Why we’re changing to the AGPL license

286 points by markosaric over 4 years ago

25 comments

emptyparadise over 4 years ago
> This is the best way to future-proof the project against bad actors, including ourselves if we become evil at some point. By allowing open source forks and competitors to exist, we are opening ourselves up to healthy competition and accountability from the open source community.

Major respect for recognizing that and not doing anything like dual licensing or CLAs (at least as far as I can tell).
jlgaddis over 4 years ago
> *The change will affect corporations that want to take our code and use it to create and sell proprietary tools that directly compete with us.*

Yes, folks, if you don't like the idea of a corporation taking your ("software-as-a-service") code and using it to create and sell proprietary products, then maybe *don't license your code under the MIT License* (or any of the others which *explicitly* allow exactly that)!

I apologize for stating something that's common sense but apparently, as they say, "common sense ain't so common".

The MIT License is my preferred Open Source License but the AGPL is completely acceptable, too. In fact, if you (intend to) form a legal entity and sell your code as a SAAS product, the MIT License is quite likely *NOT* the license you should choose!

I don't blame these guys a bit for switching to the AGPL now but I can't stress enough that selecting the proper open-source license is an important decision for any "serious" project. Please make sure that you understand exactly what the terms of your chosen license *really mean* before you decide on it -- and if your stated goal is to "grow a sustainable open-source project", well, the MIT License (and similar) is almost *certainly* not the best choice.

--

*ETA:* Also, props to Plausible for choosing the AGPL as the license going forward. As mentioned, going closed source would have been the "easy choice". Alternatively, you could have selected something like the "Commons Clause" or one of the other recent "open-source but not actually open-source" licenses. In my opinion, the AGPL was absolutely the best choice. I've never used your product -- or even heard of it before now -- and probably never will but thank you for your contributions to open-source nonetheless!
mtlynch over 4 years ago
One downside they don't mention is that the license restricts who can contribute to your project.

When I worked at Google (2014-2018), it was easy to get permission to contribute to open source projects as long as the license was BSD, MIT, or Apache 2.0. The more restrictive licenses like GPL 2 or AGPL, I think Google either flat out denied or you had to do a lot more work to get permission.

Now that I work for myself, I much prefer not having to ask anyone for permission to contribute to open source, but I generally default to MIT/Apache2 unless I have a reason to do otherwise, out of consideration for employees at Google or other corps who may want to participate in my project.
tziki over 4 years ago
As someone who's been trying to figure out a good open source license for my software, I've had to remove AGPL from consideration. This is because I want companies to be able to use the software for their internal use but not be able to create a user-facing product out of it.

For AGPL, anything it links to must also be AGPL licensed. If a company such as Microsoft wants to use my project internally, they'd be taking on a huge liability. Does this mean any project that depends on my project needs to also be AGPL licensed?

Further, the terms on AGPL are somewhat vague in a good-hearted attempt to prevent exploitation. What counts as 'use over a computer network'? If Microsoft developers use network disks to access my software are they screwed?

For now I'm (somewhat unhappily) considering MIT the only option.
sudhirj over 4 years ago
Just to be clear, the AGPL still allows a company to take the software as-is, without any modification whatsoever, and run it for their customers as a hosted service, right? That's why MongoDB had to add a new clause into the AGPL and make the SSPL? Why didn't Plausible go straight to SSPL?
enriquto over 4 years ago
I'm really happy to see my favorite license get more and more widespread usage! There's already quite a few "famous" free software packages using this license. Go, AGPL!
karterk over 4 years ago
I was faced with the GPL vs AGPL dilemma when I started working on Typesense (https://github.com/typesense/typesense):

I wanted to protect future potential commercial interests without stifling the spirit of open source collaboration and development.

I asked around for advice and eventually just chose GPL over AGPL because a lot of legal teams seemed allergic to AGPL and some companies even had a blanket ban on it.

I also thought that the greatest risk for my project was not an existing or future competitor: it was death by obscurity. To that end, I did not want to slow down adoption by choosing a license that screamed "$$$" or made somebody's legal team uncomfortable. In any case, if a big company wants to copy you, they will and can with the resources they can throw at it.

On the other hand, there are popular projects that do use AGPL (MongoDB) so it might not be that big of a deal in the real world :)
jph over 4 years ago
Good choice IMHO and good explanation of your learning curve, and how to create the values you want. The AGPL and GPL are both well worth a look if you're building a software project. Similar to the authors, I recently helped a group move from MIT to GPL-2, for the same kinds of reasons: open collaboration among all users.
DoreenMichele over 4 years ago
*We’ve had approaches from large corporations that want us to help them so they can sell Plausible Self-Hosted to their tens of thousands of clients without wanting to contribute anything to our project. They offer publicity in return.*

Something that needs to be said a great deal more frequently than I see it being said: Corporations are *not* your friend and they routinely prey upon smaller entities, chew them up and spit them out. This is par for the course. It is not some weird anomaly.

I have never gotten around to successfully putting together a compendium of examples, which frequently frustrates me because it seems fairly hard to google (at least for me) when I want to talk about this and post an article or two to support my assertion.

Small shops routinely talk like getting "some big client" is the small business equivalent of "winning the lottery." Oh, my god. This is generally the exact opposite of the truth.

Small businesses routinely learn this the hard way and many of them either actually go out of business or get smarter and harder just in time to merely have a near-death experience, business-wise.

Small businesses routinely have to change their policies after their first brush with being screwed by some large company.

This is the norm. This is the norm. This is the norm.

This is not some weird anomaly. This is not because you did something stupid or naive. This is how big companies become and remain big companies in far too many cases.

I'm not trying to vilify big companies. Doing business means dealing with *the public* and making money at it and that's what they know how to do.

I worked for a time at a Fortune 200 company. It was a growth experience and I don't regret working for them and I don't think they are evil.

But when you leave your little cocoon of friends and family and venture forth into a relationship to The Public, this is what you run into and that's their forte. So learn from them. Grow. And, yes, spread the word because more individuals need to hear this early and often so fewer small businesses get eaten.

I think we have a top-heavy system and we need to do more to protect the survival of small shops and medium shops and micro shops. The degree to which big companies prey upon those companies is part of why our economy is so unstable.
pimterry over 4 years ago
With my open-source product I'm in a very similar place, and I do _mostly_ the same thing.

My product (https://httptoolkit.tech) is a debugging proxy app. The codebase is broken up into a few modules: a desktop shell, a UI, a backend component for the UI, plus a standalone proxy library and a bundle of smaller libraries that do everything from detecting & launching browsers to reparent react components around the DOM (if you're interested, they're all on github: https://github.com/httptoolkit/).

All of this is open-source, with some premium features behind a subscription (but even those are open-source, it's just you'd have to fork it to remove the subscription checks, and it's not worth the time of any professional to maintain their own fork of the whole project).

The core product is AGPL, but nothing else. More specifically, product-unique components are AGPL (the UI, the backend, etc) where there's no clear case for ever reusing them other than duplicating/forking the product, but everything else is kept under permissive licenses, mostly Apache 2. This is mainly because AGPL really limits practical freedoms in business contexts: It's harder to get sign-off to contribute to (A)GPL libraries, even in a one-off script nobody wants to risk using an (A)GPL library and it would become much harder to find contributors.

So far I've found this has worked pretty well for me, and I'd recommend it to others, including Plausible. Put only the core product-specific components under AGPL, but keep everything that might be useful to somebody building a completely different product under more relaxed licenses wherever you can to ensure you can fully engage with the open-source community.
ksec over 4 years ago
Unfortunately there are lots of companies with Zero AGPL policy. I remember there were some BSD/MIT + No Business Clauses license.

I wonder if Plausible discovered someone else selling software based on their code?

Although my guess is that it shouldn't matter much? Most people would want Hosted Analytics. So Open Source is only there for insurance.
echelon over 4 years ago
The AGPL was a good defensive extension of the GPL, but the landscape has shifted and it's falling behind. We need an AGPL++.

AGPL tries to target hosted services, preventing cloud companies from taking open source components without contributing anything back.

But you know what the AGPL misses? Our data.

We need open source licenses that require the systems that make use of them to provide data export and the right to be forgotten. We should encode the GDPR into our licenses. This would prevent Facebook from taking open source and using it to lock away our data.

We should also fight back against embrace, extend, extinguish. Apple is trying to take over computing and prevent us from running our own software on our own devices. We should prevent them and anyone else trying to do this from using our software.

No right to compute on your platform? Fine. No rights to open source software.

We have to defend computing and open source, otherwise we'll all wind up using thin clients to access walled silos. And we'll be renting the access, too.
ystad over 4 years ago
> The change will affect corporations that want to take our code and use it to create and sell proprietary tools that directly compete with us.

I don't get why folks who are scared of competitors start with a permissive license in the first place. They could have easily foreseen this. Think about competition who have invested time and PRs back to this.
kevincox over 4 years ago
Note that this is very restrictive for some interpretations of the AGPL: https://opensource.google/docs/using/agpl-policy/

IIUC the intent was to ensure that modifications to Plausible are released as open source. However it isn't clear if this also affects tools that use an API or even just Plausible being used internally for a company.

The AGPL does have wording saying that in the case software is joined together only the original work has the AGPL requirement, however it is unclear what the difference is between modifications to the original work and other code that uses that original work.

FWIW this is non-specific enough that I am not completely comfortable using Plausible personally anymore. Of course your company's legal team may have a different opinion.
holtwick over 4 years ago
Why not EUPL? It is probably a good choice for a European based company and has comparable features. https://github.com/holtwick/briefing/issues/75
zokier over 4 years ago
Is the analytics script that's included in every page also AGPL? Does that mean that the combined work of page+script must also be AGPL? Or are they excluding it from the license change?
alien_ over 4 years ago
I did a similar move last year when I changed the license of my AutoSpotting project to OSL-3, after my MIT code was taken by two startups that built products using it without contributing anything to the development efforts.
MattyMc over 4 years ago
Does anyone know the details on switching licenses?

For example, how it affects previous versions? Can the copyright owner switch licenses at any time?

If there’s a resource on this I’d love to read more, too.
andi999 over 4 years ago
So tell me, this only applies to newer versions, doesn't it?
vsnf over 4 years ago
There are a few comments in this thread expressing distaste for dual licensing. Can anyone explain what the reasoning behind this might be?
sadfev over 4 years ago
AGPL is a fantastic license. Best for dual-licensing, you still keep your development in the open but you can monetize the code too.
marcan_42 over 4 years ago
It's too bad they went with the AGPL, which is a vague and problematic license. For example, by a strict reading, it would seem that you can make changes, add the relevant functionality to link to the changed source code, then stick a proxy in front that removes the link and be in the clear. It also seems you could give the modified version to someone, and they could offer a service based on it without forwarding the source offer to end users.

It's also unclear regarding upstreaming, and the "virality" of the source distribution requirement. As far as I can tell, for non-CLA projects, effectively there is no way for upstream to be exempt from the AGPL article 13 provisions, which means any AGPLed project that takes contributions needs to build in the source code offer functionality into the canonical version or else they'd be violating their own license (read: that of every other contributor, which is why this is a problem).

Additionally, unless the software is written so that it can package its own source as-running and distribute it to every user, using the AGPL puts your users at risk unless you make it a proper click-through license that users must agree to before usage. Due to its nature, the AGPL is an EULA, not a free software copyleft license. Unlike other open source licenses, it is not a mere copyright license. Users need to be aware of its provisions, as they are liable for violations not strictly only by distribution, but also if they just *run* AGPLed software and happen to make a trivial modification, like editing a single template. This is, in concept, going into the "you shall not run this software on more than X cores" proprietary territory, because it makes the critical change of imposing requirements *outside* of distribution, so users need to be aware of it just like they need to click-through proprietary EULAs.

The AGPL really is not a good license. I wish people would stop treating it as a magic cure for the "SaaS loophole". Using it has deep consequences for your users and how the software must behave, and it isn't legally tested in a way that guarantees it even will protect you how you think it will. I hope people using it know what they're getting into.

Here's a personal example of an AGPL problem, and how I violated it (as far as I can tell) by doing nothing out of the ordinary. I run dspam on my mail server. dspam is AGPLed (I did not know this). I use Gentoo Linux, so I just installed it, but due to politics/inertia Gentoo considers the AGPL as default-accept (which is supposed to be reserved for licenses that are free enough that users need not be concerned about), so I was not prompted to accept it during package installation (like I would have for proprietary packages). Unfortunately, Gentoo is a meta distro. They also carry patches for dspam. This means that by installing dspam, *I* was patching dspam and compiling it, thus triggering AGPL Clause 13. This means I was liable to make dspam source offers to all my users. Unfortunately, the definition of "user" is unclear, and it could encompass "anyone who sends me email through SMTP which gets delivered through a dspam filter" (or at least "anyone who has an inbox filtered with dspam", which includes a few other people on my server). Obviously I was unaware of all of this, and did nothing other than "emerge dspam" and configure it. So now I have potentially violated the AGPL (as have all Gentoo dspam users).
DreamScatter over 4 years ago
Several of my repositories are AGPL also

https://github.com/chakravala/Grassmann.jl
eznit over 4 years ago
"We have relicenced our software under a more restrictive licence" does not seem like something to celebrate.
kyaghmour over 4 years ago
I've come to view use of AGPL as an admission of failure or proof of lack of understanding of how to build a business around open source software. While AGPL is sold as a means for protecting against abuse of a party's good-faith open source work, it de facto signals a transition to a bait-and-switch business model. Most large companies do open source to commoditize the cost of non-differentiating software. How you create value over and above what large companies are already willing to do in such an ecosystem is tough, and few have been able to build a non-services-based value prop. Open source software contributions, be it directly through lead maintainership or indirectly through contributions to 3rd party projects, are best viewed as marketing. You have to have something else to sell.