Open source is at the heart of nearly all software today: A staggering 96 percent of applications contained open-source code and 90 percent of companies leverage open source in some way. It’s no surprise that the adoption rate of open source is sky-high. It provides companies with incredible perks like greater speed of innovation, agility, and flexibility—all at a lower cost. Opensource empowers companies to innovate on their own terms—faster than ever before—so they can stay competitive and keep customers happy.

But not all open source is created equal. There are a number of open source imposters out there, and companies should know how to identify them to avoid getting locked in to restrictive licenses that are masquerading as “open.”

What is “fake” open source?

Fake—or captive—open source can be defined as software that is released under a license that is not truly open. In order to be considered legitimate open source, licenses must be approved under the Open Source Initiative (OSI), which ensures the software can be freely used, modified, and shared.

One example of captive open source is Mongo’s move from a GNU Affero General Public License (AGPL) to a Server Side Public License (SSPL), which is not OSI-approved and poses significant disadvantages to the user. Similarly, Cockroach moved from a recognized open source license (Apache) to a Business Source License (BSL) which is also not recognized by OSI.

These types of software are marketed as open source because the code can be inspected and contributions are possible. But the license is held by a single company, and the degree of freedom regarding what can be done with the code is miniscule compared to a true open-source project.

When companies opt to use captive open-source software like the examples above, they become locked in to one vendor. This is risky because that vendor can change its license cost at any time, choose which features users get access to (and at what price), and disappear at any time should the company go under.

Another major downside of fake open source? Since these projects are captive to one company, there is little to no community support. For an enterprise that has adopted and is betting on that software, it’ll be difficult to find talent because contributors are limited. True open source like Linux or PostgreSQL (also known as Postgres) is a talent magnet because it revolves around a robust community of contributors and is completely open to inspection and influence. The last Postgres version, for example, had over 140 companies contributing. If users want to see a feature added, they can go ahead and propose it to the community.

Developers love innovation: They want to move fast and be at the center of where breakthroughs and change are happening—and open source is that place. Unlike captive projects, true open source is independent of any one vendor, so if for instance a database vendor that uses Postgres were to go belly up tomorrow, Postgres would continue on unaffected.

Companies stand to gain a lot from open source: The ability to innovate faster, a larger talent pool, community support and contributions, lower costs, and no risk of vendor lock-in. It’s imperative that companies learn the signs of captive open source projects so they don’t waste their time and resources on software that doesn’t give them the flexibility and benefits they need.

How to spot fake open source: A checklist

Recognizing fake open source can be tricky, but by staying vigilant and examining the following items when vetting software, companies can avoid getting locked in to captive projects.

  1. Is the software license OSI-certified? One of the easiest ways to determine whether an open-source project is legitimate is to look at its license. If it doesn’t meet OSI standards, reconsider or proceed with caution.
  1. Is the project community driven? Choose software that is backed by a robust community versus driven by a single company. Do your due diligence here: There are even Postgres look-alikes out there that are years behind Postgres innovation because—you guessed it—they’re driven by a single company.
  2. What’s in the project’s release notes? There should be many—we’re talking dozens—of contributing companies mentioned. This indicates a vibrant community behind the project. Look at which companies and developers are contributing to the project: Do you know of them? If so, do you believe in them? You’d better, because you’re betting your company’s future on it. And when in doubt, always go with the major open-source project and don’t take a chance on a fringe project.
  3. What’s the rate of innovation? How often are new releases and features coming out? Regular updates are a good indicator of an innovative project that is constantly improving. For example, Postgres releases major versions annually with around 180 features, in addition to quarterly minor releases that contain many small improvements and fixes. 

Open source has transformed the world of software development and unlocked new opportunities. By knowing how to identify captive open-source projects, companies can ensure they’re investing in software that is a safe bet and will propel them forward, not slow them down.