Why isn't FusionAuth open source?
dan last edited by dan
Why isn't FusionAuth open source like some of the alternative user identity management systems?
The simple answer is that there are pros and cons to making our intellectual property open source. At this point we have chosen a closed source model for the core product but open source many components as well. All of the docs, website, client libraries, jwt library, mvc, and domains are open source.
We continually discuss this strategy internally and evaluate what is best for the longevity and quality of the product. From our perspective there is a misconception that open source equates to longevity. While it is true that anyone could fork and maintain FusionAuth if it was open source, many open source projects die because there is no maintainer. It is also possible that a company such as IBM - that now owns KeyCloak / RedHat could choose to no longer support KeyCloak, or change the source code licensing model. In other words, the licensing model does not necessarily mean it will be supported or properly maintained.
We understand this is a sensitive topic for many and we do certainly see positive aspects of making the entire platform open source. However, there are no current plans to modify our licensing model.
Is there a sunset provision of sorts that if the company were to fold the project would become open source so those who do depend on it can continue to maintain it or at least keep it going until we could migrate away? That right now is my last big concern.
who do depend on it can continue to maintain it or at least keep it going until we could migrate away
You could continue to run FusionAuth, self-hosted, until you were able to migrate away. The software wouldn't stop running if the company was no longer functioning.
Does that address your concerns?
@dan Slightly? The issue would still be there should you stop supporting it/company stops existing and then while people are trying to plan out a migration a large vulnerability is found and then unfix-able. It would leave the attack vector open until a migration could occur which could be a while with small teams.
I got an answer for you about sunset provisions.
We have discussed source code escrow options with clients in the past. We can also offer a source code release clause (in the event FusionAuth goes out of business). However, these are only options if you are on an Enterprise plan with a custom contract.
Hope that helps you make the right decision for your application(s).