|
|
Subscribe / Log in / New account

The complexity of BUSL transformation

By Joe Brockmeier
August 5, 2024

The Business Source License (BUSL) is a source-available license that "converts" to an open-source license after a period of time. In theory, this means that a few years after a version of a product is released under the BUSL, it becomes open source and is fair game for Linux distributions to package along with regular open-source projects. In practice, the license throws a few curveballs that require special consideration and caution, as the Fedora Project recently discussed.

The concept of proprietary-to-open has been around for quite some time. For example, Aladdin Enterprises developed Ghostscript under a similar scheme from 2000 to 2006. The company's proprietary version, Aladdin Ghostscript, was released under the source‑available (and misnamed) Aladdin Free Public License first and then later as Ghostscript under the GPLv2. That, however, was a two‑step process where the source release was performed under a different name and a clear change of license.

BUSL was, however, the first license to include a transformation clause rather than the licensor performing a separate release under the open-source license. It was introduced in the article "Introducing 'Business Source': The Future of Corporate Open Source Licensing?" by Michael (Monty) Widenius and Linus Nyman in 2013, and then applied in 2016 to MariaDB's database-proxy product, MaxScale.

The idea behind the license, according to the article, was to "harness the benefits of open source while generating sufficient income for the program's continued development". BUSL permits modification and redistribution of the code, but restricts "production use" of the software as long as the terms of the BUSL apply. After a period of time, generally four years, BUSL specifies that the code becomes available under the GPLv2 or later, or a compatible license.

Since the release of MaxScale under the license, a handful of other companies have adopted BUSL for some or all of their products as well. During its larval stage, BUSL-licensed software is a non-starter for inclusion in most Linux distributions. Now that some of the software is emerging from its non-free chrysalis, the question is whether and how it might be included as open-source software.

Transformation

Recently, Michal Schorm sought guidance about how to treat software once it had transformed to use a free license. Specifically, Shorm asked about the MaxScale 21.06 release on GitHub with a change date of June 3, 2024. He wanted to know how Fedora packagers should represent the license in the binary package, and if there were other special considerations for formerly BUSL software.

Neal Gompa wondered if the System Package Data Exchange (SPDX) format, which is what Fedora now uses in its packaging to identify licenses, should add a way to specify that a license had converted. "Non-free licenses converting to FOSS licenses have been a thing for a few years now. Now we're starting to see stuff 'convert', we probably want a way to express that?"

Richard Fontana, a member of Red Hat's legal team who advises Fedora on legal issues, said that the question of how to categorize software that had transitioned to a free license had not come up before. He said that it was "'fine' in theory, but somewhat risky" to package the software for Fedora:

I imagine that in some cases it won't be clear whether a particular version mixes BUSL (at various stages of the process towards the "change date") and post-BUSL licenses.

If it was clear that the change date had been reached, then it might require some further action to document that beyond the license tag in the RPM, Fontana said. But, he said, "we can cross the bridge when we come to it -- or have we come to it?" Daniel P. Berrangé said "Yes & no". The branch shared by Schorm had files with change dates that had not yet passed the change date, which was the risky scenario that Fontana worried about. "I presume this is because that branch will be getting [maintenance] bugfixes periodically and they'll be setting a new Change Date each time." But, if MariaDB had distributed a source tarball instead, it would be from a fixed point in time and easier to determine if the code was older than the change date.

Schorm followed up to say that he had been contacted by MariaDB and that it had indicated that they would like to see MaxScale adopted by Linux distributions since its oldest major version had just reached its transformation date.

With that information, Berrangé said that the company could take steps to make it simple by updating the branch for the old version and replacing the license and file headers with GPL instead of BUSL. Finally, the company should release an updated tarball with appropriate bug fixes to make the licensing entirely unambiguous, "and thus [trivially] accepted by any distro maintainers". If it is clear that software has passed its change date, Fontana said, then its BUSL heritage is not an obstacle to packaging in Fedora. Packagers should make it clear that the operative license is the one allowed for Fedora and use that license in the RPM spec file.

Vít Ondruch asked about security fixes. If a security vulnerability is discovered and fixed in a later version of the software, should that patch be reimplemented? Fontana said that might be an option, but Berrangé cautioned that it could be tricky if "the 'reimplemented' patch ends up being effectively (or actually) identical to the official patch".

Up in the air

The Fedora conversation trailed off without any concrete plan of action for handling security updates or other maintenance for ex‑BUSL software. It seems almost certain that packagers would be responsible for implementing their own bug and security fixes for any given release, effectively becoming a fork of the upstream. Then, when another version reaches its change date, the packagers would need to reconcile the homegrown fork with the next upstream release.

All of that, of course, could be avoided if companies chose open-source licenses in the first place. Failing that, they could take a cue from Aladdin's playbook and actively maintain open-source releases under a different name that don't have the same complexities of BUSL‑licensed software.


to post comments

Security updates

Posted Aug 6, 2024 8:11 UTC (Tue) by chris_se (subscriber, #99706) [Link]

> Vít Ondruch asked about security fixes. If a security vulnerability is discovered and fixed in a later version of the software, should that patch be reimplemented? Fontana said that might be an option, but Berrangé cautioned that it could be tricky if ""the 'reimplemented' patch ends up being effectively (or actually) identical to the official patch"".

"We'd really like to provide a fix for this 0-day unauthenticated remote code execution vulnerability, but we're not completely sure if we can legally do so."

Personally I think that security fixes that could end up looking identical are those where the fix is so trivial that it probably isn't copyrightable. And the more complicated fixes will not be that similar if developed in a clean environment (think what people who do reverse engineering do). So legally I believe that this should be completely fine. But would want I bet my own livelihood on this? When it comes MariaDB as a company as it stands now, sure, I think they've earned a lot of community trust to think they'd be very reasonable about this. But what if they are bought by some really litigious actor at some point in the future?

Maybe someone can convince MariaDB to update their BUSL to explicitly carve out an exception for security fixes for bugs that are present in code whose license has already been "transformed"? That those fixes can immediately be used under the GPL?

Avoid if possible

Posted Aug 6, 2024 9:34 UTC (Tue) by spacefrogg (subscriber, #119608) [Link] (1 responses)

I would avoid these types of licenses as much as possible. By being able to shift the conversion date at any later point by modifying content, it effectively becomes what I want to call: susceptible to "license poisoning". Nobody should have that power. It is even worse than CS licenses, because it might create factual dependencies during its "open state" just to close again later and establish grounds for coercion.

The only acceptible form of these licenses would be to have a transition date that remains fixed to initial software release. You don't want to spoil your business? Don't put out updates on an already open branch. Your choice. But taking people's freedom away after the fact? Not your choice. (At least should not be deemed acceptable.)

Avoid if possible

Posted Aug 6, 2024 15:25 UTC (Tue) by Wol (subscriber, #4433) [Link]

Much as I think this is horribly convoluted, imho the licence should say once a git tag is branched off as an official release, the date of the branch is the "flag day" for going Open Source, and any bug fixes, security fixes, whatever applied to the branch afterwards don't reset that date.

If the promise was "when we release the branch, that sets the date in stone, and we promise to cherry-pick bugfixes and security fixes into that branch from master", I'd be happy with that.

But then, I'm very pragmatic. I'd also be happy with the licence saying "if you upload features / fixes / et al to an Open Source branch, that is implicit permission to pull them into the next BUSL release, I'd be happy with that too. Why not - the company developers have to eat, too ...

Cheers,
Wol

unsupported by upstream.

Posted Aug 6, 2024 13:58 UTC (Tue) by ballombe (subscriber, #9523) [Link] (6 responses)

The short version is that the open-source version is not supported by upstream
Do you want to package such software ? How will you support it ?
The alternative is to either fork the open-source version or ignore it altogether.

unsupported by upstream.

Posted Aug 6, 2024 15:29 UTC (Tue) by Wol (subscriber, #4433) [Link] (5 responses)

> The alternative is to either fork the open-source version or ignore it altogether.

Or package it as "if you want support you'll have to pay the vendor"?

Given that FLOSS is all about Free *LIBRE*, why does there seem to be so much emphasis in the community on Free *GRATIS*?

Cheers,
Wol

unsupported by upstream.

Posted Aug 7, 2024 11:09 UTC (Wed) by spacefrogg (subscriber, #119608) [Link]

That is all good, but where does that connect to the people having to make the decision to package a program or not? There is an implicit expectation to a distribution that packages software is supported. If you make RH customers pay for the update, do the Fedora users see that, too? It just creates more grounds for a divide amongst users and for coercion. You are actually delivering the examples to make my earlier point.

unsupported by upstream.

Posted Aug 7, 2024 11:43 UTC (Wed) by ballombe (subscriber, #9523) [Link] (1 responses)

> Or package it as "if you want support you'll have to pay the vendor"?

Not going to work, since the vendor is only going to support the proprietary version which is 4 year ahead.

unsupported by upstream.

Posted Aug 7, 2024 18:40 UTC (Wed) by Wol (subscriber, #4433) [Link]

Unfortunately, I've been dropped into exactly that position by my employer. I wanted to use the Free ScarletDME - my employer has said "no, but we have no problem paying for OpenQM".

And at the end of the day, what customer, *provided they are not surprised*, would object to a major upgrade?

My worry - speaking for myself - is I don't like nasty surprises. If I know support is going to cost me - it is what it is.

Cheers,
Wol

Forking because upstream refuses to support something the distro cares about

Posted Aug 8, 2024 8:29 UTC (Thu) by farnz (subscriber, #17727) [Link]

You also, as alluded to by Berrangé's quote in the article get into a sticky situation if upstream doesn't want to support something downstream supports, and then later upstream decides to make downstream's decision untenable.

Fundamentally, any packaging work you do entails (hopefully temporary) forks to keep the package in line with distro policies; most of these forks are relatively minor (e.g. "fix build on AArch64" when upstream only supports x86-64), but there's always the risk of a major fork (e.g. "port to libfoo 2.0", when upstream vendors libfoo 1.0) that changes the feature set of the package. If upstream then chooses to go a different direction, you're at risk of pain.

For example, if libfoo is a structured data importer, supporting CSV, TSV, JSON, XML, and YAML, and libfoo 2.0 refactors the API and then adds XLSX support, downstream has a problem if upstream decides to port away from libfoo completely to libquux that only supports CSV, TSV, JSON, XML and YAML - you used to introduce XLSX support, and now you've got to take it away.

This is why it's generally frowned upon to package things where upstream isn't willing to work with you to make the forks temporary; if you'd stuck to upstream, you'd have had no change in functionality. If you'd persuaded upstream to accept your port to libfoo 2.0, they'd have planned their move to libquux knowing that they be losing XLSX support; by doing it yourself, you end up in a position where they can legitimately say "we never supported XLSX; you'd have to ask your distro why they added and then removed XLSX support".

Free *LIBRE* includes right to make changes & pass them on

Posted Aug 16, 2024 13:48 UTC (Fri) by jjs (guest, #10315) [Link]

If someone controls who makes changes to the code, it's not free (libre). I could, theoretically, take MariaDB and fork my own version. I could even do that with Linux (note: in neither case would I recommend ANYONE use my fork - but I could). With BUSL, only the original vendor can do patches. I can't even use the code in production without a license.

IFF patches to the older versions fall under the OLD (GPL at a set date license) does the software become LIBRE. The vendor is free to continue patching, but only if they keep the license GPL does it remain LIBRE. That's the issue here - when exactly does that transformation from BUSL to GPL occur? If the vendor puts in one patch into the old code, does that reset the clock? Or are those patches GPL? And who decides / how is the decision made? From a legal/liability standpoint, it matters.

Note that, for any patches not from the vendor to the GPL version, those patches CANNOT legally be pulled into the latest BUSL version of the code - BUSL does NOT grant the same rights as GPL, and is thus incompatible with it.

The answer to support for FOSS for companies willing to pay is for them to pay for developers of the open source software. There may be foundations (such as The Document Foundation and the Linux Foundation), companies (Canonical, Red Hat, Collabra among others), or pay to individuals. Budget 1/2 what licensing of the proprietary software would cost (heck, even 100%). You get your needs prioritized, you get the software fixes, and you always retain the option to change support vendors.

Open Source

Posted Aug 6, 2024 15:35 UTC (Tue) by dskoll (subscriber, #1630) [Link]

Open Source / Free Software is not a business model. It's a philosophy. While a (very) few companies have made a successful business out of pure Open Source software, it's not a good idea to create a license that's a muddled mix of proprietary and free.

Make your licenses proprietary or free. But don't try to mix the two; it won't work. If I were a distro maintainer, I would not touch BUSL-licensed software. The risks are too high.


Copyright © 2024, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds