Tooling

Source-Available vs OSI/FSF Open Source

BSL, SSPL, FSL, Fair Source — why these are not open source, and how to talk about them honestly.

The 2023–26 wave of relicensings has muddied the word "open source" badly. This page is the canonical "what counts and what doesn't." Pair with OSS License Selection, License Relicensing Wave, and OSS Business Models.

The two definitions you need

  • OSI Open Source Definition — the OSI-approved license list is the canonical source of truth. Free to read and cite. If a license is not on this list, it is not open source.
  • FSF Free Software Definition — gnu.org's "four freedoms"; substantially overlaps with OSI but is stricter on copyleft / freedom framing. Free.

Both are free / non-profit; both are happy to be cited by name.

What is not OSI-approved (flagged loudly)

  • BSL — Business Source License (HashiCorp Terraform/Vault/Consul 2023, CockroachDB 2024, Sentry 2019, MariaDB MaxScale). Source-available with a "non-compete" clause that converts to Apache 2.0 after a fixed time (typically 4 years). Not OSS.
  • SSPL — Server Side Public License (MongoDB 2018, Elastic 2021 → reverted to AGPL/Elastic 2024). AGPL-shaped but with a viral "you must also open-source your management stack" clause. OSI explicitly rejected SSPL as not meeting the OSD. Not OSS.
  • FSL — Functional Source License (Sentry 2023, Keygen). 2-year time-bomb to Apache or MIT. Not OSS during the FSL window.
  • Fair Source License — umbrella label Sentry coined for FSL-shaped licenses; sometimes confused with the older 2014 "Fair Source License" by Sourcegraph. Not OSS.
  • Elastic License v2 — Elastic 2021–24; Elasticsearch is now dual-licensed AGPL/ELv2 again, but ELv2 alone is not OSS.
  • Confluent Community License — Kafka Streams ecosystem; not OSS.
  • Redis Source Available License (RSALv2) / SSPL — Redis Labs 2024; not OSS (Redis OSS continuation lives on as Valkey under BSD).
  • Server Side Public License + Commons Clause add-ons — any "Apache 2.0 + Commons Clause" combination is not OSS because Commons Clause removes the right to sell.

What is OSI-approved (and copyleft-leaning, often a real OSS alternative)

  • AGPL v3 — closes the SaaS loophole without leaving the open source umbrella. The honest choice if your worry is "AWS hosts my project without contributing." Used by Grafana (pre-2024), Mastodon, Nextcloud, MinIO, and Plausible.
  • GPL v3 / LGPL v3 — strong / weak copyleft; both OSS.
  • Apache 2.0 — permissive but with explicit patent grant; the most common "neutral foundation" license.

Honest take (2024–26)

  • The relicensing wave is real and accelerating. HashiCorp, Elastic, Cockroach, MongoDB, Sentry, Redis, MinIO have all moved off OSI-approved licenses at some point in the last 6 years. See License Relicensing Wave.
  • OSS forks usually appear within months. OpenTofu (Terraform), Valkey (Redis), OpenSearch (Elasticsearch), ferretdb (Mongo). These now matter.
  • Vendors marketing "open" without the OSI label is sometimes deceptive. Push back. The OSI list is your shield — link to it.
  • The Open Source Definition is exactly 10 short clauses. Read it once — it'll save you years of confusion: opensource.org/osd.
  • GitHub's license field uses SPDX IDs; SPDX explicitly tags BSL / SSPL / FSL as non-FSF / non-OSI. Use that signal in CI gates.

How to talk to your team / users

  • In docs: "We use the BSL 1.1, which is source-available, not OSI-approved open source. After 4 years each release converts to Apache 2.0."
  • In RFPs / procurement: if a vendor calls a BSL/SSPL/FSL product "open source," cite the OSI list and ask them to correct the term.
  • Internally: a license-gate in CI (see License Auditing Tools) should flag non-OSI licenses with a WARN and require a legal-approved bypass label.

Pick this if…

  • You want a permissive OSS license that's foundation-friendly: Apache 2.0.
  • You want SaaS-protection without leaving OSS: AGPL v3.
  • You're considering BSL / SSPL / FSL: be honest in your README — call it source-available, link to OSI, expect a community fork. Many users will choose the fork.
  • You're auditing a vendor calling itself "open source": check the OSI list. If the SPDX ID isn't there, it isn't OSS.

On this page