Mittwoch, 24 Oktober 2023

HashiCorp's Licensing Shift: A Closer Look At The Open Source Controversy

Andreas Mondel

General Counsel

In the ever-evolving world of technology, the debate around open-source licensing has taken a new turn, thanks to HashiCorp's recent decision to change its licensing model. This move has sent ripples through the tech community, leading to discussions, debates, and concerns about the future of open-source projects and their commercial viability.

A Brief Overview of HashiCorp's Journey

HashiCorp, renowned for its infrastructure-as-code offerings, has been a beacon in the open-source community. With products like Terraform and Vault, the company has built a robust ecosystem around its open-source strategy. Terraform, in particular, has become synonymous with infrastructure automation, gaining such popularity that it's often referred to as a verb in tech circles.

However, on August 10th, 2023, the company dropped a bombshell: HashiCorp announced its decision to transition from the Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL) v1.1. The center of the debate is the wording of the Additional Use Grant: “You may make production use of the Licensed Work, provided such use does not include offering the Licensed Work to third parties on a hosted or embedded basis which is competitive with HashiCorp's products.” This sudden shift has left many in the community feeling blindsided and concerned about the implications for the broader open-source ecosystem.

The transition to BSL is not just a simple licensing change. It represents a fundamental shift in how HashiCorp interacts with its community and commercial partners. Under the new license, any entity deemed a commercial competitor by HashiCorp would be required to pay for BSL licensing rather than leveraging the free open-source versions of its products.

This move has raised several red flags:

1. Potential Legal Risks: The new licensing model introduces legal complexity for businesses. The vagueness of the term "competitive" leaves companies in a state of uncertainty, wondering if their use of Terraform and other HashiCorp products might suddenly become a legal liability.

2. Threat to the Open-Source Ecosystem: There are genuine concerns that the vibrant community built around HashiCorp's open-source products might wither away. As developers and companies re-evaluate their tool choices, there's a growing sentiment that they might lean towards alternatives that remain genuinely open-source.

3. Broader Implications for Open-Source Projects: HashiCorp's decision has broader ramifications for the open-source world. It raises questions about the sustainability of open-source projects and the potential for sudden license changes that could jeopardise community trust.

HashiCorp's Defense - The Community Strikes Back

HashiCorp, on its part, has defended its decision, citing concerns about vendors exploiting open-source models for commercial gains without giving back to the community. They argue that the shift to BSL is necessary to ensure that commercial users contribute fairly to the ecosystem.

In response to HashiCorp's announcement, a group known as Open Terraform (OpenTF) emerged, advocating for an alternative solution. This group, representing a significant portion of the community, has "forked" Terraform, creating a new open-source codebase with its distinct licensing and management structure. Their "Open Terraform Manifesto" (Link) is a testament to the community's commitment to keeping Terraform open-source and highlights their concerns about HashiCorp's new direction.

Subsequently, to avoid any trademark-related issues with HashiCorp, OpenTF underwent a rebranding and became OpenTofu before finding a patron in the Linux Foundation. This initiative aims to offer a genuine open-source counterpart to Terraform, ensuring the tool's continued community-driven development, free from the overarching influence of any singular corporate entity.

OpenTofu's mission is clear: to function as a drop-in-replacement for Terraform, while also introducing novel features. This endeavor is being championed by companies such as Spacelift, Gruntwork, Harness, Env0, and Scalar. All of these entities operate within the Terraform ecosystem and are staunchly backing OpenTofu, pledging resources to foster its evolution.

Legal Implications of the Licensing Change

HashiCorp’s shift from the Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL) v1.1. legally prohibits the embedding of Terraform in products that compete with HashiCorp. This change has significant implications for the DevOps community. While businesses not embedding or distributing Terraform remain unaffected, others must reassess their reliance on Terraform, potentially seeking alternatives or custom licenses from HashiCorp. In more detail:

Open Source Users: Generally, non-commercial users might not be impacted. However, seeking legal counsel is advisable.

Enterprise Users: Tools like Flux and tf-controller are believed to align with HashiCorp's conditions. Companies potentially competing with HashiCorp should consult legal experts.

Cloud and SaaS Users: Those relying on a SaaS integrating with Terraform might face challenges, especially if they present alternatives to HashiCorp Terraform Cloud.

In-house Automation: Companies using Terraform for internal automation purposes are likely unaffected. However, this is only true as long as HashiCorp does not make all Terraform use cases paid in the future.

DevOps Product Companies: Businesses embedding Terraform in their products face substantial risks, as many DevOps tools have Terraform integrations.

DevOps System Integrators: System integrators distributing pre-baked Terraform modules should consult HashiCorp to ensure their platforms aren't viewed as competitive, possibly necessitating a custom license.

Non-DevOps Companies Using Terraform: Companies outside the DevOps realm but embedding Terraform in their products, especially those with foundational dependencies on Terraform, should consider obtaining a custom license from HashiCorp.

The Wider Implications and Community Response

HashiCorp's licensing controversy and OpenTofu's subsequent rise underscore the intricate equilibrium between commercial aspirations and the tenets of open-source software. As firms endeavour to monetise their products, they run the risk of distancing the very communities that were instrumental in their initial success.

OpenTofu's positioning as a "safe harbour" for businesses and developers worried by Terraform's licensing transition is indicative of the open-source community's resilience and adaptability. At the Open Source Summit Europe in September 2023, David Béjar, Head of Software Engineering at Allianz, emphasised that the shift to OpenTofu was not merely technical but also strategic, ensuring a secure future with a focus on innovation, flexibility, and safeguarding customer interests.

OpenTofu's Envisioned Future

OpenTofu's strategy is clear-cut: to provide a reliable and genuinely open-source alternative to Terraform. The project's rapid development has been bolstered by the Linux Foundation's patronage, benefiting from its open-governance expertise, technical steering committee, infrastructure, and legal counsel.

OpenTofu's long-term ambition is to become a project under the Cloud Native Computing Foundation (CNCF). The first stable release of OpenTofu is on the horizon, with its public GitHub repository already accessible for experimentation (Link).

The “Delicate Balance” between Open Source and Commercial Use

OpenTofu's emergence and rise in reaction to HashiCorp's licensing changes offer an insightful look at the intricate dependencies of open-source software and its commercial exploitation. As Gruntwork Co-Founder Yevgeniy Brikman pointed out a few weeks ago (Link), there is a delicate balance to be upheld between providing high-quality, free, open-source software to a community of thousands of developers and - at the same time - running a sustainable business.

On the one hand, you want (and need) to commercialise some parts of your project to cover the development and maintenance costs, first and foremost your employees that create and maintain such a project. On the other hand, if you commercialise too much of your project, you’ll have problems growing - or in HashiCorp’s case maintaining - the very community that uses and supports your project.

HashiCorp's future now hangs in the balance. It may well successfully transition to a more traditional commercial enterprise model, or the backlash from its community may lead to a decline in its influence and relevance. Only time will tell.

Marcin Wyszynski’s thoughts on the situation

We reached out to Marcin Wyszynski, one of the members of the OpenToFu steering committee and CPO at Spacelift, to get his thoughts on the situation:

“As OpenTofu, our decision is not to focus on the past, and on the merits or ethics of HashiCorp's decisions: we thank HashiCorp for their past stewardship of the project, we acknowledge their right to make a difficult business decision, and we promise to carry the FOSS torch for years to come in the interest of the entire community.”

On a Personal Note

We at Nexode Consulting have decided to transition all our legacy, current, and future Infrastructure-as-Code projects from Terraform to OpenTofu to safeguard our customer’s interests and eliminate any (potential) licensing ambiguities.

Nexode Consulting is a strong believer in the open-source concept and supports OpenTofu wholeheartedly. That is why we pledge to use OpenTofu for all future Nexode projects and why we implore all former Terraform contributors to follow suit.

Nothing has shaped software development more significantly and has brought more value to so many people than the open-source concept. It is up to us, to community behind open source, to make sure the success story of open source continues!

Share this article!

NEXODE CONSULTING GmbH

OBERWALLSTRAßE 6

10117 BERLIN