The project license at time of writing GPL-3+-with-additional-terms-1 is non-ideal. rationale: [1]
While that license makes sense, it’s a non-standard license, while DFSG approved, not (directly?) OSI / FSF approved, not compatible with REUSE compliance / SPDX license identifiers.
(A)GPLv3(+) seems to be a strong enough license as the usual cloud companies are not daring to touch it. references: [2]
This change has been discussed privately with current major code contributors and there have been no objections. (Also for the previous license change there were no objections.)
The rationale for this is preventing cloud companies from hosting a cloud version of Whonix (or Kicksecure where this will also change) without releasing the source code for their changes. No existing users that we know about will be affected.
There was at least (probably small) cloud company that was interested in hosting Whonix in the cloud. (related: [4]) Nothing materialized at time of writing.
Does this mean that servers running Whonix (or Kicksecure) need to Open Source all their source code? While this isn’t legal advice or a legal statement (because no legally solid (non-risky) statements can be written without the help of a lawyer)… No, this is not the case. That would be the case if it was the SSPL (Server Side Public License) (which is not approved by either OSI, FSF or DFSG). This is probably why eleasticsearch didn’t feel their AGPL is sufficient. See also AGPL vs SSPL. There is also AGPL(v3)(+) software in Debian so if this was an issue, this would probably be already widely known.
AGPLv3+ is of course a FSF, OSI and DFSG approved license.
Should AGPLv3+ be an issue for some software by Kicksecure / Whonix, then these cases can be discussed. For example, recently for apparmor-profile-everything a license change was suggested which I will very most likely grant. [3]
related:
[1]
[2] War on the GNU General Public (Copyleft) License
[3]
[4]