Your Open Source Project Needs a License Update (Or It Doesn’t)

(GitHub and Open Source) - The open source licensing landscape has shifted hard. Here's what every project maintainer needs to know about BSL, FSL, and the quiet death of permissive licensing in production AI.

Let’s cut the fluff. If you’re still slapping an MIT license on every new GitHub repo because “that’s what everyone does,” you might be shooting yourself in the foot. Hard.

The open source licensing landscape has shifted dramatically over the past 24 months. And I’m not talking about lawyers fighting over GPLv3 interpretations. I’m talking about real, practical changes that affect how your code gets used—and abused—by corporations running AI workloads.

Here’s the thing nobody says out loud: MIT and Apache 2.0 are becoming the “free training data” licenses for AI companies. And a growing number of projects are fighting back.

The Three Big Shifts You Can’t Ignore

1. Server Side Public License (SSPL) Got Real Teeth

Remember when MongoDB switched to SSPL in 2018 and everyone screamed? That scream has become a chorus. In 2025, we saw HashiCorp move Terraform to BSL, Sentry relicense under FSL, and a dozen smaller projects follow suit.

Why? Simple. Cloud providers were packaging their open source work, slapping a managed label on it, and making millions. The original maintainers got nothing. Worse, they couldn’t compete because their own license let AWS or GCP undercut them.

The data doesn’t lie: According to a Tidelift survey in late 2025, 38% of commercial open source projects have adopted a restrictive license in the past two years. That’s up from 12% in 2022.

2. The “AI Training Loophole” Is Real

Here’s a story from our team in Ho Chi Minh City. One of our devs contributed to a popular MIT-licensed code generation library. A major AI startup scraped the entire repo, trained a model on it, and started selling a SaaS product built on that knowledge. They didn’t violate the license. They didn’t have to. MIT lets you do almost anything.

The original maintainer? He got nothing. Zero. His 3,000 hours of weekend work became someone else’s revenue stream.

This isn’t theoretical anymore. Projects like Redis, CockroachDB, and Elastic all made license changes explicitly to prevent cloud vendors from eating their lunch. Expect more to follow.

3. The “FSL” Compromise Is Gaining Traction

The Functional Source License (FSL) is interesting. It’s not pure open source according to OSI definitions, but it allows most uses while blocking SaaS competitors. Projects like Sentry have adopted it. It’s a pragmatic middle ground.

I’m not saying FSL is perfect. But it’s better than watching your code get ingested into someone else’s profit center without attribution or compensation.

What This Means for Your Project

Let’s be practical. Here’s how I think about licensing decisions now.

| Use Case | Recommended License | Why |
|---|---|---|
| Personal project, don’t care about commercial use | MIT | Dead simple, everyone understands it |
| Library you want widely adopted in enterprise | Apache 2.0 | Patent protection + corporate-friendly |
| SaaS product with cloud competitors | BSL or SSPL | Prevents AWS from cloning your API |
| Tool that could be used for AI training | FSL or BUSL | Add “Additional Use Grant” clause |
| Infrastructure component | MPL 2.0 | Balances openness with protection |

The hard truth: If you’re working on a project that replaces a service someone could sell, don’t use MIT. You’re just feeding your future competitors.

Practical Actions You Can Take Today

First, audit your existing repos. If you have projects with 100+ GitHub stars, check their licenses. Are they still appropriate? Do you even have a license file? (You’d be surprised how many projects don’t.)

Second, consider a dual-license strategy. Keep the permissive license for non-commercial and small-scale use, but require a paid license for enterprises or cloud operators. It’s more administrative work, but it’s how companies like MySQL and SQLite have survived.

Third, update your CONTRIBUTING.md. If you’re changing licenses, tell your contributors explicitly. We’ve seen projects die because maintainers relicensed without community buy-in. Don’t be that person.

Code Isn’t Free Anymore

I talk to CTOs weekly who are building production systems with open source components. Most of them have no idea what licenses their dependencies use. That’s a lawsuit waiting to happen.

Honestly, the era of “code wants to be free” ended when AI companies started treating GitHub like an all-you-can-eat training buffet. The new reality is pragmatic protection.

So here’s my question: Have you checked your license file this year? Not just the one you copied from another repo five years ago. Actually read it. If you haven’t, you’re not maintaining your project. You’re just hoping nobody exploits it.

Frequently Asked Questions

Can I change my project’s license after people have already contributed?

Yes, but only if you own the copyright to all contributions. If you accepted PRs without a Contributor License Agreement (CLA), each contributor holds copyright on their changes. You’d need their explicit permission to relicense. That’s why smart projects add a CLA from day one.

Does using BSL or FSL mean my project isn’t “open source”?

Technically, yes. The OSI hasn’t approved SSPL, BSL, or FSL as open source licenses. But in practice, most developers consider source-available licenses “open enough.” The distinction matters for enterprise procurement teams—some companies have strict policies requiring OSI-approved licenses.

Will AI training use cases really affect how I license my project?

They already do. Several popular npm packages have added license clauses specifically prohibiting use for “training artificial intelligence models without express permission.” You can enforce this through copyright law in most jurisdictions, though enforcement is still messy.

What’s the safest license for a new open source project in 2026?

If you want real protection and broad adoption, use Apache 2.0 with an “Additional Use Grant” that excludes competitors and AI training. If you want simplicity and don’t care about commercial exploitation, MIT still works. Just don’t assume MIT protects you—it doesn’t.
