olly - stock.adobe.com
Confusion mounts amid HashiCorp open source change
Ripple effects from HashiCorp's switch to BSL spread through the industry, raising questions among enterprise users and trepidation about the future of corporate open source.
Enterprise users and industry experts expressed concerns about using HashiCorp software and the future of corporate open source in the wake of the company's plans to move to a business source license.
HashiCorp revealed plans on Aug. 10 to move future releases of all its core products from a Mozilla Public License v2.0 (MPL 2.0) to a Business Source License (BSL). This includes Packer image builder, Vagrant development environments, Terraform infrastructure as code, Vault secrets management, Consul service discovery and service mesh, Nomad container orchestration, Boundary access management, and Waypoint app deployment workflows.
"What we see is a set of vendors who feel that they can take the open source products and effectively commercialize them on their own without contributing anything back to the broader community," co-founder and CTO Armon Dadgar said in a video explaining the change.
However, HashiCorp did not publicly name the vendors targeted by the move, leading to uncertainty about how HashiCorp will decide whether use of its software is competitive.
HashiCorp's blog post and FAQ as well as the video presentation by Dadgar emphasized that HashiCorp's goal is not to be disruptive to existing end users or partners. A HashiCorp spokesperson reiterated this in a statement to TechTarget Editorial this week: "We believe the change we have made is extremely narrow and allows the vast majority of users in our community to continue using our products in the same ways they always have."
But an answer in the original version of the FAQ that stated "the Licensor may make an Additional Use Grant, above, permitting limited production use" gave one user pause last week.
"If you look at TomTom right now, we are heavily using Terraform. And obviously the infrastructure that we build with it hosts our product that we use to make money. Is that a production use? What if we have secrets in Vault?" said Rick Rackow, expert site reliability engineer at the geolocation tech company in Amsterdam, in an online interview on Aug. 11. "I think it is. And for now, it's not competitive, so we should be fine. But what if they change their mind again?"
That portion of the FAQ has since been edited to read as follows.
All non-production use of BSL licensed HashiCorp products is permitted. Assisting a customer with their own use of BSL licensed HashiCorp products for their production environment is also permitted. Embedding or hosting BSL licensed HashiCorp products in an offering to be made available to multiple customers that is competitive with HashiCorp products is not permitted.
When asked about this specific case, a HashiCorp spokesperson told TechTarget Editorial this week that "all forms of production and non-production use are expressly permitted, with one narrow exception. Users cannot host or embed HashiCorp's community products and then offer them to third parties in a manner competitive with HashiCorp's products."
That statement did not explain specifically what HashiCorp would define as competitive, however. No matter what the answer is initially, the specter of HashiCorp changing its mind in the future under the terms of the BSL won't soon vanish from IT pros' imaginations.
"Licensing models like the BSL aim to strike a compromise but can come across as saying, 'We support free speech but only if we agree with you,'" said Andi Mann, global CTO and founder of Sageable, a tech advisory and consulting firm in Boulder, Colo. "The ambiguity of these licenses leaves more than enough room for various stakeholders to debate whether they genuinely foster innovation or if, in practice, they are primarily designed to protect revenue streams."
Competitors in the crosshairs
The news sent waves of discussion and debate reverberating through the enterprise IT industry in online forums, on social media and in press interviews. Some commentators expressed distaste for HashiCorp's decision while others defended it.
Meanwhile, HashiCorp's decision not to name the competitors it's targeting in any public statements so far is a mistake that has heightened this confusion in the market, said Paul Delory, an analyst at Gartner.
"For a lot of people, that's the question: 'Is this vendor still allowed? Is my use case still allowed?' he said. "They haven't really addressed that head on."
Paul DeloryAnalyst, Gartner
HashiCorp would neither confirm nor deny specific examples, but the names of some potentially affected companies have surfaced since HashiCorp's decision. Some of those companies have issued public statements that they are seeking legal advice about how to proceed when the BSL takes effect with future releases. These companies include a few that market products and services based on HashiCorp Terraform, such as Spacelift, Env0 and Scalr.
"Scalr's sales pitch, if you look at their website, is basically, 'We are an alternative to Terraform Enterprise or Terraform Cloud, and if you buy us, you don't need Terraform Enterprise,'" Delory said. "So clearly, that's right out."
A spokesperson from Scalr said, "We are working on an Open Terraform manifesto to preserve an impartial and community-driven path for Terraform."
HashiCorp didn't name specific companies in its post about the license change in part because it's open to negotiating agreements with companies that could be in violation of the BSL, according to a HashiCorp spokesperson.
"The change we made last week isn't really directed at any specific company, and we would want to be certain of how companies are using our products before suggesting they are in violation," the spokesperson said. "We also welcome and expect to have conversations with a number of companies about amicable partnership arrangements."
Pulumi, Crossplane will move away from Terraform providers
The utilities partners use to integrate with HashiCorp products, such as Terraform providers and Vault plug-ins, remain licensed under MPL 2.0. But two vendors that use Terraform providers have vowed to completely replace them in the wake of HashiCorp's open source decision.
"We have the option to use Terraform providers, although … we've moved further in the direction of Pulumi native providers," said Joe Duffy, founder and CEO of infrastructure-as-code vendor Pulumi, in an online interview Aug 11. "The Terraform providers and SDKs are unaffected by the relicense. [But] we have a longer-term plan around a new standard in this space, which we have industry support for, and this relicense will be accelerating that effort."
Similarly, a blog post from Upbound, commercial sponsor of the Crossplane project, indicated it will replace Terraform providers in future versions of its product.
"As Crossplane grows, we believe the community will benefit from having providers being maintained and owned by the cloud and infrastructure vendors," the post stated. "This ensures the highest level of quality and support for their product offerings."
Upbound has also identified performance improvements it can glean by moving away from integration with the HashiCorp Terraform command line interface, according to the post.
End of an era for corporate open source
This type of shift from open source to source-available licensing isn't a new phenomenon, but the pattern is beginning to have strong implications for the future of corporate open source software, said Donnie Berkholz, founder and chief analyst at independent analyst firm Platify Insights.
"The biggest concern is a lot of the earliest adopters or those who see [a project] that could almost meet their needs, but they have to develop it. They have to make changes to it. This could have a chilling effect on those early adopters," Berkholz said. "They don't want to contribute changes back anymore because they don't want to give things to some corporate beast that's just going to take their work and use it for profit."
Throughout the industry, the mismatch between the open source ethos and the need for a viable business model among open core vendors remains an unsolved problem, Delory said.
"A lot of the corporate open source is now suspect, unless it's in a foundation," he said.
Meanwhile, "this is going to get really weird at big companies," Delory said. For example, a multi-national corporation whose German subsidiary builds a utility using Terraform that its U.S. subsidiary -- legally a separate entity -- wants to use finds itself in a gray area for the time being, he said.
"There's going to be all sorts of weird permutations of this that are going to have to be sorted out by lawyers," he said. "That's my standard answer to most of these questions: talk to a lawyer."
In response to this example, a HashiCorp spokesperson said that if the utility in question was only for internal use, it would not be considered competitive under the BSL.
Ultimately, the many-layered nature of most enterprise software may also hold thorny implications in the wake of this move if more project sponsors make similar license changes, Berkholz said.
"If you're doing this, but you're building upon all these dependencies that are open source the next level down, what does that mean if they start doing it too?" he said. "Suddenly you lose that ability to innovate and move faster that open source has been all about for the past 20-plus years."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.