Open edX Dependency Licensing Problems

Several dependencies of Open edX have been relicensed since they were originally chosen, which has made continued use of them potentially problematic. The issue in all these cases is that the (previously) open source project was maintained by a corporation with a business model that was threatened by changes in the technology ecosystem. In most cases, they attempted to address the problem with a license change that stifled competition while trying to avoid undue impact on their most valued users (companies paying for hosting and individual developers who want to tinker without paying license fees). The key problems for Open edX in these cases are as follows:

MongoDB

  • Old license: AGPL 3.0

  • New license: Server Side Public License

  • Date changed: November 8, 2018

  • First version impacted: 4.0.4

  • edx.org uses version: 4.2.14 (upgraded from 4.0 in late 2021, driven by security concerns; nobody believed a rapid migration away from it was feasible)

  • Tutor uses version: 4.4.22

  • Other notes: With release 4.4, alerting and backups were removed from the hosting tier that edx.org uses, in order to pressure upgrades to a significantly higher-cost offering.

  • Planned response: ADR for removing MongoDB from edx-platform (slow progress is being made, completion date unclear)

Elasticsearch

  • Old license: Apache 2.0

  • New license: Server Side Public License

  • Date changed: January 14th, 2021

  • First version impacted: 7.11

  • edx.org uses version: 7.10 (hosted on AWS, which is providing security patches indefinitely only for that hosted offering)

  • Tutor uses version: 7.17

  • Planned response: Move away from Elasticsearch · Issue #16 · openedx/public-engineering (largely stalled due to high difficulty and low incentive on 2U’s end to change the status quo).

Terraform

  • Old license: MPL 2.0

  • New license: Business Source License 1.1

  • Date changed: August 10, 2023

  • First version impacted: 1.5.6

  • edx.org uses version: 1.3.7

  • Tutor uses version: N/A (Harmony provides example Terraform code but recommends no particular version)

  • Planned response: None yet. Not truly an Open edX dependency, although many installations use it to manage their infrastructure. May not be an issue for current usage, but we need to be careful about recommending it for new use cases.

Docker Desktop