RELICENSING

Relicensing and Downstream Distributors

By OpenSource Risk Experts · May 2, 2026

Relicensing and downstream distributors is the part of the licensing wave that catches the companies who ship software rather than just run it. A distributor passes code it did not write to a third party, which means a license change on an embedded component does not stop at the distributor. It flows with the product to every customer who receives it. For independent software vendors, resellers, system integrators, and OEMs, this makes a relicensing event a supply chain problem, not an internal one. This article maps how the change travels downstream and where the distribution exposure concentrates.

We write from the buyer side, as an independent advisory paid only by the buyer. This is not legal advice. For interpretation of any license, we point you to your own counsel. The aim is to make the distribution path legible so you can find the exposure before a customer does.

Why distribution multiplies the exposure

Distribution is the precise activity that source available and copyleft licenses are written to govern. A purely internal user has the lightest exposure, because many license obligations attach only when software leaves your boundary. A distributor crosses that boundary by definition. When you bundle a component into a product and sell it, you are exercising the right the new license most wants to restrict or condition. The Server Side Public License conditions network service distribution, the GNU AGPL attaches source disclosure obligations on network use, and the Business Source License restricts competitive production use. Each of these bites harder on the company that ships.

The multiplication comes from reach. An internal relicensing exposure is bounded by your own deployment. A distribution exposure is bounded by your customer base. Every product instance in the field that contains the affected component is a separate place the new terms apply, and each customer may have a contract with you that assumes the old posture. The recent moves all matter here. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021, Redis moved to the RSALv2 and the Server Side Public License as of March 2024, and HashiCorp moved its tools to the Business Source License as of August 2023. A product that embeds any of them carries the change to wherever it ships.

Who counts as a downstream distributor

The category is broader than many companies assume. A distributor is anyone who passes software to a third party in any form. The obvious case is the independent software vendor that bundles a component into a product. But a reseller who packages and ships, a system integrator who deploys a stack on a client's behalf, an OEM who embeds software in an appliance, and a managed service provider who offers the software as a hosted service are all downstream distributors in license terms. If a relicensed component leaves your control and reaches someone else, you are in scope.

The managed and hosted case deserves attention because it is easy to misjudge. Offering software as a service can be treated as a form of distribution under licenses written for the cloud era, and is the exact use the relicensing wave targets. We cover this in relicensing and cloud and managed service use. The line between what you keep inside and what you push outside is the line that decides much of your exposure, which we treat in relicensing and internal versus external use.

ISVS AND OEMS

Embed the component in a product or appliance, so the new terms ship with every unit sold.

RESELLERS AND INTEGRATORS

Package or deploy the stack for clients, inheriting the distribution obligations on the way through.

MANAGED SERVICE PROVIDERS

Offer the software as a hosted service, the exact competitive use the relicensing wave targets.

Mapping the distribution blast radius

A distributor's response starts with a map that most distributors do not have. You need to know every product, bundle, and service that contains the affected component, which customers receive each one, and whether the new terms permit that distribution. This is harder than mapping internal use, because the component may be buried as a transitive dependency in a product built years ago, and the customers who received it may number in the thousands. Without the full tree, a distributor cannot tell a customer or a regulator what it shipped under which terms. The competitive restrictions that matter most for distributors are set out in the competitive restrictions in the SSPL.

With the map in hand, the options are the familiar three. Migrate to a fork or alternative that carries an open license, negotiate a distribution license with the vendor from the buyer side, or remove the component and reroute the functionality. The broad obligations a distributor inherits are covered in relicensing and your compliance obligations.

The distributor's standing obligation

For distributors the lesson is that license watch is not optional. A company that ships software has a continuing duty to know the license posture of everything it distributes, because a change upstream becomes its problem with every product still in the field. The distributor that maintains a current bill of materials with license state catches a relicense at the next build rather than in a customer dispute. The full landscape of how a license change creates exposure sits in the relicensing exposure pillar.

When you need every product and bundle that carries a relicensed component traced to the customers who received it, our relicensing exposure review produces the distribution map that lets you answer for what you ship.

Questions buyers ask.

How does relicensing affect downstream distributors?

A distributor ships software it did not write, so a license change on an embedded component lands on the distributor as much as the end user. If a vendor, reseller, or OEM bundles a relicensed component into a product it sells, the new competitive use restrictions or commercial license demands flow with the product and become the distributor's exposure to manage.

Who is a downstream distributor in license terms?

Anyone who passes software to a third party, whether as a product, an appliance, a managed service, or a bundle. Independent software vendors, resellers, system integrators, and OEMs are all downstream distributors when they ship a relicensed component as part of what they deliver.

Does distributing a source available component create extra risk?

Yes. Distribution is exactly the activity that source available and copyleft licenses target. The Server Side Public License and the GNU AGPL both attach obligations on distribution or network service, and the Business Source License restricts competitive production use. A distributor is more exposed than a purely internal user.

What should a distributor do after an upstream relicense?

Map every product and bundle that contains the affected component, identify which customers receive it, and assess whether the new terms permit the distribution. From there the options are to migrate to a fork, negotiate a distribution license, or remove the component, with counsel interpreting the obligations.

Is this legal advice?

No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of license terms and distribution obligations, we recommend your own counsel.