Source available is not open source, and why it matters.
Source available is not open source. The phrase sounds pedantic until a project you depend on relicenses and the distinction starts costing money. This article explains the difference plainly, names the licenses that drive the concern, and shows where the exposure actually sits.
The most expensive assumption in enterprise software is that visible code means free code. It does not. Source available is not open source, and the gap between the two is exactly where relicensing risk lives. When the difference is ignored, a tool that passed every license check yesterday becomes a restricted component today, and the obligation can attach to software already running in production. Naming the distinction is the first step to controlling it.
What open source actually means
Open source is not a vibe or a synonym for visible. It is a defined term. The Open Source Initiative maintains a definition that requires, among other things, the freedom to use the software for any purpose, to study and modify it, and to redistribute it without discrimination against fields of use. A license is open source when it meets that definition and is approved by the Open Source Initiative. The freedom to use for any purpose is the part that matters most here, because it is the part source available licenses remove.
What source available means
Source available means the code is published and readable, but the license places conditions on how you may use it. You can inspect the source, often modify it, sometimes redistribute it, but the grant stops short of the freedom an open source license provides. The most common restriction is on competitive or service use: you may run the software, but not to offer it as a competing product or managed service. Because the restriction targets a use rather than a distribution, it can apply to deployments you already have.
The two licenses driving current concern are the Business Source License and the Server Side Public License. The Business Source License restricts competitive production use and converts to an open license after a delay, commonly four years. The Server Side Public License carries a strong condition aimed at parties who offer the software as a service, requiring them to release a broad set of surrounding source. Neither license is approved by the Open Source Initiative. Both are source available. Neither is open source.
The relicensing wave that made this urgent
This was an academic distinction until a series of widely used projects crossed the line. In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer from an open source license to the Business Source License 1.1; the community fork is OpenTofu. In March 2024 Redis moved from an open source license to a model that includes the Server Side Public License; the fork is Valkey. Elasticsearch and Kibana moved from Apache 2.0 to the Server Side Public License and the Elastic License in 2021; the AWS-led fork is OpenSearch. MongoDB moved to the Server Side Public License in 2018. Each of these tools was adopted as open source and is now source available, and many enterprises never recorded the change.
Why the distinction matters for enterprises
Most license policies were written for a world of permissive and copyleft licenses. They have a category for MIT, a category for the GNU GPL, and an implicit assumption that anything with visible source is acceptable. They have no category for a competitive use restriction. So when a project relicenses to source available terms, the relicensed component slides through intake unflagged, because the policy literally cannot see the new risk. The exposure then accrues silently until an upgrade, an audit, or a deal brings it forward. By that point the cost to cure is higher and the timeline is someone else's.
The trap is the assumption, not the license
Source available licenses are not inherently dangerous. They are a legitimate choice by maintainers who want to limit how their work is commercialized. The danger is purely the mismatch between how the software is treated and what the license actually says. An enterprise that records source available as its own category, and decides in advance how it will treat such components, carries far less risk than one that keeps calling everything open source. For the broader families, read the relicensing pillar.
Is source available code safe to use internally?
Often, but not always, and never on assumption. Many source available licenses restrict competitive or service use rather than ordinary internal use, which means an enterprise running the software for its own operations may be unaffected. But the terms vary between licenses and between versions, and some conditions can reach production deployments. The correct posture is to read the specific text, confirm how you actually deploy, and put the interpretation question to your own counsel rather than relying on the freedom an open source license would have granted.
What to do about it
Give source available its own line in your policy and its own flag in your dependency map. Decide how each source available component is treated before the next relicense lands. When a change has already reached your estate, size the blast radius and choose a path: migrate to a community fork such as OpenTofu, Valkey, or OpenSearch, remove the dependency, or negotiate a commercial license if continued use is right. These companion articles go deeper: the competitive restrictions in the SSPL, the OpenSearch fork story, and the open source relicensing FAQ.
COMMON QUESTIONS
Questions buyers ask.
What does source available is not open source mean?
Source available means you can read the code, but the license restricts how you may use it. Open source, as defined by the Open Source Initiative, grants the freedom to use the software for any purpose. The Business Source License and the Server Side Public License are source available and are not approved by the Open Source Initiative, so they are not open source.
Why does the distinction matter for enterprises?
A policy written for open source has no category for a competitive use restriction. When a project relicenses to source available terms, a tool that passed every check yesterday becomes a restricted component today, and the obligation can apply to software already running in production.
Which well-known projects moved to source available licenses?
In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer to the Business Source License. In March 2024 Redis moved to a model including the Server Side Public License. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021. MongoDB moved to the Server Side Public License in 2018.
Is source available code free to use internally?
It depends on the specific license and how you deploy. Source available licenses commonly restrict competitive or service use rather than internal use, but the terms vary and can apply to production. Read the text and ask your own counsel rather than assuming the freedom an open source license would grant.
Is this article legal advice?
No. It is commercial and licensing risk analysis, not legal advice. For interpretation of license terms, engage your own counsel.