The FOSS license is the bait, and the CLA is evidence that they had ill intent from the start
The concern is if they stop dual-licensing, and future releases don't come under a free license, but they only work on their proprietary relicensed version. You have the option to fork, under the same free license that it was originally under - you just won't get further updates from the company involved. I don't see the problem here: You aren't entitled to those updates just because you made some contributions.
That, or maybe people make a "snapshot" just in case. I don't believe many people seriously consider leading the effort of maintaining a fork...
Would be worth explaining why: my understanding is that if you sign a CLA, you typically give a right to relicence to the beneficiary of the CLA. So you say "it is a GPL project, my contribution is GPL, but I allow you to relicence my contribution as you see fit".
If the project uses a permissive licence already, honestly I don't really see a big impact with signing a CLA: anyone can just take the codebase and go proprietary with it. However, if it is a copyleft licence, then signing a CLA means that the beneficiary of the CLA doesn't play by the same rules and can go proprietary with the contributions!
If you don't want a rug pull, you should use a copyleft licence and not sign a CLA: nobody can make Linux proprietary because the copyright is shared between so many people.
If you use a permissive licence, then a rug pull is part of the deal.
True. Yet CLAs do not always give away all rights.
Shitty behavior like this is more common with software both OSS and commercial than in the past. Treat any meaningful software engagement like a celebrity marriage.
Would it be a rug pull if those maintainers simply burned out and decided "I'm moving onto something else," Leaving the project in limbo, with nobody maintaining it?
Or maybe they really do enjoy working on the project, but it doesn't pay the bills, so they have to look for an alternative way to monetize it, and that way can continue working on it.
My opinion is that unless you genuinely just enjoy working on something and sharing it, you are not obliged to do unpaid labour for the benefit of anyone else. Companies depending on FOSS software should be contributing financially to each and every one of them. This is the real shitty behavior - the expectation these companies have of getting bugfixes and improvements for free.
In the Mongo/Elastic and Amazon cases for example, this is far smaller companies being taking advantage of by a giant. IMO they were right to "rug pull" by relicensing under SSPL. Amazon can easily afford to maintain forks for these projects - but it probably would've been cheaper for them to just contribute financially, and they wouldn't have needed to switch from AGPL. Anyone who works on OpenSearch without compensation is a fool - essentially doing unpaid labour for one of the wealthiest companies on the planet.
Being able to fully support each and every dependency you use should be absolute minimum for any commercial project.
Of the rest, it’s fine to keep using old versions of things…however, things with ecosystems that move on or contributors/users that fetishize “actively maintained” as a use-this-not-that indicator can complicate that decision.
It's open-washing
They retaliate against customers that share source code, and claim that this doesn’t fall under the “without further restrictions” clause in the redistribution of source code phrase in the GPL.
Anyway, rug pulls are apparently possible, even with the GPL, at least until this is taken to court and IBM loses.
Do they have to use shells or other subterfuge?
https://www.zdnet.com/article/rocky-linux-9-arrives-with-eve...
That says they pull from CentOS Stream, which I think is upstream from RHEL.
Just to clarify, this depends upon the exact CLA you sign. Canonical's CLA (CCLA) [1] for example, contains this clause in Section 2.3 Outbound license:
> We may license the Contribution under any licence, including copyleft, permissive, commercial, or proprietary licences. As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the licence or licences which We are using for the Material on the Submission Date.
This means that they promise to release your contribution under the original license as well. Or in other words, they won't relicense the old contributions retroactively. There may be other CLAs that don't make this promise. It's generally a good idea to read and understand what you are signing up for. (Applicable for any agreements, not just CLAs, since your argument is to avoid them.)
Almost all CLAs let the contributor retain the copyright. (If I understand correctly, copyright transfers are involved only in CAAs.) So that option is also available for you to do whatever you want to do with your contributions. In any case, the actual problem is the breach of an unwritten trust you place in the project owners. Since you generously contributed your work to them and everyone else, you'd expect the same favor in return for the contributions by others in the future. But CLAs leave that open and under the sole control of the project owners, primed for a rug-pull. The only way you'll ever get the benefit of those contributions after a rug-pull is if you collaborate directly with the other contributors - a fork in essence.
> If you don't want a rug pull, you should use a copyleft licence and not sign a CLA
There is an odd and particularly hideous combination of those two - AGPL + CLA. I'm generally a proponent of AGPL. However, I believe that this combination is worse than a permissive license + CLA. Copyleft licenses require you to supply the source code (including your custom modifications) upon request to anyone you distributed the application to. In AGPL, the use of an online service also falls under the definition of 'distribution of application'. So you have to distribute the modifications of the server-side code to anyone who uses your service. I see this as a good thing - because someone else with a lot of resources can't just improve and host your service, denying you the benefit of those improvements. However with a CLA, the project owner (perhaps a company) can host a relicensed version with undisclosed improvements, while you will be forced to reveal your improvements if you try to do the same (since you're using AGPLed code). You wouldn't have the same problem if the source was under a permissive license + CLA.
But here is where it gets particularly egregious. The above problem can also affect software under just a permissive license and no CLA. This is what happened to Incus and LXD. LXD was initially under the Apache license and the linux containers community, in collaboration with Canonical. One fine morning, Canonical just decided to take control of the project, prompting the linux containers community to fork it as Incus. For a while after that, both projects used to borrow code from each other since they had the same license. But then Canonical decided to relicense LXD under AGPLv3 + CLA. This means that it was no longer possible for Incus to borrow code from LXD due to license incompatibility, while Canonical continued to do so under a slightly odd arrangement. You can read about it in detail here: [2]
[1] https://canonical.com/legal/contributors/agreement?type=indi...
[2] https://stgraber.org/2023/12/12/lxd-now-re-licensed-and-unde...
To me it sounds like they reserve the right to use my contribution in their proprietary code as they see fit... My point was that by using a copyleft licence and not signing a CLA, I prevent them from using my contribution in a proprietary fork.
You effectively prevent your contribution from being merged back into the original project. This generally means your contribution isn't likely to be used. It will sit in its own repo for others to find.
This open source purism is toxic. Projects have to be sustainable.
Hyperscalers have hoovered up the entire Internet and own the entire mobile device category. We're over here bickering about small developers writing source available / OSS-with-CLA.
If the community cares so damned much, they can take the last open version and maintain it themselves.
Please take all of this negative energy and fight for a breakup of big tech instead.
Now I would argue that the sustainability of OSS is more important at least in the context of an lwn article. That doesn't mean one can not argue that rug pulls are the bigger threat, but that's not what you accused the previous poster off.
FSF wants to be able to relicense as/if the legal landscape evolves, but in a way consistent with the original license aims. I fully support this (and I want to give them this flexibility), but admit that this is based on my trust in FSF more than anything else.
FSF wants a contribution agreement to ensure that it doesn’t have to litigate with 1000s of companies who might claim some contribution that an employee of theirs made was corporate IP*. I also understand this, particularly given the incentive for a company to intentionally cause a “tainted” contribution to get into FSF products.
My willingness to “go along” with an FSF CLA is much, much greater than for a random company who wants to trade on and benefit from the goodwill of the “we’re open-source!!” banner and yet be able to rug-pull later.
* - I think I have exactly one tiny change into emacs from decades ago. It took me way longer to get corporate sign off on the CLA than it did to author the change.
FSF is the only organization that I would trust with a CLA. Everyone else has mixed motives.
As this stuff keeps happening I think the GPL will regain popularity.
All because of the nonsense and all the rugpulls.
As to the SSPL and similar license, the FSF hasn't publicly commented on it but they also don't include it in their list of approved free software licenses, so we know that the FSF doesn't really think the line could/should be drawn far from the GPLv3 and AGPL.
And we were either paying these companies (looking at VMWare), or looked for quotes and intending to pay these companies. But suddenly, your configuration management is supposed to cost almost 6 digits per year. Very basic services should suddenly cost a mid-6-digit range per year for a basic suport contract. Sorry but what the fuck? And - again, looking at VMWare - even then we can't really rely on it?
I've been recommending to instead sponsor foundations, or straight up paying maintainers and developers of OSS we use regularly. The giggles when suggesting that have been getting quieter. But I'd rather hire a Proxmox/qemu dev than start paying the next VMWare.
I believe this kind of schizophrenia is the price to pay of (too) big organizations.
If contributors/maintainers are not happy with what the small company does, they can fork the project (assuming a liberal license) and continue in their own way. Valkey is a good example (with an interesting twist of license dynamics where Redis can use Valkey code now, but not the other way around).
> We have built a world where it is often easiest to just use whatever a cloud provider offers
And, IMHO, this is the major problem in the dev community these days - we've become lazy and focused on nonsense ("pretty"/unusable UIs, web gymnastics, llm, "productivity" etc.). We didn't have problems in the past to fork or reimplement OSes (various BSD instances), compilers (gcc versions), databases (MariaDB), and so on. There are tons of geniuses around hacking on cool stuff, but, sadly, the loudness of various hipsters and evangelists limits their visibility.
> Those providers may not contribute back to the projects they turn into services, though, upsetting the smaller companies that are,
The significant contribution that these providers (AWS, et al.) make to these projects is often overlooked - free advertisement. If I can remember correctly, ElasticSearch got popular when AWS started to offer it as a service. Additionally, cloud providers usually contribute (by employing core developers, shipping patches or testing) to the kernel, gcc or jdk, from which these small companies benefit significantly. In contrast, they themselves could do none of this.
But it is easier to blame "big scary clouds" than to rethink your business model. Be honest, start closed; no one will touch that and no one will be standing in your way.
https://news.ycombinator.com/item?id=42601846
I see what you mean. The original developer can engage
in a practice that blocks coopertation.
By contrast, using some other license, such as the ordinary GPL,
would permitt ANY user of the program to engage in that practice.
In a perverse sense that could seem more fair, but I think it
is also more harmful.
On balance, using the AGPL is better.RMS doesn't like the GPL for SaaS software for exactly the same reason they created the AGPL in the first place, and developer inconvenience is less of a concern than potential user freedom breach.
The entity to which the exception is sold could itself close the software for its own users. But so could it if the code was released under a permissive licenses and this is, critically, why RMS finds this acceptable: he doesn't want to consider releasing software under permissive licenses unethical. This is a limit he doesn't want to cross. After all, one can't be blamed for all the sins in the world and it's the company closing the code that would be doing non-free software, not the original authors.
AGPL+CLA doesn't enable more cases of users losing freedom than a permissive license, so this is okay for RMS.
Now, it is a view strictly focused in terms of user freedom outcome and that's probably how anything RMS says should be interpreted by default. Nothing prevents you from considering that there are other aspects to consider and that the imbalance AGPL+CLA creates is unacceptable.
On a side note, it makes me think of the Qt business model.
RIP VibeVoice Large 7B
https://arxiv.org/pdf/2508.19205
https://github.com/microsoft/VibeVoice
Nice to have forks & downloadable models now 'innit
Need to fix the money before everything else can be fixed.
The whole reason for these “rug pulls” is abuse of the open source ethos by big companies using it as free labor for SaaS and giving nothing back.
SaaS is more like feudalism than any other software model, yet the open source community seems committed to making sure the SaaS industry can continue its free ride.
Part of why I’d hesitate to ever again make free (as in beer) software is this whole toxic shitty mentality. If I give you a ton of work for free, say thank you. If a bunch of investors fund that, say thank you. This entitlement mentality from a bunch of people with careers that mostly put them in or near the global 1% is gross. It’s not like you people need stuff for free. You ain’t poor.
I mean, it is technically what it means to have a foss license but I just can't shake the feeling that we as a society are feeling so entitled that people are advocating against sspl licenses or etc. when I do think that if you are a dev and you wish to work on foss full time then something like sspl might be good in that regards.
Open source Contributors just don't get paid for the work they are doing. They are sadly doing free labour. I feel like I personally might start coding stuff in sspl or maybe just source available licenses if they get more favourable. The whole terminology behind source available licenses is kinda weird in the sense that basically a single clause which is meant to stop big cloud providers from selling your service that you built can make something like agpl foss and sspl not foss/source available.
So "win" is a multi-layered definition. Business, big business and Corporations win in economic terms often because, they have economic objectives and then execute them. Authors scratch an itch, or finish a college degree, or move on to join another band. none of those things have the aggregate, countable result that a quarterly income statement has.. in 2025, what code is stable, generally available and (often) maintained? is that "winning" ? other corollaries possible..
He was rightfully outraged when he discovered he had basically done years of free labor for Microsoft, and ended up leveraging a DMCA notice to shutter the project, due to the lack of a CLA and the inherent nature of Bukkit being ultimately glued onto the Mojang server jar to be useful.
https://blog.jwf.io/2020/04/open-source-minecraft-bukkit-gpl...
If you choose to give gifts to the world, that’s great, but you should go into it with your eyes open and not expect anything back. The world includes a lot of terrible people and you’re giving them gifts too. It’s okay to change your mind.
Calling it a “rug pull” when a software vendor relicenses seems like biased language. We still have all the gifts they gave us. It’s unfortunate that they changed direction, but nothing lasts forever.
This is not, strictly speaking, true. The example projects saw contribution in terms of code, testing, documentation, and - most importantly - marketing and evangelism.
These projects are not things put up on GitHub as a convenience that people just happened to adopt: the companies in question spent great sums of money encouraging adoption, usually with developer evangelists on staff who’d preach the technical advantages and talk about benefits of the licensing to convince people to use them.
It’s naive at best to position that as simple “gift culture” and claim it’s biased to call it what it really is: a rug pull.
In the case of Redis the company promised explicitly it would always keep the license for Redis core: until it didn’t. That’s a rug pull, plain and simple.
Accepting code and other contributions, encouraging other FOSS projects to rely on a project and then relicensing? Rug pull.
Show me a project that was not aggressively marketed for adoption using open source as a selling point and I’ll agree that’s not a rug pull. If Acme Corp just happened to have a GitHub repo for something under a FOSS license and people organically found and adopted it, okay. I’m not aware of any such examples, though.
So in a way the "rug pull" achieved what it wanted, amazon is now contributing to development.
I think discussing these "rug pulls" without discussing the destructive habit of many large companies to only profit without giving back misses the mark. Any community where there is a large imbalance between the ones doing the work and the ones profiting will over the long run become unstable.
Now, it might be better for the Open/elasticsearch ecosystem, because AWS is contributing more, and possibly the competition drives both Opensearch and Elasticsearch to be better. But on the other hand, there is now a split between two incompatible products, and Elastic has certainly lost some trust.
I'm honestly curious since I've been considering how I license my large OSS projects lately [1], and I really do want to understand what would be "acceptable" here. Start more funding campaigns for the project? Work on it less? Sell merch? Openly communicate that they'll need to re-license without additional funding?
1. It's too vague about what is covered by it. This makes using such software risky in practice. Is the OS it runs on included? What about a log aggregator used to collect logs? Or a system backup system? The VM hypervisor and orchestration software for running the VMs that host it? I think it would be better if it was more clearly scoped to components that are specifically related to the service itself and not general purpose components of the hosting environment and/or things that could easily be substituted with other standard open source or off the shelf components.
2. It isn't compatible with AGPL or GPL. This is especially bad combined with 1. Does that mean you can't run the service on Linux? I don't think it could be compatible with AGPL code directly linked to it, but it could allow external components to be under most open source licenses.
IANAL, and don't know exactly how to word a license that fixed those issues, but I think there could be something better than the SSPL, and maybe such a license has a better chance of getting OSI approval.
3np•15h ago
Switching your existing build-infra to sync sources from a new remote should be a snap.
Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.
andersmurphy•14h ago
3np•10h ago
Guessing unrelated to the comment itself, prolly got a minor downvote army on my back after a different recent comment on Gaza matters.
Downvotes are just a noisy signal in general and I wouldn't read that much into a few here and there, it comes with the territory.
Oh and yeah, this meta makes for tedious threads so site guidelines and all that.
pjmlp•14h ago
This happens a lot in commercial products where scripting languages are used, for example.
Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.
anilgulecha•14h ago
Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.
MangoToupe•12h ago
pjmlp•12h ago
A hard lesson many have come to learn when there are bills to pay, and coffee priced donations hardly make it.
MangoToupe•7h ago
zozbot234•11h ago
pjmlp•9h ago
Apparently the do whatever isn't do whatever when it happens to their little bonsai project.
ryukafalz•11h ago
This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).
hedora•10h ago
The builds weren’t reproducible back then, but never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)
Imustaskforhelp•7h ago
ryukafalz•5h ago