Skip to content
Published on

Introduction to Source-available Licensing

Categorized
Open Source

Source-available licensing refers to a software licensing model in which source code is made available to users. However, it differs from open-source licensing in that accompanying licensing terms may not meet all the criteria of open source licenses, such as those defined by the Open Source Initiative (OSI).

A source-available license grants users access to source code, allowing them to view, modify, and sometimes distribute the code. However, there may be restrictions or limitations imposed. These restrictions most often include limitations on commercial use, restrictions on redistributing modified versions, or requirements to share modifications with the original developer without necessarily making them public.

So, the key distinction between open source and source-available is the degree of freedom granted regarding the usage, modification, and distribution of source code. Open source licenses generally adhere to a set of principles ensuring a high degree of freedom, whereas source-available licenses aim to restrict commercial activities while still allowing users access to source.

A Brief History

In 2023, the software development ecosystem witnessed the introduction and propagation of a number of source-available licenses intended to bridge between open and fully proprietary software. The terms of such licenses fall short of actual open source practices and do not pass OSI muster: they invariably fail to observe the entire Open Source Definition, in particular by restricting freedom of redistribution and freedom of use.

These licenses emerged in response to organizations publishing software under an OSI-approved license only to discover that other, established open source users and publishers (Red Hat, Amazon et al.) were integrating, deploying and monetizing that software with no direct benefit to the project founders.

“Source-available: sour grapes or a failure of vision?”

Critics of this movement characterize the shift to source available licensing as "sour grapes" or at least as a failure of vision in harmonizing business models and accompanying licenses. Proponents claim to want to protect investments in software development, especially by start-ups, under the rubric of "Freedom without Free-riding".

The poster children for this movement are Hashicorp, Sentry, MariaDB, and Redis. and the licenses they promote include

These licenses purport to protect software authors by including terms and limitations on the number of users, size of organization, revenue enjoyed from the governed software and/or establishing a timeline for exclusivity and conversion to OSI-approved licenses like MPL.

Issues with Source-available Software

Source-available software presents many of the same issues to safe and successful integration and deployment as open source software, but amplified by the lack of an active and dynamic community to curate and advance the code base (beyond the commercializers).

  • Limited security review

  • Failure to attribute contributions

  • Availability of a current SBOM

  • License clock counting down to relicensing

Moreover, open source management tools (SCA, etc.) often overlook source-available modules and/or do not correctly account for the terms of the licenses that govern that software. For example, if source-available software is licensed exclusively for non-commercial or non-production use, users and integrators of that software will need to perform manual review of the use case, level of exposure, and the need to pay royalties or another licensing fee to the authors. Repeat and rinse.

To date, source-available licensing has primarily affected enterprise software. In the domains of embedded systems and test automation, there exist ample quantities of dual-licensed software, but as yet very little code licensed under source-available terms. But given the richness and complexity of all types of software and the prevalence of open source across most domains of endeavor, such software will be here soon.