MonkCast with the Monks: Amok, Amok, Amok; or, the State of OSS in 2025


In this MonkCast with the Monks, we have mustered the analysts and run amok to discuss recent developments in the open source landscape, focusing on the NATS controversy with the CNCF, the Redis relicense, and the rise of the AGPL. They chat about the implications of licensing changes, the dynamics of community involvement, the sustainability of open source business models, and the contrasting situations of different projects like Linkerd and NATS. The discussion emphasizes the need for nuanced conversations around the value of foundations like the CNCF and challenges faced by smaller open source projects.


Transcript

Kate Holterhoff (00:12)
Hello and welcome to this special MonkCast with the Monks. We’ve mustered the analysts to chat current events in open source because there’s been a lot happening in recent months. My name is Kate Holterhoff, Senior Analyst at RedMonk, and instead of me handling guest introductions, to quote Winifred Sanderson in Hocus Pocus, Monks, make thyself known.

Rachel Stephens (00:30)
I’m Rachel Stephens. I am the research director at RedMonk.

James Governor (00:34)
So I’m James Governor. I’m co-founder of RedMonk and I’m all about developers.

Steve O’Grady (00:39)
I’m Steve O’Grady, co-founder of RedMonk.

James Governor (00:40)
Good, I love the idea that we’ve been mustered it. That sounds very yellow and good.

Steve O’Grady (00:48)
Mustard is one thing, but Hocus Pocus is quite another.

Kate Holterhoff (00:50)
Do you not like Hocus Pocus? That’s terrible.

Steve O’Grady (00:51)
It’s the worst movie.

Rachel Stephens (00:52)
No he does not. It’s the best.

Steve O’Grady (00:54)
It’s the worst movie that’s not Frozen.

Kate Holterhoff (00:57)
was like a nice spooky movie. I thought you’d be into that. Like it’s up in your neck of the woods. It’s New England. Come on. Okay.

Steve O’Grady (00:58)
It’s, no, it’s horrible. It’s,

Kate Holterhoff (01:05)
All right, so I’ll lay out a quick agenda of subjects to be covered for this special recording. In no particular order, we are going to talk about the NATS relicense kerfuffle with the CNCF, Redis is open source again, and to be a bit meta, we’re also going to discuss Steve’s recent post on the RedMonk website, quote, open source, two steps forward, one step back, which he published on May the 6th, as well as Rachel’s conversation with Bryan Cantrill, Adam Leventhal, Adam Jacob, and Eliza Weisman on Oxide and Friends. And in that episode, which was published on the 1st of May, they discuss how there is a shootout at the CNCF Corral, which is probably a better title than I’m gonna come up with for this episode. So NATS, CNCF, Redis, where do we wanna start?

Steve O’Grady (01:49)
Man, I don’t know. I mean, I don’t really want to start with any of it.

Kate Holterhoff (01:51)
You

James Governor (01:51)
Yeah Steve, where do we want to start with these- Apparently this is about licensing and open source, Steve.

Steve O’Grady (02:02)
Yeah, that’s my favorite subject. Well, in the spirit of ripping the bandaid off or putting the bad news first, I think we might as well talk about NATS and CNCF. Rachel, you did a good job of running through the particulars on the Oxide podcast. I don’t know that we need to get all the details, but do you want to just lay out the basic series of events?

Rachel Stephens (02:18)
Yeah, so I would say the basic series of events is NATS is a project within the CNCF landscape. It is an incubating project, so it’s an established project within the CNCF. And CNCF is an open source foundation for those who are not aware, meaning that it is a consortium of projects, vendors, users who have come together to support projects and have them come to be governed in a vendor neutral way and have them be sustained in a vendor neutral way. And the primary backer of the NATS project is a company called Synadia. Synadia donated the project seven years ago, seven years ago, I believe. And in the interim, as per their

Steve O’Grady (02:58)
Yeah, sounds

Rachel Stephens (03:03)
recent claims have said that they are not having the returns that they expected to have, not having the contributors that they expected to have and wanted to pull the project back into Synadia and have it not be open source again, which the CNCF and ecosystem obviously strongly objected to. There was a large pushback there and in recent weeks they apparently have come back to the negotiating table. In the… Yes.

James Governor (03:32)
Even the professional CNCF haters were very, very angry about this, so…

Kate Holterhoff (03:36)
Ha

Steve O’Grady (03:37)
Well, I mean, not all of them.

James Governor (03:40)
Not all of them. No, there is one. There is one notable CNCF hater who in fact had a different view. That’s true.

Steve O’Grady (03:42)
Alright, I-

Yeah. So I mean, again, I don’t think we need to, you know, theoretically they come back to the sort of table and all is putatively well, with, Synadia and the CNCF and so on. And that’s great. You know, certainly that’s a much preferred outcome to lawsuits and so on. And I think the thing that I struggled with with this was that, there are a couple different layers to this.

Right? You know, there’s the layer of, what is the CNCF’s value to companies that are contributing either project money or both. And, certainly in the Oxide podcast, I think there were real and substantive questions asked about that. Those are fair questions to ask, certainly of every foundation. There are questions in terms of on both sides, of the logistics in terms of, how things were handled.

Um, particularly with respect to the NATS trademark itself, which, uh, sort of came to issue with, with MLB, uh, with the Nationals. So there’s, there’s that layer as well. But for me, I think the thing that I really struggled with, you know, with some of the reactions, to James’s point, most of the reactions that I saw, even among people who have, no real love for the CNCF were like, yeah, you can’t do this. And to me, all of the other questions are secondary.

Right. So in other words, forget Synadia, forget NATS. If you are a vendor and you come to a foundation and you willingly submit your project, you go into that knowing what the trade-offs are. Right. You go into that knowing that you are giving up control, you’re giving up trademark, you are donating a project in search of some return. Now, whether you get that return or not, to me is not material. Like you go into it knowing that this is a one-way door that you cannot exit from because

The, the analogy that the Oxide folks use was like a marriage, right? To me, the more appropriate analogy for a foundation is like the United States. So if you have, if you are a foundation and you willingly let a project that you know, wants to secede then what you’re telling all of the projects in there is that they can also do that. And in so doing what you’re telling essentially all of the people who are relying on the foundation to be a neutral home for a project that they are not in fact a neutral home. Right.

So to me, all of the sort of other things that have come up in this discussion on the other podcasts and so on are, are fine. There are appropriate times for that, but this was just a, a really simple yes or no, like, and this was not a thing that, so that’s the thing, like, the suggestions that were made, like, oh, they should let this happen. I’m like, they can’t. They fundamentally can’t, like no foundation can do that because then you are essentially saying, we’re a neutral home until somebody decides that they don’t want the project to be a neutral home anymore. And that’s just not a, to me, that’s a non-starter. So in other words, it was, I was frankly shocked at some of the reactions that were like, no, no, just let them go. I don’t understand why they’re not doing this. I couldn’t process that. And so,

I mean, the good news for me, as I said at the top is, that seems like, some things got worked out behind closed doors. I can’t speak for any other monks. I haven’t been briefed. So I haven’t talked to any of the parties involved here. So I don’t know what sort of, conversations were had, promises were made or whatever, but, they have avoided, quote unquote, the nuclear option here, right. Which is, going to essentially to legal war, right, over project trademark, ownership, et cetera, because that’s a bad outcome for everybody. And I’m glad that cooler heads seemed to have prevailed. But, it was one of these things, like I said, for me, it was just a now is not this is not the occasion to debate the individual merits of the CNCF or frankly, any other foundation, right? This was a an existential question for them and any other foundation, like full stop. So anyway, that’s my that’s my rant.

Kate Holterhoff (07:32)
It’s a good rant. I was interested in the precedent for this. And so everyone keeps talking about Linkerd. How did the Linkerd situation differ from what Synadia tried to do?

Steve O’Grady (07:43)
So I think the Linkerd and I think Adam brought this up on the podcast if I remember right. So Linkerd is also in there and that’s the Adam suggestion I thought was appropriate, right? I’m trying to think of like how detailed, we don’t want to go into all the nitty gritty details here, it’ll take too long.

So the short version is that the commercial organization behind Linkerd basically said, okay, we are not going to provide stable builds effectively. So in other words, the code’s open source. It’s all here. If you want to go build your own stable build and test it, knock yourself out. If you want a stable build that’s tested and QA and all that, you come to us and you pay for it, right? And that’s definitely skirting the line in being a quote unquote neutral home, for a project. But it is at least within the spirit in the sense that, you know, the, the, you know, trademark and all that is still retained by the foundation. So the CNCF, certainly my understanding was that they were not thrilled and would not certainly prefer to see companies follow this, this path. But that is much better than, put it this way, if you’re the CNCF or again, any other foundation and you have a choice between, all right, this company, project’s still going to live here, but they’re not providing stable builds versus I’m going to pull my project out and my trademark out, you definitely prefer the former. So yeah, that’s the, I think the shortest version of the Linkerd thing that I can think of.

Rachel Stephens (09:05)
And if you look in some of the comments that were happening on LinkedIn during this, Buoyant was the company behind Linkerd and some of the comments that were coming from CNC folks were very much in favor of it. I would vastly prefer the stable build route. It’s definitely a route that’s.

Steve O’Grady (09:23)
Yeah, I mean, it’s you know, look, we have seen it is, it all comes back to the same problem, right, which is that if you have a project that is available for free, it’s hard to get people to pay for that. Right? Because here’s the project, here’s the source, in particular, for providing stable builds, like, hey, I’ve got what I need. Right. And that’s not new to foundations. That’s not I mean, that’s sort of the running theme through the history of open source. So people try to find different mechanisms, different levers to get people to pay, right? And Adam Jacob, for example, is very much in favor of trademark as a lever. He has put a lot of his time and effort around that and trademark is indeed vitally important as one of the core intellectual property mechanisms that governs code. And so that’s one route. Stable builds is another route.

James Governor (09:52)
Okay.

Steve O’Grady (10:12)
And we’ve even seen with Red Hat in recent years, so basically saying, all right, we are going to limit our distribution to customers. That’s what we consider distribution in terms of, OK, I’m not providing free bits to everyone else. So in other words, the source code is available and people can incorporate it. But again, it’s skirting the line of providing stable builds.

You know, people are trying to find ways to, um, add, you know, just a little bit of friction, right? While still living up to, their responsibilities as an open source project, um, or open source sort of foundation member. Uh, and, they are people get creative and that they’ll try all sorts of different things. Right. Um, and, to me, like I said, it comes down to, with respect to foundation specifically, right? It’s, you either have, you you have to know going in what you’re giving up in return for what you think you’re going to get out of it. Right. And that’s the thing for, whether it’s, the Apache Foundation or Eclipse or whomever, right? If you are going the foundation route, you are in search of, you’re making a bet effectively that by giving up sole control of a project, you’re going to get outsized return or distribution or any number of different returns from that. You may or may not get that, right? It’s a bet. But it’s a bet you just can’t take back.

Rachel Stephens (11:30)
I think for me, one of the things that happens a lot in these discussions is somebody will come into the comments and they’ll say, open source is not a business model. And then they kind of like mic drop and walk away and then fail to actually talk about the nuances of what the business models are and how hard it is to actually make that happen. And it’s really hard. It’s really hard to make money when you are giving your software away for free.

And I think that one of the things that, and it’s definitely one of the things that came up really passionately on the podcast with Oxide is just the struggle of what do we want to do for some of these projects that are coming into the CNCF? Because a lot of the projects that are coming into the CNCF and open source, just foundations in general, tend to be projects that are single vendor backed and they are commercially driven and the people are there because they want to make money. And so I think a lot of these foundations are kind of at a crossroads of what do we want to do to help these projects succeed and thrive when they’re not the really big cloud backed projects? Like how are we going to sustain some of these littler projects and how are we going to make sure that they are successful in addition to like the big Kubernetes projects as well?

Steve O’Grady (12:48)
Yeah, no, I think that’s right. It’s, it’s, this is not a revelation or shouldn’t be a revelation to most people in, in, you know, in software today, which is that, the amount of software that’s paid for is vanishingly small, right? We have a, we all in to some degree or another rely on software that is, it’s made up of projects that are small, underfunded, don’t have a commercial aspect. I’m trying to remember when, this is probably close to decade ago at this point, but when there was a core vulnerability in SSH, which is that’s pretty core project. And it was revealed that no one was funding it, right? Because it’s a tragedy to the commons problem writ large, so, yeah, foundations are part of that. Commercial organizations are part of that. I mean, there are systemic issues in open source, right? There are, in terms of where contributions come from, how it’s paid for, relying on free labor, et cetera. And I don’t think anyone would really dispute that. Like I said, for me, the question was like,

All right, is it a foundation’s responsibility to solve that? And I think there are two answers to that. One is, look, they have to make a core value proposition to encourage new donations, right? They have to provide some return in return for what they’re getting, right? And so every foundation is going to have to come up with, all right, here’s what you get. Here’s what we can promise. Here’s the benefit to the cost of sort of giving up sole control. And that’s very hard. What could you do and how do you fund it? And we have had conversations, least I have, and we can’t speak for the other monks. I know that the Linux Foundation and its subsidiaries like the CNCF catch in some cases rightfully so a lot of flak for the amount of money and so on. But when we talk to vendors, they will say things like, Hey, look, I may or may not love the LF or I may or not love the CNCF, but they helped me put on events or they helped me do X. They helped me do Y. And that’s why they get a good share of my, dollars. Right.

And so again, as a software people, we can agree or disagree with that. But the fact is, is that, companies are continuing to contribute, to these foundations, and they’re doing so in many cases because they think they’ll get a return and some get a better return than others. And that’s unfortunate, which brings me to the second part of the, foundation question, which is, I think there are people who want foundations to solve this problem. And so, you know, foundations cannot solve the fundamental systemic issues of open source writ large. No one can. Right. There’s no one party. There’s no one entity. There’s no one body that can say, okay, I’m going to figure out how to make sure that every project gets the amount of money it deserves, regardless of sort of the commercial hooks or incentive in terms of people might have for paying for it.

I don’t know. I guess the problem I have in these is that the conversations around this are nuanced and require nuance to interpret. They just are never, I shouldn’t say never, they’re very rarely treated that way. It’s most often treated as a foundation’s good, foundation’s bad. And it’s like, you know, there’s good, there’s bad. And yeah, that’s just not necessarily a conversation. It’s certainly with the recent kerfuffle. It’s not certainly not conversations that I was seeing.

James Governor (16:08)
I think the CNCF has obviously been quite successful in many terms. If we think about the LF banner, I mean, there are other sub-foundations that are not as successful as the CNCF, and that success, the CNCF comes in a few different vectors. Some are, just financially speaking, the hyperscalers do fund, and will continue to fund a foundation that supports Kubernetes, OpenTelemetry, so on. I think there is this very good point. It’s quite different when it’s single vendor, smaller vendors. I think those are the ones that have, or primarily single vendor, those are the ones I think that are least happy. Yeah, sorry, other aspects of success is just yes, financially, you know, the LF is well funded. Organizations around the planet are adopting Kubernetes at scale in production. All sorts of different kinds of organizations, AI companies, startups of all sort of shapes and sizes, enterprises.

There are lots of ways we can talk about, I think, the success of the CNCF. And I think it’s interesting that it isn’t just Kubernetes anymore either. I mean, mentioned OTel. OTel is obviously just a tremendously successful project vis-a-vis observability. Seems like observability is the sort of the next act of the CNCF. If we look at the events, if we look at what all is going on there, it does seem like, yeah.

Rachel Stephens (17:06)
Thank

James Governor (17:29)
It was great fun building out this Kubernetes infrastructure, but we’d better be better at managing it. I think that’s kind of where OTel is coming in. That’s going to be further investment. We certainly see every observability company in market coalescing around that idea. So yes, plenty of success there. I think for the smaller vendors, you know,

The CNCF has at times been a little bit sort of, it’s interesting for an organization that’s as commercially astute as they are. Sometimes they almost come across a little bit academic. Their care for good reason is for the project. It is not necessarily for the producers of them in a sense. And in and around branding, for example, if you’re

And this is partly the challenge we’ve got as Adam Jacob talking about the value being in the trademark. Well, if you can’t link your company name trademark very effectively on CNCF properties and the ecosystem at large, so that people know that you are the vendor behind the project, yeah, I think that there are some tweaks.

Yeah, Steve, undoubtedly look, the CNCF is not going to solve all known problems in this area. But could they tweak it to help smaller companies and independent companies become more financially successful by a little bit of making it clearer who’s doing the work? Maybe some of it, don’t get me wrong, they will, you know, give people awards for making contributions. But yeah, I think there is some stuff that we may… that they may want to… in fact, they almost certainly are thinking about given this current shit show.

Because nobody wants the threat of that legal aspect that you’re talking about Steve and yeah I mean if you look at William from Buoyant, I mean he was pretty clear he felt the Synadia thing was not great But he himself he said some of the aims goals Made sense to him So I think it’s how you do it as you say when you go in you have to know what it is But I do think the CNCF is gonna have to probably clarify a little bit

Yes, there are benefits, but if we could just be a little bit clearer what they were and make it clearer who’s building the software, people are using it. think that linkage is one that the indies are going to probably be pushing for and we’re likely to see, or we may see some changes at CNCF accordingly.

Steve O’Grady (19:48)
Yeah. And I think that the frustrating thing in having these dialogues too, right? I said this is that they always come out black and white. And I know Rachel said on the Oxide podcast, like, Hey, we did, I put in the uncomfortable position of being the defender of foundations. And it’s, I, know, to me, at least I don’t see it as much as defending the foundations as much as having like a conversation that includes nuance, right? Which is that are they making mistakes? Is their value proposition perfect? You know, should it be refined? Sure. Right. All of, all of the above, but it’s like, to me, it’s a yes. And

Rachel Stephens (20:06)
Eheh

Steve O’Grady (20:16)
And, it’s just a conversation I just don’t see happening. So, sure, by all means, you know, they…

Rachel Stephens (20:16)
See you.

James Governor (20:21)
Are you, Steve, you, wait, are you arguing there is a lack of nuance in modern discourse?

Steve O’Grady (20:26)
Yeah

Rachel Stephens (20:27)
Weird.

James Governor (20:28)
I’m

Kate Holterhoff (20:28)
You

James Governor (20:28)
frankly stunned. I I had not come across this as being an issue.

Steve O’Grady (20:30)
Yeah.

That’s a weird thing,

Kate Holterhoff (20:36)
I think the thing that jumped out to me in this whole situation is where community sits in the CNCF right now. Because what Derek was arguing is that Synadia is, by and large, doing all the commits to NATS right now. And it sort of made me question, like, where is community? If the value prop of the CNCF is that it gathers a lot of folks together who want to see a project succeed, he’s arguing at the same time that Synadia doesn’t have that community, but instead it’s like they’re doing everything on their own and they’re sort of carrying everything on their shoulders. But then at the same time, to, I guess, continue with this nuanced conversation, it felt like the CNCF is bringing that community with it and that is the value prop. And so any community that they have they can thank the CNCF for helping that along, for bringing that enthusiasm and making sure the folks who attend the KubeCons are there getting excited about NATS. So I guess if I’m thinking about what is the existential issue that this whole situation is bringing to the fore, to me it’s what is community and how does it relate to these particularly smaller projects when it comes to the CNCF?

Rachel Stephens (21:46)
I’m thinking and think about community two ways. So like the first way you’re thinking about community is like a community of developer committers, which I think in Synadia’s letter, they said they had like 92% of the commits were coming from Synadia themselves. I believe something in and around there. A couple of other projects I’ve talked to that I can’t name were definitely upwards of 90 themselves. So some of these small ones, the projects are owned by the

Kate Holterhoff (22:00)
Wow.

Rachel Stephens (22:13)
basically, like the commits are coming from the company that submitted the project. So if you’re thinking it from that perspective, they are not getting a diversity of committers from coming in from the CNCF. Where you are seeing community hopefully from these things is your project is getting attention and marketing and you are getting put in front of hundreds, millions, thousands, I don’t know, a whole bunch of people you’re getting on stage, you are getting attention, and then you are getting, hopefully, pulled into projects, enterprises, you are getting used, and then hopefully, at some point, some of these users are pulling you into your work, and then hopefully some of these people convert to paid users, then hopefully it’s kind of like that top of the funnel ecosystem that filters down. So I think you have to think of community in two different ways. And so…

Yes, ideally some of those users would funnel into being people who are then filtering back commits. But I think the other thing about the CNCF in particular is a lot of these are ops and infra projects. A lot of these people are not necessarily going to be throwing together commits. They’re going to be people who want to hold the project in and have it. I’m not sure that necessarily everyone here is.

Kate Holterhoff (23:10)
Producers, yeah.

Rachel Stephens (23:28)
pulling the project in and wanting it to be or necessarily wanting to be writing code to pull it back or push it back into GitHub. I’m not sure there’s necessarily persona overlap there.

Steve O’Grady (23:40)
Yeah, and that’s the thing like for me, and I think Rachel’s exactly correct, I think, to look at the diversity between the community of committers versus the community of downstream consumers. And I think from a commit standpoint, look, we know, all of us, that every project is different. The community quote unquote behind say Linux is different than the community behind, I, what I referred to earlier, SSH, right? Those are not the same things, right? They’re not going to attract, retain the same size communities because of the nature of the project itself. And so, I think the difficult reality, particularly for infra projects, is that it is difficult in many cases to attract people who are going to help advance the cause of that software unless there’s a clear commercial interest in it for them.

So we look at the case of Kubernetes. Kubernetes has essentially become, it’s taken the place of what used to be called middleware. Certainly when I was coming up, it’s essentially the new middleware. And therefore it offers commercial opportunities, large commercial opportunities for a wide range of organizations. Unsurprisingly, therefore, it’s able to attract quite a bit of commit attention from different providers who want to do different things with it and advance the project in different ways because it serves their commercial interests. For a lot of smaller projects, same level of sort of commercial interest and opportunity simply isn’t there. And so, yeah, so they’re not going to be able to attract necessarily the same levels of commits that other projects are just by nature of what they are and what they do.

It doesn’t mean that they’re bad. It doesn’t mean that it’s not a judgment call. It’s more of a reality that like I said, in a perfect world, all infrastructure software that we rely on, would be remunerated appropriately. But, like I said, we rely on this almost house of cards, at times, right? In other words, I how long ago was left-pad? Left-pad is not typically, you know, it’s not a phenomenal technical achievement, and yet you remove that and all hell broke loose. Right. And so, I guess what I’m saying is, that from a project standpoint, projects aren’t all created equal and some projects, unfortunately, are just not going to attract the, the contributor side, you know, from a, you know, in terms of community.

James Governor (25:44)
And also the question, they may not even, I mean, it’s an interesting one there because like, did the team really want a bunch of external contributions? Because, you know, a lot of that is a very different model. It in effect slows you down. Then of course we do get into the fact that, everyone and their dog thinks that their

Rachel Stephens (25:54)
Yeah, that’s a fair point.

James Governor (26:07)
pull request should instantly get the attention that they feel it deserves. But yeah, I mean, not all projects are amenable to. Certainly, with commercial backers, they’re not even looking for external contributors. So like, I don’t know. Here, I’d be a little bit cautious. But given, frankly, Synadia’s chops at just building software, I mean, were they really out there trying to get third party contributors? I mean,

Rachel Stephens (26:33)
I’m not going to assign intentions to Synadia or not, but I do know that lots of people say, like, accepting commits from third parties can take so much more effort than writing your own to try to go through and get it. Like, it’s a lot of work to review to get it in your style to make a match.

James Governor (26:43)
Right.

And so community is great, but

Steve O’Grady (26:48)
Well…

James Governor (26:49)
community has a cost.

Steve O’Grady (26:50)
Yeah.

James Governor (26:50)
I think, and again, that’s a funny one. Had there been a bunch of external committers, then they would not have been in position to do what they just did at all because it would have been, I mean, then other bad things were likely to happen. But yeah, that’s what I think. Where again, it’s this question, what is community? Are you even looking, you know, some projects are looking for external contributors, others are not. And when we look around, as Steve says, every open source project is different. Every commercial company doing open source is doing it slightly differently. And look at the data products and sort of the relicensing. Do people care? If there’s a lot of external contributors, then yeah, they’re definitely gonna care. That’s where the problems arise. That’s where you’re likely to see a fork.

If it’s all single vendor, it’s not so much of an

Steve O’Grady (27:38)
Which actually might be a good segue to talk about the AGPL stuff. There you

Rachel Stephens (27:40)
Segue to Redis!

James Governor (27:42)
Ayyyy

Steve O’Grady (27:42)
Yeah.

Yeah, so.

James Governor (27:44)
Who

Go ahead, Steve.

Steve O’Grady (27:45)
Yeah. I think there’s, there’s, again, I think there’s the, the, um, the micro and macro threads here. So, right. So the micro thread is essentially the Redis relicensed itself again. Um, for the, I don’t know how many times it is now. Anyway, a bunch. And so they essentially stepped down from, uh, the SSPL, which is a license written in, what did I say? I think it’s 2019, 2018, 2019, um, by MongoDB, and I think I had to describe it shortly. So, so the AGPL, which is what governed Mongo at the time, is essentially the GPL, but it counts in a network context. And what that means is that if you have AGPL, which is AGPL and GPL are both copyleft software, but the GPL stops in a network setting. So in other words, I can host a, a customized version of the Linux, kernel, which is governed by the GPL.

I can host that in a network setting and the license doesn’t matter. Like I don’t have to distribute my, my changes. The AGPL says, no, the network does matter in fact. And if I’m modifying software and hosting it on a network, I have to make any of my changes, modifications, fixes, improvements, whatever made available under exactly the same terms. Okay. So, the AGPL is what governed Mongo up until 2018. And Mongo was extensively facing issues from US cloud providers. That was a lot of the rhetoric at the time. In retrospect, it seemed clear that in fact the problem as it were, were large Chinese cloud suppliers. I won’t go into it like, suffice to say the AGPL protected Mongo from the Mongo code base from being implemented by AWS.

AWS essentially took a look at the license said, nope. And we’re going to re-implement a, we’re going to stand up our own document database using the Mongo API, but using none of Mongo’s code. Anyhow, so Mongo sort of came up with this, this license that’s like the AGPL, except that it goes further. It says not only, any changes to the project itself, but you have to make any adjacent software, monitoring software, a logging software, everything else available under the same terms. So practically speaking, it’s effectively impossible to comply with. And they tried to get it through the OSI, that failed. Well, in part because the process, there are a lot of bad actors in that process at the time. But in part because it just, in my view, at least it’s fundamentally not compatible with the open source definition. So Mongo had this license in SSPL introduced in 2018.

It governs the project to this day. In recent years, other open source databases have taken it up. Elastic took it up. Redis took it up. And, interestingly, both of them have now deprecated it. Both of them have now said, well, you know what? This is, this is not an open source license. It’s not approved by the OSI. So we’re having some issues with adoption in certain settings, where adoption is restricted to licenses that are approved by the OSI.

So they looked at the AGPL and said, well, this gives us, 95% of the protection that we need is also approved by the OSI. So we’re going to move forward with this license instead. We have also seen, let go back and look them up, other commercial companies that have made that move from Apache. So Grafana did this, MinIO did this. They went from Apache to the AGPL. Zitadel, meanwhile, did the same thing last month, two months ago.

So anyway, the gist of it is that it’s early and these are just a couple of data points, but the data points collectively suggest that we may be arriving at sort of something of a detente in terms of, don’t, companies were gonna basically face a choice, right? When they wanted additional protections, they could either stick with an open source license or they could go the source available route. So SSPL or BSL, you know, it’s a bunch of different versions where the source is available, it’s restricted in either some technical or business way. And what seems to be happening, again, just from a couple of data points is that companies, even companies that have already gone the source available route, are looking at it and saying, you know what, no, we actually want to be open source. And we’re going to go back to the most protective open source license in existence, which is the AGPL.

So there are a lot of people who are not fans of the license. The license still is not widely adopted by many projects, particularly networking company or network large internet companies hate it because they have to make all of their changes available as we discussed. And yet it is just short of source available. So from an open source standpoint, sort of win, right? In the sense that you’re keeping projects that otherwise might not be, you are maintaining them as open source projects. They’re heavily restricted, but they are still counted as open source or have come back to open source from being source available. And so it is, like I said, it’s just a couple of data points. We’ll see if the trend holds, but if it does, this could be something of a win for open source moving forward.

James Governor (32:33)
I did not have the AGPL being the license du jour in 2025 on my dance card. But, you know.

Rachel Stephens (32:38)
So.

Steve O’Grady (32:39)
Yeah, same.

Well, it’s interesting because we’ve gone through cycles, right? It’s cycles that are, I sort of joked about this, this is a famous quote of James’s, the technology industry is a fashion industry. And licenses have really been almost fashion trends. So in other words, if you go back to the early 2000s, overwhelmingly licenses were copyleft and GPL specifically. When you talk to people, when you talk to developers writing these projects, you’d say, oh, hey, did you

Rachel Stephens (32:44)
So, you.

James Governor (32:46)
100 %

Steve O’Grady (33:09)
think through this and pick this license for a reason. It’d be like no, Linux and MySQL are GPL, so we figured that’s the one to pick, right? And more recently over the last decade or so, certainly during the last decade, there was a pronounced shift to permissive licenses. So that’s Apache, BSD, MIT, et cetera, largely driven in part by Kubernetes and a lot of the other CNCF-backed projects who went for these

James Governor (33:26)
100%.

Steve O’Grady (33:36)
sort of very permissive licenses allow you effectively to do anything. And, they don’t pose any of the copyleft restrictions of reciprocity, the GPL and its family do. And so we had this shift, to permissive licensing. And like I said, commercial open source projects seem to be gravitating more towards more heavily restricted projects in the AGPL

And so

James Governor (33:59)
permissive

licensing cringe? Is that?

Rachel Stephens (34:02)
No.

Steve O’Grady (34:02)
Okay. Yeah, yeah, you’re.

Kate Holterhoff (34:03)
you

James Governor (34:03)
Sorry, I have three kids. I’m in that whole, you know, I mean, if I’m to talk about, you know, tech as a fashion industry, I mean, Gen Z laughing at millennials because they hide their socks in their sneakers is just super funny. Yeah, no. Gen Z, they wear their socks, they pull their socks up. They don’t ever wear like the, you know, uh, the ones that are just like inside your sneakers. No, you got it. You got it.

Kate Holterhoff (34:12)
You

Yeah, ankle socks.

Mm-hmm.

James Governor (34:28)
Gen Z, you have to see the socks, otherwise, you know, it’s cringe.

Steve O’Grady (34:33)
Okay. I will accept your explanation.

Rachel Stephens (34:34)
So,

all right, so James is saying MIT license is no show socks, AGPL, tall socks. Okay.

James Governor (34:39)
I mean, yeah, think that, I think, mean, no, I think, I

Kate Holterhoff (34:41)
Share those socks.

All the way up.

James Governor (34:43)
think, I think MIT, see, that’s what I’m saying. I think maybe, maybe that was like a millennial thing. And, you know, the shift here is into, you know, socks, socks pulled up, AGPL is trending. Yeah, absolutely. Now, it’s not at all generational in that sense. Or, yeah, well, I don’t know, but it is a fashion.

Rachel Stephens (34:49)
Yeah!

Yeah, yeah, AGPL, socks pulled up. Yep.

James Governor (35:05)
And is a change, and I think Steve’s right to identify the AGPL as, if not in the ascendant, it’s definitely having a bloody good year, or a good six months. And you know, I mean, Steve, how many times have we advised people to not do the AGPL?

Steve O’Grady (35:16)
Well, I mean, to be fair, you know, we should disclose this like

James Governor (35:18)
How many times have we

advised people not to relicense with a proprietary license? Even more times.

Steve O’Grady (35:22)
Yeah. Well, we’ve done that. Also, this is an important, you know, going back to our earlier conversation, right? It’s worth saying, we have had I have no idea, but the number it’s a large number. We have had a lot of conversations with companies who are creating an open source project, donating something to open source. It’s a big part of what we do from an advisory standpoint. And we’re pretty skeptical. In other words, like, you know, when we, you know, I think I put this on, on Bluesky, but like we have a, there’s a slides that we use internally prep for VC portfolio companies and companies that want to do open source. The first question is, are you sure? The second question is, are you really sure? All right. Because, open source is, is great and wonderful and so on, but it is, as we discussed, it’s very, very difficult to build a business around. So as much as, we personally want to see more open source software in the world and we want that world to continue to grow, when you’re thinking about it as a commercial company, there are hard questions you need to ask, right? And, for some of the companies at least, what they think they need is the additional protections of the AGPL. And to be clear, that doesn’t mean that any of large clouds, to pick examples, can’t use it.

What it means is that if they are running any modified version of that code, they have to make any of their changes available on precisely the same terms. So, if you are small company, A running a, a, AGPL project and large cloud B comes in and uses your thing and changes it makes improvements and so on. You, in theory, get to benefit from whatever changes they make to the source. And that’s the implications of license. So, it is at a minimum having a moment.

And we’ll see if that moment turns into a larger trend moving forward.

Kate Holterhoff (36:58)
And if we’re thinking about trends in open source in 2025 to sort of collect all of these thoughts, we haven’t even mentioned OpenTofu, we kind of alluded to Valkey. So the popularity of the AGPL is a big part of this. Some kerfuffles around foundations. Anything else that we’re following when it comes to open source this year?

Steve O’Grady (37:19)
I think one

James Governor (37:19)
Jesus, let’s not talk about AI, because that’s obviously… we’re not going to do that.

Steve O’Grady (37:22)
No, I’m not going to mention AI. The thing that I’m, I have a piece sort of half written on this that’ll come out hopefully the next week or two. But one of the things I think is going to be the next frontier for me is going to be APIs, right? So in other words, Oracle v Google essentially established that it is perfectly permissible to re-implement an API, via a distinct code base, right? So that is now effectively the law of the land. And I think when projects hit a certain level of popularity, historically what we’ve seen is large cloud companies say, well, here’s, we’re gonna pick this up and run with it. And that’s why the Mongos of the world are governed by the SSPL. And it’s why companies like Elastic have gone from Apache to SSPL, now back to AGPL, to protect themselves quote unquote from these large clouds.

And I think one of the things that we’ll see moving forward are explorations of, all right, forget the code base. I can figure that part out. I want to re implement the API and thereby gain access to, give a database or whomever, right? I get a gain access to their client by essentially cloning the API, the gateway into that product. So, like I said, I think there’s, there’s more on that to come.

I guess it’s the simplest way to put it.

James Governor (38:33)
Yeah, imitation is the sincerest form of flattery. And definitely if you want to steal someone’s customers, it is an ideal way of going about things. And everybody loves the Mongo API, that’s for sure.

Steve O’Grady (38:44)
Mm, yep, it’s one of them.

Kate Holterhoff (38:46)
Well, at the risk of talking about AI, something that has been interesting to me is the role of SBOMs in our AI code-assisted present, I guess. It seems like there’s a lot of companies that are worried about that.

James Governor (38:55)
You say of f-bombs? I mean that’s something I’m quite famous for, so with the rule of f-bombs I can, I’m happy to drop an f-bomb. I mean, sorry, I, did you say SBOM? Yeah, I mean

Rachel Stephens (38:57)
Thanks.

Kate Holterhoff (38:59)
Well, why don’t you pick that one up then, James? What are you following?

Steve O’Grady (39:05)
He’s making an F-bomb joke.

Kate Holterhoff (39:07)
I got it.

tried to, maybe I failed.

Steve O’Grady (39:11)
Yeah, just for that, James, gotta articulate SBOMs. Go.

James Governor (39:15)
Well, I mean, look, software bill of materials. I think, you know, where we are as an industry right now, we’re, or as a, just as a culture right now, people are concerned about the provenance of things. Where did things come from? Can we trust those things? You know, we are, that provenance is becoming ever more questionable in an age where we’re vibe coding.

God, I can’t believe I said that. Anyway, let’s say in an environment where we’re making lots of changes all at once without fully understanding them and focusing more on what the code does rather than how it does it, how it works, and how it can be sustained going forward. Actually, on that note, was one of the folks from TurinTech

Kate Holterhoff (39:39)
You did it.

James Governor (40:02)
she recently just put forward, she said from vibe to viable coding. And I thought that was quite smart. So yeah, if we’re moving forward, I think it was Annie. Anyways, if we’re moving forward to viable coding, yeah, the provenance matters. Geopolitics continues to be a thing. So whilst the big vendors are sort of offering indemnification, if someone’s code makes its way into their code bases and so on.

There is no doubt whatsoever that in the age of AI, certainly need to have really good tooling that is much closer to the developer is gonna be super important, you know, in and around. I don’t know, I’m not sure that SBOM is a market per se in monetary terms, I mean, we certainly saw Chainguard as they move forward to hardened images were able to make a ton of money, whereas selling SBOM not so much. But I don’t think we can deny their importance. But I’m also sort of slightly, yeah, like I think from an open source perspective, it’s exactly that. All the code is out there. We’re going to be generating code that is likely to have snippets of that. And yeah, that’s going to be a concern for people.

Um, was that, mean, I mean, is that good?

Kate Holterhoff (41:14)
That’s good. That’s good.

Rachel, do you want to close this out with any things that you’re following for the next year?

Rachel Stephens (41:21)
it. I think there’s lots of going to be projects that are, when you talked about Valkey and OpenTofu, I think there are going to be these projects that have splintered off of projects like Redis and we’re going to have to watch what happens with those communities as the license has pulled back. I think we’ll see what happens with IBM. So OpenTofu forked out of Terraform was then, and that was pulled into IBM.

And then Valkey is a fork of Redis, which was then now just pulled back into an open source license again. And so we’ll see what happened to both of those communities now that there are kind of differences in how those main communities are running. That’s definitely something we’re watching. Seeing how things continue to operate in this ever crazy world.

Kate Holterhoff (42:04)
I’m glad we snuck some, you know, forks in here, at least at the end, right?

Rachel Stephens (42:09)
and for a full circle

Kate Holterhoff (42:15)
Hocus Pocus.

Rachel Stephens (42:16)
Hocus Pocus, Hocus Pocus, we need a full circle Hocus Pocus, which is definitely amok, amok, amok, amok, which is definitely, just definitely what this podcast was. Anyways, subscribe for more amok, amok, amok, amok.

Steve O’Grady (42:19)
No we don’t. No.

James Governor (42:26)
that’s amazing. OK, great. That’s fantastic.

Kate Holterhoff (42:27)
Such a great movie.
