There has been another round this month of a story we keep telling ourselves we have learned from: a maintainer changes the licence on a popular project, and a sizeable chunk of the ecosystem discovers it has been quietly depending on goodwill it never paid for. The specifics vary each time. The shape does not. Someone gives away years of their evenings under a permissive licence, watches large companies build on it without so much as a thank-you, and eventually decides the terms should change.
I am not going to pretend I sit cleanly on one side of this. I have shipped things on top of MIT-licensed libraries and never once contributed back. I have also maintained a small project and felt the particular flavour of resentment that comes from a bug report filed by someone using your work in production at a company with a market cap larger than a small country. Both feelings are real, and they do not cancel out.
What interests me less is the moral argument and more the mechanical one. A licence is not a vibe; it is the legal basis on which your dependency graph stands. When a project relabels itself from a permissive licence to something with a commercial clause or a copyleft requirement, every downstream user is suddenly running on a version they may no longer be allowed to use the way they were using it. Most of the time you are fine, because you pinned a version and the old terms still apply to that release. But the next time you bump it for a security fix, you have quietly accepted new terms, and almost nobody reads the diff on a LICENSE file.
The honest problem is that we built an industry on the assumption that "it's open source" means "I never have to think about this again". It does not. It means someone decided, for now, to let you use their work under terms they chose, and terms can change at the boundary of any release. The trust that breaks is not really trust in the maintainer. It is the comfortable fiction that a dependency is a fixed object rather than an ongoing relationship with a human being who has had enough.
The practical takeaways are dull, which is why we ignore them until a story like this lands. Keep an SBOM, or at least a list of what you actually depend on and under what terms. Have your CI fail the build if a licence in the tree changes to something on your no-fly list, because a tool will read the LICENSE diff even when you won't. And if a project is load-bearing for your business, consider whether the maintainer would notice money arriving, because the cheapest insurance against a licence change is a maintainer who is not desperate.
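What that CI gate looks like in practice, as an added example rather than anything from the original post: a script that reads a CycloneDX-style SBOM, compares each component's SPDX licence id against the licence recorded when the build was last approved, flags anything on a no-fly list, and exits non-zero so the pipeline fails. The SBOM, the baseline and the denylist are all constructed sample data; a real pipeline would generate the SBOM with its own tooling and keep the baseline in version control.

```python
"""CI licence gate: fail the build when a dependency's licence changes or lands on the no-fly list."""
import json
import sys

# Constructed sample: a minimal CycloneDX-style SBOM (only the "components" array matters here).
SBOM_JSON = """
{"components": [
  {"name": "leftpad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "fastdb",  "version": "4.0.0", "licenses": [{"license": {"id": "SSPL-1.0"}}]},
  {"name": "httpkit", "version": "2.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"name": "mystery", "version": "0.9.0", "licenses": []}
]}
"""

# Constructed baseline: licence ids recorded the last time this build was approved.
BASELINE = {"leftpad": "MIT", "fastdb": "Apache-2.0", "httpkit": "Apache-2.0"}

# Constructed no-fly list: SPDX ids this hypothetical business will not ship against.
DENYLIST = {"SSPL-1.0", "BUSL-1.1", "AGPL-3.0-only"}


def licences_from_sbom(sbom_text):
    """Map component name -> declared SPDX licence id (None when the SBOM gives none)."""
    out = {}
    for comp in json.loads(sbom_text)["components"]:
        ids = [entry["license"].get("id") for entry in comp.get("licenses", []) if "license" in entry]
        out[comp["name"]] = ids[0] if ids else None
    return out


def check_licences(current, baseline, denylist):
    """Return human-readable violations; an empty list means the gate passes."""
    problems = []
    for name, lic in sorted(current.items()):
        if lic is None:
            problems.append(f"{name}: no licence declared in SBOM")
        elif lic in denylist:
            problems.append(f"{name}: licence {lic} is on the no-fly list")
        # A change away from the approved licence is a finding even if the new one is not denied.
        if name in baseline and lic != baseline[name]:
            problems.append(f"{name}: licence changed {baseline[name]} -> {lic}")
    return problems


if __name__ == "__main__":
    found = check_licences(licences_from_sbom(SBOM_JSON), BASELINE, DENYLIST)
    for problem in found:
        print("LICENCE GATE:", problem)
    sys.exit(1 if found else 0)
```

With the sample data the gate fails on three counts: fastdb has moved from Apache-2.0 to SSPL-1.0 (reported both as a change and as a denied licence) and mystery declares no licence at all, which is the case that most often slips through when a check only looks for known-bad ids.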
None of that fixes the underlying tension. The people doing the work and the people profiting from it are still mostly different people, and no licence text resolves that. But it does mean the next change catches you reading the terms rather than reading the headline.