Skip to content

What 'Open Source' Actually Means (and Why GitHub Is Betting You Don't)

Right now there’s a letter-writing campaign asking you to contact California’s legislature and tell them a pending AI bill would destroy open source software. It’s polite. It’s well-produced. It’s pitched in the language of community defense. And it’s coming from a coalition that includes GitHub — which is owned by Microsoft — alongside Mozilla, Hugging Face, and Black Forest Labs.

Before you pick up that pen, I want to give you something the campaign is quietly counting on you not having: a working understanding of what “open source” actually is. Because once you have it, the whole ask falls apart. Not because these are stupid people making a dumb argument — the argument is clever — but because it only works on someone who’s never looked under the hood of a software license. So let’s look. This is one of those things that seems intimidating and turns out to be simple, and once you have it, you’ll spot this move every time someone tries it on you again.

Supporting democratic accountability for dangerous technology is not the same as trusting the government to get everything right — it’s refusing to let corporations be the only people who get to write the rules.

The law is California’s AI Transparency Act — Business & Professions Code § 22757 — and the fight is over an update to it called SB 1000. Strip away the legalese and it asks a reasonable question: if you’re putting a powerful generative-AI system into the world, should you be able to license it to someone else and then wash your hands of what they do with it?

The bill’s answer is no. It says that if you build one of these systems and hand it to a third party, you have to require — by contract — that they keep the system’s transparency features intact (the disclosures that mark content as AI-generated). And if you find out someone stripped those features out, you have to be able to cut off their access, within 72 hours of learning about it.

That’s it. It’s a transparency-and-accountability measure. It’s not a secret attack on free software. Is it perfectly drafted? No — legislators writing technology law almost never get the details exactly right, and there’s honest work to be done making the language track how software actually functions. But the goal is sound: don’t let the people deploying potentially harmful systems license them out and walk away.

Here’s how the coalition frames it. Open source licenses, they say, are irrevocable — once you grant someone the freedom to use, modify, and share your code, you can’t claw it back. That’s a real and genuinely important property of open source. And a law that forces you to build in a kill switch, they argue, contradicts that irrevocability. Therefore: this bill breaks open source. Therefore: oppose it.

On the surface, that has a ring of truth. Which is exactly why it works. So let’s take apart the two things it depends on.

The part they’re hoping you don’t know

Section titled “The part they’re hoping you don’t know”

Open source licenses come in two broad families, and neither one behaves the way the campaign implies.

Permissive licenses — MIT, BSD, and the like — are the loose ones. They let you do almost anything with the code, including redistribute it under additional terms of your own. That’s the key point: a permissive license already allows a company to layer extra conditions on top. So even if one of these AI systems were released under MIT, the company could add a compliance term and still be fully, legitimately MIT-licensed. The “irrevocability” objection doesn’t even bind here.

Copyleft licenses — the GPL family — are the strict ones, the ones built to keep software free all the way down the chain. And yes, these are irrevocable… as long as everyone keeps complying with the license. Here’s the part that matters: the GPL already anticipated exactly this situation. GPLv3 has a clause (Section 12; it’s Section 7 in GPLv2) that handles what happens when some outside condition — a court order, a contract, a law — makes it impossible to satisfy both the GPL and that condition at the same time. The answer the license itself gives is: then you stop distributing. The “escape valve” is written directly into the license text. The law doesn’t break the GPL. The GPL planned for the law twenty years ago.

In fact — and this is the detail that gives the whole game away — the Software Freedom Conservancy, an actual nonprofit that defends open source in court, points out that SB 1000 changing the word “revoke” to “terminate” makes the law track the GPL’s own language more closely. The amendment the coalition is fighting arguably makes things more compatible with open source, not less.

And then there’s the fact that quietly dissolves the entire argument: the systems in question aren’t open source in the first place.

The generative-AI products at the center of this — the ones actually deployed in California — are proprietary. The model weights are trade secrets. The heavy machinery runs on a company’s servers, reached through an API, and what you install on your own device is a thin front-end. None of the companies raising the alarm has named a single genuinely open-source AI system that the law would harm, because there isn’t one to name.

So the campaign is asking you to defend the freedom of software that was never free — using your real love of something real (open source) as a battering ram against a law that inconveniences a proprietary business model. That’s the shape of the move. Learn the shape, because you’ll see it again: whenever a corporation wraps its regulatory dodge in the language of your freedom, ask whose freedom is actually on the line.

None of this means the state is your friend or that this one bill is a masterpiece. It isn’t. Supporting democratic accountability for dangerous technology is not the same as trusting the government to get everything right — it’s refusing to let corporations be the only people who get to write the rules. You can hold both: the law needs work, and the companies telling you to burn it down are not doing it for you.

If you want to go deeper, read the Software Freedom Conservancy’s full breakdown — it’s the primary source for everything here, and they’ve posted a template letter to Senator Becker if you decide the accountability side is worth defending.

But even if you never send a single email, you walk away from this with the thing that actually matters: you now know the difference between open source as a legal reality and “open source” as a marketing sticker. That difference is going to keep mattering. Hold onto it.