Corporate Open Source is Dead

IBM is buying HashiCorp for $6.4 billion.

That's four months after HashiCorp rugpulled their entire development community and ditched open source for the 'Business Source License.'

As someone on Hacker News pointed out so eloquently:

IBM is like a juicer that takes all the delicious flavor out of a fruit

skywhopper replied:

HashiCorp has done a good job of pre-draining any flavor it once had.

Some people wonder if HashiCorp's decision to drop open source was because they wanted to juice the books for a higher price. I mean, six billion dollars? And they're not even a pointless AI company!

This blog post is a transcript of the video I posted today, Corporate Open Source is Dead. You can watch it on YouTube.

Meanwhile, Redis dropped the open BSD license and invented their own 'Source Available' license.

And last year, I covered how Red Hat found a way to just barely comply with the open source GPL license for their Enterprise Linux distro.

Other companies like MongoDB, Cockroach Labs, Confluent, Elasticsearch, and Sentry also went 'Source Available'. It started with some of the smaller players, but as rot sets in at even the biggest 'open source' companies, open source devs are choosing the nuclear option.

When a company rug pulls? Fork 'em. Literally!

Terraform, HashiCorp's bread and butter, was forked into OpenTofu, and adopted by the Linux Foundation. Companies who built their businesses on top of Terraform quickly switched over. Even juicier, OpenBao—a fork of HashiCorp's other big project Vault—is backed by IBM! What's going to happen with that fork now?

At least forks seem pretty straightforward in Hashi-land. In the wake of Redis' wanton destruction, it seems like there's a new fork every week!

And some developers are even exploring ditching the Redis code entirely, like redka's an API-compatible wrapper on top of SQLite!

After Red Hat closed its door—most of the way, at least they didn't try pulling a switcheroo on the license itself! Oracle, SUSE, and CIQ scrapped together the OpenELA alliance to maintain forks of Enterprise Linux. And CentOS users who'll be left in a lurch as June marks the end of CentOS 7 support have to decide whether to use AlmaLinux or one of the ELA projects now.

All these moves shattered the playbook startups and megacorps used—and now we're seeing, abused—to build up billions in revenue over the past decade.

It was all in the name of 'open source'.

As free money dries up and profits slow, companies slash headcount almost as fast as community trust.

2024 is the year corporate open source died

2024 is the year Corporate Open Source—or at least any remaining illusions about it—finally died.

It's one thing to build a product with a proprietary codebase, and charge for licenses. You can still build communities around that model, and it's worked for decades.

But it's totally different when you build your product under an open source license, foster a community of users who then build their own businesses on top of that software, then yoink the license when your revenue is affected.

That's called a bait-and-switch.

Bryan Cantrill's been sounding the alarm for years—yes, that Bryan Cantrill, the one who posted this gem:

Brian's presentation from 12 years ago is worth a watch, and the bottom line is summed up by Drew DeVault:

[Contributor License Agreements are] a strategy employed by commercial companies with one purpose only: to place a rug under the project, so that they can pull at the first sign of a bad quarter. This strategy exists to subvert the open source social contract.

By working on a project with a CLA, where you sign away your code, you're giving carte blanche for the company to take away your freedom to use their software.

From a company's perspective, if they want CLAs or if they want to use an anti-open-source license, they do not care about your freedoms. They're protecting revenue streams. They'll often talk about freeloaders, whether it's Amazon building a competing hosted solution, or some startup that found a way to monetize support.

But in the end, even if you have GPL code and you charge people to get it, it's not truly free as in freedom, if the company restricts how you can use, modify, and share the code.

But there's a distinction here, and I know a few people watching this are already yelling at me. There's "free" software, and there's "open source."

People in the free software community correctly identified the danger of calling free software 'open source.'

I don't think we have to be so dogmatic about it, but there is a fundamental philosophical difference between the free software community, with organizations like the Free Software Foundation and Software Freedom Conservancy behind it, and the more business-oriented 'open source' culture.

Open source culture relies on trust. Trust that companies you and I helped build (even without being on the payroll) wouldn't rugpull.

But time and time again, that trust is shattered.

Is this slow death of corporate open source bad? Well, it's certainly been annoying, especially for devs like me who felt connected to these communities in the past. But it's not all bad.

Why it's not bad for corporate open source to die

In fact, this could be a huge opportunity; what happened to the spunky startups like Ansible, HashiCorp, Elasticsearch, or Redis? They were lighting their industries on fire with great new software.

What happened to building up communities of developers, crossing cultural and economic barriers to make software that changed the world?

There are still projects doing that, but so many succumb to enterprise money, where eye-watering amounts of revenue puts profit over philosophy.

But as money dries up, as more developers get laid off after the insane hiring trends of the past five years, maybe small dev teams can move the needle.

The AI bubble hasn't popped yet, so some great people are getting sucked into that vortex.

But someone else could be on the cusp of the next great open source project. Just... don't add a CLA, okay?

And it's not just devs; big companies can join in. Historically bad players like Microsoft and maybe even Oracle—man, it pains me to say that. They've even made strides in the past decade!

IBM could even mend some wounds, like they could reunite OpenTofu and Terraform. There's precedent, like when IO.js merged back into Node.js after a fork in 2015.

People asked what Red Hat could do to get me interested in Enterprise Linux again. It's simple: stop treating people who don't bring revenue to the table like garbage. Freeloaders are part of open source—whether they're running homelab or a competing business.

Companies who want to befriend open source devs need to show they care about more than just money. Unfortunately, the trend right now is to rugpull to juice the quarterlies, because money line always goes up!

But you know what? I'd just prefer honesty. If revenue is so dependent on selling software, just... make the software proprietary. Don't be so coy!

But to anyone who's not a multi-billion dollar corporation, don't be a victim of the next rugpull. The warning signs are clear: Don't sign a CLA. Stay away from projects that require them.

Stick to open source licenses that respect your freedom, not licenses written to juice revenue and prep a company for a billion-dollar-buyout.

Maybe it's time for a new open source rebellion. Maybe this time, money won't change company culture as new projects arise from the ash heap. Maybe not, but at least we can try.


Jeff, you have misspelt Bryan Cantrill's name.

I would say that this starts at the top - Where the Linux Foundation and other entities have been usurped by Corporations like Microsoft who want to control Open Source and direct the money towards their interest.

Got lost in all your ranting there. At some point somebody has to pay 'something' for the labor and other expenses including legal. There's a point where free doesn't keep the lights on.

Confused which project(s) meet your idea of purity. Perhaps Sqlite ( or are you thinking more like how Nginx seems to be semi-open if I remember correctly. Some features require $$$, or they used to be that way some years ago....

Drupal comes to mind (this blog runs on it). Instead of one company trying to hoover up all profits associated with it, there is a fairly wide ecosystem of companies that work together on it, many of them employing one or more full-time open source devs.

"A rising tide lifts all ships," and I don't think it or Linux would be better had they adopted a license other than GPLv2.

Drupal's had its own failures, but licensing was not one of them!

30+ years ago when I wrote a number of HOWTOs for the Linux Doc Project a lot of people there were upset when folks came in thereafter and published the books of those docs in bound editions you'd see in a bookstore for years.

At the time a few of us tried to reason with them and reminded them "hey you said the terms were that it was ok to use any way you want - it's a little late to complain about somebody doing exactly that". There was quote the brouhaha at the time.

We did get a tiny cut of the proceeds, which was nice, but the publishers didn't have to do that. We said free day-one and meant free.

Eventually the LDP disappeared, but then again pretty much so has the O'Reilly book ecosystem I guess. Even for pay has age limits.

There's an econ paper about the economics of software that builds modularly, Beyond Public and Private, Collective Provision Under Conditions of Supermodularity, and I think "freeloader" in the terms of the supermodular means something completely different. They're not freeloaders so much as value added to the network. That businesses want to add walls to the garden at the end is more a criminal "cash out" mentality.

I would have said something like "Startup Open Source is Dead."

Established companies like Amazon are bastions of open source today. For the benefit of their customers (and their revenue streams), they sponsor revitalized forks of the projects that startups rugpull. And while the useful projects they originate are a lot smaller or fewer than their behemoth engines could sustain, these are genuine contributions to the community without much threat of bait-and-switch, since they go into them with their eyes wide open as to the realities of open source.

I'm sure you can think of some counterexamples, and because they often operate the forks through foundations it's easy to attribute the work to the goodwill of the community, but big players like Amazon, Microsoft, and Google are part of the community, even if IBM doesn't care to be anymore.

It's really important to distinguish between CLAs that do copyright assignment and those that do not. Many CLAs do not, and are used for reasons unrelated to wanting to screw you.

Important distinction indeed.
If the CLA does *not* include copyright assignment, then you end up with distributed copyright - and a unilateral license change is no longer possible. Unless the license allows it: Permissive licenses do allow to reproprietize code.
I'd focus on the nature of the development process: Is it an open development process? With an open and diverse (multi-company) community with open decision taking? (The Four Opens[1] of the OIF reflect this well.) Because if it is, a single company that wants to make it proprietary can be almost ignored. This is what we look at in our Open Source health check.