Rug pulls, forks, and open-source feudalism
Power dynamics
Since the beginning of history, Foster began, those in power have tended to use it against those who were weaker. In the days of feudalism, control of the land led to exploitation at several levels. In the open-source world, the large cloud providers often seem to have the most power, which they use against smaller companies. Contributors and maintainers often have less power than even the smaller companies, and users have less power yet.
![[Dawn Foster]](https://static.lwn.net/images/conf/2025/osseu/DawnFoster-sm.png "Dawn Foster")
We have built a world where it is often easiest to just use whatever a
cloud provider offers, even with open-source software. Those providers may
not contribute back to the projects they turn into services, though,
upsetting the smaller companies that are, likely as not, doing the bulk of
the work to provide the software in question in the first place. Those
companies can have a power of their own, however: the power to relicense
the software. Pulling the rug out from under users of the software in this
way can change the balance of power with regard to cloud providers, but it
leaves contributors and users in a worse position than before. But
there is a power at this level too: the power to fork the software,
flipping the power balance yet again.
Companies that control a software project have the power to carry out this sort of rug pull, and they are often not shy about exercising it. Single-company projects, clearly, are at a much higher risk of rug pulls; the company has all the power in this case, and others have little recourse. So one should look at a company's reputation before adopting a software project, but that is only so helpful. Companies can change direction without notice, be acquired, or go out of business, making previous assessments of their reputation irrelevant.
The problem often comes down to the simple fact that companies have to answer to their investors, and that often leads to pressure to relicense the software they have created in order to increase revenue. This is especially true in cases where cloud providers are competing for the same customers as the company that owns the project. The result can be a switch to a more restrictive license aimed at making it harder for other companies to profit from the project.
A rug pull of this nature can lead to a fork of the project — a rebellious, collective action aimed at regaining some power over the code. But a fork is not a simple matter; it is a lot of work, and will fail without people and resources behind it. The natural source for that is a large company; cloud providers, too, can try to shift power via a fork, and they have the ability to back their fork up with the resources it needs to succeed.
A relicensing event does not always lead to a popular fork; that did not happen with MongoDB or Sentry, for example. Foster said she had not looked into why that was the case. Sometimes rug pulls take other forms, such as when Perforce, after acquiring Puppet in 2022, moved its development and releases behind closed doors, with a reduced frequency of releases back to the public repository. That action kicked off the OpenVox fork.
Looking at the numbers
Foster has spent some time analyzing rug pulls, forks, and what happens thereafter; a lot of the results are available for download as Jupyter notebooks. For each rug-pull event, she looked at the contributor makeup of the project before and after the ensuing fork in an attempt to see what effects are felt by the projects involved.
In 2021, Elastic relicensed Elasticsearch under the non-free Server Side Public License (SSPL). Amazon Web Services then forked the project as OpenSearch. Before the fork, most of the Elasticsearch contributors were Elastic employees; that, unsurprisingly, did not change afterward. OpenSearch started with no strong contributor base, so had to build its community from scratch. As a result, the project has been dominated by Amazon contributors ever since; the balance has shifted slowly over time, but there was not a big uptick in outside contributors even after OpenSearch became a Linux Foundation project in 2024. While starting a project under a neutral foundation can help attract contributors, she said, moving a project under a foundation's umbrella later on does not seem to provide the same benefit.
Terraform was developed mostly by Hashicorp, which relicensed the software under the non-free Business Source License in 2023. One month later, the OpenTofu fork was started under the Linux Foundation. While the contributor base for Terraform, which was almost entirely Hashicorp employees, changed little after the fork, OpenTofu quickly acquired a number of contributors from several companies, none of whom had been Terraform contributors before. In this case, users drove the fork and placed it under a neutral foundation, resulting in a more active developer community.
In 2024, Redis was relicensed under the SSPL; the Valkey fork was quickly organized, under the Linux Foundation, by Redis contributors. The Redis project differed from the others mentioned here in that, before the fork, it had nearly twice as many contributors from outside the company as from within; after the fork, the number of external Redis contributors dropped to zero. All of the external contributors fled to Valkey, with the result that Valkey started with a strong community representing a dozen or so companies.
Looking at how the usage of these projects changes is harder, she said, but there appears to be a correlation between the usage of a project and the number of GitHub forks (cloned repository copies) it has. There is typically a spike in these clones after a relicensing event, suggesting that people are considering creating a hard fork of the project. In all cases, the forks that emerged appeared to have less usage than the original by the "GitHub forks" metric; both branches of the fork continue to go forward. But, she said, projects that are relicensed do tend to show reduced usage, especially when competing forks are created under foundations.
What to do
This kind of power game creates problems for both contributors and users, she said; we contribute our time to these projects, and need them to not be pulled out from under us. There is no way to know when a rug pull might happen, but there are some warning signs to look out for. At the top of her list was the use of a contributor license agreement (CLA); these agreements create a power imbalance, giving the company involved the power to relicense the software. Projects with CLAs more commonly are subject to rug pulls; projects using a developers certificate of origin do not have the same power imbalance and are less likely to be rug pulled.
One should also look at the governance of a project; while being housed under a foundation reduces the chance of a rug pull, that can still happen, especially in cases where the contributors are mostly from a single company. She mentioned the Cortex project, housed under the Cloud Native Computing Foundation, which was controlled by Grafana; that company eventually forked its own project to create Mimir. To avoid this kind of surprise, one should look for projects with neutral governance, with leaders from multiple organizations.
Projects should also be evaluated on their contributor base; are there enough contributors to keep things going? Companies can help, of course, by having their employees contribute to the projects they depend on, increasing influence and making those projects more sustainable. She mentioned the CHAOSS project, which generates metrics to help in the judgment of the viability of development projects. CHAOSS has put together a set of "practitioner guides" intended to help contributors and maintainers make improvements within a project.
With the sustained rise of the big cloud providers, she concluded, the power dynamics around open-source software are looking increasingly feudal. Companies can use relicensing to shift power away from those providers, but they also take power from contributors when they pull the rug in this way. Those contributors, though, are in a better position than the serfs of old, since they have the ability to fork a project they care about, shifting power back in their direction.
Hazel Weakly asked if there are other protections that contributors and users might develop to address this problem. Foster answered that at least one company changed its mind about a planned relicensing action after seeing the success of the Valkey and OpenTofu forks. The ability to fork has the effect of making companies think harder, knowing that there may be consequences that follow a rug pull. Beyond that, she reiterated that projects should be pushed toward neutral governance. Dirk Hohndel added that the best thing to do is to bring more outside contributors into a project; the more of them there are, the higher the risk associated with a rug pull. Anybody who just sits back within a project, he said, is just a passenger; it is better to be driving.
Foster's slides are available for interested readers.
[Thanks to the Linux Foundation, LWN's travel sponsor, for supporting my
travel to this event.]
| Index entries for this article | |
|---|---|
| Conference | Open Source Summit Europe/2025 |
Posted Sep 6, 2025 12:24 UTC (Sat)
by immibis (subscriber, #105511)
[Link] (25 responses)
The confusion comes about because the OSI declared it to not be open source. But they are a corrupt institution. Their explanation[1] makes no reference to the license text whatsoever, only vague handwavey excuses that apply equally well to AGPL, and the members/sponsors of the OSI are primarily companies that sell cloud stuff and have a strong interest in preventing more software from using the SSPL.
You can also check the license text itself and verify that it doesn't "discriminate against a field of endeavour". I recommend finding the plain text version, and diffing it against the AGPLv3. They differ only in the name of the license, and one short section.
[1] https://opensource.org/blog/the-sspl-is-not-an-open-sourc...
Posted Sep 6, 2025 13:15 UTC (Sat)
by claudex (subscriber, #92510)
[Link] (8 responses)
Yeah, that's the section that is considered the issue to be able to use the software to provide the service. As it requires to publish all code that interact with the software, like monitoring, backup and storage code. That's a big difference with AGPL.
> "Service Source Code" means the Corresponding Source for the Program or the modified version, and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available.
Posted Sep 6, 2025 14:15 UTC (Sat)
by smurf (subscriber, #17840)
[Link] (5 responses)
"Service Source Code" means the Corresponding Source for the Program or the modified version, and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available.
Oops, you now cannot use a commercial backup system for which you don't have the source code in conjunction with the SSPL-licensed service you're offering. Also does "storage software" incorporate the firmware of your disk drive or not? far from clear just by reading this license, that "without limitation" clause does raise a red flag or three, doesn't it?
Sorry to be blunt, but that kind of overbearing restrictive language is the antithesis of OSS. My conclusion is that anybody who proclaims the SSPL to be "free" either didn't read it or has an agenda. Or both.
Posted Sep 6, 2025 15:09 UTC (Sat)
by immibis (subscriber, #105511)
[Link] (4 responses)
Posted Sep 6, 2025 20:05 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
* You run the service on Linux, so you need to provide the Linux kernel under the SSPL.
You will probably say this is a nonsensical overreading. I agree it is nonsensical, but there is nothing in the license which actually *says* as much. That's a problem.
Posted Sep 6, 2025 20:44 UTC (Sat)
by bgilbert (subscriber, #4738)
[Link] (1 responses)
The old Sun RPC license required that Probably they meant all tape media with Sun RPC on it, but you never know.
Posted Sep 6, 2025 22:11 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link]
Posted Sep 7, 2025 6:56 UTC (Sun)
by smurf (subscriber, #17840)
[Link]
The SSPL doesn't limit its scope; heck it even says so, quite unequivocally. You have the source code to your UEFI bootloader, and the network card's firmware, and your backup software, and all the other stuff the license mentions and/or implies? No? Surprise: (almost) nobody has. Thus de facto nobody can provide networked services using SSPL'd software, thus the license limits what the software may be used for, thus SSPL'd code is not free by, well, basically every definition of Open Source out there.
Posted Sep 12, 2025 15:46 UTC (Fri)
by immibis (subscriber, #105511)
[Link] (1 responses)
It may be poorly thought out, but it isn't nonfree.
Posted Sep 12, 2025 15:53 UTC (Fri)
by corbet (editor, #1)
[Link]
Posted Sep 6, 2025 13:39 UTC (Sat)
by DemiMarie (subscriber, #164188)
[Link]
Posted Sep 6, 2025 14:15 UTC (Sat)
by jjs (guest, #10315)
[Link] (9 responses)
"9. License Must Not Restrict Other Software
The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open source software."
By the terms of the SSPL, all other software that interacts with the SSPL'd software must be Open Source (https://webassets.mongodb.com/_com_assets/legal/SSPL-comp... - see Section 13). Violation of OSD #9 (which is derived from the Debian Social Contract Guidelines - https://www.debian.org/social_contract#guidelines).
"But they are a corrupt institution."
That's a serious allegation - feel free to provide verifiable evidence of that (and no, the fact that they have corporate sponsors doesn't make them corrupt. If it did, every non-profit in the world would be considered corrupt).
Posted Sep 6, 2025 15:09 UTC (Sat)
by immibis (subscriber, #105511)
[Link] (8 responses)
Posted Sep 6, 2025 15:52 UTC (Sat)
by pbonzini (subscriber, #60935)
[Link]
The discrimination against fields of endeavor is also at least plausible. The AGPL instead only extends the circumstances under which you shall provide the sources.
Posted Sep 6, 2025 18:38 UTC (Sat)
by jjs (guest, #10315)
[Link] (6 responses)
But, with AGPL, I can bundle a monitoring tool that interacts with my software only through defined APIs with my software, because, in accordance to the OSD, I don't need to have everything on the distribution Open Source. Only my "Corresponding Source Code" for my project.
OSD (https://opensource.org/osd) Clause 9:
The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open source software."
AGPL (https://www.gnu.org/licenses/agpl-3.0.en.html) Clause 5:
Again, note here that I'm using the monitoring tool that connects via an API, that I am using to make the software service work for me to provide service to you. AGPL specifically excludes things that interact through an defined API (see clause 13 in the link above).
Check out clause 13 under https://webassets.mongodb.com/_com_assets/legal/SSPL-comp... where you can see the changes MongoDB made to the AGPL. My monitoring tool is specifically included in their license. So under the AGPL, I can use a commercial monitoring tool with my software and not have to provide it if I provide my program. Under SSPL, I have to provide it under an Open Source License. As a company, this puts restrictions on them that Free Software (OSD/Debian Free Software Guidelines/OSD) specifically forbid from being included.
Posted Sep 7, 2025 17:25 UTC (Sun)
by immibis (subscriber, #105511)
[Link] (5 responses)
That - linking without linking - is exactly what the SSPL is meant to prevent.
Posted Sep 8, 2025 2:40 UTC (Mon)
by jjs (guest, #10315)
[Link] (1 responses)
"linking without linking" - Repeat that phrase a few times - "Doing A without doing A".
Linking in software has specific meaning. From CMU (https://csapp.cs.cmu.edu/2e/ch7-preview.pdf) "Linking is the process of collecting and combining various pieces of code and data into a single file that can
How does a commercial backup software "link" to the software? If so, it does so with every piece of software on every system it backs up. How does a commercial monitoring software that uses defined APIs "link" to the software? How does running the software in a container on Microsoft Windows cause Windows to "Link" to the software? Per Section 13 of the SSPL, they all need to be distributed with the SSPL code. Define how each of them links, per the definition from CMU, to the software.
If I wrote the monitoring software BEFORE I encountered the SSPL software, made no changes to it, or even purchased it, I cannot redistributed the SSPL software (even unchanged) on a disk without including my monitoring software (which I have may not have the right to redistribute, because I didn't write it and control the license). Even though many programs may do the exact same thing. Even if I include some other program that does the exact same thing but is Open Source, I can't distribute because that software is not what I'm using. F/LOSS software does not contaminate other, unrelated software. SSPL does.
Short answer as to how they "link" (per the CMU definition above) - they don't.
Don't get me wrong. MongoDB owns the software. They can license it however they want. But that a) doesn't mean anyone else has to use that license, and b) that just because they want it to be considered an Open Source License that it is one.
BTW - still awaiting answer to:
That's a serious allegation - feel free to provide verifiable evidence of that (and no, the fact that they have corporate sponsors doesn't make them corrupt. If it did, every non-profit in the world would be considered corrupt).
From Wex (https://www.law.cornell.edu/wex/corruption): "Corruption is the dishonest, fraudulent, or criminal use of entrusted authority or power for personal gain or other unlawful or unethical benefits. "
From the law dictionary of corruption (https://thelawdictionary.org/corruption/): "Illegality; a vicious and fraudulent intention to evade the prohibitions of the law. The act of an official or fiduciary person who unlawfully and wrongfully uses his station or character to procure some benefit for himself or for another person, contrary to duty and the rights of others."
I'd be very interested in seeing the verifiable evidence you have that they have committed such acts. I imagine legal authorities would be interested as well.
Posted Sep 8, 2025 5:17 UTC (Mon)
by smurf (subscriber, #17840)
[Link]
That being said, I don't think OSI is. They may not always do what you and me would like them to do, their ideas about the free-ness of AI models are ample proof of that, but this by itself is neither necessary nor sufficient.
Posted Sep 8, 2025 10:00 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (2 responses)
> That - linking without linking - is exactly what the SSPL is meant to prevent.
Which means that the SSPL is not a *COPYRIGHT* licence. The GPLv2 set out to be a *copyright* licence, which meant that it did not talk about anything other than copying, distribution and *LINKING*, because copyright only extends as far as derivation. And derivation is a legal concept, not anything the FSF/GPL have jurisdiction over.
The GPL v3 (and other licences) added patent law into the mix, which I personally think was a mistake.
The SSPL is now trying to add other stuff - over which it has absolutely no legal jurisdiction - into the mix. This effectively results in a licence where compliance is impossible, because it is demanding actions over which it has no lawful authority, and which (as other people have pointed out) are quite likely to be illegal.
Cheers,
Posted Sep 10, 2025 10:30 UTC (Wed)
by arsen (subscriber, #161285)
[Link] (1 responses)
Why? The goal is to undermine all sorts of restrictions that are placed by the owning class on users. Patents are, in this regard, no different to copyright.
Posted Sep 10, 2025 14:39 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
I agree with you that the "owning classes" as you call them are covetous and rent-seeking, but I think mixing copyright and patents is a stupid thing to do.
They're also fundamentally different in that program copyrights (outside of the US) have *always* been treated as a "written work", and it makes sense that way. They are, basically, a mathematical treatise. And written works are not patentable. Nor are mathematical proofs. And programs are also just a (not necessarily correct :-) mathematical proof. So software patents are completely different in that they are figments of miserly lawyers' imagination, not something that actually exists.
So my patent licence would simply be "By distributing this work you accept that it is not patentable material, and you therefore agree not to sue anyone using it for breach of patent. This does not bind your defence in any way shape or form if you are sued on patent grounds for using this work". But that would be *separate* from the copyright licence.
Just as trademark law is a completely separate, third branch of IP, and the GPL explicitly says nothing about it other than explicitly saying you are allowed to exercise it over GPL'd works (and you should be - trying to ban it would be a very stupid thing to do...)
Cheers,
Posted Sep 7, 2025 0:54 UTC (Sun)
by linuxrocks123 (subscriber, #34648)
[Link] (3 responses)
OSI has rejected it as an open source license. Debian has rejected it as DFSG-compatible. FSF does not list it as a license for free software.
https://opensource.org/blog/the-sspl-is-not-an-open-sourc...
None of the three organizations in our community that are respected for the purpose of classifying licenses as sufficiently free for use by the community has stated that the SSPL is free. The SSPL is therefore not a free license.
You want to say it's an immibis-compatible license, go ahead. You want to say all three of our license-approval organizations suck, go ahead. But it's not open source, it's not DFSG-compatible, and it's not Free. Those decisions are not yours to make, and those decisions have been made.
Posted Sep 7, 2025 17:26 UTC (Sun)
by immibis (subscriber, #105511)
[Link] (2 responses)
Posted Sep 7, 2025 20:49 UTC (Sun)
by linuxrocks123 (subscriber, #34648)
[Link]
Posted Sep 8, 2025 0:29 UTC (Mon)
by tialaramex (subscriber, #21167)
[Link]
I appreciate that this is in direct opposition to your view, but when everybody else says that's a dog and you're still sure it's a cat, it's time to re-consider, isn't it in fact possible that you're just wrong and it is a dog after all ?
Posted Sep 12, 2025 14:32 UTC (Fri)
by rqosa (subscriber, #24136)
[Link]
Posted Sep 7, 2025 8:16 UTC (Sun)
by k3ninho (subscriber, #50375)
[Link]
There's an assumption hiding here that drives the whole fork and/or rugpull situation: action by the company won't affect the surrounding ecosystem, that's to say actions to raise revenue won't deter free-at-point-of-use customers from contributing fixes or features and will definitely convert them to paying licensees.
Companies have to answer to shareholders but they have to do this within the scope of the customers and cashflow of their business -- and these rugpulls and forking events alter the ecosystem around a company in ways the investors won't expect. The systems-thinking view or a power analysis would raise these as risks not to mess around with. There's always room for "destroying customer relationships or harming base resources that your business relies on -- those are things which will cause your business to fail, even if your investors insist you do them."
K3n.
SSPL is a free license
SSPL is a free license
SSPL is a free license
SSPL is a free license
SSPL is a free license
* You run the service on a virtual machine that somebody else (e.g. AWS or GCP) hosts, so you have to provide the source code for their hypervisor (and possibly other components, further down the stack, that you don't even know about).
* Your engineers use laptops or workstations to develop the service, so you need to provide whatever IDE they are running under the SSPL.
* Oops, one of your engineers installed Vim or Emacs without telling you, now you need to provide Vim or Emacs under the SSPL.
* Your engineers use iPhones and/or Android devices to receive urgent notifications ("pages") when your service fails in production. This is necessary to make the service work reliably, so you need to provide iOS and/or Android under the SSPL.
SSPL is a free license
this legend is included on all tape media and as a part of the software program in whole or part
.
SSPL is a free license
SSPL is not a free license
SSPL is a free license
I see little value in continuing to go around in circles about this. The community consensus is clearly that the license is non-free. If you feel differently and want to use SSPL-licensed software, that's fine. But let's not belabor this point any more, please?
SSPL is a free license
SSPL is not a free license
SSPL is not a free license - Per Open Source Definition
SSPL is not a free license - Per Open Source Definition
SSPL is not a free license - Per Open Source Definition
SSPL vs AGPL / Free Software / OSD / DFSG on what must be included
"
9. License Must Not Restrict Other Software
"A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate."
SSPL vs AGPL / Free Software / OSD / DFSG on what must be included
Words have definitions. Definitions matter. Guidelines matter. But wanting doesn't mean having.
be loaded (copied) into memory and executed. Linking can be performed at compile time, when the source
code is translated into machine code, at load time, when the program is loaded into memory and executed
by the loader, and even at run time, by application programs."
"But they are a corrupt institution." (referring to OSI).
Corruption?
SSPL vs AGPL / Free Software / OSD / DFSG on what must be included
Wol
SSPL vs AGPL / Free Software / OSD / DFSG on what must be included
SSPL vs AGPL / Free Software / OSD / DFSG on what must be included
Wol
SSPL is a free license
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537
https://www.gnu.org/licenses/license-list.html
SSPL is a free license
SSPL is a free license
Me: No, it doesn't appear on their list of certified devices.
You: Absence of evidence is not evidence of absence!
SSPL is not a free license
Be aware that in this post from February 2019 to the OSI's License-review mailing list, the primary author of the OSD (and the DFSG), Bruce Perens, argued that section 13 of the SSPL does not comply with the OSD's criteria #6 ("No Discrimination Against Fields of Endeavor") and #9 ("License Must Not Restrict Other Software").
SSPL is a free license
Make assumptions about the ecosystem explicit