OpenSource Risk Experts

GLOSSARY

Open source license glossary.

This open source license glossary defines the terms behind relicensing risk plainly: source available, the Business Source License, the Server Side Public License, the GNU AGPL, copyleft, blast radius, SBOM, and the community forks. Definitions are for identification and risk context, not legal advice.

Open source license risk
The exposure an enterprise carries when software it runs in production changes its license terms. A relicense can introduce competitive use restrictions, copyleft obligations, or commercial license demands on software already deployed.
Source available
A model where the source code is readable but the license restricts use. Source available is not the same as open source. The Business Source License and the Server Side Public License are source available, not OSI approved open source licenses.
Business Source License (BSL)
A source available license that restricts competitive production use and converts to an open license after a delay, commonly four years. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the BSL as of August 2023.
Server Side Public License (SSPL)
A source available license that turns on how software is offered as a service, requiring the release of related service source. Redis, Elasticsearch, Kibana, and MongoDB have used the SSPL. It is not OSI approved.
GNU AGPL
A strong copyleft open source license that extends obligations to software offered over a network. Distribution and network use can trigger requirements to release corresponding source.
Copyleft
A license condition that requires derivative or, for network copyleft, network accessible works to be released under the same terms. The reach of the condition is the core of the exposure it creates.
Relicensing
The act of a project changing the license under which it is distributed. A relicense can move a project from an open source license to a source available one, changing the terms for software already in production.
Blast radius
Everything downstream of a relicensed component. The risk is rarely the named project alone; it is every system, pipeline, and product built on top of it.
SBOM
A software bill of materials: a complete inventory of the components in your software. A license aware SBOM tracks the license state of each component, not just its version.
OpenTofu
The community fork of Terraform created after the move to the Business Source License, distributed under an open source license.
Valkey
The community fork of Redis created after the move to the SSPL and RSALv2, distributed under an open source license.
OpenSearch
The AWS led fork of Elasticsearch and Kibana created after the move to the SSPL, distributed under an open source license.

For depth on these terms, see the open source risk white papers or the services that map them to your tree.

COMMON QUESTIONS

Questions buyers ask.

Is source available the same as open source?

No. Source available means the code is readable but the license restricts use. The Business Source License and the Server Side Public License are source available and are not OSI approved open source licenses.

What is the difference between BSL and SSPL?

The Business Source License restricts competitive production use and converts to an open license after a delay. The Server Side Public License turns on offering the software as a service and requires related service source to be released. Confirm specifics with your own counsel.

What are OpenTofu, Valkey, and OpenSearch?

They are community or vendor led forks created after relicensing events: OpenTofu from Terraform, Valkey from Redis, and OpenSearch from Elasticsearch and Kibana, each under an open source license.

Does this glossary constitute legal advice?

No. These definitions provide risk context for buyers. For interpretation of any license term, consult your own counsel.
