source. The popular key-value store database was originally licensed under the permissive BSD-3-Clause License, and enjoyed widespread adoption and an active community.

However, in March 2024, Redis Labs (now Redis Ltd.) announced moving Redis to a non-open source license, following the trend of “source-available” fauxpen source licenses.

This followed an earlier move back in 2019, when it introduced a non-open source add-on “modules” model, and much of the innovation has since gone into these modules.

They even, oh-so-symbolically, dropped the mythological community-contributed logo, in favor of a corp-style logo.

The community strikes back: Valkey emerges

The community’s response to Redis’ relicensing was swift and decisive. Within days, the community was determined to keep it open, which triggered a big bang, forming multiple forks and compatible projects, such as Redict and Garnet.

One fork, in particular, caught my eye as the prominent candidate: Valkey. This fork had a few leading indicators for its success:

  1. It’s got lead Redis maintainers in its ranks.
  2. It’s got big names driving it, including Amazon Web Services (AWS), Google Cloud, Oracle, Ericsson, and Snap Inc.
  3. It keeps Redis’ existing OSS license, BSD 3-clause.
  4. It’s formed under The Linux Foundation from inception.

Within less than a month from the day Redis relicensing was announced, the community forked Redis under the name Valkey, released a generally available (GA) version, and got it accepted into The Linux Foundation. That’s record-breaking speed there.

Since the initial GA with v7.2.6, Valkey has been gaining momentum in adoption, as well as in development, and recently reached the v8.0 major release with notable performance, reliability, and observability enhancements.

Redis Labs isn’t sitting idle either. In fact, as in a great play, it closes this turbulent year by bringing back its old-new star Salvatore Sanfilippo, the original creator of open source Redis, known as antirez, to serve as an evangelist to “bridge between the company and the community”. The community remembers antirez fondly from his open source leadership for over a decade, though he stayed away for the past 4+ years, and now clearly states that he doesn’t have huge issues with Redis changing its license away from open source. Can he win back the heart of the community? Will Salvatore once again be the “Robin Hood of open source software”, as he called himself?

Puppet turns to the dark side

Redis wasn’t the only project to turn to the dark side this year. In fact, this concluding month of December saw such a case with Puppet, the veteran infrastructure as code project.

Things started shifting after Perforce acquired Puppet Labs in 2022, which culminated with last month’s (November 2024) announcement of Perforce’s “Plans for Open Source Puppet in 2025”:

“Puppet will begin to ship any new binaries and packages developed by our team to a private, hardened, and controlled location”.

Alongside their private repo activity, they “will slow down the frequency of commits of source code to public repositories.” And if community contributors want access to this private repo, they’ll need to sign an End-User License Agreement (EULA) for development use.

The Puppet community strikes back: Muppet?

The Puppet community hasn’t stayed indifferent to the changes since the acquisition, and in light of the recent announcement, it’s now gearing up to fork Puppet to keep it open. The temporary name is OpenPuppetProject, until the formal name is decided (Muppet?), and an initial GitHub repo is set up, though with no forked code yet. The Vox Pupuli community is now discussing adopting the new fork initiative. Follow this post for more details and updates.

May the fork be with you: OpenTofu and OpenBao reach GA

Forking a project isn’t easy by any means. Making it a sustainable project is extremely difficult, and after a crack in a community it’s even harder.

But Valkey wasn’t the only forking success story this year. During 2024, OpenTofu, the Terraform fork, reached its first GA with version v1.6.0, and now at the end of 2024, it’s already nearing v1.9.0 GA.

OpenBao, the HashiCorp Vault fork that was launched last year, reached its first GA this year as well, and is already at v2.1.0.

These milestones were achieved through rough waters, as OpenTofu had a legal front to face, fending off HashiCorp’s Cease and Desist letter claiming code theft. In addition, OpenTofu needed to launch a new open registry service to circumvent Terraform Registry after HashiCorp modified the registry’s Terms of Service.

The rise of the Foundation

This year it has become clearer than ever that vendor-owned open source is an oxymoron. This has reinforced the importance of open source foundations as a vendor-neutral ground for coopetition between vendors, as well as collaboration with end users.

This year we celebrated the 10th anniversary of Kubernetes, which is a great example of a project that was donated by a vendor (Google, no less) to a foundation — The Cloud Native Computing Foundation (CNCF) — and has grown to the de-facto standard it is today. The Linux Foundation is another good example, with both Valkey and OpenBao having joined it from the get-go.

Big news on that front this year is that OpenSearch, the fork of ElasticSearch and Kibana, has also joined The Linux Foundation. This is especially exciting for me, as I’ve been escorting this project from inception and have been advocating for its move to a foundation through these past three years.

WordPress and the Automattic — WP Engine saga

Projects can turn to the dark side in many ways, not just via relicensing off open source. One of these is through the trademark™.

One high-profile case this year has been the flux in the WordPress community, when Automattic and its CEO Matt Mullenweg, who admittedly bear the main load of the WordPress open source development, started haunting WP Engine online and with Cease and Desist letters over its lower OSS participation, which then dragged into court. It got low not just with words, like calling WP Engine “cancer to WordPress”, but also with setting up a web page listing companies leaving WP Engine’s service, and blocking its access to WordPress.org (which the US court just reverted).

WP Engine is not WordPress | Matt Mullenweg, September 2024

Only then did the community wake up to realize that while the WordPress source code is open source and owned by the WordPress Foundation, the WordPress trademark is in fact owned by the vendor Automattic that created it, and so effectively is WordPress.org.

The closing scene of 2024 was published on the WordPress.org news on December 20th, 2024: under the seemingly innocent title “Holiday Break”, Mullenweg announced “pausing a few of the free services [of WordPress.org]”, hoping “to reopen all of this sometime in the new year”.

https://wordpress.org/news/2024/12/holiday-break/

Rise of the sanctions: Geopolitics invades open source

This year we also saw geopolitics invading the most established open source project: the Linux operating system. In October 2024 several Russian Linux driver maintainers were de-listed from their maintainer positions within the Linux kernel over their connections to Russia.

Linux’s founder, Linus Torvalds, clarified that this was required to comply with international sanctions against Russia following its invasion of Ukraine.

We tend to think of sanctions in the context of import/export etc., but the non-profit organizations that house open source are themselves legal entities (a US-based nonprofit organization, in the case of The Linux Foundation) to which these sanctions apply nonetheless.

The Linux kernel maintainers case was the high-profile story, though a smaller-scale issue came up earlier, in August 2024, when OpenTofu leadership removed providers affiliated with or based in Russia, such as Yandex, from the project’s repository, in a PR that gave little explanation. That PR, as well as a subsequent PR, triggered heated discussions about mixing politics in open source.

This was yet another wake-up call for the open source community. We thought open source transcended politics and boundaries. What does it mean for the (in)dependence of open source international projects?

Endnote on a high note

2024 has been a turbulent year for the open source community. And I haven’t even touched the loaded “open source AI” topic (I’ll have a separate blog post on this one).

There were other cases showcasing that vendor-owned open source is an oxymoron. More projects relicensed off open source this year, such as Snowplow and ScyllaDB. And there are other ways in which open source turned to the dark side, as we’ve seen with the WordPress case, as well as with the Linkerd project, which stopped producing artifacts and started directing users to the vendor Buoyant, the main backer of the project, for such artifacts. And we all learned about Cease and Desist letters and other legal terms.

However, I have no doubt that open source will keep on eating the world. It is the rising popularity and prevalence of open source that brings on these commercial incentives and power struggles.

We need to carry on maturing our practices, to enhance the sustainability of the projects, and to allow vendors to take part while having viable business models around them. And we should find the way to enable everyone around the globe to take part and contribute, while keeping the project codebase safe and secure for all. Our strength is in our inclusivity, openness and collaboration.

Happy new year, and May the [open] source be with you!

Happy New Year 2025 May the OSS be with you | horovits


Written by Dotan Horovits (@horovits)

Technology evangelist, CNCF Ambassador, open source enthusiast, DevOps aficionado. Social: @horovits YouTube: @horovits Podcast: OpenObservability Talks