HashiCorp, Terraform, and OpenTF

Over the years, there have been multiple examples of open-source software that, suddenly, was no longer open source; on August 10, some further examples were added to the pile. That happened when HashiCorp announced that it would be switching the license on its products from the Mozilla Public License 2.0 (MPL) to the Business Source License 1.1 (BSL or BUSL). At least one of the products affected by the change, the Terraform infrastructure-automation tool, has attracted an effort to continue it as an open-source tool in the form of a fork that would be maintained by the nascent OpenTF Foundation. That seems like a sensible reaction to the move, but it also helps serve up yet another reminder that code which is controlled by a single entity is normally always at risk of such adverse changes.

As with other companies that have taken this path, HashiCorp has evidently felt an economic pinch that it believes it can solve by forcing "other vendors who take advantage of pure OSS models, and the community work on OSS projects, for their own commercial goals" to commercially license its products. But it does so at the risk of alienating (or completely chasing away) the community that has built up around its products. That community provides at least some of the benefit that comes from HashiCorp's products, of course. HashiCorp is either convinced it can go it alone or believes that the community will simply have little choice but to continue even in the face of the change.

The intent of the move, which is further described in a lengthy FAQ, seems relatively benign at some level; it only targets those companies that are "providing competitive offerings to HashiCorp". The FAQ goes on to explain that such an offering "is a product that is sold to third parties, including through paid support arrangements, that significantly overlaps the capabilities of a HashiCorp commercial product". It is certainly true that there are problems and inequities in sustaining FOSS, but it is not at all clear that running away from FOSS entirely is a viable path to sustainability either.

It may be hard to muster up much sympathy for companies that are directly competing with HashiCorp using the software that HashiCorp has developed, but that is, of course, just what the MPL (and other open-source licenses) allow. Beyond that, the community that has arisen around the work that HashiCorp has done has provided a great deal of value as well. But the MPL applied to every non-HashiCorp entity equally, so people using Terraform in a non-commercial fashion were playing by the same rules as $BIGCORP (or $SMALLCORP, for that matter) that are being targeted by the change. HashiCorp is trying to assure those who are using its products in the ways that it—currently—likes, but those likes can change as well. In fact, they just did.

The ability to change from MPL to BSL (or, perhaps, something else entirely down the road) comes because HashiCorp has required all of its contributors to sign a contributor license agreement (CLA). The original CLA and the current version share the same legal terms section, but some of the surrounding text has changed; in particular, the introduction said that the CLA was meant to "ensure that our projects remain licensed under Free and Open Source licenses", but the latter part has changed to "source code-available licenses" in the new CLA. Among other things, each contributor has agreed:

You hereby grant to HashiCorp and to recipients of software distributed by HashiCorp a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

That language, which is pretty typical for CLAs, allows HashiCorp to set any terms it wants on those contributions. Today those terms are the BSL, which is a time-limited license that reverts to the MPL after four years. But there is no real reason to believe that the license will not change again, especially if the proceeds from licensing to those "competitive offerings" do not reach the desired levels—or the levels themselves change. That may seem harsh, but the reality is that companies change their "minds" regularly; in addition, the management, ownership, and goals of a company can change in a heartbeat, which could hasten further licensing clampdowns. In the final analysis, HashiCorp sits in the catbird seat and its community can only wait for the next shoe to drop—or strike out on its own.

It is against this backdrop of uncertainty that OpenTF has formed. In the "OpenTF Manifesto" on the web site, which has been signed by nearly 100 companies, ten projects, and 365 individuals at the time of this writing, the group makes it clear that there is a thriving open-source community around Terraform: including "thousands of users, contributors, customers, certified practitioners, vendors, and an ecosystem of open-source modules, plugins, libraries, and extensions". That landscape changed with little or no warning:

Overnight, tens of thousands of businesses, ranging from one-person shops to the Fortune 500 woke up to a new reality where the underpinnings of their infrastructure suddenly became a potential legal risk. The BUSL and the additional use grant written by the HashiCorp team are vague, and now every company, vendor, and developer using Terraform has to wonder whether what they are doing could be construed as competitive with HashiCorp's offerings. The FAQ provides some solace for end-customers and systems integrators today, but even if you might be in the clear now, how can you build confidence that your usage won't violate the license terms in the future? What if your products or HashiCorp's products change? What if HashiCorp changes how they interpret "competitive"? What if they change the license again? As a result, everything that uses Terraform is on shaky ground.

Beyond the direct risks for those using or building on Terraform, there is a more systemic risk that the manifesto describes. These kinds of moves harm other open-source projects that are also "owned" by a single company via a CLA. "Every company and every developer now needs to think twice before adopting and investing in an open-source project in case the creator suddenly decides to change the license."

Return to open source

The overall goal of the manifesto is "to return Terraform to a fully open source license". It asks "HashiCorp to do the right thing by the community" by switching Terraform back to an open-source license "and commit to keeping it that way forever going forward". If that does not happen, the signers are planning to fork the MPL-licensed Terraform and maintain it going forward in a multi-stakeholder foundation, "ensuring the tool stays truly open source and neutral and not at the whim of any one company". In its FAQ, OpenTF notes that if a foundation is needed, the group prefers "joining an existing reputable foundation over creating a new one".

While the request to HashiCorp seems reasonable, it is a bit hard to see how the company can put the toothpaste back in the tube. If it chose, HashiCorp could switch back to MPL, say, and promise not to ever change the license again, but that is not really an ironclad guarantee. A change in ownership could void any such commitment, for one thing; it is not at all clear that HashiCorp would be willing to constrain its options down the road, either, even if it had a change of heart. It is a publicly traded company that is ultimately accountable to its stockholders who might well balk at such a commitment.

Any company that requires a CLA which gives it more power than its contributors is doing so because it wants to be able to act independently of said contributors if it deems it necessary. Such a company is clearly setting out on a course that can lead to exactly where Terraform users and contributors are today. Over time, that course can—probably will—lead further away from open source. The BSL license and HashiCorp's FAQ about the change are not entirely clear, presumably on purpose, about the interpretation of "competitive" products. It leaves plenty of room for alterations of that interpretation should the need arise.

The OpenTF manifesto mentions both the Linux kernel and Kubernetes as projects that are maintained by multi-stakeholder foundations, which is what protects them from single-company whims. But it seems to miss the fact that part of what protects Linux from problems of this sort is that it has no CLA which grants some organization the ability to relicense contributions. The copyrights of Linux are widely dispersed among its tens of thousands of contributors, both individual and corporate. That means that it is effectively impossible to change the license terms under which Linux is distributed, which could someday turn out to be a problem, but it certainly makes it impossible to upend the Linux community as was done with Terraform's.

Kubernetes is, perhaps, a little less secure in that regard. It is run by the Cloud Native Computing Foundation (CNCF), which is part of the non-profit Linux Foundation (LF). But Kubernetes does have CLA (actually two, one each for individuals and corporations). The LF, thus CNCF, are organized as trade associations (i.e. 501(c)(6) organizations in the US), which means that they gather up competitors to collaboratively work on something beneficial for their shared industry. Kubernetes fits into that picture well, but it is not completely out of the realm of possibility that the landscape changes so much—or the control of the LF/CNCF do—that a change in license terms would make "sense".

There are, of course, other organizations that have a CLA (or other agreement, such as copyright assignment) for the code that they shepherd or maintain. For true charity organizations (e.g. US 501(c)(3) organizations), such as the Free Software Foundation (FSF) or Python Software Foundation (PSF), the "public benefit" nature of their charters would likely make it impossible to change their code to a non-FOSS license. It would not be easy for either type of entity to switch to a non-FOSS license, but it would seem slightly easier for a trade association—a corporation, on the other hand, will not meet any legal resistance at all.

Concluding thoughts

Though it does not really fit the strict definition, this kind of license change feels a bit like a bait-and-switch scheme: build up a large community that becomes dependent on the FOSS nature of the code, then switch to another license to try to capture some "lost" revenue. As we are (perhaps) seeing with OpenTF, however, the community does have the "big hammer" of a fork at its disposal. Given the size of the community, as evidenced by the number of manifesto signers, and its impact on the Terraform ecosystem, as reported by OpenTF, it seems like there should be enough resources to keep a FOSS Terraform rolling. Time will tell.

Meanwhile, this change is rippling through the industry. Projects (such as Kubernetes) need to figure out how to deal with the license change so that they do not inadvertently pass on license woes to their downstream users. At some point, though, FOSS projects and FOSS-oriented developers need to recognize that single-entity, CLA-encumbered projects are only FOSS for as long as that entity deems it in its interest. That could be "forever", but that increasingly looks like a sucker bet; healthy FOSS projects are those that will remain FOSS, even in the face of adversity.