2025 - The Year in Open Source

Introduction

Multiple intertwined trends defined open source in 2025:

1. The central role of open source in AI, and what “open source AI” really means

2. Rising tension over license changes, especially regarding "source-available" licensing

3. Growing concern about software supply chain security

4. Validation of commercial OSS (COSS)

5. Growth of open source in test automation

Following is a breakdown of these trends across commercial and technical domains.

Open Source in AI

Today's AI stacks, including even highly proprietary large language models, rely heavily on open source frameworks, libraries, and tools. While only a minority of AI models truly meet OSI criteria for open source, the broader AI ecosystem would not exist without open source elements and approaches.

The 2025 global open source report noted that AI/ML was viewed as the technology area that gains most from being open, with adoption of open‑source AI/ML apps rising from about 35 percent to 40 percent in a year. Organizations increasingly cited code and model transparency as crucial for auditability, regulatory compliance, and the ability to host sensitive data on proprietary infrastructure.

What counts as open source AI?

Under the OSI AI Definition 1.0, an Open Source AI must grant the freedoms to

• Use the system for any purpose, without permission

• Study how the system works and inspect its components

• Modify the system for any purpose, including to change its output

• Share the system for others to use with or without modifications, for any purpose.

A major theme is the controversy around “open source AI” definitions, especially the difference between “open weights” models and fully open source AI as defined by OSI’s Open Source AI Definition (OSAID). Without access to training data and sufficient documentation, many models are better described as “open weight” rather than genuinely open source, even if they are marketed otherwise.

Growth of Open Agentic AI

2025 saw increasing focus on open standards and projects for AI agents and orchestration, culminating in new Linux Foundation efforts such as broader work around open agent frameworks and protocols, positioned as a way to keep emerging AI infrastructure interoperable and not purely proprietary.

Licensing Trends

After HashiCorp walked back its commitment to open source, other widely used projects continued to move from permissive open source licenses to various “source‑available” or Business Source–style terms: Elastic moved from Apache 2.0 to a dual license; CockroachDB went from Apache 2.0 to BSL, MongoDB adopted SSPL after trying AGPL, and so on.

This pattern also engendered open source forks like OpenTofu (from Terraform) and OpenBao (from Vault) that rapidly gained traction and vendor backing, despite (or because of) their eschewing Business Source licensing. These cases became canonical examples of how abrupt changes damage developer trust, fragment ecosystems, and push enterprises to reevaluate dependencies.

Ongoing debates over license changes (e.g., Redis) emphasized that license changes for popular components like Redis—moving from BSD to SSPL and then AGPL—raised both legal and governance concerns, forcing users to reassess compliance, obligations, and the risk of retroactive term changes. This fed a broader narrative that organizations must actively track upstream license drift as an operational risk, not a theoretical legal issue.

Fear of future pressure on flagship projects flagged that the business pressures that hit Terraform, Vault, and others could eventually reach projects like Hadoop, Kafka, Lucene, Kubernetes, Prometheus, and Ansible, even though many are foundation‑governed today, keeping “license shock” on every architectural risk register.

Open Source Supply Chain Insecurity

Software supply chain security remains a top concern, with open source dependencies, build pipelines, and package ecosystems seen as critical risk points. The trend includes more emphasis on standards, SBOMs, and regulatory moves such as the EU’s Cyber Resilience Act, which will shape how open source components are vetted and maintained.

OWASP OSS Ranking

The role of open source and a perception of its vulnerability caused OWASP (Open Worldwide Application Security Project) to promote supply chain security from ninth place to third in its Top Ten Security Threat ranking.

Enterprise adoption and security/compliance

Surveys showed OSS deeply embedded across enterprise stacks, with strong perceived benefits like productivity, reduced lock‑in, lower TCO, and improved innovation and security; yet many organizations still rely on ad‑hoc “community health checks” rather than systematic security frameworks. This disconnect drove demand for SBOM tooling, supply‑chain scanning, and enterprise‑grade support around critical dependencies.

Validation of COSS

Venture investment in COSS

In the popular imagination, open source software represents a vast storehouse of freely-accessible soffware, available for use in infrastructure, in intelligent devices and also on the desktop. But commercial software of all types increasingly depends upon open source software for functionality that spans the functional software stack, from firmware to operating systems run-time libraries to middleware to applications. Software and hardware suppliers monetize open source by building their wares on and around free and open source software.

The Linux Foundation/COSSA/Serena State of Commercial Open Source 2025 report found that commercial open source startups had raised about $26.4 billion cumulatively by 2024 and significantly outperformed closed source peers in valuation and exit value (roughly 7x higher IPO valuations and 14x higher M&A valuations). This trend clearly positions COSS as a mainstream, strong investment category for infrastructure software rather than a niche model, defying conventional wisdom.

The same report also showed COSS startups move from seed to Series A and B faster than proprietary peers and graduate between funding stages at nearly double the rate, underscoring investor conviction that open‑core/community‑driven companies scale more efficiently.

Moreover, the Linux Foundation report reiterated that OSS is now the backbone of critical systems across OS, cloud, web, database, DevOps, and AI stacks, yet “most” organizations still lack mature OSPOs, governance, and security processes around the software they rely on.

Open Source in Test Automation

As in the other segments cited above for COSS, OSS in test automation is enabling both technical innovation and financial success. In test and measurement, OpenTAP continues to gain deployment, in Keysight products and as a community platform. OSS is also ubiquitous In other platforms across other test domains (see table below).

OSS Licensing

Test code itself is typically internally developed and deployed, without an explicit license; test code for opens source projects, by contrast, most often follows the licensing of the project code it's designed to test. For its part, while internally-developed and deployed test automation code is usually unlicensed/proprietary, major testing efforts in corporate settings increasingly build on off-the-shelf COSS and community-distributed open source.

And open source options for test automation tools and platforms are plentiful and varied:

Other summaries of Open Source in 2025 and predictions for 2026:

Open Source: Inside 2025’s 4 Biggest Trends - Steven J. Vaughan-Nichols, in The NewStack

The State of Open Source Software in 2025 - Irving Wladawsky-Berger, at the Linux Foundation

What’s in store for open source in 2026? - Mike Milinkovich, at the Eclipse Foundation