by aragilar 770 days ago
I'm not sure how Kubernetes is high risk, given the CLA is to CNCF. Similarly, CLAs to the Apache Foundation, the FSF or similar are probably pretty safe (in that they have a long term interest to be good custodians for the IP), and could be safer than projects that lack a CLA but don't have (or only a few) outside contributors.

To me, the obvious questions are who owns the IP, and what are their incentives to maintain the current licensing.


This is a good critique. Measuring intent of an organization may be difficult to do methodically and impartially, so it's not currently covered. Personally I was surprised to see Redis change license after Redis Labs promised not to change the license. I think that promise was made with good intent but overwhelming financial pressure that emerged later on swayed them.
I'm pretty sure most instances of relicensing have had a previous claim that wouldn't happen, so I wouldn't assign too much weighting to that (if anything, it should be a red flag to look into what the IP situation is).

I think there are a bunch of questions you can ask:

* Why is the software open source (if licensing/contractual requirements make it so, that's more likely to keep the status quo vs. corporate claims of "we <heart> open source")?

* Who owns the copyright/IP (and what's their reputation)?

* What would happen if the license changes (is there an ecosystem that relies on it being open source, or is it a black box)?

* Who cares what the license is (e.g. BerkeleyDB was relicensed, which got old versions frozen in Linux distributions, so no-one upgraded to newer versions, and replacements were written)?