On September 7, Lightbend announced license changes for the Akka project:
If you exceed a certain revenue threshold, you will need a commercial license to use future versions of Akka (2.7+) in production.
Within hours of the announcement, several people contacted the Flink project with concerns about the impact on Flink, because we use Akka internally.
The purpose of this blog post is to clarify our position on the matter.
Please note that this topic is still fresh and things may change. If there are any material changes, we will revise this blog post and notify you through regular channels.
There is no immediate danger to Flink, and we will ensure that users are not affected by this change.
Flink’s license will not change; it will remain under the Apache license and include only dependencies that are compatible with it.
We will not use the version of Akka with the new license.
For now, we will continue to use Akka 2.6, which is currently the latest version and can still be used under the original license. Historically, Akka has been very stable, and given our limited use of its features, we don’t expect this to be a problem.
At the same time, we will:
Watch how the situation develops (especially with regard to a community fork).
Look for an alternative to Akka.
If we create a community fork (which seems possible at the moment), we will switch to that fork wherever possible in 1.15+.
That’s a big unknown.
Although we will be able to upgrade to 2.6.20 in Flink 1.17 (obviously the last planned version of Akka 2.6), the unfortunate reality is that 2.6 will no longer be supported from then on. If a CVE is later discovered, it is unlikely to be fixed in Akka 2.6.
We can’t provide a definitive answer as to how we would handle such a case, as this depends on what the CVE is and/or whether a community fork already exists at the time.
Update – September 9: Akka 2.6 will continue to receive critical security updates and critical bug fixes under its current Apache 2 license until September 2023.
Will critical vulnerabilities and bugs be patched in 2.6.x? Yes, critical security updates and critical bugs will be patched in Akka v2.6.x according to the current Apache 2 license.
Akka is used in Flink’s coordination layer to:
Exchange status messages between processes/components (for example, JobManager and TaskManager).
Enforce certain guarantees for multithreading (that is, only one thread can change the internal state of a component).
Observe whether a component crashes unexpectedly (that is, notice and handle TaskManager thread crashes).
This means that we use very few Akka features. Also, our use of Akka is an implementation detail that the vast majority of Flink code is not aware of, which means we can replace it with something else without having to significantly change Flink.