MongoDB, the developer of a popular document-oriented distributed database server by the same name, has updated the open source license that applies to versions of its software published after October 16, 2018.
Previously, the MongoDB software was licensed under the GNU Affero General Public License v.3 (“AGPLv3”), which is a “strong copyleft” license. Strong copyleft licenses, among other things, require that the source code for the licensed software (including any modifications) be made available to the public, typically when the software is distributed to third parties. AGPLv3 goes further than other strong copyleft licenses in that the obligation to make source code available is triggered not only when the software is distributed, but also when it is accessed over a computer network, such as the Internet.
In an apparent response to attempts by users of MongoDB to architect their services so as to avoid the obligation to make their source code modifications available under AGPLv3, MongoDB has created a modified version of AGPLv3 (see here for a redline comparison) with broader disclosure and licensing obligations. The new license is called the Server Side Public License v.1 (“SSPLv1”).
SSPLv1 differs from AGPLv3 in two primary ways.
- First, the copyleft effects of SSPLv1 are triggered not just when a user interacts directly with the software over a network, as in AGPLv3, but whenever the functionality of the software is made available to third parties as a service, including by (a) offering a service “the value of which entirely or primarily derives from the value of the” software, or (b) offering a service “that accomplishes for users the primary purpose of the” software. SSPLv1 § 13. This change appears to target companies that run MongoDB as a service, but behind a thin API or similar middleware layer such that customers do not access MongoDB directly over a network.
- Second, SSPLv1 also requires the licensee to make available the source code for all programs “use[d] to make the Program or modified version available as a service.” SSPLv1 § 13. This obligation extends to any “management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software” used in making the licensed software available, “such that a user could run an instance of the service using” that source code. SSPLv1 § 13.
According to TechCrunch, MongoDB stated that it adopted the new license in response to it being “too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community.” This resonates with the stated intent of strong copyleft licenses like GPLv3 to ensure the development and perpetuation of an intellectual property “commons,” consisting of software that can be freely (i.e., with freedom, but not necessarily without cost) reused, modified, and redistributed without fear of violating third party intellectual property rights. AGPLv3 was specifically designed to close a loophole in GPLv3 that allowed users of GPLv3-licensed software to make the software and their modifications available as a service (i.e., Software-as-a-Service) over a network, which is not a distribution that would trigger GPLv3’s obligation to make the source code for their modifications publicly available. By one view, SSPLv1 is a logical extension of this philosophy, ensuring that those who benefit from use of the MongoDB software remain obligated to contribute their improvements to the software back to the open source community.
On the other hand, while the development of a digital commons has undoubtedly fostered the development of the technology industry, copyleft licenses have also created significant concerns among commercial entities that wish to preserve the proprietary nature of their software, who fear that if their employees combine open source software that is licensed under a copyleft license with the companies’ proprietary software, the open source license may compel those companies to release their proprietary software under the open source license. Some companies, including MongoDB, offer paid commercial licenses to the same software that they otherwise make available under copyleft licenses, to allow companies to avoid this concern.
Companies previously using MongoDB under AGPLv3 may wish to examine their use of the software under SSPLv1, in order to evaluate whether they are comfortable with the new SSPLv1 license. If not, alternatives are to obtain a commercial license from MongoDB as noted above, or to switch to a different database platform. MongoDB says that the SSPLv1 license applies to both new versions of the software and any patches to existing versions of its software, where such new versions or patches are released after October 16, 2018.