Weaponized Open Source
Thursday, February 13th 2025
Zeke Gabrielse, Founder of Keygen
Venture-backed startups have turned open source into a weapon. They release software under the AGPL, use that as a marketing tool to gain adoption, and structure everything against the spirit of open source. It's open source in name, but not in practice.
The license is OSI-approved, sure — but the OSI's stamp of approval is utterly meaningless when the result is vendor lock-in.
For startups, the AGPL isn't about protecting user freedom[1]. Instead, it serves as a veiled non-compete, cleverly used to eliminate competition while masquerading as "open source." This is accomplished through a Contributor License Agreement (CLA), which changes the rules.
"Source-available" licenses, unlike "open source," explicitly restrict use and prevent competitors from using the vendor's software to compete against them. Unbeknownst to some, the AGPL alongside a CLA achieves the same result — not explicitly, but through fear, legal ambiguities, and unfair rules of engagement.
Not many hyperscalers will risk integrating with and exposing software under the AGPL alone due to these ambiguities. Many, like Google, have flat out banned the AGPL.
Smaller cloud providers that offer managed hosting of open source software — something that's permitted under open source — are expected to pause at the AGPL. (Some don't.)
Even businesses that simply want to self-host for 'internal-use' are expected to hesitate because the compliance risks aren't worth it. And what I mean by 'isn't worth it,' is that businesses will tend to avoid the AGPL because of the fear and uncertainty around its 'infectious' networked copyleft clause.
And no matter how altruistic you are, most businesses won't — and can't — risk having to open source their proprietary code.
Startups revel in this FUD and ambiguity.
VCs bank on the playbook.
So then, functionally — due to these ambiguities — the AGPL acts as a non-commercial license. Combine this with a CLA and it acts as a non-compete as well. It's the perfect license for startups.
These startups claim to offer the core under 'alternative' license terms for those that can't use the AGPL. But in practice, no one ever gets to see those terms. The point isn't to offer the core software under so-called alternative terms like, for example, Ghostscript does — it's to ensure their cloud offering is the only viable option.
Finally, they tack on a CLA so that the rules of engagement change — so that the vendor is not beholden to the same infectious copyleft rules as everybody else. They own everything — so they can relicense the code to themselves under different terms.
They can build their proprietary 'enterprise' features for their cloud while nobody else can, and nobody else can use it either.
They can poison their source with their proprietary bits.
They know competition under a CLA is dead on arrival.
This is not real open source.
It's a legal moat built on deception — carefully engineered to prevent competition while maintaining the illusion of "open source."
And it's rampant right now.
These startups rely on the open source label to drive adoption, but the moment they hit scale, the reality becomes clear: the AGPL was never about freedom — it was about self-preservation.
They get the benefits of viral distribution, free labor, and product-led growth while ensuring that no one else can challenge them.
And when they still can't make it work, they resort to neutering and relicensing functionality from the core product.
And when that doesn't work either, they resort to relicensing everything, because the CLA allows them to do so.
At the end, when an open source startup shuts down, the enterprise edition disappears into the ether, along with any proprietary cloud features (remember?). There is no fallback plan. No continuity for customers. In the end, you own nothing.
But that was the plan, after all.
This isn't the spirit of open source. It's reducing open source to a marketing term for vendor lock-in.
Author's note: the above thoughts are for how the AGPL is used in startup-land alongside a CLA — not for AGPL in general. The AGPL is a fine open source license for libraries and other infrastructure. The issue I have today is with its deceptive use by COSS startups as a hidden non-compete when licensing their core products.
[1]: I ended up writing more about this here.