The exploitation paradox in open source


The free and open-source software (FOSS) movements have always been about giving freedom and power to individuals and organizations; throughout that history, though, there have also been actors trying to exploit FOSS to their own advantage. At Configuration Management Camp (CfgMgmtCamp) 2026 in Ghent, Belgium, Richard Fontana described the "exploitation paradox" of open source: the recurring pattern of crises when actors exploit loopholes to restrict freedoms or gain the upper hand over others in the community. He also talked about the attempts to close those loopholes as well as the need to look beyond licenses as a means of keeping freedom alive.

Fontana is a lawyer who is well-known as an expert on FOSS licenses. He has worked for Red Hat for much of his career, and now works directly for IBM since it absorbed Red Hat's legal department in early 2026. He said that this would be an unusual talk for CfgMgmtCamp, as it was not about configuration management—though he had provided legal support to people working on related projects such as Ansible and Foreman. He would not be speaking for Red Hat or IBM in his talk, however, though he said it did draw on his work experiences over the years. "I'm on vacation, seriously. I wanted to go to Ghent".

Infrastructure and freedoms

He said that he might look at open source differently than many in the audience, and that he had been struck by how there were periodic crises and disagreements related to "legal stuff going wrong". These periodic flashpoints are not totally random, he said; they have underlying features in common. The thing that varies over time is what he called the infrastructure. "I don't mean like 'servers', I mean the current state of play that software is situated in", from a technical, cultural, and social perspective. Basically, everything that shapes where power concentrates and how freedom can be exercised.

[Richard Fontana]

Our definitions of freedom are anchored to an earlier technological world, he said. For example, the Free Software Foundation's four essential freedoms (the ability to run, study, modify, and share software) all relate to the early days of software development. There is also "the other normative definition that doesn't use the word freedom", the Open Source Definition (OSD) by the Open Source Initiative (OSI). Those definitions can be thought of as sort of a constitutional foundation for open source.

Fontana observed that the "state of play that software is situated in", everything that is relevant from a technical, social, economic, and business perspective, keeps evolving. Each time that it does, there are new tensions and power dynamics that pop up; but the definitions that underlie our understanding of free software and open source stay the same. They have not been revised to change with the times. This is in part because the gatekeepers for those licenses ("and I've been one of these gatekeepers in the past") do not want to revise the definitions. In a sense, he said, open source is a conservative domain because it is tied to unchanging definitions even while other conditions do change.

When infrastructure changes, there are new opportunities to exploit open source—to exercise power, to create new business models, to make a profit—that did not exist previously. When that happens, people tend to reach for legal fixes to address the exploit, which in turn can create new control points. To illustrate, Fontana said he would walk through some of the history of open source to give examples, beginning with the first flashpoint: the invention of copyleft.

Copyright and copyleft

Originally, developers were able to share code because it was not obvious that copyright even applied to software. "All software was inherently free. It was a commons." And then it became clear in the late 1970s that copyright did apply to software after all. That was an infrastructure shift that made it possible to exert control over software by stopping people from making and distributing modifications to software.

Copyleft, in the form of the GPL, was a response to that new control point. "It, famously, uses copyright law to create a different type of license that tries to keep software free." It was a well-intentioned attempt to use a legal tool to improve conditions brought about by legal changes. But despite it being well-intentioned, it was controversial in software-developer communities, Fontana said. Even today there is still a schism between copyleft proponents and those who prefer permissive licenses, such as the BSD, MIT, and Apache licenses.

The GPL also opened up a new, unintended, control point in the form of the dual-licensing model. "And this is really interesting, because the GPL is designed to prevent software from being exploited through copyright." Dual licensing was used to make proprietary licensing effective by giving one party control over copyright, but not others. "You're the one copyright owner of a GPL-licensed code base and you provide a proprietary version for a fee." That, too, was controversial, but it took time for people to develop the vocabulary to explain why they were concerned about it, he said.

Instead of the motivations being to perpetuate the free software commons, you have people using the machinery of copyleft licensing in a certain sense to move code out of the commons. Even though, in a formal sense, it's still there, and there's nothing in the GPL that says this is wrong.

Dual-licensing is the first example of "a phenomenon that repeats itself throughout the history of open source. This feature is asymmetry." Anyone can exercise the freedoms under the GPL, but only one actor has the freedom to use proprietary licensing. To implement this asymmetry, the copyright holder needs to implement a copyright-assignment system or contributor-license agreements (CLAs) that give more power to the maintainer of the project.

SaaS loophole

The first attempt to use asymmetrical power in open source to make money "in a way that is somehow divorced from the ideals open source is founded on" was dual-licensing, but it was not the last. Businesses continue to use the freedoms granted by open-source licenses to "introduce new forms of scarcity in some way or another".

Fontana said that the audience had probably heard of what he called the Software-as-a-Service (SaaS) loophole, which "kind of breaks open-source licensing". In particular, it breaks the GPL and copyleft licensing, because the legal foundations of those licenses rest on distribution, which does not happen when the code is used in a SaaS context. "You sort of escape the intended obligation under the GPL even though you're doing things that are sort of similar to what distributors do". Since there is no binary distributed, the requirements in the GPL are not triggered. In a SaaS context, "the copyleft GPL software becomes equivalent to permissive-license software".

Once again, some people responded to this change with concern about the integrity of open source and an attempt to fix the problem. In particular, it led to the creation of the Affero GPL (AGPL), "sort of an attempt to patch the GPL", so that deployment of a service becomes a trigger for releasing source code. "I would argue that the AGPL was well-intended, but I don't know if I would say that it was well-designed to combat the problem it was created to deal with."

The AGPL is another example of trying to make a fix to a license when a problem emerges, but licensing does not solve the problem very well. In fact, Fontana said, the AGPL is often used by businesses in a dual-licensing context.

Brand identity

The value of open source as a brand identity is another sort of infrastructure shift; there is value in labeling something "open source", but it is problematic for the community because there is no way to protect that brand. The Open Source Initiative tried to trademark the term "open source" but failed to do so. That has led to various parties stretching the definition of open source, often toward more restrictions, "really stretching the normative foundations [of open source] or kind of entering into public conflict with them". Those parties have taken advantage of the ambiguity around what open source is, and turned it into an asset that can be monetized.

Open source has become a misused term, without any clear way to combat its misuse. "Open source became this valuable brand, and in some ways it became more valuable than the substance it was supposed to represent." One form of this that Fontana described is the creation of source-available licenses "mostly used by startups that got built up around a popular open-source project". The familiar narrative, after a few years, is that the startup does not like the way that people are using the freedoms they were given through the open-source licenses. For example, cloud providers can often operate services based on open-source projects better than the startups can, which leads companies to decide to use licensing against their competitors.

The source-available licenses are designed to look like open-source licenses, and the projects are often hosted publicly and allow some of the freedoms that users expect. Those licenses do not comply with the OSD, though, because they discriminate against at least one class of users. "They're ultimately sort of aimed at competitors, without saying, 'if you compete with us, you can't use this software.' They're not honest, in that sense."

Fontana used the example of HashiCorp switching its license from the weak-copyleft Mozilla Public License (MPL) to the Business Source License (BUSL). That license "basically says 'you can use this, but not in production'", and then converts to an open-source license after several years.

The BUSL is not the worst kind of source-available license, he said, and admitted he does not like source-available licenses, in part because they exploit confusion about what "open" means. If a person is not "really clued into this stuff", then they might be confused and misled into thinking it was open source. Sometimes companies will even continue referring to the project as open source, even while using a restrictive license:

There's no question that part of what gives power to these licenses, and the business models enabled by these licenses, is the existing confusion it is exploiting around what 'open' means and what 'open source' means. So source-available licenses just exacerbate some of these problems we've seen historically around asymmetry and so forth.

Around the same time source-available licenses became a problem, he said, a "splinter movement in open source" started up as well: the ethical-source movement. He described that movement as believing that normative definitions of open source are flawed because "open source allows you to do all sorts of bad things". Fontana noted that the ethical-source movement did not fit exactly with the model of exploiting open source for profit, but it "sort of should, in a sense".

The concern that open-source software could be used for "nefarious purposes" has been around for a long time, of course. And it is true, he said, that it is morally neutral because the freedoms are available to everyone. "You can't discriminate against users, or you can't say the GPL is only available as long as you're a good person." The JSON license from 2002, which is basically the MIT license with a provision added that the software "shall be used for Good, not Evil", was a forerunner to the ethical-source licenses.

There are problems with the ethical-source licenses, too. They do not fit with the accepted definitions of open source, because they discriminate against specific use cases such as "you can't use the software for any use case that violates human-rights law", or similar. Though Fontana did not say this explicitly, enforcing such licenses would also be difficult, if not impossible. His slide described those licenses as "principled, but misdirected". (The full set of slides is available on the CfgMgmtCamp site.)

Open-source developers realized that bad things are happening with their software and feel they have to do something to stop it. But, how? "You're not empowered to write new laws. You're just a software developer [...] so the only tools you know how to use are licenses" because those are the foundational tools of the whole system. Ethical licenses, he said, are their own infrastructure shift; they are designed to allocate power to certain people and deny it to other people. This time the attempt to create an asymmetry of power is not for profit, but to try to do good.

AI

The most recent infrastructure shift is AI. Fontana said that there are "all sorts of asymmetries around what we're calling AI now, and they're more extreme than anything we've seen before". He said he was tempted to say that AI has nothing to do with open source, but that isn't quite accurate. "AI in the modern sense is built on a foundation of lots of important open-source projects", which includes authentic open-source projects built up around the use of AI models.

But within the world of people creating AI models themselves, "the term 'open' is used extensively, but it's used meaninglessly. And then people using the technology repeat this problem". The ambiguity around open source just gets worse in the AI era; "open source" in the AI context just basically means that model is public. "It is actually worse than what we have with source available, it's just a signal with no substance".

Misuse of "open" in this context, he said, was openwashing. The models, if thought of as software, do not meet the normative definition of open source. There is no source code, in this case training data, published, and often even information about the training data is not disclosed. "So there's this kind of extreme non-transparency in a context where the term 'open source' is being widely used", which is unfortunate.

So you might say, "why can't we solve all this by creating a new license?" And you know by now my answer is that licenses are not good at solving these problems.

Some people are angry about AI and have proposed creating licenses that basically forbid using software to create a new model. Those licenses, Fontana said, would violate the OSD pretty clearly, and it's not even clear that those licenses could solve the problems. Licenses are "very brittle tools" that can't do much. They were effective for the limited purpose they had in the 1980s and 1990s, but the problems of today are too complex for a single type of tool to solve.

Licenses aren't the solution

Fontana said that when he was discussing the talk with one of the organizers, he was asked to be inspirational: "I'm not used to doing that, I mostly just like to complain about stuff" he deadpanned. He was, however, willing to try.

The problem that he identified was that the way open source is conceptualized is rooted in the past, and it does not get updated for new problems. His suggestion is that we should try to reframe open-source freedoms "in a way that is more dynamic or adaptive or mobile". He displayed a slide (reproduced below) first with the classical freedoms and then with his concepts for new freedoms: reproduce, verify, participate, exit, and stewardship.

[Slide: Classical freedoms must remain mobile]

He ran through the new freedoms quickly. The right to reproduce "is not an original idea in any sense, kind of a generalization of the work done on reproducible builds". The GPL is designed to allow users to rebuild software from source, but systems are more complex now and "being able to rebuild source code is not enough". There is a need for a more robust ability to rebuild and verify software. As an example, he said, someone claims to be running a service based on open-source software, but perhaps they've modified it in a substantial way without publishing the modifications. "How can you verify the claims they make about those things?"

He mapped the right to modify software to a new concept of a right to participate in development of software. "If you are dependent on a project, there's a sense in which you should have some way of ideally participating in its governance." Modification is a local freedom, whereas participation is more of a collective freedom. He said it was not a radical proposal for open-source development to become a free-for-all with no standards for contribution, "but it's sort of elevating participation to the level of the original freedoms."

Everybody talks about how the right to fork is a fundamental aspect of open source, but "it turns out in practice, and this has become increasingly true over time, you can't easily fork projects in most cases". It is actually too costly to practically exercise, so he felt that open source should explicitly state that it is built on "the right to compete" which could make it more practical for participants to exit a community that no longer serves their needs. That, of course, is directly in conflict with the source-available licenses.

Finally, stewardship "corresponds to the work you need to do to sustain projects and the community" and should be "elevated to the foundational level for what open source means". Open source is a human endeavor, Fontana said. The freedoms that he was articulating correspond to real human activities that are important to consider when thinking about the ideals that open source ought to meet.

So, the right to reproduce is based on curiosity. The right to verify is based on integrity. The right to participate is related to the notion of solidarity. The right to exit corresponds to the concept of courage. And stewardship, of course, corresponds to care. So these are all human forms of these kinds of reframed definitional freedoms.

He was not proposing, he said, to replace the existing freedoms or the notion of what an open-source license is. Those are still a foundational part of open source. But he felt that we need to have a bigger and more expansive sense of what open source means that is not simply rooted in a "static checklist of permissions of 1980s and 1990s kinds of concepts."

Asymmetry is inevitable in open source. It is a feature of infrastructure shifts; there will always be changes in the field of play that create new power relationships and leverage points. What we can do, Fontana said, is make sure that power does not become ossified, "and that's what this notion of mobile freedoms is sort of aimed at". We cannot eliminate asymmetry, he said, but we can continue to work around it.

There was time for one question. An audience member wanted to know if he was referring to the Open Source AI Definition (OSAID) in his talk. Fontana said that he had not mentioned the OSAID in the talk, but had been a critic of the definition. The OSI came up with something that was too complicated and impractical "and also didn't make anyone happy because it has this big compromise built into it". It tried to address the problem of undisclosed training data, but it does so in a way that has "kind of a hole in it". It was, "sort of pointless, frankly" and maybe shows that trying to come up with a definition similar to the open-source definition is not the right approach to address the problem. "But I'd have to think about that more."

With that, time elapsed. The new freedoms proposed by Fontana seem interesting, and could do with more detail on how to implement them, but his point that licensing alone is insufficient is certainly valid. It would be useful for people and projects to be thinking beyond licensing to new ways to retain the ideals of open source as the world keeps changing.

[Thanks to the Linux Foundation, LWN's travel sponsor, for funding my travel to Ghent to attend CfgMgmtCamp.]

