Open Source Risk in Carve Outs

A carve out separates a business unit from its parent and sells it as a standalone asset. The financial model treats the unit as if it already runs on its own, but the software rarely does. Open source risk in carve outs is the exposure created at the seam, where the unit is detached from a parent it was deeply entangled with. Shared platforms, internal forks, and enterprise agreements negotiated at the group level do not split cleanly, and the components that have relicensed in recent years sit right where the cut is made. The result is a unit that may be running software it no longer has clear rights to operate the day the deal closes.

This article sits under the pillar on M and A and compliance and supports our open source M and A due diligence service. It is written for deal teams on both sides of a divestiture, the sellers who want a clean separation and the buyers who carry the exposure if the seam tears after signing.

Why a carve out is harder than a whole company deal

A whole company acquisition inherits a dependency tree that already stands on its own. A carve out has to build one by cutting a unit out of a larger tree, and the entanglement is the problem. The carved out unit may run on a shared data platform the parent operates centrally, may rely on an internal fork the parent maintains, or may depend on tooling licensed under a parent wide agreement. None of that travels automatically. The buyer acquires a unit whose software was designed to lean on a parent that will no longer be there, and the gaps are not visible in a normal data room. Most parents cannot produce a dependency tree scoped to the unit alone, because the unit was never managed as a separate entity. That gap is where the exposure lives.

Where relicensing and license rights split unevenly

The recent relicensing wave makes the seam more dangerous. If the carved out unit depends on a component that has changed terms, the buyer needs to know who holds the rights to use it. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License as of August 2023. Redis moved to the Redis Source Available License and the Server Side Public License as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021. Where the parent holds a commercial license to keep using one of these in production, that license is usually scoped to the parent entity and does not transfer with the unit. The buyer can find, after close, that the carved out unit is using a relicensed component under a license that no longer covers it.

Copyleft obligations split unevenly too. A component under the GNU GPL or AGPL that the unit ships in its product may have been managed under the parent's compliance process, and that process does not come with the carve out. The fork question becomes live as well. Where the open path is a community fork such as OpenTofu for Terraform, Valkey for Redis, or OpenSearch for Elasticsearch, the buyer has to decide whether the standalone unit will adopt it, and who pays for the migration. Source available is not open source, and these licenses are not approved by the Open Source Initiative, so the restrictions they add are exactly what determine whether the unit can keep running as is. The concrete distribution duties are set out in copyleft distribution obligations explained.

How to map and price the exposure before the agreement is set

The work is the same discipline as an open source license risk assessment, scoped to the carved out unit rather than the whole parent. Build a dependency tree for the unit alone, direct and transitive. Mark each component on three axes: is it shared with the parent, does a parent held license cover it, and has it relicensed. Check copyleft and distribution obligations against how the unit actually ships its product. Then attach a cost to cure and a clear owner to each finding, so the transition services agreement and the price both reflect reality. This converts a hidden seam into a set of priced line items, the same method described in quantifying open source risk for a deal.

Timing decides whether the work pays off, just as in a full acquisition covered in open source risk in M and A due diligence. A buyer who learns during diligence that a parent held HashiCorp license will not transfer can require a fresh license as a condition, fold the cost into the price, or push it onto the seller. The same finding after close is a cost absorbed alone. The transition services agreement is the tool that buys time, letting the unit keep using a shared platform while it stands up its own, but it has to name the open source components and the migration path, or it simply postpones the problem. For exposure that sits specifically in the asset being acquired, see relicensing exposure in an acquisition target, and for how the same exposure moves the headline number, see open source risk and deal valuation. The throughline holds: map the unit alone, name who owns each rights gap, attach a number, and the seam becomes something you price rather than something that prices you.

RELATED READING