OpenSource Risk Experts

ARTICLE · UPDATED JUNE 2026

Relicensing and Open Source Foundations

Relicensing and open source foundations are connected by a simple fact of governance. When a project is stewarded by a neutral foundation rather than a single vendor, no one company controls the copyright or the roadmap, and a unilateral license change becomes far harder to make. Foundation hosted projects rarely relicense. This article explains why governance matters, where it helps, and how to weigh it when you choose a dependency.

The relicensing wave has a common thread: the projects that changed terms were each controlled by a single company. That is not a coincidence. The structure of ownership and governance is what makes a license change possible in the first place, and it is also what makes one unlikely. Understanding the difference helps a buyer judge how durable a dependency is before adopting it, and it explains why the community forks moved toward foundation stewardship. The broad mechanics of a change are set out on the relicensing pillar; here the focus is governance.

How open source foundations lower relicensing risk

A foundation holds a project under neutral, multi party governance. Copyright is often spread across many contributors or held by the foundation itself, decisions run through a defined process, and no single member can rewrite the license by fiat. That structure removes the mechanism a single vendor uses to relicense. There is no controlling party with both the right and the commercial incentive to flip the terms, which is why projects under mature foundation governance very rarely move to source available licenses. For a buyer, neutral stewardship is a meaningful signal that a dependency is less likely to change underneath you.

Why single vendor projects relicense more often

A project controlled by one company is a different proposition. The vendor often holds broad rights, sometimes through a contributor license agreement that assigns those rights inward, which means a single board decision can change the license. When a cloud provider or a managed competitor builds a service on the project and captures revenue the vendor wanted, relicensing becomes a commercial lever to pull. That is the pattern behind the recent moves. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a Redis Source Available License and the Server Side Public License as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021, and MongoDB moved to the Server Side Public License in 2018. Each was a single vendor project at the time. The acquisition angle is covered in relicensing triggered by acquisition.

Where the major forks landed

The community response to the recent changes leaned on foundation stewardship precisely because it addresses the root cause. OpenTofu, the fork of Terraform, and Valkey, the fork of Redis, both moved under the Linux Foundation umbrella, and OpenSearch continues the Elasticsearch lineage under open governance. Placing a fork inside a foundation is a deliberate signal that the new project will not repeat the single vendor pattern, because control is shared rather than held by one company. That is a large part of why these forks are treated as durable continuations under open terms rather than as temporary mirrors. The fork dynamics are examined in the OpenTofu and Valkey fork story and the OpenSearch fork story.

The limits of governance as a guarantee

Foundation governance lowers the odds of a unilateral relicense, but it is not a guarantee and it does not address every risk. A foundation hosted project can still lose maintainers, slow down, or depend on components that carry their own terms. Governance is one input into a durability judgment, not the whole answer. The disciplined approach is to record the governance model alongside the license for every significant dependency and to treat single vendor control as a risk factor rather than a disqualifier. Plenty of well run single vendor projects are worth adopting, provided you go in with eyes open about how the terms could change.

How to weigh governance in adoption and renewal

Bring governance into the same inventory that tracks licenses and versions. For each major dependency, capture who controls the project, whether a contributor agreement concentrates rights, and whether a foundation hosted alternative exists. Use that signal during selection and at renewal, where a lower license change risk can tip a close decision. The aim is not to avoid all single vendor software, which would be impractical, but to know where the relicensing risk sits and to have a plan for it. A risk assessment captures these governance signals as part of the dependency picture, and the procurement workflow is covered in relicensing and procurement approval processes.

We are independent and buyer side. We take no vendor fees and resell no software, so our read of a project's governance reflects your risk and nothing else. This is commercial and licensing risk advisory, not legal advice. For interpretation of a foundation's governance documents or a contributor agreement, engage your own counsel.

COMMON QUESTIONS

Questions buyers ask.

How do open source foundations affect relicensing risk?

Open source foundations hold a project under neutral, multi party governance rather than a single vendor. Because no one company controls the copyright or the roadmap, a unilateral license change is far harder to make. Foundation hosted projects rarely relicense, which is why governance is a useful signal when you weigh the durability of a dependency.

Why do single vendor projects relicense more often?

A project controlled by one company, often through a contributor agreement that assigns broad rights, can change its license by a single decision. When a managed competitor pressures the vendor's revenue, relicensing becomes a commercial lever. HashiCorp, Redis, Elastic, and MongoDB were each single vendor projects when they moved to source available terms.

Which foundations steward major projects?

The Linux Foundation and its sub foundations host many widely used projects, and the Cloud Native Computing Foundation, the Apache Software Foundation, and the Eclipse Foundation steward others. The community forks OpenTofu and Valkey moved under the Linux Foundation umbrella, which is part of why those forks are seen as durable continuations under open terms.

Does foundation stewardship guarantee a license will never change?

No. Foundation governance lowers the probability of a unilateral change but does not make one impossible, and it does not address every risk, such as a project losing maintainers. Treat governance as one factor in a wider assessment rather than a guarantee, and keep your inventory current regardless of where a project is hosted.

How should governance factor into our adoption decisions?

Record the governance model alongside the license for each significant dependency, and weigh single vendor control as a relicensing risk factor during selection and renewal. Where a foundation hosted alternative exists, it may carry lower license change risk. A risk assessment captures governance signals as part of the dependency picture.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of a foundation's governance documents or a contributor agreement, engage your own counsel.
