Another week, another project I depend on quietly swapping its licence for something that isn't quite open source any more, and calling it open source anyway. The specifics differ each time, the wording in the announcement is always careful and always reasonable, and the effect on those of us downstream is always the same: a small jolt of "wait, can I still use this the way I've been using it?", followed by an afternoon I didn't budget reading licence text I'm not qualified to interpret.
I'm being deliberately unspecific about which one, because by the time you read this it'll be a different project and the same story. The shape is what interests me. A company builds something genuinely good, releases it under a permissive licence, gathers a community and a great deal of free contribution and goodwill, becomes the default in its category, and then watches a cloud provider package the exact same software as a managed service and make money the company feels should have been theirs. So the licence changes. SSPL, BSL, "source-available", some bespoke thing with a clause about competing services. The code is still on GitHub. You still can't quite trust it the way you did on Monday.
Why this is a trust problem, not a licence problem
The licence is downstream of the real damage. What an open-source licence actually provides, beyond the legal permissions, is a promise: the rules under which you adopted this software will not be changed underneath you. You can build a business, a homelab, a ten-year deployment on top of it, and the terms you accepted on day one will still be the terms on day three thousand. That promise is what lets a community form. It's why people contribute patches to code they don't own, why companies bet their architecture on a dependency, why any of this works at all.
A relicence breaks that promise even for the people it doesn't legally affect. I might be entirely within my rights under the new terms. My homelab isn't a competing cloud service; nobody's coming for me. But I've learned something I can't unlearn, which is that this project's licence is a thing the company will change when its commercial interests point that way. So now I read every new dependency's licence with one eye on "and what happens when they decide they want the money back".
I have some sympathy, which is the awkward part
Here's the bit that stops this being a simple morality tale. The companies aren't wrong that the situation is unfair. They do the hard work, the expensive work, the years of engineering, and a hyperscaler with effectively infinite distribution wraps it in a console, charges for it, and contributes back roughly nothing. The permissive licence allows exactly that, by design. "Anyone can use this for anything" includes "a trillion-dollar company can resell it and out-compete you with your own code". When you put it like that, the relicence is a rational response to a genuine asymmetry.
So I don't think the maintainers are villains. I think they're caught between a licensing model that assumed good faith from everyone and a market that contains at least one party with no incentive toward it. The BSL, for what it's worth, is the most honest of the new licences: it says plainly that the code becomes properly open after a few years, and it's specific about what it restricts. That's a defensible compromise. The ones I dislike are the ones that keep the words "open source" while quietly removing the thing that made it open source, because they want the goodwill of the label and the protection of the restriction at the same time.
The contributors are the ones who get the worst of it
There's a group in this story that rarely gets mentioned and gets treated worst of all: the people who contributed to the project for free under the old licence. They wrote patches, fixed bugs, answered questions on the issue tracker, built tutorials and integrations, all on the understanding that they were improving a piece of genuinely open software. Then the licence changes, and the thing they donated their evenings to becomes, in part, a commercial moat for a single company. Their work is still in there. They just can't use the result on the old terms any more, and nobody asked them.
Legally that's usually fine; the contributor licence agreement they signed years ago, often without reading, granted exactly the rights that make a unilateral relicence possible. But "legally fine" and "the thing I thought I was joining" are different, and the gap between them is where the goodwill leaks out. The next time that company open-sources something and asks for community contributions, the community remembers. You can only spend that trust once.
What I actually do about it
Practically, not much, and that's the uncomfortable conclusion. I can't audit the corporate strategy of every dependency. What I have started doing is weighting genuinely foundation-governed or genuinely permissively-licensed-and-likely-to-stay-that-way projects more heavily when I choose what to build on, and treating single-vendor open source as a thing with a hidden expiry date. Not unusable. Just not something I'll architect a decade around without a fork in mind.
The internet was built on the assumption that the foundations stay where you put them. Every relicence chips a little at that, not because any single one is wrong, but because they accumulate into a lesson: read the licence, watch the cap table, and never quite forget that the rug is rentable. I miss not having to think about it. That, more than any specific clause, is what's been broken.