When Your Open Source Turns to the Dark Side
Lessons learned from the relicensing of Terraform, Elasticsearch, Redis and more
Terrified of Terraform relicensing? It’s not the worst that could happen. Just imagine your beloved open source database, which lies at the heart of your system, being relicensed one day. This happened in the past few years with MongoDB, Elasticsearch, Redis and other vendor-owned open source projects.
Yes, an open source project can turn to the dark side. Apparently checking the license once, at adoption time, isn’t enough of a safeguard, as the owner can pull a bait-and-switch on you later. So what can you do to protect yourself?
If you’re using an open-source tool, or are in the process of vetting a new tool or framework, here’s a useful checklist:
- Which open-source license does it use? Don’t confuse “source-available” (i.e. fauxpen source) licenses with “open source” ones (as approved by the OSI). And even within the OSI realm, not all OSS licenses are created equal: permissive and copyleft licenses carry very different obligations.
- Who’s behind the open source? A one-person project is a single point of failure. Vendor-owned open source carries a different risk: whoever controls the project can relicense future releases, which is exactly what happened in the cases above. Foundation-hosted open source is the most solid (though not bulletproof) option.
- What is the governance policy? How does it ensure no single entity grabs control, what is the promotion path for contributors and maintainers, who can review and approve PRs, and similar aspects.
- Manage your third-party licensing exposure the same way you manage your third-party security exposure: inventory it. Prefer the least restrictive licenses and look for license contamination (such as an AGPL-licensed dependency pulled into an Apache-2.0 codebase).
- Include license compliance checks in your automation, and pin versions. Auto-updating third-party tools and libraries in your CI/CD pipeline without safeguards means a release published under a new license can land in your build unnoticed.
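As an added example of the last two checklist items (not code from the original post, and not any project's tooling), here is a small CI gate that walks a CycloneDX-style SBOM, fails the build on copyleft contamination of an Apache-2.0 codebase or on source-available licenses, flags unpinned versions that an auto-updater could bump into a relicensed release, and sends unknown licenses to a human. The project license, the allow/deny lists and the sample SBOM are constructed for illustration; the component names are not claims about any real package.

```python
"""License-compliance gate for a dependency SBOM (added example)."""
import json
from dataclasses import dataclass

# License of the codebase being checked (assumed for this example).
PROJECT_LICENSE = "Apache-2.0"

# Allow list: permissive SPDX identifiers this project accepts outright.
ALLOWED = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "MPL-2.0"}

# Deny list 1: strong/network copyleft. Pulling one into an Apache-2.0
# codebase is the "license contamination" the checklist warns about.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Deny list 2: source-available ("fauxpen source") licenses that are not
# OSI-approved open source; these are what relicensed projects tend to move to.
SOURCE_AVAILABLE = {"SSPL-1.0", "BUSL-1.1", "Elastic-2.0"}

# Version strings that let a resolver pick a newer release on its own.
UNPINNED_MARKERS = ("^", "~", "*", ">", "<")


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    license: str
    severity: str  # "fail" blocks the build, "warn" needs a human look
    reason: str


def is_pinned(version):
    """True only for an exact version; ranges and 'latest' can silently
    pull a release published under a new license."""
    if not version or version.lower() == "latest":
        return False
    return not any(marker in version for marker in UNPINNED_MARKERS)


def classify_license(license_id):
    """Map an SPDX id to (severity, reason), or None if it is acceptable."""
    if license_id in COPYLEFT:
        return "fail", (f"{license_id} is copyleft and would contaminate "
                        f"the {PROJECT_LICENSE} codebase")
    if license_id in SOURCE_AVAILABLE:
        return "fail", f"{license_id} is source-available, not OSI open source"
    if license_id in ALLOWED:
        return None
    # Unknown SPDX id or vendor-specific string: review, don't guess.
    return "warn", f"{license_id} is not on the allow list; review manually"


def check_sbom(sbom):
    """Walk a CycloneDX-style SBOM dict and return a list of Findings."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version") or ""
        if not is_pinned(version):
            findings.append(Finding(name, version or "<none>", "-", "fail",
                "unpinned version: an auto-update could pull a relicensed release"))
        entries = comp.get("licenses", [])
        if not entries:
            findings.append(Finding(name, version, "UNKNOWN", "warn",
                                    "no license metadata in SBOM"))
            continue
        for entry in entries:
            if "expression" in entry:
                # Compound SPDX expressions ("MIT OR GPL-3.0-only") need a real
                # expression parser; flag them instead of guessing.
                findings.append(Finding(name, version, entry["expression"], "warn",
                    "SPDX expression; evaluate the license choice manually"))
                continue
            license_id = entry.get("license", {}).get("id", "UNKNOWN")
            verdict = classify_license(license_id)
            if verdict:
                findings.append(Finding(name, version, license_id, *verdict))
    return findings


def gate(sbom):
    """CI entry point: returns (passed, findings); any 'fail' blocks the build."""
    findings = check_sbom(sbom)
    return not any(f.severity == "fail" for f in findings), findings


def load_sbom(path):
    """Read a CycloneDX JSON SBOM from disk (e.g. the output of an SBOM generator)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample SBOM; names and licenses are illustrative only.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "httpclient", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "fast-cache", "version": "7.4.0",
         "licenses": [{"license": {"id": "SSPL-1.0"}}]},
        {"name": "netlib", "version": "1.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "build-tool", "version": "latest",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "mystery", "version": "0.1.0", "licenses": []},
    ],
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_SBOM)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.component} {f.version} ({f.license}): {f.reason}")
    print("PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)
```

Run it against the SBOM your build produces (`load_sbom("sbom.json")` in place of the sample) on every dependency-update PR, so a bot that bumps a library to a release under a new license trips the gate instead of merging quietly. The allow list is deliberately short: anything not explicitly approved is a warning for a human, never a silent pass.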
Want to read more on this? Check out my column at InformationWeek, in which I analyze recent case studies of OSS being relicensed or going rogue, each providing a practical guide for vetting and using OSS.
Have you got an interesting case study to share? Or additional checklist items you found useful? Comment on this post and share your experience.