INDUSTRIES / GOVERNMENT
Open source license risk for government.
Open source license risk in government concentrates in long-lived systems that quietly depend on projects that have changed terms. This page maps where relicensed components hide in a public sector stack, why fixed budgets and slow procurement sharpen the risk, and how agencies contain it on the buyer side.
Government runs on open source. Case management systems, public-facing portals, the databases behind benefits and records, the search that makes information findable, and the automation that builds and secures the infrastructure all rest on widely adopted projects. Open source license risk for government is the exposure that appears when one of those projects changes terms, because the obligation lands on software that already delivers essential public services. The relicensing wave reached exactly the components the public sector relies on most, which means a system signed off years ago can carry exposure no one has mapped since.
Where relicensing exposure hides in a government stack
The exposure clusters in the data and infrastructure layer. Public sector search and analytics very often run on Elasticsearch, which moved from Apache 2.0 to the Server Side Public License and the Elastic License in 2021, with the AWS-led fork OpenSearch as the open destination. Caching, queues, and data services frequently use Redis, which moved to a source-available model as of March 2024, with the community fork Valkey now available. Infrastructure automation commonly relies on Terraform and the wider HashiCorp suite, which moved to the Business Source License as of August 2023, with the OpenTofu fork as the open path. Each of these is a staple of public sector engineering, and each has relicensed. The picture is complicated further by contractors and systems integrators, who build and hand over deliverables that may embed any of these components, so an agency can hold relicensing exposure it never directly chose.
Why government is particularly exposed
Several features of the public sector concentrate the risk. The first is the lifespan of the systems. Government software runs for years, sometimes decades, so a dependency adopted under an open license can still be in production long after the project moved to source-available terms. The second is the budget cycle. Funding is fixed in advance against defined programs, and a sudden commercial license demand has no natural line item, while a forced migration competes for engineering capacity with statutory deadlines that cannot move. The third is procurement. Long cycles and contractor delivery mean the body that carries the exposure is often not the team that introduced it, and the contractual record may not make the license posture visible. Source available is not open source, and these licenses are not approved by the Open Source Initiative, so the restrictions they add are precisely what turn a settled system into an unbudgeted problem.
How an agency maps and contains the exposure
The work starts with a complete picture. An open source license risk assessment maps the full dependency tree across the agency's systems and its contractors' deliverables, and records the current license state of each component rather than the one it carried at sign-off. A relicensing exposure review then traces the blast radius of each relicensed component and sizes the cost in terms a finance and oversight function can use. Where a change is needed, open source remediation advisory weighs each option (a migration to an open fork such as OpenSearch or Valkey, a commercial license sized to real use, or a configuration change that removes the contested use) and sequences the chosen path around the agency's operational and budget calendar. A public sector body that took this route is described in the case study on how a government body built an open source policy and an open source program office.
Make it a standing capability, not a one-off
The relicensing wave is not over, and the next change will land on systems that have moved on since the last review. Agencies that turn the one-off map into a standing capability, with a current inventory, procurement language that captures license posture from contractors, and a policy that catches a relicense at intake, spend far less when the next change comes. Building that capability is the work of open source governance and policy, which sets the approval gates and license allowlists that keep a future relicense out of the critical path. The aim is a public sector stack whose license posture is known and defensible to auditors and oversight at any point, not only after a finding forces the question.
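As an added illustration of the mapping described in the assessment section and the intake gate described just above (example code written for this page, not any advisory firm's tooling), the following Python check compares each component's sign-off license with its current license, traces which systems each relicensed component touches, and flags anything outside an allowlist; the inventory, system names and allowlist are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist of license identifiers (SPDX-style) the agency accepts at
# intake. The SSPL, the Business Source License and the Elastic License are not
# OSI-approved and are deliberately absent, so a component that moved to them is blocked.
ALLOWLIST = {"Apache-2.0", "MIT", "BSD-3-Clause", "MPL-2.0", "PostgreSQL",
             "GPL-3.0-only", "LGPL-2.1-only"}


@dataclass(frozen=True)
class Component:
    name: str
    signoff_license: str   # license recorded when the system was accepted
    current_license: str   # license the project ships under today
    systems: tuple         # agency systems that depend on this component


def relicensed(inventory):
    """Components whose current license differs from the one recorded at sign-off."""
    return [c for c in inventory if c.current_license != c.signoff_license]


def blocked_at_intake(inventory):
    """Components whose current license is outside the allowlist (the intake gate)."""
    return [c for c in inventory if c.current_license not in ALLOWLIST]


def blast_radius(inventory):
    """Map each relicensed component to the systems it drags into a migration or license decision."""
    return {c.name: sorted(c.systems) for c in relicensed(inventory)}


# Constructed inventory: the three relicensings mirror the page's examples, the
# current-license values are simplified to one identifier each, and the system
# names are invented.
INVENTORY = [
    Component("elasticsearch", "Apache-2.0", "SSPL-1.0", ("records-search", "foia-portal")),
    Component("redis", "BSD-3-Clause", "SSPL-1.0", ("benefits-cache", "job-queue")),
    Component("terraform", "MPL-2.0", "BUSL-1.1", ("infra-automation",)),
    Component("postgresql", "PostgreSQL", "PostgreSQL", ("benefits-db",)),
    Component("opensearch", "Apache-2.0", "Apache-2.0", ("new-search",)),
]

if __name__ == "__main__":
    for name, systems in blast_radius(INVENTORY).items():
        print(f"{name}: relicensed, affects {', '.join(systems)}")
    print("blocked at intake:", [c.name for c in blocked_at_intake(INVENTORY)])
```

Feeding the same check a contractor's deliverable manifest at acceptance, with the current license looked up fresh rather than copied from the sign-off record, is what turns the one-time map into the standing gate the text describes.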
COMMON QUESTIONS
Questions public sector buyers ask.
What is open source license risk for government?
Open source license risk for government is the exposure a public sector body carries when open source components in its systems change to source-available or restrictive terms. A database, search engine, or infrastructure tool that moved to the Business Source License or the Server Side Public License can create a commercial license demand or a forced migration in software that already runs essential public services.
Why is government particularly exposed to relicensing?
Because public sector systems run for long periods on widely adopted open source, often through contractors and long procurement cycles, and because budgets are fixed in advance. A sudden commercial license demand has no obvious line item, and a forced migration competes with statutory deadlines. Long-lived systems and slow procurement concentrate the risk.
Where does relicensing exposure hide in a government stack?
Most often in the data and infrastructure layer. Public sector search and analytics frequently run on Elasticsearch, which moved to the Server Side Public License and the Elastic License in 2021. Caching and data services often use Redis, which moved to a source-available model in 2024. Infrastructure automation commonly relies on Terraform, which moved to the Business Source License in 2023. Each is common in government systems and each has relicensed.
How does a public sector body contain the exposure?
By mapping the full dependency tree across its systems and its contractors' deliverables, identifying which components have relicensed, and choosing a contained path for each: a migration to an open fork such as OpenSearch or Valkey, a commercial license sized to actual use, or a configuration change. Building a standing policy and an open source program office keeps the next change out of the critical path.
Is this legal advice for public sector bodies?
No. This is commercial and licensing risk advisory, not legal advice. We map and price the exposure on the buyer side. For interpretation of license terms, procurement rules, and compliance, we recommend your own counsel.
CONTAINMENT
Map your public sector stack before the next change.
A confidential open source license risk assessment for government. Independent, buyer-side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.