authentik/website/blog/2023-08-23-my-hobby-became-my-job/item.md
Tana M Berry 562496f1cd
website/blogs: blog re job to hobby (#6611)
* blog re job to hobby

* Optimised images with calibre/image-actions

* new image

* tweak

* further tweaks

* Optimised images with calibre/image-actions

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana Berry <tana@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-08-24 11:08:57 -05:00


title: My hobby became my job, 50% extra pay, just needed to let go of GPLv3
slug: 2023-08-23-my-hobby-became-my-job
authors:
  name: Jens Langhammer
  title: CTO at Authentik Security Inc
  url: https://github.com/BeryJu
  image_url: https://github.com/BeryJu.png
tags: founder, SSO, open source, identity provider, licensing, gpl, mit, security, authentication
hide_table_of_contents: false
image: ./image1.jpg

There’s been a lot of discussion about licensing in the news, with Red Hat and now HashiCorp notably adjusting their licensing models to be more “business friendly,” and Codecov (proudly, and mistakenly) pronouncing they are now “open source.”

“Like the rest of them, they have redefined Open as in Open for business”—jquast on Hacker News

This is a common tension when you’re building commercially on top of open source, so I wanted to share some reflections from my own experience of going from MIT, to GPL, back to MIT.

"Photo by Caleb Jones on Unsplash"

I started working on the project that led to authentik when I was 20. My original vision was a single pane of glass for emails, domains, applications, hosting, and so on. This was overly ambitious for one person and their hobby project, and I ended up spending most of my time on the SSO part. This became its own project: Passbook (later renamed to authentik due to a naming conflict).

Initially, authentik used the MIT license. When Elastic called out AWS for trademark abuse (offering Elasticsearch as an AWS service without collaborating with Elastic), I changed it to GPLv3 because I didn’t like what AWS did in principle, and didn’t want it to happen to authentik.

An opportunity, and a compromise

Two years later, Sid at Open Core Ventures (OCV) contacted me about creating a company, building on the features and functionality of authentik. It was a dream opportunity: work full time on my hobby project and make 25% more in the process. But I had to let go of the GPL license.

With an open core model, customers are usually using code from both the open source and proprietary codebases. This necessitates a dual license structure, meaning customers need to accept both licenses.

The drawback of building commercially on top of open source software using GPL is that the copyleft aspect can put some people off. Not every person or business wants to have to expose their code for every minor change or bug fix they may add, and they will sooner find a competitor with a more permissive license than adopt your software. This is obviously not ideal when you’re trying to get traction and grow a business.

OCV proposed we switch back to MIT.

Considerations and tradeoffs

I was very conflicted about reverting to MIT because we had chosen GPL for a reason, but the circumstances had changed. As a company and a real legal entity, we would have recourse if something like AWS/Elasticsearch were to happen—it wouldn’t just be me trying to defend myself while also doing my day job. The decision forced me to reflect on what it means to build a company on top of an existing open source project.

For me, it was an opportunity to work full time on a passion project, with more resources to invest in building and maintaining the open core of the project. The opportunity came with tradeoffs to be made, and a responsibility to be a good steward of the open source project.

I know how volatile startups can be. I had put so much time into authentik already, and my biggest concern was around what happens if things don’t work out. I wanted to make sure that the open source version stays free, vibrant, and open for use by all.

A license isn’t the only way to guarantee good behavior

With a permissive license, the risk of bait and switch is always there. A commercial company needs to become profitable and there is precedent for changing to more limited licenses when it suits the business. People naturally see this as a dichotomy: you either have a copyleft license and therefore your intentions are enshrined in the license, or a permissive one and can’t be trusted to uphold open source ideals.

There is a third path though, which is the route we eventually took with Authentik Security, the company we were building on top of the project. We incorporated as a public benefit company, which means that we are legally bound by the terms in the OCV Public Benefit Company Charter. This includes commitments to keeping open source products open source, and ensuring the majority of new features added in a calendar year are made available under an open source license. Being a public benefit company means we are still held accountable, just through a different mechanism than the license.

The process of changing the license

Changing licenses is a sensitive issue. I consulted with the top contributors to authentik to hear their feedback while we were in the process of setting up Authentik Security. Nobody objected, so we switched back to MIT and announced the change in the company announcement post. I think I was surprised there wasn’t a backlash or accusations of putting profit over principle (we have all seen how impassioned people get about open source and ideals). I like to think that people saw the pragmatism in the decision: that MIT lets us further the work of authentik.

Reflections

While a copyleft license is one way to hold companies accountable to upholding the principles of open source, with Authentik Security we struck a balance between commercial viability with the more permissive MIT license and the values I wanted to entrench with becoming a Public Benefit Company. I now get to work full time on my hobby, and the core of authentik is still open source.