All that I get from this is that HashiCorp is no longer an open source company.

> However, there are other vendors who take advantage of pure OSS models, and the community work on OSS projects, for their own commercial goals, without providing material contributions back. We don’t believe this is in the spirit of open source.

This is 100% in the spirit of open source. If this is a problem for them, why not adopt an open source license that compels developers to open source their code instead, like the AGPL?

This is purely a way for HashiCorp to ensure they are the only ones who can commercialize these formerly open source projects. Which is fine. But just go closed source, then, and own that, instead of trying to have it both ways.

That's pretty disappointing. I personally haven't used much beyond vault (I've used but not enjoyed or built anything on terraform), but this is pretty diametrically opposed to what I appreciated most about hashicorp products. Heck, I've even contributed a chunk of the code I use the most from vault (Cert management) and now I'm going to have to reevaluate whether I can attempt to use that service for customers going forward, and whether I will contribute ever again.

It definitely feels like the whole era of VC drying up is bringing out the worst possible future for some of these non GPL/similar licenses. Which is unfortunate for any of us who have deliberately learned only OSS and operations around it, giving back the whole time, with dreams of building services that leverage that knowledge someday as a chance to be our own boss while also utilizing and giving back to the OSS that got us this far.

> As a result, we believe commercial open source models need to evolve for the ecosystem to continue providing open, freely available software.

To imply that a non-open-source license like the BUSL is part of such an evolution of "open source" models (commercial or otherwise) betrays either severe confusion or a deliberate attempt to mislead.

Like, has anyone of any significance used a Hashicorp product to meaningfully compete with Hashicorp?

Funny how @mitchellh has decided not to join the conversation. Pretty sure he had the ultimate input on this decision, and historically he's engaged with HN directly. Hmm.

Overall it seems like a loser move. Look what happened to Elasticsearch - to me and most others, ES no longer exists. I've happily moved on to OpenSearch and not looked back at poor kimchi. Due to their own actions, Elasticsearch is no longer relevant.

Will Hashicorp's move spur a similar effort to fork the last open-source license version of Terraform and other Hashicorp tools? What other choice is there when the creator gets petty and insecure, and goes hostile against the open source community that helped create it? Extremely disappointed with the Hashicorp leadership team. MitchellH and your little sidekick Armon Dadgar - you owe your community better than this.

I interviewed with Hashicorp back in 2016 and ended up turning down the job. I used to have a small amount of regret about this decision, but now that true colors have been revealed, I know I made the right call.

What's that saying about trust?

Trust takes years to build, seconds to break, and forever to repair.

It's surprising to learn that people I thought were so smart could turn out to be this dumb!

Inevitable end for every open source company since the free money ended. What bothers me is that wording is vague enough.

> HashiCorp considers a competitive offering to be a product or service provided to users or customers outside of your organization that has significant overlap with the capabilities of HashiCorp’s commercial products or services.

So, consider there is no cost estimate service and you built a thing that got popular (https://github.com/infracost/infracost). Then after 2 years Terraform Cloud catches up. What happens? Are you out of business?

From https://www.couchbase.com/blog/couchbase-adopts-bsl-license/ it says:

> BSL provides a Change Date usually between one to four years in which the BSL license converts to a Change License that is open source, which can be GNU General Public License (GPL), GNU Affero General Public License (AGPL), Apache, etc.

So to me the most important question is what is the change license and how long does it take? If it's 1 year then it goes MPS 2.0: okay that's fine. But if it's much longer and more restrictive than it's a real about face and means the opensource version is really not workable as it's too far behind the head.

--- EDIT:

> 4 years, MPL 2.0

https://www.hashicorp.com/license-faq#What's-the-difference-...

4 years is basically "of historical interest" only especially when security is involved.

Dunno about others, but I always ask myself where these companies would be if their software was under non free license from the start.

This is hostile to end users, small people an companies, not just big megacorps wanting the "steal" the code and run it as a service. Be successful in running and using Hashicorp's software, and they decide to shut you down if you are deemed a competitor.

HashiCorp's CLA page from two months ago (https://web.archive.org/web/20230610041432/https://www.hashi...):

"We require our external contributors to sign a Contributor License Agreement ("CLA") in order to ensure that our projects remain licensed under Free and Open Source licenses such as MPL2 while allowing HashiCorp to build a sustainable business.

HashiCorp is committed to having a true Free and Open Source Software ("FOSS") license for our non-commercial software. A CLA enables HashiCorp to safely commercialize our products while keeping a standard FOSS license with all the rights that license grants to users: the ability to use the project in their own projects or businesses, to republish modified source, or to completely fork the project."

It's disappointing that the non-legal text on the page repeatedly suggested that signing a CLA would help keep HashiCorp projects open source when the actual text of the license agreement made no such claims.

We built our OSS company (Apache 2.0) with Nomad at its core. We provide game server orchestration with a handful of services around it, which could be misconstrued to be considered providing a "competitive offering to HashiCorp." Needless to say, we'll be freezing our Nomad version at the last MPL version because of how vague the license is (intentionally).

We also use CockroachDB which uses BSL, but we're not providing a remotely competitive offering.

I'll likely continue to recommend HashiCorp products (Nomad, Consul, Terraform, and Packer) to anyone who asks my advice, but it's disappointing to hear this change.

We maintain a rudimentary SBOM for anyone curious: https://github.com/rivet-gg/rivet/blob/main/docs/infrastruct...

Nothing wrong with this imo. I actually hope more open source projects start with a business source license if their ultimate goal is to become a SaaS platform.

I think we've seen time and time again large enterprises abusing the spirit of open source for their own monetary gain, contributing nothing back, and just acting in bad faith.

> Why is HashiCorp making this change? > > We strongly believe in the value of openly sharing source code and enabling practitioners to solve their problems, building communities, and creating transparency. HashiCorp provides feature-rich products to the community for free, and that development is made possible by our commercial customers who partner with us. By shifting to this license, HashiCorp can better manage commercial uses of our source code and continue to invest in our thriving community of practitioners, many of whom are contributors, in a manner that will not impede their work.

i strongly appreciate the FAQ but this part felt weak/not the whole truth. What is not being said? who is hashicorp afraid of? there wasnt a doubt in my mind before and now there is.

indeed i just saw a startup demo today show off a feature that they admitted was just Vault in a wrapper (they even called their thing Vault haha) and that was it, but i would not have thought Hashicorp would mind them at all (its a very new startup)

It is important to understand that there are two kinds of open-source software:

- Software made by startups that are precious to HN. In this case, building a business on top of them is "freeloading" and it's deeply immoral. Examples: Elastic, HashiCorp, Mongo

- "Public good software", there's nothing wrong with profiting from it, in fact, it's encouraged. Examples: Linux, Postgres, Nginx, Apache

At this point if you are actively spending time and effort contributing to any open source project while not being affiliated with (and getting paid by) the company that manages it, know that you are being taken for a ride. Your contributions are eventually going to be moved under a non-open license so the company in question can secure their revenue stream and you can do nothing about it.

I love hashicorp's software. I just wish their enterprise licensing models weren't so outlandishly expensive for small to medium companies. I wouldn't go so far as to call their vault pricing outright predatory, but it comes close.

I’m really loosing faith in Hashicorp recently.

Moving away from the easy-to-predict flat rate Team pricing and to a new model based on number of managed resources ($0.000004 per resource per month or something like that) was just wacky…

… and now this “you can’t make money from the software you helped write” BS.

Bait and switch. Don't sign CLAs.

https://drewdevault.com/2023/07/04/Dont-sign-a-CLA-2.html

This is the first time I hear of BSL. So here's my problems with it (and the article).

1. The article doesn't link to the actual text of the BSL in use. Link it please!

2. In my understanding, all BSL 1.1 are different, and differ by 2 factors: Additional Use Grant and Change Date. Those are both reasonable ideas but I wish they went a step further and the license would be formatted like Creative Comons. That one also provides versions that differ from use to use but you can instantly tell from the title which version is applied. I wish there was an official "BSL 1.1 4year non-compete" name for this with a good general definition of "non-compete" (and a few other common commercial uses to be granted).

I’m a full time engineer, working on OSS for more than a decade.

As much as I love open-souce, I get the point that there are a bunch of freeloaders using stuff and not contributing back.

Scalr Founder/CEO here.

There are a few realistic paths forward from here, to be confirmed when Hashi releases the full license they intend to use.

1. The Terraform community is large and talented, and we care intensely about open source. There will be a fork that remains open, and I'm hoping we can get all the commercial vendors and interested parties to be joint custodians of it. Like joeduffy says, their arguments are disingenuous, and their taking down of previous videos on their open source philosophy is too.

2. There is likely a Bring-Your-Own Terraform path, letting users supply their own Terraform for executing their code, and a commercial ecosystem that dispatches code and processes response with their own secret sauce. Just like you'd do with GitHub Actions.

3. Meanwhile, Terraform up to 1.5.5 is still open source, it's still amazing, and can still be used with the dozens of commercial tools out there.

All this implies is that Hashicorp is no longer an open source company. Many of Hashicorp's actions like this one run completely against the nature of open source software. Another example is `Hashicorp Vault Secrets` - which they just launched as a closed-source SaaS only tool.

I'm obviously very biased, but take a look at Infisical as an open source alternative to Vault: https://github.com/Infisical/infisical (we run under MIT + some enterprise features).

Honestly, I've been pretty disappointed with HashiStack for a while. It always seemed like they didn't really take any minor contributions unless requested from a customer (i've been waiting for terraform to support a 2-3 year old vault PKI keys for a while). They also dark patterned their website recently to make download links and documentation hard to find.

I've seen one quote when we wanted to buy Vault Enterprise for peace of mind (we did not need namespaces), and well, it was completely out of reach. Moon prices. No wonder people turn to someone else hosting these products for them.

Boost Software License 1.0 - BSL-1.0 [0]

Business Source License 1.1 - BUSL-1.1 [1]

0. https://spdx.org/licenses/BSL-1.0.html

1. https://spdx.org/licenses/BUSL-1.1.html

Meh.

Sure, it's hard to make money in open source. I spent 20 years doing it. It ain't easy.

But here's the thing: open source also helps you accelerate a business you might not otherwise be able to build. You get market validation by giving away a free thing, and then you hope to be able to collect some revenue on the backend once you've got a large enough user base, a proven product, and maybe even some contributors. Maybe even a whole ecosystem. You think VCs would have thrown all that money at a thing with no users?

Want to throw it all out? Fine. That's your right. But it's not gonna stop companies from forking the last open source licensed codebase and taking your cookies.

Open core is a thing. You can be good at it, and users understand and respect it. You would think that Mitchell would have learned after his failure to monetize Packer that he needed an actual proprietary value prop to build around before he built Hashi. Guess not.

You can't have it both ways.

This happens because our companies basically want vendors with open code, not open source.

Open source implies a model of collaboration between different organizations. A single vendor, even with an OSI license, does not an open source project make. And we have only ourselves to blame. Most companies can’t spare their developers for open source development - it’s time consuming and frankly open source is the outlier in how we think about code ownership and development. It’s hard to be a good steward. It’s hard to pitch the upside of such an abstract investment. In the end, actually want vendors, strongly opinionated solutions, managed by a single entity, but vendors we hire to let us treat their code as open and extensible.

I wonder if this era of single-vendor “open source” will be looked at not because it redefined open source but because it changes how we think about vendors, expecting certain types of code access and transparency.

Over the years, I think most people came to understand "open source" as something closer to "free software". However, that's clearly not the case for projects controlled by a single entity that require copyright assignments from contributors.

Copyright assignments are put in place for exactly this (allowing a single entity to relicense the whole codebase unilaterally based on their own interests), and we should maybe come up with a better term than "open source" for projects in this situation.

HashiCorp’s problem is not competition. I started using Terraform Cloud three years ago for my small department. Prior, I had introduced Terraform Enterprise at a large company. I was initially excited at how much easier it was to get going on TFC than TFE. Of course, that’s often the way of Saas.

For the next two years, HashiCorp provided virtually no enhancements to TFC except cosmetic changes. I submitted feature requests for small and large challenges. Sometimes I was even met with argument. Meanwhile, several competing services were born, likely out of necessity of their own founders. Ultimately I had to switch and about halfway out the TFC door they announced their bizarre pricing model changes.

HashiCorp had years and years to build a quality commercial product on top of Terraform but squandered the opportunity.

At first this reminded me of the Docker arc but it may be more like Chef.

It’s really interesting when someone takes contributions under the MPL license for years only to relicense later under a restrictive license.

IMO they should just avoid open-sourcing the cloud platform if they want to sell it.

Also, why not just have gone with GPL since the beginning to at least benefit from the repackaging too?

The so-called "Business Source License" always seemed like a huge crock of shit. What criteria is used to determine if another project is competitive with Hashicorp? Ansible modules exist to create cloud resources, and they exist in an actually open ecosystem without being built on terrible DSLs.

To be honest I'm not a huge fan of the wringing about the OSI definition, but it exists for a reason. This whole article is just another example of corporate gaslighting. If you don't define this and prevent that definition from being acquired, you're going to keep having CEOs define open source on how they 'feel', and you won't have the 'spirit' of open source at all.

I mean it's literally the BS License. You really can't even make that up.

As others have pointed out, businesses should just ditch FL/OSS licenses as a whole and be a closed source product from the start.

There's a pattern here that, person builds an open source product, gets corporate sponsoring, funds a company, then suddenly the open source product steers away from open source because it's upsetting the corporate sponsors.

If you're so bothered by others using your work and not giving back (something that is ENTIRELY allowed by FL/OSS licenses), why make it open in the first place?

It kinda passes the image that these companies want to benefit from free work, but the moment someone uses their product for free and doesn't give back, it's just a nuisance for them.

as always, the hobbyist linux hacker is the problem (/s)

Quick reminder that open source is not a business model. If you can't compete on service, you will always end up doing this to try to slow down your competitors.

On an unrelated note, I've always loathed their antagonistic approach to users and hope their company dies so the industry can standardize on less crappy cloud configuration management tool. But unfortunately incumbents take a very long time to defeat.

I don't know if I've ever seen so many useful Open Source software products go proprietary at once; Vault, Consul, Terraform are all useful parts of many people's stacks, that they chose specifically because of their licence.

Hopefully they all get forked (or existing forks take off), and it is just a matter of the community converging on the winner that we all use in the future.

Did they have to get signoff from all contributors to relicense? I can't imagine this was a popular move for the people who contributed outside of hashicorp.

While I do understand the reasoning in their FAQ on the subject (https://www.hashicorp.com/license-faq). I however failed to noticed those intentions in their license text (https://github.com/hashicorp/nomad/commit/b3e30b1dfa185d9437...).

Specifically the part in FAQ which says "internal production use is fine", but then license says that "non-production use only" and then "You may make production use of the Licensed Work, provided such use does not include offering the Licensed Work to third parties on a hosted or embedded basis which is competitive with HashiCorp's products.".

IANAL, but even to me this statement is full loopholes. WHO do we consider 3rd party? WHAT do we consider "hosted or embedded basis"? WHEN do we consider it "competitive with Hashicorps products"?

I fully support hashicorp’s prerogative to be paid for their hard work, but I am also glad I did not enter the ecosystem.

Looks like it stays k8s + pulumi + ansible for me.

I do think they’ll be able to benefit from this though — serious businesses that derive value from their offerings should be comfortable paying more/something for the value they’re receiving.

Honestly speaking, I'm not surprised, not because it's HashiCorp, because they are moving away from BSD/MIT style license to a much more restrictive source-available style license.

"Open Source" software always have been loved by companies because it provided extreme flexibility (closed forks, forks for customers, secret sauce addition, etc.), plus announced the message that their code is free for all, given there's no warranties.

These companies have skipped more nuanced licenses such as Apache, MPL, EPL even GPL in some cases, trusting that every actor in the software landscape is rational and ethical.

The idea was nice, but it involved humans.

After a couple high caliber forks, HashiCorp indeed felt the pain, and reflexively they moved to BSL.

What they forgot is their initial license has been designed to allow this in the first place. MIT/BSD/Expat is not suitable for monolithic code bases of this size, but people won't listen.

On the other hand, the code is HashiCorp's. They can do whatever they want with the code they write and put out there. They decided to change the terms they share their license, and nobody can say anything about it.

Is it ethical? No. Were the forks were ethical? Depends on motivation.

These things happen when you choose a license without much consideration for the future.

Maybe we shouldn't abuse Open Source software this much and embrace "Free Software" more, but this is just me.

So, at the end, "market forces" abused HashiCorp and, HashiCorp reacted. This is a normal impact/response event. Nothing extraordinary.

Edit: While one may argue that this is also similar with RedHat/IBM, The impact of the change, the number of broken promises, ecosystem dynamics and the motivation behind it make it different, yet I don't want to double the size of this comment.

Luckily I've just remembered I don't need to maintain or contribute to terraform providers anymore.

Well, the timing is right: env0 just raised 35m in CV and now Hashicorp says you cannot offer something similar to Terraform Cloud anymore.

> However, there are other vendors who take advantage of pure OSS models, and the community work on OSS projects, for their own commercial goals, without providing material contributions back.

Vendors like Hashicorp, that take advantage of contributors who give away their work(PRs) under the MPL, only to then have this work relicensed to a different license?

Hashicorp could just request the source code from those "vendors" (after all, the MPL has copyleft) and integrate their changes. (They have to be users first but this shouldn't be that big of a problem).

I wonder who the freeloader really is. CLAs should not be accepted. Ever.

It’s a pity that it has become a business model.

1. Build a nice product, scream open source everywhere. 2. Get users to buy in on all the niceties, perhaps even nice contributions in terms of integrations and such(that people probably would not have cared for if it was some niche closed source product with much fewer users) 3. Once they are established enough, and people have gotten used to the learning curve, change the license and try to lock in as many users as they can and ignore the loud few who scream foul.

Some other product comes out to fill the void and they do the same as above..

Example license (for Vagrant) here:

https://github.com/hashicorp/vagrant/blob/main/LICENSE

Looks like it converts to the Mozilla Public License after four years:

> Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.

This is very sad but also not very surprising. It's notoriously hard to sell an 'open core' product (mostly, against yourself OSS) and structure the entire GTM and the org properly for scale. Having built a successful 'open core' company before & judging from the first-hand experience - this looks like an extremely desperate move, indeed. (Btw, we never changed the license, but discussed it often, ofc.) It's also all very disruptive, destructive and hostile to the community - it's 'we aren't open source anymore,' so I'm surprised they are trying to convince people otherwise (gaslighting, eh?) I'd expect the 'open core' enthusiasm of the past few years to decrease dramatically, and I wouldn't recommend an 'open core' path to anyone who's trying to build an actual big company around their OSS. I remember the time when 'open core' was a taboo word, post-MySQL/Oracle. I was doing the company launch and accidentally told a reporter we were doing [something like] open core - that didn't work nicely :) It's ironic and sad, BSL comes from the very same folks who basically invented 'open core', then spoiled it forever. It's been also always thought-provoking to me, too, those folks never build more - or differently - after MySQL.

Another week, another rugpull.

>We don’t believe this is in the spirit of open source.

Open source seems to be evolving from being truly open source to being a variant with financially driven contingencies. HashiCorp have created great OSS over the years and am grateful for it. I understand their intention behind this move, but having a financially driven motive drive their OSS is not a good thing. I'd rather they not open source any of their code than put such limitations on it with these licenses.

The licensing changes seem to imply that if they have a service and you also build a similar service, but offer it for cheaper, then (if they want to) they can price you out of the market with licensing fees.

One of my weekend projects https://tfstate.com is intended to aid with statefile configuration drift detection. Which (I've since discovered) is also something that Hashicorp offers as a service.

I feel worried.

Anyone know if a community fork is underway?

I've built an open source clone* of terraform cloud. Will it contravene BSL?

1. Under the hood, it runs the terraform binary.

2. Receives API calls from the terraform binary.

3. Uses a modicum of code from the terraform cloud SDK.

I think I've answered my own question with (1), which may constitute "hosting" or "embedding" a Hashicorp product.

* https://github.com/leg100/otf

It's funny/sad that they require Terraform providers to be FOSS.

Well, that simplifies a lot the choice between Nomad and Kubernetes.

License ethics discussion aside, this is going to cause mayhem! :D

I know of at least one massive global company using vault in production, for free as a backend to their own password manager frontend.

My own $dayjob was just going to set it up actually, I guess we'll have to re-evaluate that now.

I can't even imagine how many companies use vault in production.

The last four companies I worked at have spent a fortune on SaaS, not just AWS but a host of providers for observability, management etc.

They've all used Terraform extensively but always rolled their own means of deploying IaC, with solutions more clunky than CloudFormation which let's face it isn't brilliant.

Why did Hashicorp fail to win this business? I think their pricing just seems too outlandish and is based on paying for the value of software they've already open sourced rather than being tied to the cost of providing a good service plus reasonable margin.

Their strategy appears to have failed, exacerbated by the macroeconomic landscape. I doubt their chosen solution - Microsoftification of their open source project - is going to do them any favours.

Bought HCP at the IPO, took a massive paper loss when the tech bubble in the market burst, but held onto the stock as a long-term hold because I believed in the core of the company. Fuck this, I'm selling just as soon as the market opens. It's clear that Hashicorp's internal culture has moved 180 degrees away from where they were in the Terraform 0.x days.

IMO Terraform providers should've never been free. It should've been open-core, whether you are running on prem or on the cloud. There are multi-billion dollars companies using Terraform and pay exactly 0$ (yes, some that are generous are paying for support, great but you don't build a business on charity). Maintaining 3000 APIs for GCP, AWS, and Azure is costing at the very list $20M/year - trying to drive everyone to the cloud offering instead of charging for whatever people already use is the wrong way around imo. You can charge less but charging nothing doesn't gonna work. Heck, even a restaurant is charging a bit less for food and then charges more on beverage but it never gives the food for free.

Somebody should point out to them that there's an error in their Parameters:

https://www.hashicorp.com/bsl

The "Licensed Work" parameter should refer to what they are licensing. Right now it reads "The Licensed Work is (c) 2023 HashiCorp, Inc."

I don't see how a corporation itself is copyrightable content to which a license may be granted.

> You may make production use of the Licensed Work, provided such use does not include offering the Licensed Work to third parties on a hosted or embedded basis which is competitive with HashiCorp's products.

Having your use of something important hinge on this one awkward sentence seems kind of scary. It's unclear to me whether, if you use (say) terraform for production infra, and someday HashiCorp releases a new product competitive with yours or merges with your competitor, your use of TF is then in violation of the license. "Offering the Work" is not defined and seems like it could be interpreted in different ways.

How do you interpret their Additional Use Grant?

https://github.com/hashicorp/terraform/blob/main/LICENSE#L8-...

The weird part is that Hashicorp doesn't have a single core product that is valuable by itself. Their stuff is infrastructure built to enable an ecosystem. It's a hub, all the plugins, providers etc. are the spokes. The real value, the wheel so to speak, comes from building on top of all of that. If they can't compete on that level, well, so be it. Now forcing everyone to pay them for building the hub, the core part, means the ecosystem will crumble. No hub, no spokes. Also it makes Hashicorp the villant, not their competitors.

I've had this conversation a few times with people today so I may as well have it publicly here now too.

I feel especially privileged to have lead the Heroku Add-ons/Ecosystem team at a pretty pivotal time in devtools history. There was a sudden emergence of people/companies inventing entirely new things (e.g., databases, logging systems, telemetry, etc.) and so much of it was OSS. The overwhelming majority of these companies took the approach of "we'll make this thing free and successful, and we'll build a business off the back of enterprise support contracts and maybe some feature discrimination in a private 'enterprise' version" (e.g., clustering/HA support). I think in part it was because back then the only open source success story anybody had as a reference was RedHat, and cloud adoption wasn't as ubiquitous as it is today. Certainly not in the enterprise segment. So in the vacuum that was left emerged a whole industry of smaller startups that would provide said technology as a managed service. Go check out the Heroku Add-ons Marketplace circa 2012-2015 to see what I mean. Belatedly the creators of these technologies realised the enterprise support contract business was a terrible business to be in, and realised managed services was where they should have been all along. Absolutely none of these companies had any problem muscling in on the ecosystem of managed providers that had contributed to their success in a meaningful way. Some of the startups got acquisition offers on pretty lowball terms, others were essentially forced to accept partner terms that were so onerous it was doubtful they could ever turn what they'd built into a successful high growth business now. Many saw the writing on the wall and found an exit at a larger cloud/platform company that could roll them into their broader product portfolio.

Fast-forward a few years and AWS starts offering some of these technologies as a managed offering (disclaimer: I later worked at AWS for a couple of years). Suddenly these same companies don't like having similar market pressure exerted on them, and so begins the slow trend of license changing away from APL/MIT/whatever towards something that is trying to neutralise a legitimate competitor. Rules for thee, not rules for me.

My time at AWS gave me some new perspective on this whole sorry saga though, some things I'd observed but couldn't quite articulate why it didn't feel right. AWS taught me that at a certain level of scale almost everything ultimately becomes a logistics challenge. Trying to ensure that the infrastructure that's supporting tens of thousands of customers globally is constantly running, highly available, able to support the continued growth, etc.? It's as much a problem of capacity planning and co-ordination as one of software. And the more successful you get the less the problem becomes the specific nuances of running a given OSS product and the more it skews towards just knowing how to coordinate millions of anything.

What this surfaced for me is that in the vast majority of cases that I was personally familiar with, the companies in question barely used their own products. I don't mean in way that suggests they didn't believe in their value. It's just that their day-to-day needs of building said product very rarely intersected with the need to be the most sophisticated user of said product. They had very limited experience at operating it at scale, they all had customers (or managed service partners) who had orders of magnitude more experience about the realities of operating it. And high on their own hubris they'd decided that because they'd invented the technology they were now suddenly expected to be the world leaders at running it. They weren't. And they were never going to be, because the moment you hit that inflection point of success AWS/Microsoft/Google/so many others are better at running software than you are... and a license isn't going to change that reality. The "we'll run this for you" is just a bad business to be in.

A better business is "we'll provide you a UX and workflow and features _on top_ of that thing that makes it even better". There's a whole industry of companies who exist solely to make your AWS bill comprehensible, because AWS are organisationally incapable of providing good UX for most things. In it's most reductive and cynical take Heroku is "just" a UX on top of the core AWS commodities, one that has been largely unchanged for 5-10 years depending on who you want to ask (the slow decline there is a whole separate topic).

Which is why I was excited to take on a product leadership role at HashiCorp to help launch Terraform Cloud a few years ago (I left last year). Here you had an OSS product with a big community, and a set of features and capabilities that extended that to try and make it even better. Especially in situations where you're having to work with other people or across multiple teams. The fact that Spacelift, Scala, Harness, Pulumi, Terrateam, etc. existed didn't bother me much. If they copied what we were doing it was often good validation, if we lost a customer to them it was a good data point for things we were lacking or needed to fix, in some cases they just had wildly different takes on fundamental things which were a great reason for some self-reflection and to question why our conviction on a different way was so strong... were we right? How did we know?

OSS is good for so many reasons, but as a product person one of the things I loved most was the way it could help shape what the product could be in the future. Because of the ecosystem that erupts around it. You've already got such a huge advantage as the steward of the project, the most recognised brand in the ecosystem you created, the brand recognition in an enterprise conversation, and so with all of that head start I felt like we should just win on our merits. And if you can't win given all of that advantage then maybe you don't deserve to.

I think there should be a foss license that acknowledges trillion or billion dollar companies are a threat to freedom and so it’s okay to exclude certain commercial uses (revenue or user count over 9 digits)

Most of the comments on this thread make it appear that everyone will be affected by this change. The vast majority wont be affected at all.

This only affects people who are directly competing with hashicorp using hashicorps code. That sounds like a reasonable thing to want to prohibit.

Why should hashicorp have to spend tens of millions on product development only for a competitor to spend zero but be able to offer the same product? That sounds like a net negative for the whole industry as it disincentivizes R&D

Also see:

GlobeNewswire report... https://news.ycombinator.com/item?id=37082263

And...

https://news.ycombinator.com/item?id=37086136

https://news.ycombinator.com/item?id=37086031

https://news.ycombinator.com/item?id=37085382

This shows a problem in today's open source ecosystem: we have too many who profit from other people's work without giving back. In particular large corps should not be allowed to do that, and in fact by their very own Code of Conducts they are required to do the ethically right thing - to contribute and/or pay back to the community. That is especially true when they earn money by providing OSS as a service.

We're the folks behind tf-controller, a nifty GitOps tool bridging Flux and Terraform. We just wanted to clear the air that our tf-controller project happily coexists alongside HashiCorp's offerings, with no intention to compete.

More here: https://www.weave.works/blog/statement-for-terraform-hashico...

I don't think it's good news, but why is anyone surprised? Nobody wants to pay for open source.

Companies want it for free, and individuals don't have enough luxury time to be able to do it themselves.

Prove me wrong and help patch or fund https://github.com/purpleidea/mgmt/ and you'll have an even better replacement for terraform!

I wonder how this affects Pulumi

It is surprising to see so many people here being shocked that a publicly traded company operates its projects for profit rather than altruism.

Feels like this could be a big issue for companies like https://www.scalr.com/ - I wonder if they have a commercial license already.

I've been tempted to try and put together a terraform cloud alternative myself - whilst I enjoy using it, the pricing is pretty expensive if you have many state files.

> However, there are other vendors who take advantage of pure OSS models, and the community work on OSS projects, for their own commercial goals, without providing material contributions back. We don’t believe this is in the spirit of open source.

There's a license that actively prevents this. It's called the GNU GPL.

Has anyone here identified any forks that predate the license change?

Why are people so hostile towards BSL? Paying/asking money for great products is fine and if the product's source code is in git, the better.

Not everything has to be _free_. The major benefit of OSS for many is that you can read the source code. The major benefit of paid SaaS is that things just work and you pay for that. BSL can be the perfect combination of these.

What's idiotic is that even Nomad was licensed as BSL but Hashicorp doesn't even offer Nomad as a managed cloud service...

how this works from the point of view of current license? They can't just take MPL code and modify license terms in my reading of FAQ (Q9 in https://www.mozilla.org/en-US/MPL/2.0/FAQ/)?..

Considering this change I want to remove consul from my adoption strategy but I would still like to know of a replacement.

Does anyone know of a similar tool?

I'm interested only in the ability to manage environment variables with a web UI, and have processes restart gracefully on change, everything else consul provides is not of use to me.

Any suggestions?

This one is interesting to me. I've been a big fan of Hashicorp ever since the only thing they had was Vagrant over a decade ago. The core of my usage has remained all of the CLI tooling, i.e. Packer, Terraform. It's more or less impossible to create any kind of competitors by trying to steal from these as they're free to begin with, plus they provide virtually no value on their own and rely on a universe of a providers and plugins to actually do anything, some of which are created by Hashicorp, but many of which are not. One of the more extensive foolaround tools I ever made was vaguely inspired by Packer, years ago when there wasn't a plugin to support Hyper-V and I wanted automate creating machine images for my Windows laptop to run various flavors of Linux so I could work on Linux from Scratch over and over without having to copy/paste everything at the command line. It was only "architecturally" inspired, though. I didn't even look at their source code and wrote everything from scratch entirely in Powershell since it was only for personal use and only intended to run on Windows.

I guess the signal here is they care more about and have pivoted business-wise to their own hosted offerings. I admit I'm not entirely sure what those are. I don't anyone that uses Terraform Cloud, but I guess someone must. So I guess Consul, Nomad, and Vault, but again, does anyone use the hosted versions of these? The big sell to me has always been all of their products can be self-hosted. Professionally, my use has mostly been with defense and intelligence customers offering behind an air gap who couldn't use the cloud offerings if they wanted to.

By far the biggest value add has always seemed to be Vault. Consul and Nomad have very clear competitors that still command more mindspace, but Vault seems to reign supreme if you want to self-host a secrets manager. On this front, though, as great of a product as it is, how much of that is even due to Hashicorp itself? The security is provided by implementations of open encryption algorithms, Shamir secret sharing, fips modules in the OS, and HSM support, but they don't make the HSMs. HA is provided by the Raft implementation of the Paxos family of consensus voting, but again, they didn't invent that. The fact this product exists at all is because they stood on the shoulders of giants who did all the heavy lifting in creating these secure and robust algorithms in the first place, and then shared them and allowed others to build commercial offerings on top of them. Your entire company exists because of other people's open source efforts, and then you close off and say no one else can build on top of your work, when if the OGs had done that, your product would never have been a viable business.

Published an article about the new Hashicorp's BSL license that combines some the thoughts in this thread: https://infisical.com/blog/hashicorp-new-bsl-license

I always thought that OSS was supposed to be a loss-leader. By being the author you have more credibility for offering services. Sure someone else can do it, but are they really gonna know how to offer support in some rare crazy edge case that is blowing up production right now?

Actual full license seems to be here: https://github.com/hashicorp/terraform/blob/e94ce2dd3877096b...

If GitHub lets someone run "terraform apply" in a GitHub action. Is GitHub a competitor?

CEO: Let's do a business license to profit off community contributions over these past 10 years.

Employee A: But what about the community?

Employee B: ..Aaand it's gone!

I want a MIT/Apache license that guarantees it’s not going to be modified in the future.

Locked them comments down quick on the PR: https://github.com/hashicorp/terraform/pull/33661

BSL Conditions:

You may make production use of the Licensed Work, provided such use does not include offering the Licensed Work to third parties on a hosted or embedded basis which is competitive with HashiCorp's products.

I like how the Hashicorp staff is addressing concerns here /s

AFAIK the official Crossplane providers for AWS, GCP & Azure are built on the respective Hashicorp owned Terraform providers; so I'm not sure how this is going to impact them?

Someone should fork and maintain Vagrant with an MPL open source license:

https://github.com/hashicorp/vagrant

Yeah, time to fork terraform. I'd contribute.

Wonder what this means for gitlab-managed terraform state

Since Vagrant is currently under the MIT license rather than the MPL, does that mean it won't be changed? It says "All Products".

[dead]

[dead]

[flagged]