Some Open Source Software Licences are Only ‘Open-ish,’ Says Thoughtworks

It has been estimated that 90% of organisations use some form of open source software, and that if they needed to code it again themselves, it would cost USD $9 trillion. This makes open source a huge global economic resource.

However, some tools have shifted to commercial models in recent times. After years of growth through developer contribution and widespread uptake among users, they are monetising the end result — often to the chagrin of developer communities and dependent business users.

Global technology consultancy Thoughtworks identified the trend in its most recent Technology Radar. Australian Chief Technology Officer, Scott Shaw, said it is partially driven by a closer focus on financials in recent times, and organisations need to ensure they approach open source “with their eyes open.”

Some open source favourites have shifted to commercial licences

In April 2024, Thoughtworks noted a “churn in the previously serene landscape” of open source. “Several prominent tools have recently garnered bad press, when their maintainers switched — in several cases abruptly — from an open-source licence to a commercial model,” it said.

The trend has been building for some years, according to Shaw. While the tech industry has a common set of principles and a number of well understood open source licences governed by the Open Source Initiative, there has been a growing “divergence” from that paradigm.

Abrupt changes to open source licences

The first example is companies that have changed the terms of their open source licence mid-stream. After building a developer community and onboarding large numbers of users who have integrated the software into workflows under the permissive standards of open source licences, there has been a move to clamp down on that, often linked to revenue.

While Thoughtworks wrote that “we have no problem paying for software and are fine with the common model of commercial licences for additional functionality,” it added that “we find it problematic when core functionality of a widely used tool is suddenly put behind a paywall, especially when an ecosystem has developed around the tool.”

‘Semantic diffusion’ in open source

There has also been a blurring in what open source means, with Thoughtworks observing “software that proclaims to be open source, yet fundamental capabilities only appear after consumers pay subscriptions or other charges.” In some cases, an open source project may only distribute code, not builds, increasing the burden for organisations using it on premise.

“One example is some large language models that are being loosely referred to as open source that are not; they are open in some way, but they don’t meet the principles of open source, certainly not the way the OSI defines them,” Shaw said.

Docker, Terraform and Llama 3 diverge from pure open source

Thoughtworks said there have been several examples of shifts to commercial licences or “open-ish” licences emerging. Three examples are developer containerisation software Docker, Hashicorp’s Terraform, and Meta’s newly released LLM Llama 3.

Docker

Docker is open source software used by developers to automate the deployment of applications inside containers. It became the basis for most application distribution and integral to software delivery, with 55% of developers using it daily. Docker also had a convenient Docker Desktop, allowing developers to run Docker locally on a machine to perform testing.

In 2021, and effective in 2022, Docker changed its licensing. While remaining free for small businesses with fewer than 250 employees and less than USD $10 million in revenue, larger enterprises using it professionally needed to pay for a Pro, Team or Business membership, meaning organisations were no longer in compliance if they did not pay fees to Docker.

Terraform

Terraform from Hashicorp is one of the most popular and effective infrastructure as code tools for safely and predictably provisioning and managing infrastructure in any cloud. However, Hashicorp caused an outcry in the open source community when it made the decision to shift from a Mozilla Public Licence v2.0 to a Business Source Licence, because of its widespread use as open source software supporting DevOps operations and companies.

The company explained its decision, primarily, as being to protect its interests from competitors using Terraform to compete with Hashicorp, who can now utilise commercial licences. This did not placate the whole open source community; some were galvanized to start OpenTofu, a community-driven project that aims to create a fork of Terraform and maintain it as an open-source tool, in line with the company’s previous commitments to open source.

Llama 3

Meta’s Llama 3 is being received as a powerful LLM model, Shaw said. However, in terms of its open source credentials, the model has open weights but does not follow other OSI principles like the ability to examine source code and complete unrestricted redistribution. Meta’s Llama 3 requires the payment of licensing fees based on user numbers for the use of weights.

“If you ask Meta, they call it an openly available model. That is honest, but the term open source gets very loosely applied to these things, and I think it’s important for people to understand openly available or free doesn’t necessarily imply open source. I think this is sometimes missed; people don’t completely understand what degree of openness a particular model might have.”

AI LLMs come in many degrees of openness

Thoughtworks said “semantic diffusion” of the open source badging is something being seen in the fast-growing AI space in particular. “Even though this business model has existed before, it seems to be exploited more with many of the shiny new AI tools — offering amazing capabilities a little too hidden under the fine print,” the firm wrote in its Technology Radar.

Shaw said that for LLMs, there’s a range of openness available in different models. They range from completely proprietary, like OpenAI’s ChatGPT, to models where the source code, training data, model structure and weights are all freely available and open for inspection and contribution. One recent example is Snowflake’s Arctic LLM, released on an Apache 2.0 licence.

Two reasons why companies rethink open source licences

Thoughtworks suggests revenue and IP protection are behind some of the licensing moves.

Focus on financials

The whole tech industry has been more cost conscious in recent years due to economic headwinds, with chief financial officers becoming more influential in decision making. Thoughtworks’ Technology Radar said “a lot of blame has been placed on private equity and venture capital firms for putting more pressure on firms for revenue and profitability, particularly as the tech industry has slowed.” Shaw said it has been a time where people all through the industry have been re-examining their business models, leading to some churn in open source.

The protection of IP

Another factor, noted by Hashicorp in its Terraform licensing decision, is the protection of IP. Thoughtworks writes that “others speculate that the open source vendors are only protecting themselves and their intellectual property from the cloud vendors who would profit from the IP through hosted cloud services.”

Shaw said in some cases bigger organisations, like hyperscalers, had been taking open source tools and creating very profitable services and not paying any licensing fees back to the originator of the tools. Though that is essentially the spirit of open source, the originating vendors want to ensure that they receive some form of financial benefit.

There are risks for enterprises when open source licences change

When the licences of widely used open source software projects shift to a more commercial model, it creates a “big headache” for their enterprise users, Shaw said. To remain compliant with licensing terms, companies have to make sure the software — such as Docker Desktop, in the case of Docker — is removed from individual devices; otherwise, they may be hit with licence fees or risk getting caught out in an audit, even if the software is still there unwittingly.

Shaw said organisations already spend a lot of time, money and effort auditing, making sure the software their employees are using is being used within the terms of its licences. Abrupt shifts in the deal on offer from open source providers can be difficult to manage. “I think it’s something that boards, CEOs and CFOs would want to be conscious of, because they may be highly dependent on open source software that has changed its licensing terms,” Shaw said.

Things IT should watch when using open source software

Thoughtworks has advised businesses and IT stakeholders to exercise “particular diligence around licence issues. Pay attention to caveats and make sure that all files in a repository are covered by the licence at the top level,” the firm detailed in its Technology Radar. Shaw added that enterprises needed to approach open source software with their “eyes open.”

Check the details of open source projects

One factor to look at is whether an open source project is truly grassroots supported, or is dependent on a commercial interest with no other apparent business model, Shaw said. In the latter case, he recommends considering if it is worthwhile paying for the enterprise version of the software, so the terms of the licensing are agreed upon contractually from the start.

Beware of data leakage to SaaS models

Another factor to consider is whether the open source software is actually running on a desktop or is sending some data to the cloud. Shaw said enterprises should know how data is being treated if it is an online service and what sort of safeguards there are against redistribution. In some cases, Shaw said there is a risk of data leakage if organisations are not careful.

New vendors and products are competing after licensing changes

When an open source tool changes licence terms and users are forced to pay, there are always competitors waiting in the wings to step in and provide competition, Shaw said. For example, in the firm’s Technology Radar where it flags tools to watch, alternatives to Docker Desktop include Colima. And while the current economy is causing closer scrutiny of business fundamentals, those accentuated drivers for shifting to commercial licences may be cyclical.