>When we discuss open source business models with other founders, there are three complaints that come up again and again. These are:
- People might criticize my messy/bad/unfinished code
- Hackers will find and exploit security holes
- Competitors will steal my Intellectual Property
I think they are missing a 4th item which is "Amazon/AWS will commercialise and sell a service based on my code and not pay me anything."
That is covered further down in the "Late stage" paragraph. Basically, you are already winning if the big ones try to emulate you, though some advanced planning to mitigate this is needed. But it should not be the focus nor worry at the start, if I interpret the article correctly.
I would suggest (and I've run zero companies and I'm just going by what I read on here) that if you want to open source your project, from the start pick a license so that big cloud companies can't commercialise your product for free.
People seem to get really salty when companies change their license further down the line to prevent this.
Those licenses aren’t open source.
People get salty because those license changes are from open source to source available (like the BSL).
Some of us (myself included) even consider licenses like the AGPL to be nonfree.
Free software can be used for any purpose, including competing with the original authors. If you can’t do whatever you want with the software, it’s not free software.
If you want to open source your software but you want to put restrictions on what people can do with it, then, well, you don’t want to open source your software (and IMO the free software community would be better off without your free software cosplay).
But as a commercial consumer, I still value source available offerings quite a lot. I can debug my own issues with them, I can see how well they're built and I know thousands of eyes are looking at them.
Depending on the software, I agree it's not as good for me as free software, but it's not worthless.
It’s not worthless, but I try to avoid supporting proprietary software companies.
Being selfish isn’t a good look, especially when starting out as free software (Docker Desktop, I’m looking at you).
I even strongly dislike actual free software releases with companies that have proprietary stuff alongside (so-called open core). It means that the people doing it don’t give a shit about software freedoms, otherwise they’d never consider releasing nonfree software. Mattermost is in this category (and further demonstrates their disdain for software freedoms by shipping nonconsensual spyware in their foss stuff and closing PRs that remove it).
It’s really shady to position yourself as an open source company and then release any proprietary software.
Do you carry this philosophy through to your professional life? As in, do you only work for companies that produce open source software? If so it's an admirable stance, and I hope you're successful.
I imagine it's tricky (or at least unstable) to earn ones living working only for entirely open source companies, but maybe there are more opportunities out there than I'd realized.
It’s not strictly absolute (I still use and even occasionally buy proprietary software) but yes, generally speaking, I either only work for companies that release free software, or strongly advocate for my clients to build and release only free software. I’ve convinced (or been part of the process that convinced) several projects to release free software that otherwise would not, including some famous ones that have been on the frontpage of HN recently.
I am personally responsible for at least 3-4 startups never making/releasing anything but open source stuff. I advocate for the basic idea of software freedom in all contexts.
Usually “business guys” try to interfere, but it’s almost always from the misguided idea that the code is somehow valuable. People get this weird idea that their source is worth money (it never is). Most companies are valuable because of their ability to execute, not their code (which is rarely reusable outside their org anyway, and even if it is, not in their market).
Think about it: if your code were valuable, how is it that a few people were able to make it from scratch in a few months? It’s obviously your staff who are valuable, not the code (which someone else could also make from scratch for low cost if they needed to, just like you did).
It’s the same misguided emotion that makes people think startup ideas are inherently valuable. It’s the ability to execute, not your so-called “intellectual property” that is where the value is.
That's quite thought provoking!
I don't agree with you on that code isn't valuable – it varies by product complexity, essentiality of the software as part of the business, etc. – but in of itself is the distillation of solved problems, which generally takes years (not months) to work out.
Still, I appreciate you taking the time to break it down, and it's something I'll think about.
I can’t speak for everyone, but I’m at a point in my career where I can be a bit more picky about the jobs I take.
I’m currently looking for a new SWE position and I prefer places that have active open source projects.
I’d take less pay to work at somewhere that maintains and releases free software.
Are you free to work for me... For free? :-)
They clearly meant free as in press, not costless.
I think they were conflating both notions. But alas...
I'm confused how someone would generally consider the AGPL to be non-free, but still perceive the GPL as a free license.
In either case you don't have to pay for the software, can modify it however you'd like, and run it wherever you want. You just have to share the modified source code.
If anything, the AGPL is the modern incarnation of the ideals of the GPL. If SaaS business had been a big thing in 1989 I'm sure the original GPL would have contained wording similar to the AGPL. It's just that back then nobody though of people hosting software as a threat to the free flow of software improvements.
Not clear.
Stallman already carved out exceptions for "appliances" that had computer chips, like microwaves. Stalllman wanted is own general purpose computer to be libre, not freedom to control other people computers (Cloud).
So, I think yours is a reasonable position. I hear it and integrate it into my thinking.
I have two thoughts on what you bring up, the first is a story I remember about Stallman being really frustrated with firmware on a printer (not drivers on a “general computing” device). I think reading this story[0] should be reasonably self-explanatory and not require additional exposition or warrant in this HN thread.
My other thought is that increasingly, our “general computing” applications are moving to web apps / cloud apps, and not stored on our devices. So while you may be correct about RMS, and maybe he wouldn’t have cared today about the concerns AGPL addresses, I personally wonder that he would, and think its at least reasonable for many people to generalize his FSF philosophy to cover general computing experiences that aren’t hosted locally but are still part of the primary computing interface that we use to interact with our current general computing devices.
0: https://www.fsf.org/blogs/community/201cthe-printer-story201...
This entirely
Free software theoretically is against EULAs and about empowerment of end users.
AGPL is an EULA that is additionally really badly written, especially compared to clarity of GPLv2-only.
The AGPL is the GPLv3 with only the addition/modification of section 13. Outside of section 13, there are only 5 words changed in the rest of the terms of the license and those 5 changes are the introduction of the word 'Affero' between 'GNU' and 'General Public License'.
Section 13 only states that someone/something interacting over a network is considered a user (and that you can combine GPLv3 and AGPLv3 works). That is the only change compared to GPLv3. It does not otherwise change what rights the user has or what is considered a corresponding source (i.e. what the licensed work contaminates). Those are word for word identical between the GPLv3 and the AGPLv3.
If you have an issue with what rights/restrictions the AGPLv3 provides a user of the software, that issue is with the GPLv3, not the AGPLv3.
I'm not sure why the downvotes.
Yes, the AGPL was essentially intended to plug the SaaS (maybe it was still being called application service providers at the time) loophole seen by some whereby delivering a network service wasn't considered distribution--and therefore didn't trigger copyleft provisions--with the GPL (either v2 or v3).
A lot of work went into GPLv3 and a lot of legal niceties were added as well as the watered-down TiVoization language but really isn't a lot of practical difference between GPLv2 and v3.
As a private person and startup founder the things I value about open source from a practical perspective are
- being able to just read the source to figure out what's going on
- being able to fix bugs
- being able to add features I need
- being able to upstream those changes so others can profit and help maintain them
- being able to self-host the software
Open Source ticks all those boxes, whether it's on the "laissez-faire" end of the spectrum (BSD) or the "Stallman" side of the spectrum (AGPL). (though the more "Stallman" a license is the fewer situations where I can use it). But the BSL also ticks all those boxes. I get it's not as ideologically pure, but it still meets most of the ideals of the original open source/libre software movements.
BSL doesn't necessarily allow you to self host. Without additional grants, it doesn't allow production usage until the license converts.
If I make a paid twitter clone using a BSL-licensed database under the hood, I'm allowed to self-host the database for this purpose, in both production and dev environments.
What the BSL prevents me from doing is offering paid hosting for others, or offering a product that competes with it (e.g. if postgres would be BSL, supabase couldn't use postgres under the hood since the products kind of compete with each other).
You can't use BSL software in production without an additional usage grant:
https://mariadb.com/bsl-faq-adopting/
In practice are there any BSL adopters that don't give a usage grant for production use? All those I've encountered only forbid stuff like hosting to compete with the original software creator, not actually using it in production.
It may not be common, but I did find these (fairly popular projects) which don't appear to allow production usage: https://github.com/fingerprintjs/fingerprintjs/blob/master/L... https://github.com/exaloop/codon/blob/develop/LICENSE
Here are some others: https://github.com/search?q=%22Business+Source+License%22+%2...
You are right for the pure BSL. I was misremembering because e.g. Hashicorp just give a blanket Additional Use Grant for production use that doesn't compete with the licensed product [1]. MariaDB is a lot less generous, e.g. restricting you to less than three production servers for MaxScale.
So the ability to self-host BSL code depends a lot on the chosen Additional Use Grant. I don't mind Hashicorp's, but the one publicly offered by MariaDB is pretty restricting.
1: https://www.hashicorp.com/bsl
To me AGPL is still very open, but it sure limits stuff. Gotta be even more careful with it in an enterprise setting than GPL. Can deploy it internally, but must be internally and it’s a constant risk.
I haven’t found a reason to deploy one yet. One use case I have seen is to have some sort of commercial/AGPL double distribution, perhaps with the AGPL release lagging behind.
Sorry, so I must have misunderstood AGPL then? Assuming a well written software, your configuration values can still be secret, right? As long as you give all your users the source code you got and the changes you made to the code (not the configuration), you should be ok? It is crazy to expect someone to ask for things like your database password or your exact configuration like sync intervals.
No you are right. I just meant that if you deploy a GPL service internally and the service somehow makes its way outside the organization, you don’t have to distribute the source code or anything.
But with AGPL, you now have to. Ensuring compliance is costlier.
Why is compliance costlier? There are companies that don't comply with GPLv2 for months and there is no cost as far as I can tell
previously on HN, https://news.ycombinator.com/item?id=31713525
Compliance is costlier if you actually spend resources trying to comply. What you are referring to is the cost of non-compliance.
Maybe the joke swoshed by me. :)
That's like saying a free society can only be free when individuals are free to do anything they want including harming/limiting freedoms of other individuals. Well, no, most free society limits your freedom to harm other people or bans you from limiting other people's freedom. The AGPL prohibits you from limiting other people's freedom.
Which definition of free do you use?
You may have valid criticism against AGPL but non-free isn't one. It's free according to the free software definitions and the open source definition. It's recognized as free by the two organisms providing relevant definition (OSI and GNU) and by all the relevant actors, including Linux distributions and even big proprietary companies (including GitHub).
I think you are misunderstanding the meaning of "for any purpose". It only applies to what you do with it when you run it. It does not mean you can do anything you want with the source code. It is very important to understand this aspect correctly when developing software or for a free software / open source enthusiast.
AGPL is absolutely free software as long as the GPL is considered free software and should not be put into comparison with licenses like the BSL.
The only real limitation on the AGPL compared to the GPL is section 13 which states that you need to make the sources for said AGPL program available to any user who interacts with it. Otherwise the license is practically identical. Otherwise the license is essentially identical to the GPL.
If you diff the licenses, you'll see that other than section 13 and s/GPL/AGPL/g, the actual license terms are identical (if you diff sections 0-12, only the addition of the word Affero to the first line of section 0 will come up). The preamble and afterwords are different but they aren't actually part of the license (only the sections between the lines `TERMS AND CONDITIONS` and `END OF TERMS AND CONDITIONS`). As for the differences in those sections, the preamble provides context for why the license exists compared to the GPL and the afterwords provide a recommendation as to how to provide source access.
So in effect the AGPL is identical to the GPL with the addition of requiring that you make sources available to any user "interacting with it remotely over a computer network". Contrary to popular belief this doesn't mean you need to provide sources for everything that touches it over a network, just that anybody/anything that interacts with it over a network be granted access to the AGPL source (and corresponding sources). The requirement for what is considered part of corresponding sources is exactly identical.
That requirement:
TLDR: The only practical change in the licenses for a piece of hosted software is that under the GPL the user is the server operator/host and under the AGPL the user is the actual user/client. Whether a given piece of software gets "contaminated" by a AGPL work is no different than if said AGPL work was licensed under the GPL instead.
I get your philosophical point point and I'm not enough up on various licenses to debate the AGPL.
I'm coming more from a "build a company and feed your family" point of view but everyone has to balance their own priorities/ethical positions.
I guess at least if the license is set at the outset people can choose to engage or not, rather than having what they may percieve as a "rug pull".
I was with you up until this point.
I honestly don't get why more people don't just use the AGPL.
Mastodon et al prove it works.
I would hesitate to characterize a service running on grants and donations as a good model for your typical startup to imitate.
Why not? It is one of the most sustainable models if you want to maintain quality and avoid enshittification.
The VC-oriented financial model (that is, your typical startup) is fundamentally incompatible with Mastodon's non-profit financial model. As a result, very different choices around licensing, funding, and business structure are good fits.
Each tool has its use and serves its specific purpose. What works for Mastodon might not work for others trying to advance different goals.
Nobody should take VC money unless they absolutely have no other option.
The primary goal of a startup is to make money through acquisition or IPO, and the primary goal of business more generally is to make money selling a good or service. Grants and donations don't really fit into that, and isn't the topic of this whether or not to open source the code of a commercial venture?
For my money, dual licensed AGPL is the way to go. All source is available under the AGPL, but also available via a paid commercial non-open source license.
The only real drawback is ensuring any outside contributions can be utilized this way, such as with a CLA.
That's what I ended up doing recently [1]. I'm doubtful I would even know if someone did end up breaking the license agreement though.
[1]: https://pl.aiwright.dev/about/license/
That's the thing. You can dual license however you want. But if no one from the outside actually contributes what have you accomplished really? (Other than being able to say you're open source.) Of course, a great many open source projects in general are one person or one organization.
It's a legal mess that doesn't work if your application isn't a website, and even then it's a problematic thing.
Honestly, for considerable portion of its use, it works mainly because nobody looks too closely or trieso actually enforce it.
The other considerable portion was/is bait&switch schemes involving dual licensing and having developers sign copyright transfer forms to parent org, which benefits from selling commercial license when someone runs afoul of compliance.
Well, Mongo decided it doesn't really work. At least not for them, anyway. This is one of the most notorious case of relicensing from Open Source to source available cases, so it might be interesting for you to look into the reasons (it happened around 2018).
In the end, the AGPL is huge but not a silver bullet.
I think a lot of people get salty when a company changes their license to a source available license but still try to call it open source and free ride on the goodwill that open source software engenders.
Don't call a license open source if it isn't and reasonable people will be fine with it.
I did say pick a license from the start. I'm not criticising people for having different philosophical positions on licensing.
I was addressing the point about the "saltiness" when licenses change. I wholeheartedly agree that making a thoughtful choice the company can live with from the start is the best policy.
I agree that when a big cloud company tries to emulate you, you are already winning on a normal company. But maybe not for a venture-backed/big-exit-strategy startup. And probably, those early investors are the ones recommending against fully open-source business models.
And the main one:
It's really hard to make any money by giving your product away for free...
If you open source your product, your business product becomes hosting / maintenance / consultancy.
Has it ever worked, i.e. Is there any company which could pay market rate salary without any extra funding or being subsidized by other parts of company? Docker, terraform, elasticsearch, many DBs etc tried it but it never generated good revenue to pay developers outside of VC funding. See their revenue after they begin removing free stuff[1].
Even supabase is an awesome product but they needed $116M of external funding[2] to support their development which looks like unsustainable model for open source.
[1]: https://prismic-io.s3.amazonaws.com/sacra/fc6f34f9-d598-4b53...
[2]: https://www.crunchbase.com/organization/supabase
Yes, I work for XWiki [1] which works exactly like this. It's been running since 2005. Don't expect FAANG salaries, the company is small and doesn't have investors, but the salaries are decent and the working conditions are great.
To my knowledge we don't have any competitor that takes XWiki and provides support and/or consultancy. I don't think it would be possible to freeride on our product because it would require expertise they would only have if they contributed to the project and it also requires brand recognition. We are of course the reference, people trust us because we are the main developers.
Many features have also been sponsored by customers so we do receive money to develop big parts of the product itself.
[1] https://www.xwiki.com/
Looking at the pricing page[1], it looks like open source is missing many features like LDAP and extensions. Is that correct?
[1]: https://xwiki.com/en/pricing/
Everything we do is open source, including the LDAP feature ("custom" consultancy aside, where the highly specific parts are often not public). Most extensions are free, some are paid (including the convenient LDAP app), but all are open source, including the paid ones. XWiki is not open core.
In particular, the core code for dealing with LDAP is there [1], open source and gratis, and the paid app that provides a nice UI for it is... paid but also open source under LGPL and the code is here: [2].
You can actually clone the code, strip the license management, compile it and install it on your own instance, but people usually just pay and they also get support.
It's pretty much like OSMAnd Plus, which is paid on the Google Store, but the actual source code is still free software.
So yes, we actually sell free software (and free ≠ gratis has its full meaning with us), and it turns out convenience makes it so that it works out.
Usually organizations big enough to want to use LDAP can usually fork off a few bucks and will be glad to support us.
Of course it would be nicer if it were free and it's always a delicate balance to decide what should be a paid app / feature, but at least it's always open source , with all the relevant rights to users it implies: the right to take the code, adapt it and/or go find someone else if they are not happy with us.
As someone convinced that free software is the right way to do software, I think this is a sane way to fund free software, and good to take.
It's also way easier to handle than donation for an organization that would like to send us money, it's easy to justify.
[1] https://github.com/xwiki-contrib/ldap/
[2] https://github.com/xwikisas/application-activedirectory/
Ionic seems to be doing OK.
Ionic has raised $25M from external funding.[1]
[1]: https://www.crunchbase.com/organization/ionic/company_financ...
Yes that's what you sell but if you also have development costs and your freeriding competitor doesn't, how often do the finances of it work out?
It may be difficult to freeride, you still need to know in depth how the product exactly works if you want to provide consultancy and support.
Freeriding would break on the first tricky support ticket or the first feature you'd need in the product that isn't there yet. You get to know the product well enough if you start contributing and interacting with the main contributors, at which point you stop freeriding and you become a partner instead.
The other way to do this would be to get an agreement from the main developers so you can be supported on your consulting and support activities, in which case you also become a partner.
I tend to think both outcomes as beneficial to the main devs, who can always stop collaborating if it turns out they are not.
Now, if your product is something for which nobody needs support or consultancy, you risk having the MongoDB-Amazon issue.
...So, that is the problem isn't it?
Basically, well-written software and documentation are meant to reduce the amount of support and consulting needed by users. Assuming your point is true, then for a company that sells support and consultants, enriching documentation, etc. would be an action in direct conflict with its own interests, wouldn't it?
The MongoDB people are very passionate and have built a great software, documentation and user community... to the point where they no longer need to sell their own support. Therefore, it is my understanding that Amazon has decided to use their "support".
(If you're saying that it doesn't matter to the users if the company lives or dies when there is already functioning software and community, that may be true)
Yep, it is a risk, but it's also not applicable in every case. Now, I'm not an expert and I'm not sure what are the exact boxes to check to avoid the issue but we for sure don't have it. It is definitely something to carefully consider when creating an open source business. I guess Amazon wants to provide nice developer tools and improve its cloud offer to attract people to its cloud solutions, but our product is not for such developers. Amazon is not interested in providing support and consultancy for XWiki (we know this for a fact since they use XWiki and sponsored important features). It does not scale that well, unlike providing MongoDB.
One could think this, but it's not actually the case. I guess we already have enough support work that's not related to a lack of documentation such that we don't need to increase it artificially. We are actually incentivized to reduce our support work. Companies will usually need to be reassured by a support contract in any case.
We are big users of the documentation ourselves and we have every incentive to write good documentation because of this. Lack of documentation actually increases our cost of operation, because all of a sudden, if you need to know something, you need to find out the relevant developers, who might have left (but probably not because people usually stay), and wait for their reply, or wait for someone to look into the relevant code.
There's also no policy of keeping any documentation secret. On the contrary, we are encouraged to publicly document what we do. So when we document, we do it publicly, except for internal processes.
Our documentation is far from perfect, but it's because of a lack of time or diligence, not because we are incentivized to keep documentation secret.
What's more:
- a good documentation is a good look for someone who seeks to adopt our product
- the same values that push us to do it the open source way pushes us to also publicly document things.
- when documentation is lacking or help is needed, you can always reach us on our public chat and our public forum, and the product team is in reality usually quite responsive. And so if the documentation is good, there are fewer questions to answer. Of course, there are limits, questions that look like support questions will be invited to talk to our support team. Unless someone else in the community does answer the questions for free.
Open sourcing your code doesn't necessarily mean that you're giving your product away for free.
The value in a lot of businesses (most?) is in the distribution and my core argument in the post is that being open source actually gives you an edge here, especially in markets where your competitors are unwilling to take this approach.
Business value only matters if you can capture it.
Probably poor word choice from me but when I reference superior distribution I'm assuming 'value-capture'.
I thought you were saying you'd have greater distribution if you give stuff away free, but in that case it's much more difficult to capture value from it. Everyone wants free stuff.
As someone who has created and maintained open source projects (most recently Willow[0]) for two decades I get a kick out of this.
Of course when interacting with users and feedback I keep it polite but in my head I'm thinking "You like to talk. I actually DID this. Shut up or submit a PR".
Surprise surprise they almost never do.
Keep actually producing and shake the haters off!
[0] - https://heywillow.io/
What is the financial backing that affords you the ability to offer your product for free? Everyone still has bills to pay AFAIK
Two prior successful startup exits.
I also do consulting and advisory work in adjacent spaces so this is pretty much my lifelong dream - spend my other time just doing open source projects I think are interesting.
You could just pick a better license like the GPL or AGPL. Cloud companies eating other open-source products up is purely the inability of those products to choose licenses that actually protect their work.