Elastic didn't really relicense ElasticSearch. It forked it.

🧵 A thread.


There's a lot of talk in the open source community about the cost of forking.

- "Forking is best avoided."

- "Forking is a last resort option."

- "Forking is like a nuclear weapons. It's a defensive threat."

Forking is seen as impractical and extremely expensive.

And that's a Really Good Thing(tm).

It's a forcing function for figuring out solutions that are broadly acceptable across the community.

The thing is, the cost of forking is mostly a function of three things:

1⃣ the size of the community that you can bring along with you,
2⃣ whether you need to rename your fork (who owns the trademark), and
3⃣ how much infrastructure you need to rebuild.

When that "community" is your employees, when you own the trademark, and control the infrastructure, then forking is really cheap. You just tell your employees to now contribute to your new fork, and you're done.

So the whole forcing function that the threat of forking has on the community is essentially lost. You don't get your way, and you fork.

Of course, with GPL, you can't just fork and close-up the source code, unless you've secured re-licensing right from all of your contributors. This is why the GPL+CLA combo is so prevalent with FOSS vendors.

With permissive licenses, there is no such need. You can literally embed the software into anything that is proprietary. As long as you give proper attribution and keep the open source license around FOR THAT PART OF THE CODE ONLY.

No one can stop me from forking Node today and releasing it as proprietary software.

What I can't do however is:

1⃣ move all of its community to contribute to my proprietary fork overnight,
2⃣ use the "Node" trademark, and
3⃣ leverage all of the existing infrastructure that isn't mine.

So the problem with Elastic forking ElasticSearch isn't the CLA, or its new license.

It's that it:

1⃣ *is* the community,
2⃣ owns the trademark, and
3⃣ controls the infrastructure.

So from the very start, none of what would have made forking costly was ever an issue for Elastic. At any point in time, Elastic could have forked at practically zero cost.

Of course, that's a powerful weapon and an incredible power imbalance in a community.

A key element of community stability (the shared threat of forking) was lacking from the get go.

The lack of open governance, of community trademark ownership, and of a genuine community of contributors beyond Elastic employees, are at the heart of the problem.

Folks like @beep and @adactio have started calling this "nominally open source."

I think it's more "Schrödinger open source."

Despite the license, you don't really know whether it is open source or not until you open the envelope and find out the cat is dead. 😿

With that framing in mind, ElasticSearch was never really open source. It was always in this unstable, "quantic" state of being both open and close, up until a decision was made and it was no longer open.

I've said it before and I'll say it again. We really need to start looking beyond licensing to understand open source and really assess the risk of buying into an open source project.


Licensing clearly is a factor, but community health, governance, and trademark ownership are just as important.

It's time we truly recognize this.


More from Tech

Recently, the @CNIL issued a decision regarding the GDPR compliance of an unknown French adtech company named "Vectaury". It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today's adtech. It's thread time! 👇

It's all in French, but if you're up for it you can read:
• Their blog post (lacks the most interesting details):
• Their high-level legal decision: https://t.co/hwpiEvjodt
• The full notification: https://t.co/QQB7rfynha

I've read it so you needn't!

Vectaury was collecting geolocation data in order to create profiles (eg. people who often go to this or that type of shop) so as to power ad targeting. They operate through embedded SDKs and ad bidding, making them invisible to users.

The @CNIL notes that profiling based off of geolocation presents particular risks since it reveals people's movements and habits. As risky, the processing requires consent — this will be the heart of their assessment.

Interesting point: they justify the decision in part because of how many people COULD be targeted in this way (rather than how many have — though they note that too). Because it's on a phone, and many have phones, it is considered large-scale processing no matter what.

You May Also Like

Making a thread of makers & entrepreneurs who inspired me, and what they taught me.

Strong marketing game, super hard work, can stream for 24 hours and currently leading a new streamer movement with the #24hrstartup challenge.
Make it bigger than yourself.
👉 @thepatwalls

Made the awesome
https://t.co/lBYn9nP3KJ which works perfectly and saved me hours and hours.
Make a simple, helpful product.
👉 @gvrizzo

Making the stylish @threader_app looking for maximum integration with Twitter (it might even become part of Twitter one day...)
Raise the bar for quality, look for seamless integrations.
👉 @marie_dm_ + @yesnoornext

Successfully monetized a tiny social network @wip without screwing his users, focusing on the maker community.
A small engaged community is enough.
👉 @marckohlbrugge