Licence flips

An open source project whose contributions, artefacts or roadmap depend on a single sponsor is a project whose licence on future versions is revocable. This legal precision matters: when a publisher changes a project’s licence, the versions already released under a free licence remain freely usable forever — no one can retroactively revoke the GPL or BSD on code already distributed. What changes is the licence applied to future versions. But this technical distinction offers no practical comfort: a user pinned to an obsolete free version progressively loses security fixes, new features and compatibility patches. Legal freedom over past code becomes useless if one has to use present code.

The cases that follow document licence flips operated by companies that had built up a dominant position over their open source project, then withdrew on future versions the freedom they had initially granted. Each case follows a similar pattern: a permissive free licence used for growth, followed by a switch to a restrictive licence once the project becomes critical enough that migration costs the users dearly.

Hashicorp — The flip of an entire DevOps stack#

Date : 10 August 2023 (announcement of the flip) Status : confirmed, two active forks maintained (OpenTofu, OpenBao) Manifesto theses illustrated : 5, 11, 12

The fact#

On 10 August 2023, Hashicorp announced the move of its entire product portfolio from the free MPL 2.0 licence (Mozilla Public License) to a Business Source License (BSL) v1.1. This licence prohibits competing commercial use: a third party can no longer offer these products as a managed service without an agreement with Hashicorp.

The following products were affected simultaneously:

• Terraform — infrastructure-as-code, the most widely covered product
• Vault — secrets management (API keys, certificates, passwords), considered the de facto standard in its segment and often described as “impossible to replace” in the short term in mature IT environments
• Consul — service mesh and service discovery, a central brick in many microservice architectures
• Nomad — container and workload orchestrator, an alternative to Kubernetes for many organisations
• Packer — virtual machine image creation, a pivot of infrastructure CI/CD chains
• Boundary — secure remote access to infrastructures
• Waypoint — application deployment

This was therefore not an isolated change to a single tool, but the simultaneous flip of an entire DevOps stack which many European organisations — banks, telecom operators, public administrations, industrial groups — had adopted as the very backbone of their cloud infrastructure.

Hashicorp’s public justification: protect its business model against cloud providers (notably AWS) which were monetising these tools without contributing to their development. But the decision affected the entire ecosystem: integrators, European providers, communities, all suddenly legally constrained in their use.

The reaction was immediate, but uneven across products. In September 2023, a consortium of players — including Gruntwork, Spacelift, Env0, Scalr, Harness, Digger — announced the fork OpenTF (renamed OpenTofu after acceptance by the Linux Foundation), which shipped a stable release in January 2024 under preserved MPL 2.0. In April 2024, the Linux Foundation also welcomed OpenBao, a fork of Vault, under the same model. For the other products — Consul, Nomad, Packer, Boundary, Waypoint — no credible fork has emerged to date.

In April 2024, Hashicorp was acquired by IBM for $6.4 billion.

What it demonstrates#

The Hashicorp case is the most pedagogical of this family for illustrating thesis 5 (“revocable free project”) on several counts:

1. A free licence is not a permanent state for future versions. All Hashicorp product versions released before 10 August 2023 remain under MPL 2.0 and always will — that is a settled legal fact. But from that date, every new version ships under BSL. A user who wants to remain strictly open source must therefore freeze on ageing versions, or migrate to forks where they exist.

2. The depth of the dependency multiplies the cost of leaving. An organisation using “only” Terraform can migrate to OpenTofu with reasonable effort. But an organisation that built its architecture around Vault + Consul + Terraform + Packer simultaneously faces a migration cost multiplied by the number of products, with no unified fork covering the entire stack. The more an organisation has adopted a publisher’s full stack, the costlier the flip is to work around.

3. “Must have” status is a capture factor. Once a product becomes the de facto standard in its segment, it leaves the register of tools and enters that of infrastructure. Organisations no longer truly “choose” it; they adopt it because the entire ecosystem (training, certifications, providers, integrations) revolves around it. This lock-in by standardisation is precisely the mechanism described in thesis 12 of the manifesto.

4. The asymmetry of the rescue reveals the dependency. Whether AWS, Google or consortia dominated by American players fund the licence forks, Europe remains structurally absent from these rescue operations. Flips are settled between American players, with no significant European participation — even for tools massively deployed in Europe.

5. The subsequent acquisition of Hashicorp by IBM confirms that the licence flip was not a stable policy but a step in a broader commercial strategy. For European users, this means the roadmap of their infrastructure bricks now depends on IBM’s trade-offs, regardless of their own priorities.

Sources#

• Hashicorp (August 2023), HashiCorp adopts Business Source License : https://www.hashicorp.com/en/blog/hashicorp-adopts-business-source-license
• OpenTofu (January 2024), launch announcement : https://opentofu.org/blog/the-opentofu-fork-is-now-available/
• Linux Foundation (September 2023), welcoming the OpenTofu fork.
• Linux Foundation (April 2024), OpenBao : announcement of the Vault fork.
• The Register (August 2023), coverage of the Hashicorp licence flip.
• IBM (April 2024), press release on the acquisition of Hashicorp for $6.4 billion.

Redis — Two flips in six years#

Dates : August 2018 (Redis Modules → Commons Clause), March 2024 (Redis Core → SSPL/RSAL) Status : confirmed, Valkey fork active Manifesto theses illustrated : 5, 11

The fact#

Redis is one of the most widely used in-memory databases in the world, long published under a BSD licence. Its history of flips spans several years:

• August 2018: Redis Labs (later renamed Redis Inc.) adds the Commons Clause to several Redis modules (RedisGraph, RedisJSON, RediSearch, RedisML, RedisBloom). This clause restricts commercial use. The event provoked a major debate in the open source community.
• March 2024: Redis Inc. announces that Redis Core itself flips from the BSD licence to dual-licensing under SSPL (Server Side Public License) and RSAL (Redis Source Available License). Both licences prohibit competing commercial use as a managed service.

The reaction was immediate. The Linux Foundation announced on 1 April 2024 the Valkey fork, supported by AWS, Google Cloud, Oracle, Ericsson and Snap. Valkey kept the original BSD licence. According to a survey conducted that year, 83% of large Redis users had either already migrated to Valkey or were testing it.

In May 2025, Redis Inc. backtracked: Redis 8 was released under AGPLv3 (alongside SSPL and RSALv2), a licence this time recognised by the OSI as open source. The return of Salvatore Sanfilippo, Redis’s historical creator, as developer evangelist in November 2024 preceded this change. The trajectory is now identical to Elasticsearch’s: restrictive flip (March 2024) → credible fork (Valkey, April 2024) → erosion of the commercial position → partial return to open source (May 2025).

What it demonstrates#

The Redis case is instructive on three counts. First, because it shows that licence flips are not isolated events but trajectories: a company starts by restricting peripheral modules (2018), tests the community’s reaction, then moves on to the core of the product (2024). Second, because the response — the Valkey fork — is carried mainly by AWS and Google, that is, the very players Redis Inc. accused of monetising its work without contributing. Defending free software is therefore done with several million dollars of commitment from American cloud providers, not by European or citizen mobilisation. Finally, because Redis’s return to AGPLv3 in May 2025 confirms that the existence of a credible fork disciplines publishers: without Valkey, it is likely Redis Inc. would never have returned to an open source licence.

Sources#

• Redis Labs (August 2018), Apache 2 Modified with Commons Clause : https://redis.com/blog/apache-2-modified-with-commons-clause/
• Redis Inc. (March 2024), Redis Adopts Dual Source-Available Licensing : https://redis.io/blog/redis-adopts-dual-source-available-licensing/
• Linux Foundation (March 2024), Linux Foundation Launches Open Source Valkey Community : https://www.linuxfoundation.org/press/linux-foundation-launches-open-source-valkey-community
• Techzine Global (May 2025), Redis returns to open source after damaging community relationship : https://www.techzine.eu/news/infrastructure/131056/redis-returns-to-open-source-after-damaging-community-relationship/
• The New Stack (March 2024), coverage of the Valkey fork.

Elasticsearch — The SSPL flip and the birth of OpenSearch#

Date : 14 January 2021 Status : confirmed, OpenSearch fork active Manifesto theses illustrated : 5, 11

The fact#

On 14 January 2021, Elastic NV (a Dutch company listed on NYSE) announced the move of Elasticsearch and Kibana from the free Apache 2.0 licence to dual-licensing under SSPL and Elastic License. As in the Redis case, these licences prohibit competing commercial use as a managed service. Elastic’s public justification: prevent AWS from monetising Elasticsearch via its Amazon Elasticsearch Service without contributing to its development.

AWS responded quickly. In April 2021, Amazon announced the OpenSearch fork under preserved Apache 2.0 licence. OpenSearch is today a project under Linux Foundation governance (since September 2024), with dozens of AWS-employed maintainers and an established contributor ecosystem.

Three years later, in August 2024, Elastic backtracked: Elasticsearch and Kibana regained an open source licence (AGPL v3) alongside their proprietary licences. OpenSearch’s competition had visibly eroded Elastic’s position faster than it had anticipated.

What it demonstrates#

The Elasticsearch case is interesting for its dual trajectory: the 2021 flip, then the partial reversal of 2024. It shows that:

1. A licence flip can be counterproductive even for its author. Elastic lost more market share than it gained by monopolising the managed service.
2. The existence of a credible fork disciplines publishers. Without OpenSearch, Elastic would probably never have reverted.
3. Elastic’s European domiciliation made no difference. Although based in the Netherlands, Elastic NV is listed on NYSE and operates according to American commercial logic. This illustrates that a company’s “European domiciliation” is no guarantee of sovereign behaviour.

Sources#

• Elastic NV (January 2021), Doubling down on open : https://www.elastic.co/blog/doubling-down-on-open
• Amazon (April 2021), Stepping up for a truly open source Elasticsearch : https://aws.amazon.com/blogs/opensource/stepping-up-for-a-truly-open-source-elasticsearch/
• Elastic NV (August 2024), Elasticsearch is open source, again : https://www.elastic.co/blog/elasticsearch-is-open-source-again
• OpenSearch Foundation (September 2024).

MongoDB — The founding precedent of the SSPL#

Date : 16 October 2018 Status : confirmed, no dominant fork Manifesto theses illustrated : 5, 11

The fact#

On 16 October 2018, MongoDB Inc. announced the move of its MongoDB database from the free AGPL v3 licence to the Server Side Public License (SSPL) — a licence MongoDB itself created for the occasion. The SSPL prohibits competing commercial exploitation as a managed service: any third-party provider offering MongoDB as SaaS must publish its entire service code under SSPL, which is commercially impossible for most operators.

The SSPL was not recognised as open source by the Open Source Initiative, which maintains the reference definition of free software. MongoDB withdrew its own approval request in March 2019 rather than wait for a formal rejection. The Free Software Foundation also considers the SSPL non-free. These are positions taken by reference organisations, not official legal qualifications — in strict law, the SSPL is a licence that distributes source code under extended copyleft conditions. Nevertheless, MongoDB continues to present itself as “source available”, and the SSPL became the model copied by Redis, Elastic and others in the years that followed.

Unlike the Redis and Elasticsearch cases, no dominant fork has emerged for MongoDB. AWS launched its own MongoDB API-compatible service (Amazon DocumentDB), but without a true fork of the MongoDB code itself.

What it demonstrates#

The MongoDB case is the founding precedent of all subsequent flips. It showed that a company could:

1. Invent its own restrictive licence, presented as “open source-like”.
2. Hold against criticism from the OSI and FSF without major user disaffection.
3. Preserve its dominant position without a credible fork emerging, because the project’s complexity and the absence of any actor with both the means and the motivation make a fork impractical.

This last point is the most worrying for European sovereignty. Forking a project as complex as MongoDB requires a payroll, an expertise and a global distribution that no European actor possesses. The MongoDB flip is therefore, to date, irreversible — and that irreversibility is precisely what thesis 5 fears.

Sources#

• MongoDB Inc. (October 2018), The Server Side Public License : https://www.mongodb.com/blog/post/mongodb-now-released-under-the-server-side-public-license
• Open Source Initiative, position on the SSPL : https://opensource.org/blog/the-sspl-is-not-an-open-source-license
• Free Software Foundation, qualification of the SSPL.
• Linux Foundation, debates on the SSPL.

RHEL / CentOS Stream — The flip on source redistribution#

Date : 21 June 2023 Status : confirmed, Rocky Linux and AlmaLinux reorganised in degraded mode Manifesto theses illustrated : 5, 7, 11, 12

The fact#

On 21 June 2023, Red Hat announced that CentOS Stream would become the sole public source repository linked to Red Hat Enterprise Linux (RHEL). Before that date, the sources for each RHEL release were published on git.centos.org, freely accessible to any individual or company. After that date, access to the full RHEL sources was restricted to customers and partners under contract, via the Red Hat Customer Portal.

The official wording was: “CentOS Stream will now be the sole repository for public RHEL-related source code releases. For Red Hat customers and partners, source code will remain available via the Red Hat Customer Portal.” The stated reason was editorial efficiency (avoiding the maintenance of redundant repositories), but the practical effect was immediate on the ecosystem of RHEL-derived community distributions: Rocky Linux, AlmaLinux and Oracle Linux suddenly found themselves cut off from their canonical source for 1:1 binary rebuilds against RHEL.

This decision was part of a trajectory begun in late 2020, when Red Hat announced that CentOS Linux 8 — until then a faithful downstream of RHEL — would become CentOS Stream, an upstream of RHEL. Users wanting 1:1 compatibility with RHEL had to migrate to other distributions. Rocky Linux (carried by Greg Kurtzer, one of the historical founders of CentOS) and AlmaLinux (carried by CloudLinux) had been created in 2021 precisely to meet that need. The June 2023 decision hit both projects hard: they had built their technical model on free access to RHEL sources, a model that was disappearing without notice.

The Rocky Enterprise Software Foundation and AlmaLinux OS Foundation took several months to reorganise. AlmaLinux publicly chose to drop strict 1:1 binary compatibility in favour of ABI compatibility (Application Binary Interface), which covers most enterprise use cases without requiring access to RHEL’s exact sources. Rocky Linux opted for indirect access strategies via Red Hat’s UBI (Universal Base Images) and free developer subscriptions. Both projects continue to exist in 2026, but in a degraded mode compared to what they would have been with free access to RHEL sources.

What it demonstrates#

This episode illustrates, with a precision no abstract reasoning could match, the mechanism that the new section “The distributor syndrome” of the inventory of gaps operationalises. On the evening of 20 June 2023, hundreds of European providers — hosting providers, integrators, vertical publishers — had built their infrastructure on the CentOS Stream → RHEL chain or its derivatives. On the morning of 21 June 2023, those providers learned through a public announcement that this chain had just changed its rules. None of them had been consulted. None of them had been warned in advance. None of them had recourse.

The decision itself was neither illegitimate nor illegal: Red Hat is within its rights to define how its products are distributed. But it illustrates that the “open source” legal status of a brick does not protect against unilateral modification of redistribution conditions by its producer. When the producer of the brick is foreign, when the European providers redistributing it do not participate in its governance, and when the public buyers who value sovereignty have not required a technological continuity plan in case of unilateral flip, the entire ecosystem becomes vulnerable to decisions made beyond its control.

The echo with OpenShift is direct: OpenShift is Red Hat’s property; in the current structure, nothing protects against a Red Hat-IBM decision analogous to that of June 2023, which could tomorrow modify access, redistribution, pricing or support conditions for OpenShift — a product redistributed in several French SecNumCloud offers (see family 3).

Sources#

• Red Hat, announcement of 21 June 2023, picked up on the Red Hat site and widely covered by the specialist press.
• Phoronix, “Red Hat Now Limiting RHEL Sources To CentOS Stream”, 21 June 2023 : https://www.phoronix.com/news/Red-Hat-CentOS-Stream-Sources
• LWN.net, “Red Hat cutting back RHEL source availability”, 21 June 2023 : https://lwn.net/Articles/935592/
• The Register, “Red Hat strikes a crushing blow against RHEL downstreams”, 23 June 2023 : https://www.theregister.com/2023/06/23/red_hat_centos_move/
• OpenLogic, “RHEL Source Code Restriction: What It Means for Rocky Linux and AlmaLinux”, updated 17 November 2023 : https://www.openlogic.com/blog/rhel-source-code-access-changes
• Linuxiac, “Red Hat Restricts Access to Its Source Code”, 22 June 2023 : https://linuxiac.com/red-hat-restricts-access-to-its-source-code/
• Public communications from the Rocky Enterprise Software Foundation and AlmaLinux OS Foundation, June–October 2023.

Family synthesis#

The five documented cases (Hashicorp, Redis, Elasticsearch, MongoDB, RHEL/CentOS Stream) follow a recognisable pattern:

1. Growth phase: a permissive free licence (Apache 2.0, BSD, MPL, AGPL) or public source redistribution, maximising adoption.
2. Domination phase: the project or distribution becomes critical to its users and accumulates a base of paying users or redistributors.
3. Flip phase: the publisher changes the licence (Hashicorp, Redis, Elasticsearch, MongoDB) or the conditions for redistribution of artefacts (RHEL/CentOS) to prohibit competition on managed services or 1:1 binary rebuilds.
4. Reaction phase: depending on the case, fork (Terraform → OpenTofu, Vault → OpenBao, Redis → Valkey, Elasticsearch → OpenSearch) or no fork (MongoDB; Consul, Nomad, Packer, Boundary, Waypoint), or degraded reorganisation (Rocky Linux, AlmaLinux).

The RHEL/CentOS case extends the pattern’s perimeter: it is not strictly a licence flip (RHEL versions under GPL remain under GPL for whoever obtains them), but a restriction on access to artefacts producing the same practical effect on the redistribution ecosystem. The common mechanism — unilateral decision by a single sponsor altering redistribution — generalises to every brick where a commercial entity concentrates production.

This pattern is now documented, predictable, and reproducible. Any successful open source project carried by a single company, and any proprietary distribution whose ecosystem depends on the publication of sources, is a candidate for this trajectory. European organisations adopting these projects today must factor the possibility of this flip into their sovereignty assessment — and prefer, at functional equivalence, projects under distributed governance (see family 5).

→ Related operational commitments#

The device documents several concrete commitments that actors along the chain can make to anticipate, work around or exit the licence flip patterns illustrated above.

• User organisations: audit your exposure to single-vendor dependencies; study at least one migration out of an identified single-vendor component; give preference to bricks under European governance or multi-vendor neutral governance.
• Publishers and providers: at functional equivalence, favour multi-vendor neutral bricks in the offers proposed.
• Developers: examine the governance jurisdiction of third-party components used in professional projects.

Full catalogue of commitments →