
TIMO ZIMMERMANN

balancing software engineering & infosec

Sentry and the Business Source License

posted on Friday 8th of November 2019

One of my go-to tools for nearly every application, Sentry, changed its license to the BSL, as CockroachDB did some time ago. This obviously sparked a discussion about Open Source Software and sustainable business models, and, as expected, there was someone claiming Sentry got big on OSS and is now betraying everyone. Armin Ronacher posted a good take on the whole situation, which is also worth reading.

Personally, I appreciate Sentry moving to a license which protects the company from AWS and the like. The chance that they simply start offering a hosted service at a price a sustainable company cannot compete with is too high – and we have seen this happen over and over in the past. Having some protection and a sustainable business means the software will continue to exist, evolve and serve me well. And the fact that after three years the code transitions to an Apache 2.0 license makes the whole thing even better.

Open Source hardliners rightfully claim that Sentry cannot be considered OSS anymore, and I agree. Sentry is quite open about it too, even if they try to sugar-coat it in half a sentence.

Although we’ve come to refer to the BSL as eventually open-source since it converts to an OSI-approved license at the conversion date, due to the grant restriction, it is formally not an open-source license.

Sentry announcement post

But the impact is what I am interested in, and it basically does not exist. I can still self-host Sentry. I can still look at the code if I run into some strange bug I cannot explain – looking at you, SAML and Google SSO integration. I appreciate and support OSS as best I can, but I also understand the business interest in protecting a company and making sure the development of a project which grants users so much freedom is done in a sustainable way. SaaS and hosted services changed the game for OSS, but we have only started to see reactions to this change in the last few years.

There is only one part I strongly disagree with.

The BSL lets us hit our goals in a clean and low-impact way: it won’t change anyone’s ability to run Sentry at their company

Sentry announcement post

Most companies I have worked with had a set of permissible software licenses. This means that any library or software released under one of these licenses can be used – obviously with some common sense and most likely some form of internal approval from the engineering team or leads – without additional legal approval. One of the most straightforward approaches I have seen is approving all licenses which can be included in an ASF project.

With the BSL not meeting this criterion, many teams will now need their legal department to review the BSL and explicitly approve it. Depending on the company size and the legal team, this can become a multi-month process. A painful multi-month process. This is a side effect which hopefully is only a temporary problem. At some point the BSL will likely become common enough that lawyers know about it and have a good understanding of the intent and reasoning, so approving it becomes as straightforward as approving an MIT license.

After reading some of the discussion I feel like I should add that I do not believe in a secret agenda. “They try to push people from self-hosting to their expensive hosted service.” Yeah… Just no. There would be far better ways to do this. The only difference is, worst case, some approval process you have to go through. This would actually be the worst possible execution of such a plan, and having talked to some people from the Sentry team I am certain they would not be too stupid to execute such a plan properly if they wanted to.

OSS projects with a commercial offering need a way to protect their company and income. In my opinion Sentry is doing this in the best possible way, especially since it hardly changes anything for its current and future users. The only thing I would advise you to do if you self-host Sentry is to run the BSL by your legal team for approval. Otherwise the next audit might involve some unnecessarily unpleasant conversations.