ARTICLE . UPDATED JUNE 2026
Relicensing and Procurement Approval Processes
Relicensing and procurement approval processes are usually out of step. Most approval gates check a license once, at intake, and treat the result as settled. Relicensing breaks that assumption, because a component cleared as open source can later move to the Business Source License or the Server Side Public License. A process built for this era treats the license as a state that can change, not a fact fixed at adoption.
Procurement and approval processes were designed for a world where a license was effectively permanent. A component was reviewed, approved, and adopted, and the license recorded at that moment held for the life of the dependency. The relicensing wave broke that model. The question is no longer only whether a component was acceptable when it was adopted. It is whether it is still acceptable now, and whether the process would notice if it stopped being so.
Why traditional approval gates miss relicensing
A traditional gate has two blind spots. The first is time. It approves a component and then has no trigger to look again, so a license change that happens after adoption passes unseen. The component keeps working, the approval record still reads open source, and nothing prompts a fresh look. The second is classification. Many gates treat source available licenses as if they were open source, because the code is readable and the distinction is unfamiliar. A component under the Business Source License or the Server Side Public License can clear a gate that was never told these are not open source and carry real restrictions. The distinction itself is set out in permissive versus copyleft versus source available explained.
What an approval process should check
A process fit for relicensing checks four things at intake. It confirms the current license state of the component against primary sources, because a name in a registry is not proof of the terms in force. It flags any source available license explicitly, so that the Business Source License and the Server Side Public License are never silently treated as open source. It captures the intended deployment pattern, because the same component carries different exposure for internal use than for offering the software as a service. And it records an as-of date, so the approval can be revisited rather than trusted forever. These four checks turn a one-time gate into a position that can be maintained.
The deployment pattern check matters because the recent license changes were written to target hosted and managed offerings. As of August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1, and as of March 2024 Redis moved to a dual model including the Server Side Public License. Whether either reaches you turns on how you run the component, which is covered in relicensing and cloud and managed service use.
Catching a relicense at intake rather than in an audit
The cheapest moment to deal with a relicensed component is before it is wired in. A process that catches a source available license at intake can choose an openly licensed alternative, such as OpenTofu or Valkey, before any code depends on the original. A process that misses it pushes the discovery downstream, to a vendor letter or an audit, where the blast radius is wider and the options are fewer. The economics of that delay are covered in the cost to cure open source license risk, and the alternatives that intake can steer toward are covered in the OpenTofu and Valkey fork story.
Adding the checks without slowing delivery
The goal is not a heavier process. It is a smarter one. The checks belong inside the intake and build gates teams already pass through, not in a separate review that delivery learns to route around. An allowlist that distinguishes open source from source available, combined with an automated flag when a tracked dependency relicenses, catches the risk at the speed teams already work. The design of those gates is a governance question, and a relicensing exposure review sizes the existing exposure while governance work prevents the next one. The wider landscape sits on the relicensing pillar.
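The intake checks and the allowlist plus relicense flag described above can be expressed as one small gate. This is an added example, not code from the original article; the outcome names, the policy that routes hosted use higher than internal use, and the sample inventory are assumptions, and the license identifiers are SPDX identifiers.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy tables keyed by SPDX identifier; replace with your own allowlist.
OPEN_SOURCE = {"MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0"}
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0"}  # flagged explicitly, never treated as open source

@dataclass(frozen=True)
class Approval:
    component: str
    license_id: str   # license confirmed against the primary source, not the registry label
    deployment: str   # "internal" or "hosted_service"
    as_of: date       # when the license state was confirmed
    decision: str     # "approve", "review" or "escalate" (assumed outcome names)
    reason: str

def intake(component, license_id, deployment, as_of):
    """Apply the four intake checks and return a dated approval record."""
    if license_id in SOURCE_AVAILABLE:
        # Assumed policy: hosted or managed use is routed higher than internal use.
        decision = "escalate" if deployment == "hosted_service" else "review"
        reason = f"{license_id} is source available; deployment={deployment}"
    elif license_id in OPEN_SOURCE:
        decision, reason = "approve", f"{license_id} is on the open source allowlist"
    else:
        decision, reason = "review", f"{license_id} is not classified"
    return Approval(component, license_id, deployment, as_of, decision, reason)

def recheck(approvals, observed, today):
    """Re-run the gate for every tracked component whose license has changed."""
    flagged = []
    for prior in approvals:
        current = observed.get(prior.component, prior.license_id)
        if current != prior.license_id:
            flagged.append(intake(prior.component, current, prior.deployment, today))
    return flagged

# Constructed sample data: approvals on file and licenses observed at build time.
ON_FILE = [
    intake("terraform", "MPL-2.0", "hosted_service", date(2023, 1, 10)),
    intake("internal-cache", "BSD-3-Clause", "internal", date(2023, 1, 10)),
    intake("logging-lib", "Apache-2.0", "internal", date(2023, 1, 10)),
]
OBSERVED = {"terraform": "BUSL-1.1", "internal-cache": "SSPL-1.0", "logging-lib": "Apache-2.0"}

if __name__ == "__main__":
    for a in recheck(ON_FILE, OBSERVED, date(2024, 4, 1)):
        print(a.component, a.decision, a.reason, a.as_of)
```

Running `recheck` from a build step keeps the as-of date current and surfaces only the components whose license state has moved since approval.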
We are independent and buyer side. We take no vendor fees and resell no software, so the approval criteria and exposure findings we produce reflect your risk and nothing else. This is commercial and licensing risk advisory, not legal advice. For interpretation of specific license terms and your compliance position, engage your own counsel.
COMMON QUESTIONS
Questions buyers ask.
How does relicensing affect procurement approval processes?
Most procurement approval processes check a license once, at intake, and never again. Relicensing breaks that assumption, because a component approved as open source can later move to the Business Source License or the Server Side Public License. A process built for the relicensing era treats the license as a state that can change, not a fact settled at adoption.
Why do traditional approval gates miss relicensing?
Traditional gates approve a component and move on. They have no trigger to revisit a license after adoption, so a change that happens later passes unseen. They also tend to treat source available licenses as open source, which means a covered component can clear the gate even when its terms carry real restrictions.
What should a procurement process check for source available licenses?
It should confirm the current license state against primary sources, flag any source available license such as the Business Source License or the Server Side Public License, capture the intended deployment pattern, and record an as-of date so the approval can be revisited. The aim is to catch a competitive or service condition before the component is wired in.
How do we add relicensing checks without slowing delivery?
Wire the check into existing intake and build gates rather than adding a separate review. An allowlist that distinguishes open source from source available, plus an automated flag when a dependency relicenses, catches the risk at the speed teams already work. Governance and policy design makes this practical rather than burdensome.
Is this legal advice?
No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and your compliance position, we recommend you engage your own counsel.