HashiCorp, the maker of widespread open source infrastructure as code (IaC) tooling such as Terraform and Vault, announced last week that it is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License v1.1 (BSL 1.1) on all future releases of HashiCorp products. HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0. The initial community reaction has primarily been negative.
BSL 1.1 (often acronymized, perhaps more correctly, to BUSL 1.1) is a source-available license that allows “copying, modification, redistribution, non-commercial use, and commercial use under specific conditions”. Armon Dadgar, co-founder and CTO of HashiCorp, stated in the announcement blog post that other vendors have made similar changes in licensing:
With this change we are following a path similar to other companies in recent years. These companies include Couchbase, Cockroach Labs, Sentry, and MariaDB, which developed this license in 2013. Companies including Confluent, MongoDB, Elastic, Redis Labs, and others have also adopted alternative licenses that include restrictions on commercial usage. In all these cases, the license enables the commercial sponsor to have more control around commercialization.
Dadgar continued by stating the current goal is to “minimize the impact to our community, partners, and customers”. The HashiCorp team will continue to publish source code and updates for their products to their GitHub repository and distribution channels.
The primary friction points within the community related to this licensing change revolve around the “commercial use under specific conditions” clause and production usage of future BSL-licenced HashiCorp products. The announcement blog post makes clear the intention of the license change for “competitive services”:
End users can continue to copy, modify, and redistribute the code for all non-commercial and commercial use, except where providing a competitive offering to HashiCorp [...] Vendors who provide competitive services built on our community products will no longer be able to incorporate future releases, bug fixes, or security patches contributed to our products.
Discussion of the license change announcement on HackerNews included responses from many vendors building on top of HashiCorp’s OSS products or providing competing solutions. There were several calls to create an open source fork of Terraform, although others quickly pointed out that it was too early to implement this. Similar discussions could also be seen on Twitter/X.
Alexis Richardson, CEO of Weaveworks, noted on Twitter that most of the community discussion is focused on Terraform and its integration into the broader ecosystem rather than the other HashiCorp products and their influence:
There wouldn't be half as much shouting if [HashiCorp] had switched vault to BSL but left Terraform as open source
Why?
Terraform has become a standard, distributed and remixed by 1000s of tools. Now they're all interwoven with BSL and no one knows what that really means
A related GitHub issue has been opened on the Cloud Native Computing Foundation (CNCF) repository, “Investigate MPL -> BUSL Changes/Impact”. The CNCF hosts many widely adopted and influential projects within the domain of cloud native software delivery platforms and tooling, including Kubernetes. Benjamin Elder, a Kubernetes maintainer, noted that while “[K]ubernetes core doesn't depend on any [HashiCorp] libraries, plenty of subprojects do”.
Reacting to the news, several people on Twitter/X and Hacker News cautioned of the adoption of open source software when a single vendor is acting as maintainer and steward of the community. Hacker News user, alexandre_m, commented:
If a project on GitHub only has maintainers from the corporate side, you can be certain that they will ultimately drive the product for their own interest solely.
We should always pay close attention to the governance model of projects we depend on or that we wish to contribute to.
Adam Jacob, CEO of the System Initiative, discussed the untapped potential of the community and business motivations for making such a license change:
If HashiCorp had developed their open source community into a diverse and broad one, they would have been the lingua franca of the cloud. But since they failed to do that, the only rational move is to extract as much money as possible from what remains.
Others, including Chris Aniszczyk, CTO at the CNCF, highlighted that donating open source projects to vendor-neutral foundations can hedge against issues related to a single vendor project:
Corporate open source that is controlled by a single vendor and not in a neutrally owned open source foundation is part of the problem here… this wouldn’t [have] been an issue if the projects were in [the Apache Software Foundation] ASF or @CloudNativeFdn
Several organizations have issued statements responding to the HashiCorp licensing changes, including Weaveworks, Pulumi, Spacelift, Gruntwork, env0, and Upbound.
HashiCorp has published a licensing FAQ for readers interested in learning more.
Update 16th of August, 08:00 UTC: The OpenTF Manifesto has been published and contains an initial list of 80 co-signatories: "Our aim with this manifesto is to return Terraform to a fully open source license. BSL is not open source, so this would mean moving Terraform back to the MPL license, or some other well-known, widely accepted open source license (e.g., Apache License 2.0)."