> companies like Amazon abuse FOSS licenses to stand up their own hosted versions of open source projects

This is not an abuse of FOSS licenses. If developers have a problem with this, there are open source licenses that would make this use case less attractive for Amazon, like the AGPL.

That licence tends to have the dual effect of dissuading otherwise valid users from using it, because a lot of devs and corps see “something something GPL” and just shut down.

That's where dual-licensing comes in like Artifex' AGPL + commercial licensing. But yes, most large Tech companies have a blanket ban on AGPL.

> most large Tech companies have a blanket ban on AGPL

sounds like it's doing its intended job well then?

Exactly, which is why all these companies that claim they can't survive without their shiny new I-can't-believe-it's-not-open-source licenses deserve all the scorn they get. I've flipped the bozo switch on Hashicorp.

Or, like HashiCorp Adopts Business Source License

> Just because nobody has tried yet doesn’t mean that it won’t ever happen.

That nobody has tried suggests paranoia at best.

> Companies are doing this precisely because companies like Amazon abuse FOSS licenses to stand up their own hosted versions of open source projects.

The AGPL exists and already fully addresses that.

I'm thinking that AGPL is, indeed, the Ebola of viral licenses, but it does not cover the case where a large cloud vendor simply takes an AGPL-licensed product and offers it as a cloud service. AGPL does not cover that case. Nothing the cloud vendor does challenges any of the AGPL's terms.

The cloud vendor issue is license agnostic. ElasticSearch comes to mind. For the AGPL side, MongoDB and Neo4J come to mind.

Recall that AGPL came into play by way of a hole in the GPL terms, the one where you can modify a GPL codebase but you don't have to say anything unless you publish it. GPL was weak in therms of the definition of "publish". AGPL closed that hole.

But, that hole only becomes toxic the moment you modify the code or plug proprietary stuff into it. Cloud vendors don't do that.

Cloud providers build a proprietary control plane to deploy copies of the program and it could be argued that such code is a modification of the program itself and thus has to be released. That's why they won't touch AGPL code.

AGPL doesn't infect you code unless you don't link with AGPL-licensed one. Control planes rarely do this. That's why Amazon was absolutely OK with MongoDB being under AGPL.

> but it does not cover the case where a large cloud vendor simply takes an AGPL-licensed product and offers it as a cloud service

Because it doesn't need to, nor should it. That's only a competition issue if the upstream developer is actually offering a managed version themselves - and in that case they already have "we actually developed this software so we're the best option for supporting it in The Cloud™" as a selling point that even the likes of Amazon and Google cannot replicate (not without themselves participating in the actual development of the software in question). They should lean into that selling point and offer a better managed offering than what any cloud vendor could ever hope to offer.

Plus, as I've mentioned in sibling comments, large cloud vendors probably don't have much interest in reselling Hashicorp's products anyway. Why resell Terraform when you're trying to lock customers into CloudFormation? Why resell Vault when you're trying to lock customers into Secrets Manager? Why resell any of Hashicorp's products when the thing for which they're marketed - avoiding vendor lock-in - is literally antithetical to your business model of maximizing vendor lock-in?

> But, that hole only becomes toxic the moment you modify the code or plug proprietary stuff into it. Cloud vendors don't do that.

Sure they do. If they didn't modify their managed versions of FOSS applications to integrate tightly with the rest of their offerings, then why would anyone bother to use the cloud-vendor-managed versions in the first place? If there's no benefit integration-wise relative to just slapping the vanilla version on some EC2 instance or EKS container or whatever, then what's the point?

SSPL is much worse than AGPL. At worst AGPL demands you to license your own code under same terms. While SSPL demands you to license third-party code from backup solutions to operating system and firmware. Good luck publishing source code of Linux kernel or even Windows under SSPL.

> That nobody has tried suggests paranoia at best.

That's hardly paranoia. Why wait until you need to change it under pressure from one of the big CSPs (a la Elastic/AWS)? It is proactive at best.

AWS in particular already has its own competing services that predate or otherwise do not derive from Hashicorp's offerings (CloudFormation, Secrets Manager, etc.). Same with pretty much every other major cloud provider. The whole point of going with Vault or Consul or Terraform or what have you is to not tie oneself to a particular provider's offerings.

Put simply: Hashicorp's target market for a given product is largely not going to be interested in a cloud provider's locked-down equivalent, and a cloud provider is not going to be interested in deprecating its own tightly-integrated product in favor of customizing some third-party offering.

And again: if this was a legitimate fear, then the AGPL already fully addresses it.

Scalr and Spacelift come to mind.

Spacelift is a significantly better product than Terraform Cloud, and since they apparently can't compete on quality they're going with this instead.

If you call that abuse.. using "open source" as a marketing gimmick to attract developers and users is abuse as well.