惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
人人都是产品经理
人人都是产品经理
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
N
News and Events Feed by Topic
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
V
V2EX
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
小众软件
小众软件
A
Arctic Wolf
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
G
GRAHAM CLULEY
罗磊的独立博客
T
Tor Project blog
C
Cisco Blogs
美团技术团队
博客园 - Franky
月光博客
月光博客
博客园 - 三生石上(FineUI控件)
T
Threat Research - Cisco Blogs
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
有赞技术团队
有赞技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Security Latest
Security Latest
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
Spread Privacy
Spread Privacy
J
Java Code Geeks
C
CERT Recently Published Vulnerability Notes
大猫的无限游戏
大猫的无限游戏
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
阮一峰的网络日志
阮一峰的网络日志
雷峰网
雷峰网
Project Zero
Project Zero

Danb Blog

Cheaper Sodastream Gas with a Big Tank June 2026: What I've Been Working On · Danb Blog Running Snyk On Forgejo/Codeberg Actions · Danb Blog Tuta & Proton: An Open Source Client Does Not Result in an Open Source Service · Danb Blog May 2026: What I've Been Working On · Danb Blog 3D Printing Parts for my Greenhouse, Round 2 · Danb Blog Great Devices: Nexus 7 2013 · Danb Blog R36S Console RetroArch Stuck Menu Issue · Danb Blog April 2026: What I've Been Working On · Danb Blog Basic OpenCode Sandboxing with Docker · Danb Blog Games Played in 2025 · Danb Blog March 2026: What I've Been Working On · Danb Blog Shivam Mathur's "node-docker" Images are Awesome for PHP CI · Danb Blog February 2026: What I've Been Working On · Danb Blog Your BookStackApp project was assigned as a project for my Software Architecture course · Danb Blog My Sovol SV08 3D Printer Setup in 2026 · Danb Blog January 2026: What I've Been Working On · Danb Blog Epson Printer: The administrator password you entered was not recognized · Danb Blog Pressure to Follow Process · Danb Blog Online Shopping Email Notifications · Danb Blog My HomeLab Setup in 2026 · Danb Blog Linux Label Printing with the Phomemo D30 · Danb Blog Reporting to the CMA: Google Android Developer Verification · Danb Blog OPNsense & Dnsmasq: Responding with specific DNS servers · Danb Blog An Impromptu Introduction to ZFS Drive Replacement at 1am · Danb Blog Experience with UK Medical Cannabis for Ankylosing Spondylitis · Danb Blog Copyright Takedown for Linking to the "State of Open Source" Report · Danb Blog No, Gumroad Did Not Become Open Source Today · Danb Blog Scripting Monitors (KDE on Fedora) · Danb Blog Amber flags in Open Source & Self-Hosted Projects · Danb Blog LLMs are Directing Open Source Licensing · Danb Blog Games Played in 2024 · Danb Blog Common Misconceptions of the AGPL · Danb Blog Adapting GitHub action PHPUnit tests for Codeberg/Forgejo · Danb Blog Lessons from the Allotment · Danb Blog Futo, Please don't attempt to create your own Open Source Definition · Danb Blog Material You (Dynamic/Adaptive) Colors in Legacy Android Apps · Danb Blog Scripting Monitors (Gnome & Wayland on Fedora) · Danb Blog Retaining a Greenhouse Roof with 3d Printing · Danb Blog Games Played in 2023 · Danb Blog Lessons From Growing Food Indoors · Danb Blog Why the Distinction Between "Open Source" and "Source Available" is Important · Danb Blog Raspberry Pi Camera Module 3 Timelapse · Danb Blog Removing the Rear Seats on a Volvo C30 · Danb Blog Reporting Google's WEI to the CMA · Danb Blog Controlling Default GRUB Boot Option via USB · Danb Blog Creating a Video Home for FOSS Projects · Danb Blog Paying for Search · Danb Blog My Favourite Static Site Deploy Method · Danb Blog PhpStorm (JetBrains IDE) 2023 Linux Scaling · Danb Blog Synology Hibernation with Active Backup for Business and Tailscale · Danb Blog My 2023 HomeLab Setup · Danb Blog Redefining Open Source via "Commercial Open Source" · Danb Blog Moving to Mastodon · Danb Blog Gaining Sponsors · Danb Blog "This is a Low Maintenance Project" · Danb Blog Upgrading my CPU, Ryzen 2600 to 5800x · Danb Blog Migrating Google Photos to my Personal NAS · Danb Blog Scheduling Proxmox Storage to Reduce Disk Activity · Danb Blog Why the Term "Open Source" is Important · Danb Blog Lessons From Working for Myself (9 Months In) · Danb Blog Misrepresenting Open Source for Business Benefit · Danb Blog Cat Images in WebP · Danb Blog My 2022 Workstation Setup · Danb Blog Leaving my Job to Focus on Open Source (For a bit) · Danb Blog Quickly Getting Placeholder Images With Unsplash Source · Danb Blog A Thanks to Laravel for the LTS Releases · Danb Blog A Quick Overview of Unix-Style Permissions · Danb Blog The Power of currentColor · Danb Blog Dealing With Ankylosing Spondylitis Flareups · Danb Blog Hugo Verbose Dates With Suffixes · Danb Blog
Beware of Poison in the Source · Danb Blog
2024-10-24 · via Danb Blog

Bitwarden found itself caught in a spot of drama last week introducing non-free and non-open code into their desktop client. I don’t use Bitwarden myself, but in a similar vein I remember they launched their “Passwordless” project as open source while under non-open terms.

This event got me thinking more about an increasing trend I’m seeing where projects are advertised as open source, but actually rely on non-(free or open source) code to build/run/function for their advertised value. I mention advertised value since some open source projects are built to depend on or use proprietary code (think OpenRCT2 for instance which requires a copy of the original Roller Coaster Tycoon 2) but generally, if I see a web application advertised as open source, I expect to be able to build/run that using code licensed in a way which meets the OSD and therefore provides open use, open modification & open distribution as a whole. I’ve written before about the why I think the “open source” term is important here.

To demonstrate this trend, I’m going to present some examples of web projects I’ve come across that each advertise as “open source”, while depending on their own non-open proprietary licensed code, while also showing responses from authors when this has been raised to them.

Note: I am not a legal expert by any means, and it’s possible that I have misunderstood how these projects are set-up (and I’d be happy to amend the below if so) but generally each of the below have had a response from the author which has indicated that assumptions, or tests regarding the license/build structure are valid. Additionally, I have nothing specifically against authors being able to choose licensing options to protect their own efforts, my main concern is when this is done in a potentially misleading or opaque way.

Formbricks

Website - ⭐ 8.3K - ⚖️ Mixed AGPLv3 - 💸 OSSC

I queried this on Reddit here, with my impression of the response being that this is done for convenience and not felt to be an issue. Responses included:

[…] So the EE licensed code is packaged into the Docker image but only gets activated with a valid license. […] (ref)

[…] if someone would like to deploy Formbricks without the EE licensed code, that’s definitely possible, it just requires a bit more work on their side […] (ref)

😂 (ref))

Cal.com

Website - ⭐ 32K - ⚖️ Mixed AGPLv3 - 💸 OSSC, Seven Seven Six

This was queried by a GitHub user squatica. Responses included:

[…] we never thought about being able to completely remove the /ee folder. (ref)

The EE folder is not meant to be removed. The license specifies on not using code from it. This decision was also made to avoid spending resources on having to develop and maintain two separate codebases. So as far a you don’t actively use enterprise features you would still be honoring the license. (ref)

On a Reddit thread where I had mentioned the used of mixed open/proprietary code a co-founder stated:

[…] - we are partners and work very closely with opensource.org (OSI – the organisation that knows the most about licensing and has the best reputation). Not only do they approve our project as open source, they are also using Cal.com for their own scheduling. […] (ref)

So I guess it’s okay, they’ve got OSI approval. I hadn’t heard about the OSI bestowing validation to specific projects like that so I did reach out to the OSI regarding this but failed to get a direct response to this (although I haven’t chased it up since initial messages in April).

Papermark

Website - ⭐ 5.2K - ⚖️ Mixed AGPLv3 - 💸 None found

I queried this on Reddit here where the author indicated that the non-open code was not needed, but did not follow up when I queried this again after attempting to build the project with the non-open code removed. Responses include:

[…] You are correct that we are providing a dual license product. However, instead of other projects that have a Pro Edition and Community Edition, we make all the source code available under different licenses. […] (ref)

[…] Correct, you can run the open-source application without the /ee/ folder. You can comply to our open-source license by deleting the /ee/ folder. […] (ref

Budibase

Website - ⭐ 22.5K - ⚖️ Mixed GPLv3 - 💸 SignalFire

I queried this in a GitHub discussion here but received no official response, but other users did report issues attempting to build the project from source.

Tolgee

Website - ⭐ 1.8K - ⚖️ Mixed Apache 2.0 - 💸 Flying Founders

UPDATE - 2025-03-11

Tolgee founder Jan has since reached out to advise they’ve addressed the below issues, which appears to be true from a look over the project, where there are now open stubs for non-open-parts and build checks in CI. Thanks to Jan and Tolgee for making improvements!

I queried this use of setting arbitrary limits in the code on Reddit here. The author responded with the following in regards to a user’s suggestion of a fork:

Go for it. Just heads up: Remove all the ee code, before you do that. (ref)

When I queried the relied upon “ee” code in response to that, they stated:

Yeah, you would have to fix these issues. (ref)

Documenso

Website - ⭐ 8.3K - ⚖️ Mixed AGPLv3 - 💸 OSSC

I queried this in a GitHub discussion here and am yet to receive a response but this was only opened a few days ago so they may have just not found the time to respond yet.

Why does this matter?

In most of these cases the companies encourage/allow free use of their software regardless of these mixed sources, so you may wonder why this matters. In my view, this matters for the following reasons:

  • Users may be thinking they’re using/depending on open source software, since it’s advertised as such, without knowing they’re using/relying on code under more complex/limited terms that do not afford open rights of use, modification & distribution.
  • The deeper this runs, the harder it could be for users to exercise their rights of open source to fork a project away to new leadership & authors.
  • Users may not be aware that in many cases they’re technically agreeing to comply with additional terms and requirements.

Thoughts

I included the GitHub star count for these projects since many portray or use these as a sign of reputation and/or maturity, but I wanted to indicate that even highly-starred popular projects can have this kind of unclear licensing mix in play.

You’ll also note that many of these projects use and are distributed under the label of the AGPLv3, an often misrepresented & misunderstood license. This can bring into question the validity of mixing licensing terms in a lot of cases here, since section 7 of the AGPLv3 license allows removal of many additional terms:

All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term.

This may mean that in many scenarios users could just ignore the extra “enterprise” license terms, making them redundant, but doing so may introduce legal questions & risk since it’s likely against the author’s wishes (and potential lack of understanding in regards to their own license).

Within this list I also included the main investors I could find from a quick search. From my experience, most licensing confusion I come across have some VC/financial backing, although I haven’t yet assessed if that’s just bias towards the communities I watch & see projects advertised within.

We do see OSS Capital as a common thread here. Again, this could be some selection/market bias but it’s potentially an indicator of shared strategy between projects, OSSC strategy for achieving “commercial open source”, or lax attitude to open source in general. Another thread is that all of these, apart from Budibase, are part of the “OSS friends”, an initiative by Formbricks to gain backlinks for SEO, which may indicate these patterns & ideas for licensing spread within communities as projects take notes from eachother.

UPDATE - 2025-03-11

Joseph Jacks, founder of OSS Capital, did reach out to me in November to state they don’t heavily influence their companies’ strategy here.

Overall, it’s up to users to consider how important these licensing scenarios are to their usage, but unless you’re a licensing pedant like me it might be hard to know that such license mixes are at play in “open source” advertised software. I think in most of these cases it’s done due to not thinking it matters relative to the effort of properly organising/building/distributing an “open core”/mixed-license codebase but the negative impacts are not on the authors, but on the users, although it can go unnoticed to users until the time it matters.


Updates

  • 2025-03-11: Added notes about improvements made by Tolgee, and added a note regarding OSS Capital based upon the feedback from Joseph Jacks.