The License Maze
July 3, 2026
By Erik Bethke · also on erikbethke.com
We open-cored Bike4Mind today. Cutting the repo loose was grep and grind — a bug bash, a scrub checklist, a week of mechanical work. The thing that actually kept me up at night was one file: LICENSE.
Because I've watched this industry run both failure modes, live, with money on the table. I watched Redis, Elastic, and HashiCorp flip the table on their own communities — the rug-pull, in slow motion, each one swearing it would never happen right up until the board meeting where it did. And I've watched the opposite corpse too: gorgeous MIT projects with six-figure star counts and zero revenue, while a hyperscaler sells managed hosting of their own code back to their own users. Getting strip-mined by AWS is not a business model. Neither is being loved.
Here's the thing thirty years of shipping games — Starfleet Command, FarmVille, MMOs — beat into me: a license is a ruleset, and rulesets get min-maxed by the most ruthless player at the table, not the nicest. You don't write rules for the community you're hoping for. You write them for the griefers you are absolutely going to get. Every economy I ever shipped got exploited within a week by someone smarter and hungrier than my design doc, and a license is just an economy with lawyers.
So I built this decision the way I'd build a dungeon, and I'm handing you the torch. Walk it. The dead ends aren't filler — the dead ends are the argument.
The five walls
Before I opened a single door I carved five rules into the entrance. Not aspirations — load-bearing walls. Any license that cracks one of them is a wipe, no matter how good it looks on the tin:
Hold those five in your head. Here's the territory.
The map
The permissiveness frontier A two-axis map. Horizontal axis: freedom granted to builders. Vertical axis: survivability for a bootstrapped business. Closed SaaS sits top-left. MIT and Apache sit bottom-right: maximum freedom, business starves. AGPL sits middle: less builder freedom than it looks, legal departments flee. SSPL and Elastic sit upper-middle: business safe, never converts to open. BSL with the default four-year clock sits high but short of the corner. BSL 1.1 with a generous grant and a two-year Apache ratchet occupies the top-right corner: the frontier point. freedom granted to builders → bootstrapped business survives → the frontier Closed SaaS — safe, and nothing is yours MIT / Apache-now — adored, unpaid ✗ AGPL — less free than it looks ✗ SSPL / Elastic — never opens △ BSL, default 4-yr clock △ BSL 1.1 + generous grant + 2-yr Apache ratchet ✓ The corner point exists. Most projects never find it because they enter the maze through the wrong door.Now let's actually walk it.
The maze
Pick a door. Every one of these is a door I genuinely stood in front of.
⌂ THE ENTRANCE
You are a bootstrapped founder holding a codebase your customers pay real money for. Torchlight flickers on four doors. Each has a plaque.
The MIT / Apache-now Room
Beautiful room. Sunlit. Forty thousand stars painted on the ceiling by a project that monetizes approximately zero. MIT-now is unilateral disarmament — you walk into a gunfight, hand your iron to the biggest guy in the room, and hope he's feeling sentimental. He is not. He's AWS, and he has a managed-hosting SKU with your project's name on it before your launch post cools. Ask Elastic. Ask Redis. Ask Mongo — every one of them had to relicense later, under fire, against their own community, which is just the rug-pull with extra steps and worse press.
In MMO terms: this door donates your entire loot table to the richest guild on the server and calls it community-building. Apache-now only works as a VC-fueled land grab — spend someone else's hundred million to buy the market, monetize never. That's wall #2, and I built that wall on purpose. I already turned down that money.
Cracks walls 1, 2, and 5. Somewhere behind you, the exit breathes.
The AGPL Room
I camped in this room. AGPL is real OSI open source AND it's built to stop SaaS strip-mining. On paper it clears the board. Then your torch finds the two skeletons.
Skeleton one is wearing a tool belt. AGPL is a paladin's oath — righteous, binding, and it binds your allies hardest. Its copyleft means every builder who forks my engine to ship a product must open-source their product. My entire pitch to builders is build on this and SELL it — keep your loot. Read that twice: on the one axis my players actually care about, my "source-available" license out-frees the official open-source one. The strangest true thing in this whole dungeon.
Skeleton two is wearing a general counsel's suit. AGPL is garlic to enterprise legal. They don't evaluate it; they reject it at the door — and regulated enterprises are exactly who pays for wall #1.
And here's the kicker: the oath doesn't even stop the rogue. AWS ships AGPL software today — you can comply by publishing modifications and keep right on selling. Grafana took the oath and still fights managed competitors every morning.
Cracks walls 1 and 5 — while looking noble doing it.
The SSPL / Elastic-2.0 Room
A bunker. Three-foot walls, stocked larder, the business utterly safe inside. Then you notice what's missing: there is no clock in this room. Nothing in here ever converts to open source. Not in two years, not in ten, not ever. You win the siege and lose the war — you wanted to be the counterweight to closed AI and you built yourself a slightly friendlier closed vendor with extra paperwork. And SSPL specifically means inheriting MongoDB's forever-war without MongoDB's war chest.
Wall #4 demands the open promise be structural. This room never makes the promise at all.
Holds walls 1, 2, 5. Fails the only one that makes any of it worth trusting.
The BSL Room (factory settings)
Now we're close. BSL 1.1: source-available, self-hostable, with a Change Date when each release converts to a real open-source license — written into the license text itself. Automatic. No future board meeting. No trusting future-me. HashiCorp, Redis, and Elastic all drifted toward closed; this mechanism makes drifting toward open the default state of the universe.
But the factory default Change Date is four years, and four years in AI is a geological era. And the default grant is stingier than it needs to be. Two more decisions and you're out of the maze.
BSL 1.1 + generous grant + 2-year Apache ratchet + covenant
The door out, and every wall intact:
The grant is the headline: read it, run it, self-host the whole thing, and build & sell your own products on it. One carve-out only — you can't stand up a competing hosted Bike4Mind service. That single reservation is what pays the engineers. (Walls 1, 2, 5.)
The ratchet is the anti-rug-pull: every release converts to Apache-2.0 on a two-year clock, per release, automatic, irrevocable — and a signed covenant ships alongside so we can't quietly amend our way out. (Wall 4.)
And ~15% of the codebase — the model adapters, MCP, the RAG pipeline, the self-host shim — is plain Apache-2.0 today, where openness costs the service nothing. (Wall 3: contributions have a real open home, but the business never depends on them.)
And the caveat, out loud, same as everywhere we say it: source-available is not OSI open source, and I won't insult you by pretending it is. What I offer instead of pretending is a conversion clock I cannot stop. Pinky promises got this industry rug-pulled three times; clocks don't renege.
The ratchet, drawn
The mechanism that makes the exit trustworthy deserves its own picture.
The license ratchet conveyor Releases travel left to right along a conveyor belt. On the left, releases are BSL 1.1, source-available. Each release crosses a conversion gate labeled 24 months and becomes Apache-2.0, fully open, on the right. The conversion is automatic, per release, and irrevocable. the 24-month gate written into the license text v2026.07 BSL 1.1 v2025.01 BSL 1.1 v2024.07 Apache-2.0 v2024.01 Apache-2.0 source-available: run it, fork it, sell on it fully open — automatic · per release · irrevocable Time only moves one direction on this belt. That's the point.The anti-ratchet
One more exhibit before the scorecard, because it's the most instructive room in the whole dungeon — and it isn't even in my maze. It's next door, wearing the open-source halo.
Dify — the biggest "open source" agent platform on the board — ships a modified Apache license that bars you from running a multi-tenant service without their written permission, forbids removing their logo from your own product, and, in its own words, reserves the right to "adjust the agreement to be more strict as deemed necessary." That's a direct quote. Go read it — reading the license instead of the logo is the entire sport here.
Look at what that clause is: a ratchet, pointed the other way. Mine turns toward Apache on a clock no board vote can stop. Theirs turns toward stricter, whenever they deem it necessary, and they had the foresight to write the deciding-otherwise into the license itself. Open until we decide otherwise isn't open. It's a trial with good marketing.
I'm not saying they're bad people. I'm saying they built a trapdoor into the floor and I built a conveyor belt out the front door, and you should know which one you're standing on before you build your product on it.
The scorecard
Every door, against every wall:
| License | 1 · Real business | 2 · No VC subsidy needed | 3 · No OSS-labor reliance | 4 · Rug-pull impossible | 5 · Service protected |
|---|---|---|---|---|---|
| MIT / Apache now | ✗ starves | ✗ needs the war chest | △ invites, then depends | ✓ nothing to pull | ✗ wide open |
| AGPL | ✗ legal depts flee | △ | △ | ✓ | △ leaks (AWS complies) |
| SSPL / Elastic 2.0 | ✓ | ✓ | ✓ | ✗ no promise made | ✓ |
| "Open" + stricter-at-will clause (Dify-style) | ✓ | ✗ VC-backed | △ | ✗ the opposite — reserved in writing | ✓ |
| BSL 1.1, 4-yr default | ✓ | ✓ | ✓ | ✓ but slow | ✓ |
| BSL 1.1 + grant + 2-yr ratchet + covenant | ✓ | ✓ | ✓ | ✓ on a clock | ✓ |
The three knobs I could still turn
Even at the exit, there were settings. Here's where I left them and why:
The clock: two years, not one. One year sounds more generous until you run the tape: enterprise deals take about a year to close, so a one-year clock hands a funded competitor my near-current code while my own deals are still sitting in someone's legal queue. That's not generosity — that's shipping an exploit against myself and calling it virtue. Two years is the number Sentry already battle-tested with the FSL.
The carve-out: surgical. The real generosity of a source-available license lives in how narrowly you define the forbidden thing. Ours is one sentence — a competing hosted Bike4Mind service — defined by primary value proposition, not by component reuse. Tight definition means the gray areas default to allowed.
Contributions: steered, not solicited. Wall #3 spares us BSL's ugliest optic — we're not asking volunteers to enrich a license they don't hold. The Apache layer is the natural home for anyone who wants to contribute anyway, and it's real open source the day it ships.
Out of the maze
I couldn't find a more permissive license that still leaves a business standing. So we shipped the most permissive one that does — and put the conversion to Apache on a clock we can't stop.
The rug-pull isn't prevented by our character. It's prevented by the license text.
Read it, run it, fork it, build on it — keep what you kill: bike4mind.com/open. And if you think I took a wrong turn in this dungeon, prove it. The whole point of the arrangement is that you can check my work: every claim survives a git clone.
— Erik