Don't get Mongo'd

31 Jul 23

MongoDB is a popular documents-oriented database, the source code of which is licensed under an open source license, the Server Side Public License (SSPL).1

The SSPL is based on the Affero General Public License v3 (AGPL). Until 2018, the AGPL applied to MongoDB source code. AGPL was replaced with the SSPL in response to cloud hosting providers like Amazon making use of a MongoDB clone as a service. The only meaningful difference between the AGPL and the SSPL is the copyleft provision.

AGPL has a copyleft provision that requires the source code of modified versions of the licensed program be made available to all users who interact with the software over a network. That is, if you modify the program and use it in your cloud-bases application or service, you must make those modifications and the program itself available in source code form.

Mongo replaced this copyleft provision with a new version—copyleft on steroids.

This version requires release of the source code of, well everything; not just the licensed program and any modifications, but the whole stack. And the copyleft obligation is triggered on mere use, as well as modification.

13. Offering the Program as a Service.
If you make the functionality of the Program or a modified version available to third parties as a service, you must make the Service Source Code available via network download to everyone at no charge, under the terms of this License. Making the functionality of the Program or modified version available to third parties as a service includes, without limitation, enabling third parties to interact with the functionality of the Program or modified version remotely through a computer network, offering a service the value of which entirely or primarily derives from the value of the Program or modified version, or offering a service that accomplishes for users the primary purpose of the Program or modified version.

"Service Source Code" is defined to mean, essentially, all software that had anything to do with conveying the functionality of the program, including even dev tools and compilers.

“Service Source Code” means the Corresponding Source for the Program or the modified version, and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available.

Many cloud applications and services use, without modification, MongoDB via copies made under this license. They are simply using the database as it's intended to be used. Nevertheless, aren't they "mak[ing] the functionality of [MongoDB] available to third parties as a service"? Aren't they "enabling third parties to interact with the functionality of [MongoDB] remotely through a computer network"?

If so, the companies running these services are in breach of the SSPL and copyright infringers, as none of them have open-sourced their entire software stack as required by the ravenous reach of the copyleft terms of the license. So any day now, MongoDB (the company, a global corporate behemoth headquartered in New York and Dublin, NASDAQ market cap approx. $15 billion) could put these businesses under a dark heavy cloud with a simple cease-and-desist.

The reason this hasn't happened? MongoDB has released a FAQ that has apparently put everyone's minds at ease:

What are the implications of this new license on applications built using MongoDB and made available as a service (SaaS)?

The copyleft condition of Section 13 of the SSPL applies only when you are offering the functionality of MongoDB, or modified versions of MongoDB, to third parties as a service. There is no copyleft condition for other SaaS applications that use MongoDB as a database.

This is actually a thin reed on which to rely in building a MongoDB-based business. Setting aside the ephemeral and ineffectual nature of a mere FAQ, the first sentence is nothing more than a recitation of the first line of the license text itself. The second sentence, because of its use of the term "other" (as in "other" SaaS applications), adds little extra in meaning. It states that those other SaaS applications (ie that are not offering the functionality of MongoDB as a service) may "use MongoDB as a database."

Use of MongoDB in a cloud application will always be susceptible to the argument that such use is offering its functionality as a service. MongoDB the company could at any time decide to withdraw this FAQ or "clarify" its meaning in ways that could expose the businesses that depend on the public source version of the database.

Perhaps one day the company could decide that it should be a much larger player than it is now in the database platform-as-a-service space.

Many dispute the characterization of SSPL as an "open source license," including the Open Source Initiative, because the SSPL discriminates against commercial users.