The only thing you are losing is (perhaps) the ability to continue to receive free patches and updates from the project. This is no different than if the company went out of business completely. You can still make your own updates to the last OS version, and you are free to solicit contributions from others to your fork.
Is Hashicorp switching to a BSL any more disruptive to users of the software than if Hashicorp went out of business?
Want to keep running that old package? Cross an ubuntu versioning chasm and now you also need an ancient version of glibc which won't run on your Zany Zamboni fleet because your other requirement of libxml 5 won't work with it. Find a security problem? Well there's a newer version that's only been out for four minutes why aren't you on that already anyway? Oh we don't publish packages for your 4 week old npm yarn bower neonode, who still uses that?
use the win32 binary under Wine
What these companies are doing is basically abandoning the open source code they developed with the support of a huge community. They're developing new software, using OSS contributions, giving a middle finger to the OSS community.
If you don't care, fine. But to me this is a considerable deal.
These are typically very unbalanced relationships between the project "owner" and any contributors - the "owner" may require CLAs and copyright assignment, and reserve the sole right to relicense the code under any license they see fit - but for these sorts of more restrictive relicensing exercises and for an exclusive rights to sell under non-open/copyleft "commercially friendly" licensing.
The anger and frustration usually come from thinking that even though the relationship was unbalanced, there was an understanding and social contract where both a community member and the commercial enterprise got value. The relicensing is unbalanced - it removes value from the community member without providing any new benefit. Sure, they can quit the community, but that also removes the sources of their value.
In the most extreme cases, there have been successful attempts to create entirely new communities (strangely these are predominantly around Oracle-owned projects like MySQL, Hudson, OpenOffice). There is interest in creating a community Redhat-like distribution in the face of RHEL changes, and the HashiCorp change has prompted some to consider new efforts like OpenTF.
To your question, BSL provides additional legal ammo and changes some contributors to competitors, so it is indeed quite different than if the company going out of business.
So really you have until HashiCorp changes the interface between TF core and the providers, which would mean something like a Terraform v2.0.
Yes. If they went out of the business, the software development would probably grind to halt before/unless the community manages to rescue the project.
But if they don't, and instead they "just" change to a license which states you cannot be a competitor and use the project, then that runs the risk of you being sued and pulled into legal battles with another company, usually something you'd like to avoid.
So imagine I today use nomad for something, and Hashicorp doesn't have any hosted version of nomad, so I'm in the clear. But who knows what will happen in the future? As soon as Hashicorp does anything that could look like competition to what I already offer, my usage of nomad is now at risk, and in addition my entire business is at risk because they would sue me unless I remove nomad quickly.
It would be stupid not to move far away from any BSL projects as soon as you can, unless your entire business model is to get into legal battles with others.
Eh. Forking a still-OSS version is an actual fork, where taking over development if they got bus-factored wouldn't be.
All of the company's work to date remains available free and in perpetuity. The complaint can only be that the company has changed course and will not commit to providing future new stuff for free. The only way this complaint is valid is if there was a bait and switch - the company pretended that their new stuff would also be free forever. Without intimate kniwledge, I'd venture that Hashicorp never said anything of the kind and they're just trying to make a buck like the rest of us.
The more this happens, the less people will hold the naive view that for-product entities will by default keep providing stuff for free forever. Capitalism baby.
There is a bait and switch, just not the one you proposed. If Terraform had started off under the BSL, it would have significantly less adoption.
As is, people adopted it under evaluation of the old terms, and are now being told the terms are changing going forward.
Since the previous code is still available, this will likely hurt newer, smaller players more than larger established players - if you are offering a large commercial offering on terraform today, you will likely justify maintaining a vendor fork going forward, or contributing to a genuine new fork project like OpenTF.
> The more this happens, the less people will hold the naive view that for-product entities will by default keep providing stuff for free forever. Capitalism baby.
Historically the successful companies had a clear view of what was free and what was charged - e.g. Redhat binary and source distributions were free, but enterprise distributions, commercial support, professional certifications as well as custom software/professional services were all revenue channels.
The rise of more asymmetric licensing terms (e.g. sole corporate copyright with publication under AGPLv3) has been an ongoing change as companies have wanted the freedom to change where they get their money over time, and defend from other members in the community potentially competing against them.
This is true, but depending on the company, they may shutdown their distribution of the older releases, so if you don't have an archive, you're out of luck; possibly very quickly with zero notice. Had they gone out of business, chances are there were signs that might have lead you to start an archive ahead of time. git makes things a bit easier, as it's an archive by default, but if there were useful documents outside of git, that's an issue.
Is this generally considered a truism? Has about zero influence on me, or with director level decision makers at companies I've worked with.
For myself, I only contribute to FOSS just because it is FOSS. If I know it won't be FOSS in the future, I wouldn't contribute to it.
I'm not interested in spending my time working for free for some company if I think they'll end up saying "Hey, actually, this thing you've contributed to, we've decided not everyone should equally be able to run this, so it won't be FOSS anymore, but thanks for the help".
> or with director level decision makers at companies I've worked with
That makes sense. I don't think there is a ton of "director level decision makers" people who are actually involved in writing FOSS on a day to day basis, and also aren't the ones carrying the ecosystem on their back.
It isn't just Hashicorp that could relicense all of their products from now forward - you could too, for your own personal editions.
So, mostly no need to add the F to OSS when talking about this particular danger. Although moving to later GPLs has definitely upset people in the past, moving to proprietary (or ideosyncratic) licensing is different. The disputes about moving to later GPLs are about what code people will be forced to share in order to continue using the software in the way they're accustomed to, not about making competition a license violation.
Thats nice but realistically paid labor gets more done than free labor.
A lot of FOSS dies through neglect that wouldnt happen if someone was paid to work on it.
For which a business model is required.
The fact that hasicorp changed their license has precisely zero impact on me using OpenSSL in my next project.
I think the key problem word is "community". 99.999% of OSS users are not in any concept of "community". They just run software. Firefox users aren't a "community" - they are just people browsing the Web.
So no, companies can change to BSL licenses all day and you can count all the people in the world who care in one HN thread.
I'm at the point where I will not contribute to projects with copyright assignment, especially those under more restrictive licenses like GPLv3 or AGPLv3.
It is a sign of a person or organization which has not figured out how they want to make their money, and wants to reserve the ability to take someone else's good idea.
That doesn't mean I wouldn't _use_ such software, but I look at it more as a piece of software where the installer is instead potentially leveraging CMake or autotools. There's rarely value in trying to participate in such a "community", which also tends to push further in the project being more of "published source" rather than a collaboratively driven effort.
Of course, a piece of free software means that I suddenly could lose future support, and software consuming free services means I could lose current support rapidly and even be potentially strong-armed into commercial licensing as a result.
This way, all external contributors own a small part of the copyright to the project. This makes changing the license almost impossible, as it would require either seeking permission from all those contributors or removing all of the code that they wrote.
Whether a company uses a DCO or CLA should be the litmus test of how they really feel about open source. I'd strongly reconsider making your business dependent on any products from the latter.
I might be mistaken, but I believe this would only apply to copyleft licenses? Permissive licenses allow redistributing under a different license, as long as the attribution and original copyright disclaimer are retained.
For my part, I have thousands of lines of code in Terraform for which I have never signed a CLA or copyright assignment. Nothing stops MPLv2-licensed files being used in a commercial source tree, provided the terms are compiled with.
If that is true, Hashicorp can't change the license on any of the files that contain such code from MPL to BSL, as far as I understand. IANAL, but from what I understand of the license, it doesn't prevent them from distributing a binary with the BSL, but they would need to continue distributing any files with such contributions under the MPL along with any modifications to those files. And keeping track of which files would have that limitation sounds like a nightmare.
People don't need to sign a DCO, or any other document, for that to be the case.
Ouch. Looking at Nomad has been on my ToDo list for ages.
What's the better alterative?
…with that being said, I will say that I welcome companies like Pulumi to the IaC landscape. IaC makes a lot of sense conceptually, but unlike a lot of HN (from my perspective), I strongly dislike terraform and HCL and most Hashicorp products. There’s also enough of an impedance mismatch between TF and cloud providers that I’d be poised to just use cloud formation or ARM or something native over tf, which was never cloud agnostic anyway like their marketing claims.
But I don't think either not-fully-free-but-related-to-open-source model is as disappointing as the rug-pull of a license change itself.
Aside: I think BuSL can be a great license for software that's not part of any customer/user's way of earning a living. Id Software basically used to informally use a similar scheme for all their game engines (and maybe still do?), where the engines get released as F/OSS some number of years after the game comes out, and that has ended up enabling the development of lots of good open-source games and game engines.
It can basically undo the damage caused by our insanely long default copyright terms. Not the same thing as providing open-source code up front, but still a very pro-social thing to do.
https://www.hashicorp.com/license-faq
This all should be incorporated into the BSL, as the current terms are clearly vague enough that they require a separate (not legally binding) FAQ (as it can be changed at any point...)
"Our goal with the BSL license was to make it short and simple. This means the FAQs play an important role in providing interpretive guidance to our users. We view the guidance in these FAQs as binding, so users of our software should feel assured in relying on them as our official positions now and in the future."
https://www.hashicorp.com/blog/hashicorp-updates-licensing-f...
When a company gives you a license that has terms written in it, that license is binding... on them as well as you. When a company gives you a document that refers to an FAQ that they can change on the fly to meet their needs, and make changes to it, that is a signal that they do not view the license's terms as binding on them. Only on you (the user / developer working on an integrated or derivative work.)
The license that grants you permission to use the software as long as you remain on the right side of this line, which we can move as we deign it necessary to move the line is not much of a license grant. I just heard it called "bullshit license" and I think that's the best explanation for what BSL actually stands for now.
I support Hashicorp's right to make money from their business, but I think these lawyers are in over their head. It doesn't make much sense to me. We'll have to see who gets a license grant from Hashi and how much they're going to pay for it.
You change the license once, everyone gets to read it, reflect on it, speak to their lawyers if they're not sure about it, and move on. Using the mutable FAQ in lieu of an immutable license is just a sign that the interpretation is purely based on the vendor's (mutable) business goals, and you should be very careful building on any particular "binding" version.
[0]: https://opentf.org
Disclaimer: Work at Spacelift
[0] https://oxide-and-friends.transistor.fm/episodes/fork-in-the...
Companies will switch to the open alternative, just like they did with Pekko for Akka. SaaS providers will offer two versions - the Terraform one and the open one - they won't really have a choice.
Interested if this actually picks up steam.
Pekko is playing catchup right now. Also, they're a bit of a small crowd. (As in .. under lightbend Akka has developed a crowd.. but Pekko has to struggle to form now)
TL;DR: In September 2022, Lightbend changed Akka's license from Apache 2.0 to BSL 1.1
It's open - somebody else can pick up where they left off, if they really care (like OpenSearch did for Elasticsearch).
I do appreciate it, in the sense that I am saddened they are throwing away that value and their good-will.
There are almost certainly enough commercial interests in terraform to join together on a community fork. The nature of terraform providers in particular means that the community fork would almost certainly then become a primary target for providers.
I suspect nowadays many people using the project don't even realize that the Jenkins CI system was actually a fork of another popular system at the time named Hudson. It was forked due to claims being made by Oracle legal, and even after they straightened things out and made Hudson an open project (with assignments to Eclipse foundation) the damage was done and Hudson died off.
I also appreciate that the article on staying open source and maintaining trust is written by a VC firm. That's really putting your money where your mouth is.
We agree to license the Contribution only under the terms of the license or licences which We are using on the Submission Date for the Work in which the Contribution is included or the following additional licenses ...
This would let the company re-license to selected other open source licenses for compatibility/strategy, etc, but not allow BSL, etc
The point of open source is to allow people (giant corporations) to take the code and do whatever they want with it.
Depending on the license, a party without copyright may be able to create a derived work that incorporates the original. The derived work may have a different license as long as the incorporation satisfies the original license. This is what people normally think of as using open source licensed code, and it does not include re-licensing code.
Essentially, because the software is so close to the company it's hard to be certain that the project is independent, sure you can fork it but look at what it did to openelastic. Not much.
Instead if it's maintained by a foundation then it's much harder for a company to assert full control.
It doesn't solve freeloaders but it's I think a big reason for freeloaders existing.
Their own words https://github.com/hashicorp/terraform/blob/ad634f60a5acbaad...
> open-source _community_
Listen to the Hashi CEO talk about community @18m
And mint it did, billions, in the IPO. And now, abandoning its ideals for the sake of money, I feel a lot less optimistic about open source going forward.
Also makes me question OSS promise when w/e I build will be captured by CloudProvider or cheaper alternative.
Why I would build anything OSS if my time will never pay off ?
Having followed Mitchell Hashimoto’s work on Vagrant, I felt like he and Armon were truly value driven and not purely money oriented.
But it’s true, dollars corrupt and billions of dollars corrupt absolutely.
1) The license allows bundling of licensed code with code under alternate licenses. This kind of is the point of many business friendly licenses such as the widely used Apache 2.0 and MIT licenses. I don't see this as a bad thing.
2) Alternatively, the company simply owns the copyright to the entire code base and insists on copy right transfers for any outside contributions. Elastic did this. And they were using Apache 2.0 as their license as well.
The best way to insure against companies re-licensing and controlling a code base is by diversifying the community of contributors. Most long lived open source projects have so many contributors across the industry that anyone taking the source code and closing it would just amount to a weird isolated fork that probably won't get much traction. Perfectly legal under some licenses. If you want a BSL licensed version of Apache httpd. You can just take the source code and start layering your BSL licensed patches on top. But there's very little point in doing that as everybody else will just keep on adding to the upstream OSS code base.
Other licenses are designed to prevent this entirely. Which is where copyright transfers become relevant. Any company using AGPL v3 and insisting on copyright transfers is basically just trying to coerce people to buy their proprietary licensed version instead. It's a common strategy among some OSS companies. I don't think it works that well for many companies. Mostly you just throw away the baby with the bathwater. You alienate a lot of potential users as well as contributors.
I use a few simple rules:
- I avoid anything licensed under the AGPLv3. Just not worth the legal headaches. Luckily, this is easy because there isn't a whole lot of software under that license that I particularly care about. If I need a lawyer to figure out if my intended use of a given bit of software is allowed, morally justified, etc., I'm not interested. The attitude with a lot of users of this license seems to be leaning towards communism in the sense that all form of value creation is frowned upon and seen as profiteering. So, I respect that attitude by just ignoring anything under that license for personal or company use. No exceptions.
- I don't contribute source code if there's a copyright transfer involved or if the software is not under a proper open source license. If you want to own your software that's fine, but that means you are responsible for fixing it as well. So, anything BSL or similarly licensed is not going to get patches from me. I might file a bug but I won't lift a finger to close it. A hard condition for me coding anything is either financial compensation or a proper OSS license.
- I avoid using non open sourced software as much as I can. That future proofs what I do. I tend to gravitate to things with active communities. This put me a bit in a dilemma with Elasticsearch when they went closed their source and fractured their community (opensearch is the OSS fork). I still deal with Elasticsearch professionally. But I'm gradually shifting my attention to Opensearch. And my observation is that they fractured their customer base and that new users are defaulting to Opensearch. Hashicorp is likely to end up facing a similar situation.
- For my own oss projects, I use the MIT license. Maximizes my user's flexibility to do whatever they need to do without limiting mine. Including creating valuable closed source products. That's a feature, not a bug. Go for it. I want you to create value and benefit from my software. More power to you. That's part of the OSS contract. Contributing back is appreciated but not required.
Companies that value having active developer communities are mutually exclusive with overly restrictive licenses. What's nice about things like Linux is that the community is lots of companies taht build commercial and proprietary products on top of it. And they end up contributing back. It's this commercial success of Linux that drives its success and keeps its community healthy and diverse. GPLv2 was a happy accident that it contained enough loopholes for this to work.
The only open source license that preserves your right to repair (of both the contributor and the user) is the variants of the GNU Public License (GPL). Every other open source project with more permissive license can one day be "close-sourced". The GPL requires that source is always available with the distribution. That is why I feel contributing to any non-GPL project is an unproductive venture as your own source code could one day be denied to you (which I find ridiculous due to the free labour involved).
Linux is a very good example of this - many corporates in the US and China have been forced to share the Linux source code they customised for their device due to the GPL. This has helped developers and new features and / or users maintain the software for their devices longer (even after the product reached end-of-life - see https://thenewstack.io/the-open-source-lesson-of-the-linksys... for a good example of this).
The only reason the corporates aggressively advocate for non-GPL permissive opensource license is because that is the only way they can freely convert it to "close-sourced" versions, ensuring that you have to depend solely on them for future development. To me, that trumps the real benefits of the open source philosophy.
I'm doing what I can to nip that typo in the bud: it's b*U*sl https://spdx.org/licenses/BUSL-1.1.html
Yeah, yeah, context matters, Hashicorp did not switch to Boost Software License, but it would be so much better to be accurate than "you know what I meant"
People bought into the product based on various factors, one of which may have been the license. They put hundreds or even thousands of hours into integrating that product into their environment. Then someone pulls the rug out from under them.
That Hashicorp were accepting community contributions from people who will never see a monetary return on that investment —- while Hashicorp makes money on their work —- adds insult to injury.
Businesses who use that kind of tactic are not high on my list of people to give my money to.
It creates a moat around monetising the tool, not using it. I certainly see the argument around free loaders.
This is a balanced article and I definitely agree about being clear on what constitutes competition. A few questions:
1. Does Gitlab see much competition from hyperscale providers like AWS?
2. Given that Gitlab has a thicker proprietary crust and a relatively smaller open source core (compared to hashi), is Gitlab more insulated from these types of issues?
I don't see what locking corporations into future open releasing does to solve the general problem.
The problem is fueling and operating maintenance and development for as long as those costs remain worthwhile. There are no perpetual motion machines. We have multiple data points from companies suggesting the rules of the game being played today create an inflection point away from universal permissive licensing. Restricting an organization's freedom of operation might maximize the time it holds out in forlorn hope on a pure, doomed model. It might also grind it to a halt when it could have kept going by compromise.
A project steward going bust can send a clear signal to former free riders that they need to step up and organize or switch off. But in the meantime, what's to stop some other firm, without charter restrictions, stepping in to try the model the restricted firm wasn't allowed to? What's to stop the engineers at the restricted firm jumping ship?
On the level of implementation, I wonder at the need for public benefit corporation structure, with all its vagueness, expenses, and complications. Are the feel-goods really worth the complication?
You can put corporate-powers limitations in a "regular" corporation charter. That's a key part of how we turn C-corps into tax-exempt charities and business leagues. The restrictions we put in, say, 501(c)(3) charters also read vague, but they're statutory language we've been fighting about and refining by law over time. Conversely, putting eight novel, vaguely worded restrictions into a corporate charter, with or without line-by-line statements of intent, is putting a whole lot of fluff in the very beating heart of a governance structure. Who settles interpretation fights there, a judge in a shareholder derivative suit? I think the hullabaloo of the OpenAI Charter might be instructive.
I shared a similar sentiment here [0]. The future of open source companies is taking a serious posture for it and clarifying as best as possible to all stakeholders involved what this stance is. Love this piece.
