Open edX Dependency Licensing Problems
Several dependencies of Open edX have been relicensed since they were originally chosen, which has made continuing use of them potentially problematic. The issue in all these cases is that the (previously) open source project was maintained by a corporation with a business model that was threatened by changes in the technology ecosystem. In most cases, they attempted to address the problem with a license change that stifled competition while trying to avoid undue impact to their most valued users (companies paying for hosting and individual developers who want to tinker without paying license fees). The key problems for Open edX in these cases are as follows:
The new licenses are incompatible with the AGPL, which most of Open edX uses. They don’t even qualify as “open source” licenses according to https://opensource.org/ :
Individual Open edX installations may be able to continue legally using these dependencies, but it’s murky enough that even lawyers seem to be struggling to make a clear determination on this.
A common cause of relicensing is “AWS is driving us out of business with a competing hosted offering”, and many Open edX installations were set up to depend on those AWS offerings. AWS typically responds to these relicensings with a fork, which fractures the ecosystem of related code and services, often making it difficult to make any upgrade path viable.
MongoDB
Old license: AGPL 3.0
New license: Server Side Public License
Date changed: November 8, 2018
First version impacted: 4.0.4
edx.org uses version: 4.2.14 (upgraded from 4.0 in late 2021, driven by security concerns; nobody believed a rapid migration away from it was feasible)
Tutor uses version: 4.4.22
Other notes: With release 4.4, alerting and backups were removed from the hosting tier that edx.org uses, in order to pressure upgrades to a significantly higher-cost offering.
Planned response: https://discuss.openedx.org/t/adr-for-removing-mongodb-from-edx-platform/6001 (slow progress is being made, completion date unclear)
Elasticsearch
Old license: Apache 2.0
New license: Server Side Public License
Date changed: January 14, 2021
First version impacted: 7.11
edx.org uses version: 7.10 (hosted on AWS, which is providing security patches indefinitely only for that hosted offering)
Tutor uses version: 7.17
Planned response: https://github.com/openedx/public-engineering/issues/16 (largely stalled due to high difficulty and low incentive on 2U’s end to change the status quo)
Terraform
Old license: MPL 2.0
New license: Business Source License 1.1
Date changed: August 10, 2023
First version impacted: 1.5.6
edx.org uses version: 1.3.7
Tutor uses version: N/A (Harmony provides example Terraform code but recommends no particular version)
Planned response: None yet. Not truly an Open edX dependency, although many installations use it to manage their infrastructure. May not be an issue for current usage, but we need to be careful about recommending it for new use cases.
Docker Desktop
Old license: Proprietary but “free as in beer”
New license: $0-$24 per user per month depending on relatively complex conditions
Date changed: August 31, 2021 (grace period ended January 31, 2022)
First version impacted: Impacts all versions
edx.org uses version: devstack recommends it on macOS, but no particular version (just needs at least Docker Engine 17.06 from mid-2017).
Tutor uses version: Effectively just says “you need Docker”; in practice, this historically meant Docker Desktop in the context of macOS.
Planned response: Probably recommend OrbStack and/or Colima instead. More context in https://github.com/edx/edx-arch-experiments/issues/93#issuecomment-1690981665 and Container Runtime Comparison. Only impacts development environments, not Open edX production deployments.