
Source Available Software: Is It Dangerous?

Source Available Software

In the world of software, the debate between open-source, proprietary, and source-available software models has taken on new significance. Source Available Software (SAS) sits in a unique position between fully open-source projects, where the code is free for anyone to use, modify, and distribute, and proprietary software, which keeps its source code entirely private. SAS offers a degree of transparency by making the source code viewable, yet often restricts how it can be modified, distributed, or used commercially.

This article explores the risks and limitations of the Source Available Software model, using Umbrel OS and Coldcard Firmware as case studies. Both are prominent SAS examples in the bitcoin industry today: UmbrelOS has gained popularity for its plug-and-play approach to personal servers, while Coldcard Firmware is a respected choice among advanced bitcoin hardware wallets. However, as these examples illustrate, SAS introduces critical challenges, including limitations on modification, security concerns, and dependency on the parent company for updates and fixes.

The Shift to Source Available Licenses in Commercial Open Source Projects

Aaron Dewes, a former Umbrel developer who is now building a FOSS alternative called Nirvati, has pointed out that many once-open-source projects have recently adopted non-open-source licenses to protect their revenue streams. Projects like Terraform, Redis, ElasticSearch, and MongoDB all moved from fully open-source licenses to restrictive ones.

Many commercial open source projects are switching to non-open-source licenses: Terraform, Redis, ElasticSearch, Sentry, MongoDB. Some of these call themselves “Fair source” (https://fair.io/). The goal is always: protect their ability to earn money. – Aaron Dewes

In some cases, this is known as “Fair Source,” which, despite the name, is not recognized as open-source by the Open Source Initiative (OSI). The main reason behind this shift is financial—companies seek to protect their commercial interests while still allowing limited source code visibility.

However, these licenses often hinder the very collaboration and innovation that make open-source software powerful. Terraform’s switch from FOSS to a restrictive license, for example, prompted many in its community to leave and create OpenTofu, a fully open-source alternative. This highlights a key issue with SAS: restrictive licenses may foster a degree of transparency but often at the cost of reduced community involvement and stifled innovation.

Umbrel OS: A Case Study in Source Available Software

UmbrelOS

Umbrel OS is a home cloud operating system that originally used a GNU open-source license but later switched to the Polyform Noncommercial License 1, which places strict limitations on commercial use. While Umbrel remains “source available,” it’s no longer truly open-source. Umbrel markets itself with phrases like “Built in the open,” or “self-host open source apps,” but despite this language, the Polyform license restricts redistribution, modification, and commercial use, disqualifying it as open-source or free software according to the OSI and Free Software Foundation (FSF).

Why UmbrelOS’s License Poses Risks

A critical risk with Umbrel’s SAS model is its centralized control over software updates, especially in sensitive applications like the Bitcoin Core app. In the event of a controversial Bitcoin soft fork proposal that Umbrel disagrees with, the company could decide not to update their software, leaving users running outdated nodes and potentially isolating them from the broader network. Previously, community-driven projects like Citadel forked Umbrel to maintain independence. With the current licensing, this is no longer possible, leaving users fully dependent on Umbrel’s decisions and roadmap.

Furthermore, SAS limits the ability for independent verification and adaptation, meaning users cannot fork, modify, or distribute their own versions if they disagree with Umbrel’s direction. This lack of freedom centralizes decision-making and could prevent users from exploring new paths or consensus changes, ultimately stifling innovation and eroding user autonomy.

Coldcard Firmware: A Restricted Model in Bitcoin Security

The Coinkite Coldcard firmware also falls under the SAS model: users may view its source code, but modification, redistribution, and independent compilation are restricted. This is concerning in the bitcoin industry (Bitcoin’s own protocol implementation, by contrast, is free and open-source), where transparency and control over one’s assets are paramount. Unlike fully open-source wallets, Coldcard users cannot recompile or modify the firmware independently, which raises trust issues around binary verification.

While Coinkite provides a binary verification process, allowing users to confirm their firmware matches the source code (not without some difficulties, see screenshot above), users must still trust Coinkite to manage updates and distribute secure, untampered binaries. If Coinkite were to discontinue support, delay updates, or make controversial changes, users have limited options. This reliance on a single entity introduces vendor lock-in, where users are bound to the company’s roadmap with minimal recourse.

Additionally, SAS models, like Coldcard’s, often lack the transparency provided by open-source projects. For example, reproducible builds—a process where users can independently compile and verify the software—are not the primary goal with SAS. SAS also often lacks the build instructions and CI configurations that allow full verification. These limitations can leave users vulnerable, as they are unable to fully confirm that the code they view is what actually runs on their device.
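As an added illustration of the verification step the paragraph above describes (not code from this article, nor from Coinkite or Umbrel), the following Python checker compares a locally reproduced firmware image with the vendor-shipped binary, locates where the two diverge, and checks a local build against a published sha256sum-style manifest; the firmware bytes, the manifest and the function names `compare_builds` and `verify_against_manifest` are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BuildCheck:
    matches: bool                      # True only when both images are byte-identical
    local_sha256: str
    vendor_sha256: str
    first_diff_offset: "int | None"    # None when identical
    differing_bytes: int               # mismatched positions, length difference included

def compare_builds(local: bytes, vendor: bytes) -> BuildCheck:
    """Compare a locally reproduced image with the vendor-shipped one."""
    local_h = hashlib.sha256(local).hexdigest()
    vendor_h = hashlib.sha256(vendor).hexdigest()
    if local == vendor:
        return BuildCheck(True, local_h, vendor_h, None, 0)
    first, count = None, 0
    for i in range(max(len(local), len(vendor))):
        a = local[i] if i < len(local) else None    # None past the end of an image
        b = vendor[i] if i < len(vendor) else None
        if a != b:
            count += 1
            if first is None:
                first = i
    return BuildCheck(False, local_h, vendor_h, first, count)

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum
    return entries

def verify_against_manifest(manifest: str, name: str, local: bytes) -> bool:
    """Does our locally built artefact hash to the value the vendor published?"""
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        raise ValueError(f"no manifest entry for {name}")
    return hashlib.sha256(local).hexdigest() == expected

# Constructed sample data (not real firmware): the vendor image differs from our
# reproduction by one flipped byte at offset 5 and two extra trailing bytes.
LOCAL_BUILD = b"firmware-image-v0.0-constructed" + bytes(range(32))
VENDOR_BUILD = LOCAL_BUILD[:5] + bytes([LOCAL_BUILD[5] ^ 1]) + LOCAL_BUILD[6:] + b"\xff\xff"
VENDOR_MANIFEST = hashlib.sha256(VENDOR_BUILD).hexdigest() + "  firmware.bin\n"
```

A matching hash tells you the published binary is what the source produces; a mismatch with a small, localized diff usually points at embedded timestamps or toolchain differences rather than tampering, which is exactly why published build instructions and CI configuration matter.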

The Potential of Copyleft as an Alternative

An alternative many don’t consider is copyleft licenses: These allow anyone to modify as much as they want, but require changes to be open source too. This in most cases is a good option for companies wanting to actually build open source software. – Aaron Dewes

As Aaron suggests, copyleft licenses offer an alternative path for companies wanting to build sustainable yet open projects. Copyleft licenses require that any modifications be shared openly, creating a balance where companies can still control their software but contribute to the broader open-source ecosystem. This approach fosters collaboration, as seen with Chromium, an open-source browser project run by Google that also benefits from contributions by Microsoft.

True open-source licenses encourage multi-company collaboration and allow broader community input, which enriches software quality and security. Unlike source-available licenses, copyleft licenses facilitate community contributions without imposing significant restrictions, ultimately enabling more resilient and innovative software.

Conclusion: Weighing the Pros and Cons of Source Available Licenses

Source Available Software is often positioned as a middle ground between open and proprietary models, but it carries significant limitations. While it offers visibility, it restricts modification, community contributions, and independent verification. Projects like Umbrel OS and Coldcard Firmware illustrate these challenges, showing how SAS models can hinder user control, innovation, and even security.

For users and developers alike, understanding these distinctions is essential. SAS may be enough for certain applications, but in cases where autonomy, transparency, and community involvement are crucial, fully open-source or copyleft licenses are preferable. These models ensure the freedom to adapt, improve, and verify software independently, allowing communities to foster innovation and contribute without restriction.

At DTV Electronics, we believe in giving users the freedom to run any software they choose. Our CmRat carrier board, equipped with interoperable Compute Modules, supports a range of options—including source-available platforms like Umbrel. However, we remain dedicated to true FOSS solutions like Nirvati and are committed to publishing and open-sourcing our hardware schematics. Check out our store for the latest in fully open-source products designed for complete user freedom.
