Welp, #opengrep (https://www.opengrep.dev/) is a great example of something that seems like it was a reasonable thing to do, but put together by people who do not understand community relations or messaging.

It's pretty clear that what really happened is that Semgrep moved some features from their LGPL-licensed open-source core into their proprietary-licensed "pro" product (and there were some license changes around community rules, but those were never open-source anyway, so that's whatever).

A bunch of companies that compete with Semgrep at some level relied on those features. They had pretty limited choices to respond, and decided to fork semgrep-oss into opengrep, and commit to giving it to a foundation to defend against future license changes. This is the least-bad outcome for the community (more on that in 🧵 ).

However, the way they made the announcement tries to cast Semgrep as a "bad guy" and act like the opengrep cabal is somehow a champion of open-source -- which is precious because they contributed very little to the open core as it was.


Here's what #opengrep should have said, IMO:

"Semgrep has made the decision to move some previously-open-source features under a proprietary license for any future development. This left us with a problem to solve, as our customers -- and other users of semgrep-oss -- rely on those features.

We respect Semgrep's business decision. Nevertheless, our concern about this decision and the message that we can't rely on their "open core" to continue to provide popular features has led us to exercise our rights under the LGPL and create Opengrep. We're committed to changing our products to use this fork in order to preserve the features our customers rely on, and intend to place governance of the project into the hands of a non-profit foundation to ensure that no single vendor can change licenses or remove features in the future.

We believe that there's a place for both opengrep and semgrep-oss, and are hopeful that good ideas can cross-pollinate between the projects."

The reality is that these vendors, if they don't want to screw over all the custom rules they wrote and all the features they rely on, only had a handful of ways to respond:

  • maintain a private fork; LGPL makes this complex, and you end up with a myriad of different engine variants. This is expensive and locks away any future innovations.

  • stay on an old version with the open features; this is insanity -- there's no path to upgrade, which means no path to fix any discovered security vulns either.

  • pay semgrep to license the tech commercially; while this would be a good outcome for many participants, it's also not likely. Semgrep considers many of these companies competitors and cited that competition as the main reason to wall off features.

  • create a community fork and give it to a foundation, which is what they chose.

None of these are good options, but the thing they chose keeps features available to the community and protects against future license changes by taking that decision out of a single vendor's hands. The risk is that opengrep doesn't get maintained well, but in that case the community isn't any worse off; the fork just fails to improve matters.