Developers Burned by Elasticsearch’s License Change Aren’t Going Back, Despite Its Return to Open Source

Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.

Sarah Gooding

September 6, 2024


When Elastic, makers of the search and analytics engine Elasticsearch, abandoned their open source licensing in 2021, many developers were forced to migrate to alternatives that better aligned with open source values. In this case, similar to the recent Redis relicensing, Amazon became the unlikely champion of open source for those who wished to remain compliant and free from potential licensing conflicts.

This move forced a massive exodus to Amazon’s fork, OpenSearch, which had 496 contributors and more than 100 million downloads in its first year. The fork is more tightly coupled with AWS and benefits from being a native AWS solution, making it exceedingly difficult for Elastic to compete.

Meanwhile, Elastic worked to find success with its dual-licensed Elasticsearch (Server Side Public License (SSPL) and the Elastic License), which the Open Source Initiative (OSI) called a “fauxpen” source license at the time, saying that Elastic “threw its cards in.”

Elastic stabbed back by making client libraries incompatible with OpenSearch, which drove a further exodus to the Amazon-backed open source fork. OpenSearch responded by committing to creating a set of new client libraries after Elastic began narrowing access so that its open source libraries would only allow applications to connect to Elastic’s commercial offerings.

“Looks like Elastic has sucked all the benefit they could from open source and is now spitting out the bones,” OSI Director of Standards and Policy Simon Phipps said at that time.

Elasticsearch Returns to Open Source Licensing

It’s been one week since Elastic founder and CTO Shay Banon announced Elasticsearch’s return to open source in a bizarre post with sections titled after Kendrick Lamar songs. In the coming weeks, Elastic plans on adding AGPL, an OSI-approved license, as another option alongside the non-open source ELv2 and SSPL. The AGPL is a copyleft license that ensures modifications and derivative works remain open, which essentially discourages proprietary forks.

“We never stopped believing and behaving like an open source community after we changed the license. But being able to use the term Open Source, by using AGPL, an OSI approved license, removes any questions, or fud, people might have,” Banon said.

The post, which refers to Elastic’s critics as “trolls,” explains the reasoning behind the decision to abandon open source licensing three years ago:

We had issues with AWS and the market confusion their offering was causing. So after trying all the other options we could think of, we changed the license, knowing it would result in a fork of Elasticsearch with a different name and a different trajectory. It’s a long story.
The good news is that while it was painful, it worked. 3 years later, Amazon is fully invested in their fork, the market confusion has been (mostly) resolved, and our partnership with AWS is stronger than ever. We were even named AWS partner of the year. I had always hoped that enough time would pass that we could feel safe to get back to being an Open Source project - and it finally has.

In response to critics who might say that Elastic is backtracking from a mistake, Banon claims the move away from open source had the intended effect.

“We removed a lot of market confusion when we changed our license 3 years ago,” he said. “And because of our actions, a lot has changed. It’s an entirely different landscape now. We aren’t living in the past. We want to build a better future for our users. It’s because we took action then, that we are in a position to take action now.”

On X, Banon clarified that Elastic’s decision to move away from open source licensing in 2021 was not about AWS reselling Elasticsearch but rather a matter of what they believed to be trademark infringement.

“The problem was never on AWS taking Elasticsearch and providing it, it was calling it AWS Elasticsearch and implying that it's their service (including stating it explicitly), it's a clear trademark infringement, but regardless of how much we tried, we had 1000 lawyers thrown at us,” he said.

Adrian Cockcroft, ex-VP of Amazon Sustainability Architecture, who helped pen AWS’ response to Elastic’s departure from open source licensing in 2021, commented on the most recent news with a different perspective regarding Elastic’s motivations.

“At the time we didn’t think a new license made sense, as AGPL is sufficient to block AWS from using the code, but the core of the issue was that AWS wanted to contribute security features to the open source project and Elastic wanted to keep security as an enterprise feature, so rejected all the approaches AWS made at the time,” Cockcroft said.

“There were several proposals made to Elastic at the time, but their attitude was that they controlled the project and didn’t want AWS to make big contributions to the open source distribution that would reduce their differentiation. They were also mixing licenses in the code base and deliberately making it hard for AWS to use.”

Too Little, Too Late: Elastic’s Return to Open Source Faces Community Skepticism

In multiple posts and threads across social networking forums on Reddit, Hacker News, Mastodon, and X, it’s clear developers who were burned by this decision have now moved on and do not intend to return to Elasticsearch.

“I’m glad to be off this roller coaster,” @supershinythings commented on Reddit. “Where I worked we ported everything OFF ElasticSearch to OpenSearch specifically to get out of the way of ElasticSearch exec’s random whims around licensing and redistribution. At any time they can just change their minds again. It’s pretty clear they can’t be trusted to keep the licensing terms friendly for customers.

“Obviously they want to monetize but this is NOT the way. Now that we’re entirely off ElasticSearch we have zero motivation to move back to ElasticSearch. As customers and potential sources of license revenue for advanced features, we’re OUT.

“I really enjoyed the ElasticSearch products but having to deal with corporate legal on the licensing changes and then having to pivot all our automation to handle OpenSearch means we now have NO compelling reason to return to ElasticSearch.”

Many others report being in the same boat, having recently migrated dozens of clusters to OpenSearch.

“Too late, IMO,” one Reddit user commented. “Last thing I did at my last job was stand down an elasticsearch cluster, and migrate all that search to an opensearch cluster. A major factor in that was this license kerfuffle. No way they're paying money to go back to ES.”

The threads are replete with short posts where developers expressed the inconvenience of having to move to a new solution when Elastic changed its licensing in 2021. The general sentiment is that there is no compelling reason to migrate back.

“Nope - don't care
Cost me a bunch of time fixing and migrating code when they pulled the plug.
So not going to trust ES again”
“LMAO!
Nope, all of my clients already moved to OpenSearch and I don’t think there are any reason we “have” to switch back to ES. Good luck to get another clients back…”

Others who contributed to the formerly open source Elasticsearch said the company broke their trust with the 2021 relicensing.

“I also don't think this will inspire a lot of companies or developers to start contributing changes to the Elasticsearch code base again; which is something that ground to a halt earlier,” FORMATION GmbH CTO Jilles van Gurp commented on Hacker News. “I saw my modest contributions under the Apache license being locked up behind this bullshit license and I learned my lesson: I'm never signing another contributor license again. My trust was violated. Not lifting a finger to help them.”

Van Gurp noted how OpenSearch has become the default solution for many developers and companies and predicts it will continue: “I don't see that changing in any material way because of this license change.

“It's interesting that they are doing this though because clearly they are feeling the pressure and basically people using the open source argument was cutting off their stream of new users. I consult in this space and OpenSearch has become the default choice for new users. It isn't even close. Why would you pick Elastic as a first time user? They don't even consider Elasticsearch because it's all closed source and proprietary and Opensearch does the job. I don't think this change is enough to change that.”

Elastic’s Dismissive Response Fails to Convince Developers

Developers responding to the news took issue with the flippant way the announcement was published, and some characterized the post as something that “Reads like an April fools joke.”

“Super weird announcement that lacks a clear motivation,” one Reddit user said. “And it makes the original non-Open license switch sound like a failed extortion racket against AWS.”

The unusual tone of Elastic’s announcement, sprinkled with Kendrick Lamar song titles, only deepened skepticism, leaving many developers unconvinced. It is a bewildering mix of defensive justifications and awkward enthusiasm. The references to "trolls" and Kendrick Lamar feel out of place, especially in the context of addressing a significant licensing shift, which was a massive disruption that negatively impacted many developers. The message reads as tone-deaf and disconnected from the frustrations of the community.

Some conjecture that this announcement, in which Elastic claims to have predicted this outcome, was written to conceal that they are losing adoption to the Amazon-backed fork, and will continue bleeding customers if they don’t go open source again.

“I think that when they made the original decision to change the license they thought their product had more pull than it really did,” @dangus commented on Hacker News. “They thought customers would leave Amazon’s managed product for their ‘superior’ product rather than Amazon’s ‘inferior’ fork. They thought people wouldn’t trust Amazon to have the expertise to continue development. In reality what customers wanted was a managed solution from their cloud provider, they didn’t really care if it was Elastic or not.”

Participants in the discussion on Hacker News are also not buying the claim that the relicensing has solved the issue of “market confusion.”

“The ‘market confusion’ bit has always struck me as disingenuous,” @skyhopper commented. “The market was never confused about who was offering the old AWS ‘ElasticSearch Service’ or what it was. Elastic's licensing shenanigans and the fork they forced AWS to create have introduced far more long-term confusion. It's certainly not the case that any confusion has been resolved by licensing the ElasticSearch code under three different licenses, all of which are unusual, confusing, and untested in various ways.”

Elastic's official press release says nothing about the motivation to resolve "market confusion" but rather focuses on future opportunities for Elasticsearch with the addition of this third license:

Adding AGPL will also enable greater engagement and adoption across our users in areas including vector search, further increasing the popularity of Elasticsearch as the runtime platform for RAG and building GenAI applications.

By adopting AGPL, Elasticsearch becomes a more attractive platform for building Retrieval-Augmented Generation (RAG) and GenAI (Generative AI) applications, which require efficient search capabilities. While these applications don't require open source licensing, open source projects typically see broader adoption, faster innovation, and stronger community support.

Participants in the discussion also noted that shares in Elastic N.V. plunged nearly 25% after Elastic CEO Ash Kulkarni warned of slower growth ahead in their 2025 first quarter earnings report:

“We delivered solid first quarter results, outperforming the high end of our guidance for both revenue and profitability, and we continued to see strong adoption of our GenAI offerings," Kulkarni wrote. "However, we had a slower start to the year with the volume of customer commitments impacted by segmentation changes that we made at the beginning of the year, which are taking longer than expected to settle. We have been taking steps to address this, but it will impact our revenue this year."

OSI Applauds Elastic's AGPL Shift as a Win for Open Source

Casual bystanders welcomed this change, grateful to see more open source in the world.

"By 'market confusion' I think he means the trademark disagreement (later resolved) with AWS, who no longer sell their own Elasticsearch but sell OpenSearch instead," Django Web Framework co-creator Simon Willison commented on the news.

"I'm not entirely convinced by this explanation, but if it kicks off a trend of other no-longer-open-source companies returning to the fold I'm all for it!"

Despite its strong criticism of Elastic's license change in 2021, OSI was equally gracious in applauding Elastic’s decision to return to open source. In their latest newsletter, OSI’s Executive Director, Stefano Maffulli, commended the move, emphasizing the importance of strong copyleft licenses that both protect user freedoms and maintain project control by developers.

“This decision is confirmation that shipping software with licenses that comply with the Open Source Definition is valuable—to the maker, to the customer, and to the user. Elastic’s choice of a strong copyleft license signals the continuing importance of that license and its dual effect: one, it’s designed to preserve the user's freedoms downstream, and two, it also grants strong control over the project by the single-vendor developers,” Maffulli said.

“We’re encouraged to see Elastic return to the Open Source community. And who knows... maybe others will follow suit!”

Maffulli appeared to be hinting at Redis, which broke its explicit commitment to remain under the BSD 3-Clause License forever, angering contributors who successfully forked the software earlier this year, backed by Amazon.

AGPL’s Rising Popularity Among Open Source Projects

AGPL is having a renaissance, and is currently used at companies like MinIO, Grafana, Citus, and Quickwit. ParadeDB recently published a blog post about why they chose the AGPL license from day one. The startup created ParadeDB as an open-source Elasticsearch alternative built on Postgres. They adopted the AGPL as a future protection for building a sustainable business on top of open source.

“We wanted to protect our IP from cloud vendors early on so that we would never need to relicense,” ParadeDB co-founder Philippe Noël said. “Our users should trust that our project will stand the test of time, so they can feel comfortable adopting it for the long term.

“We wanted our project to be true open-source with a license approved by the Open Source Initiative (OSI). We believe that approved licenses incentivize developers to contribute to a project. On the flip side, we've seen many projects that start with an unrestrictive license but switch to a more restrictive license get forked, which fragments the project’s community.”

The AGPL seems to be working well for the startup as ParadeDB is now one of the fastest-growing open source database projects. Noël reported that they are working with several large cloud providers to integrate ParadeDB with their managed Postgres service. They are monetizing through support contracts and issuing commercial, non-AGPL licenses, which also contain a few closed-source enterprise features.

“We observed how Elasticsearch began with an Apache 2.0 license and relicensed years later, which led AWS to create the OpenSearch fork,” Noël said. “Today, OpenSearch has siphoned significant mindshare and business away from Elasticsearch. While this concern may not be applicable to all open source projects, we felt that it was particularly relevant to us since we are building an Elasticsearch alternative.”

In a recent essay On Open Source and the Sustainability of the Commons, Ploum (Lionel Dricot) advocates for using the AGPL in support of protecting the digital commons from exploitation by large corporations and ensuring that all contributors benefit from their work:

If you care about the commons, you should put your work under a strong copyleft license like the AGPL. That way, we will get back to building that commons we lost because of web services. If someone ever complains that a web service broke because of your AGPL code, reply that the whole web service should be under the AGPL too.
We were tricked into thinking that BSD or MIT licenses were "freer" like we were tricked into believing that building a polluting factory next to our local river would be "good for the economy". It is a scam. A lot of unpaid or badly paid developers would probably benefit from switching to a copyleft license but they use BSD/MIT because they see themselves as "temporarily embarrassed software millionaires".

It’s natural that a company like Elastic would want to protect its open source efforts and its ability to continue sustaining the software. There are nuanced corporate and strategic concerns at play here. Elastic’s return to open source licensing is worth celebrating, but the reason this announcement missed the mark is that it lacks a user-centric focus.

Free software prioritizes the rights and freedoms of users, not just the original creators and their corporate interests. Copyleft licensing ensures that anyone who modifies and redistributes the software must pass on the same freedoms they received. It’s about maintaining the open, collaborative spirit of free software, so every user can benefit from and contribute to the collective effort. In the end, free software is truly about empowering users to retain control and freedom over the tools they depend on.

After the massive disruption of the 2021 licensing change, many Elasticsearch users lost their sense of agency in using Elastic’s products and will be hard-pressed to trust this new bridge back to open source, as it appears to be more of a strategic move for Elastic than a genuine effort to empower and protect user freedoms.
