Source-available is not open source: SSPL, BSL, and the relicensing trap
Source-available licenses publish the code but withhold freedoms a real open-source license guarantees. What the SSPL and the Business Source License actually restrict, why the OSI approves neither, and the relicensing cycle that keeps producing them.
In this series
Open source licenses explainedA source-available license lets you read the code but withholds one or more of the freedoms a real open-source license1 guarantees. The source is published; the rights are not all there. These licenses exist for one reason — to stop cloud providers from reselling a project as a managed service — and they look open enough to fool a casual reader. They are not open source, the OSI approves none of them, and the difference is not pedantic: it changes what you're legally allowed to do.
🔗 Learn more — 1 What is an open-source license?
What "source-available" withholds
Open source means all four freedoms are present, including the freedom to use the software for any purpose — including competing with the author. Source-available licenses carve out exactly that: you can read, often modify, sometimes use it in production, but you may not use it in the ways the author wants to reserve for themselves (typically: offering it as a service). Because a freedom is removed, the license fails the Open Source Definition. The code is visible; the commons is fenced.
SSPL — the entire-stack condition
The Server Side Public License (SSPL), written by MongoDB in 2018, is built on the AGPL2 but goes much further. Its Section 13 says that if you offer the software as a service, you must release the source not just of the program but of the entire service stack used to offer it — "management software, user interfaces, APIs, automation, monitoring, backup, storage, and hosting software." That requirement is so broad that no cloud provider could realistically comply, which is the point. MongoDB submitted the SSPL to the OSI for approval, then withdrew it in 2019; the OSI's position is blunt — "the SSPL is not an open source license." The withheld freedom is the freedom to offer the software as a service, so it isn't open, however much it borrows AGPL's structure.
🔗 Learn more — 2 Copyleft and the GPL family
BSL — open source, just not yet
The Business Source License (BSL/BUSL), authored by MariaDB, takes a different and more honest tack. Its own text says plainly it "is not an Open Source license." The mechanic is a time delay:
- An Additional Use Grant permits some production use immediately (the author defines the limit — typically "anything except offering it as a competing service").
- A Change Date — by default the fourth anniversary of a version's release — after which that version automatically converts to a real open-source license (the Change License, which must be GPLv2-compatible or later).
So BSL code is proprietary-with-source for about four years, then becomes genuinely open. The SPDX identifier is BUSL-1.1 — note that BSL-1.0 is the unrelated Boost license, a common mix-up. HashiCorp moved Terraform to BSL in 2023; the four-year clock means each version eventually frees itself, which is more than the SSPL ever offers.
The relicensing trap
These licenses keep appearing because the same situation keeps recurring: a project is released under a permissive or copyleft license, a cloud provider builds a lucrative managed service on it, the original company sees the revenue going elsewhere, and it relicenses to source-available to claw that revenue back. The pattern, version by version:
- MongoDB → SSPL (2018), from AGPL
- Elastic → SSPL/Elastic License (2021) — then added AGPLv3 back in 2024
- HashiCorp → BSL (2023), from MPL-2.0 — later acquired by IBM (~$6.4B, closed 2025)
- Redis → RSALv2/SSPL (2024), from BSD — then added AGPLv3 back in 2025
The relicense protects the company's revenue and, in the same motion, forfeits the community's freedoms — which is why each one triggered a fork (Valkey from Redis, OpenTofu from Terraform, OpenSearch from Elasticsearch) that carried the open community forward under the original terms. Notice the repeated reversals: Elastic and Redis both added a true open-source license (AGPL) back once the forks had taken root. The source-available move bought less than it cost.
The practical takeaway is simple. Treat source-available as proprietary. If you depend on it, you depend on a single vendor's terms, which can change again. If you're tempted to adopt one to protect your own project from a cloud, the honest open-source answer to that fear already exists — it's the AGPL — and the full argument for why forkability, not a restrictive license, is what actually keeps a project alive is its own story.