this post was submitted on 11 Aug 2023
109 points (99.1% liked)

Programming

17405 readers
98 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
top 34 comments
sorted by: hot top controversial new old
[–] [email protected] 48 points 1 year ago* (last edited 1 year ago) (1 children)

This is the 2nd of such moves this year to my knowledge; first there was #Lightbend and #Akka and now this. What a year for #FOSS πŸ˜•

I know for a fact that so many organisations use #hashicorp products for commercial purposes w/o ever contributing back. And I understand how this may feel for hashicorp in these harsh economic times. Though this still is, IMHO, a cheap move: they used an OSS license for a very long time which resulted in a massive user base and a "soft" vendor lock-in, and now they decided to milk that user base.

Looking forwards to solid community-driven forks of their products πŸ’ͺ

[–] [email protected] 10 points 1 year ago

From my reading this wouldn't impact organisations just using the product at all. Only probiders that offer services should be impacted. Similar to what Elastic did with their license.

Note I didn't actually read the license text, just browsed the FAQ a bit

[–] [email protected] 28 points 1 year ago

I appreciate Grafana going in the opposite direction and relicensing under the AGPL. it largely serves the same purpose but it provides a stronger guarantee for users.

[–] [email protected] 17 points 1 year ago (2 children)

The biggest problem I see is that you can suddenly become non-compliant just because Hashicorp decides to release a new service (i.e.they start competing with you, rather than the other way). It can be a huge risk for companies.

[–] [email protected] 2 points 1 year ago

The FAQ covers this:

  1. If I want to build a product that is competitive with HashiCorp, does that mean I’m now prevented from using any HashiCorp tools under the BSL license?

No. The BSL license does not prevent developers from using our tools to build competing products. For example, if someone built a product competitive with Vault, it would be permissible to deploy that product with Terraform. Similarly, if someone built a competitive product to Terraform, they could use Vault to secure it. What the BSL license would not allow is hosting or embedding Terraform in order to compete with Terraform, or hosting or embedding Vault to compete with Vault.

So if you are selling a product and HashiCorp releases a product which competes with yours, you can still use Valut, Terraform, etc the way you had been. I can't see a way for your senario to play out based on their FAQ.

[–] [email protected] 2 points 1 year ago (1 children)

So it would seem it's always a good idea to contact them, get a commercial license or custom licensing terms (they do seem open to that from what I gather here and here) before building a business on top of their software.

[–] [email protected] 8 points 1 year ago

Probably works well if you are an established company, but why would e.g. a startup pick licensing headaches over the competition? I imagine bigger companies would also rather just move to e.g. CDK or ARM if they don't need multiple providers (at least our company started discussing this today).

What kind of "custom licensing" do you anyway think a 5-person startup would get?

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago)

From the blog post:

[...] today we are announcing that HashiCorp is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL, also known as BUSL) v1.1 on all future releases of HashiCorp products. HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0.

BSL 1.1 is a source-available license that allows copying, modification, redistribution, non-commercial use, and commercial use under specific conditions.

[–] [email protected] 10 points 1 year ago

was about to include it in my stack, guess i wont be now.

[–] [email protected] 10 points 1 year ago (2 children)

I understand their reasoning, but am still left disappointed.

[–] [email protected] 8 points 1 year ago

I honestly don't.

AWS and other cloud providers have already proven, eg. with Mongo and Elastic, that they are perfectly happy to either provide an API compatible offering or just fork the product and then offer the service at a lower price point, which proves again that if the only thing you have to compete is price, you don't have a competitive product.

[–] [email protected] 8 points 1 year ago (2 children)

That's where I'm at too. Philosophically its a bummer. For the majority of users of their codebase however, this presents zero changes and the only entity I known of who would be impacted by this change going forward is AWS

[–] [email protected] 2 points 1 year ago (2 children)

So I was trying to figure out what are they getting defensive against. It was clear in redhat's case, but I only really found pulumi as some sort of alternative to terraform and I'm not even sure it relies on it. What is the AWS product that's competing here?

[–] [email protected] 5 points 1 year ago

Service Catalog has terraform constructs built in now

[–] [email protected] 2 points 1 year ago

Pulumi relies on Terraform providers, it can actually "plug in" any Terraform provider. This won't be much of a problem though, as Hashicorp has pushed the work of developing and maintaining providers to its "partners". Even providers under the Hashicorp umbrella like AWS is not actively developed by hashicorp personell so there is really no play here, as is reflected by them not touching the license in those repositories.

[–] [email protected] 1 points 1 year ago

Curious, how will AWS be affected? I'm not familiar with all of Hashicorp's tools. Mostly just Terraform (and obvs AWS had Cloud Formation, then CDK - they even worked with HashiCorp I believe to build CDKTF).

[–] [email protected] 3 points 1 year ago (1 children)

What does this mean?πŸ€”

[–] [email protected] 12 points 1 year ago (2 children)

Given I was recently involved in minimising the impact of Lightbend's similar move earlier this year, AFAIU it means their products will be conditionally open source. They'll be free to use for non-commercial use but you'd need to pay for anything else.

[–] [email protected] 25 points 1 year ago* (last edited 1 year ago) (4 children)

There is no such thing as "conditionally open source." The license terms you describe are just "not open source."

If they actually gave a shit about commercial entities contributing back, they should've gone AGPL3. This is just a money grab and yet another example of how permissive licensing isn't good enough and everything should be copyleft.

[–] [email protected] 3 points 1 year ago (1 children)

It basically means you can view the code, which is the literal by-the-word definition of open source. It's not the common understanding of open source, which would be free-to-use (with some minor restrictions like attribution or publishing derivatives under the same license).

[–] [email protected] 4 points 1 year ago

Only the latter definition is valid!

[–] [email protected] -1 points 1 year ago (2 children)

Its still open source. You can still view the source code. That's what open source is. The change here is the restriction on providing Terraform as a service in the form of a Terraform Cloud competitor. This seems to be a very direct response to Amazon introducing a service for hosting terraform modules, storing terraform state, and applying changes.

I don't love this, but they're also not restricting anyone's comercial ability to develop products using terraform like a banking app, a link aggregator, or a e-commerce platform. All you're restricted on is providing an IaC service where you directly profit from running someone else's terraform for them. This is the same license the MariaDB creators came up with when they felt burned by Oracle but did want people to be able to build closed source products using their database without profiting from providing their db as a service (this is why many self hosted projects use Maria instead of MySQL) which is why AWS can't offer maria RDS instances.

AGPL wouldn't help them keep developing terraform the way BSL would because their business problem isn't that no one is contributing back to the code, their problem is a $1T market disruptor just turned their Sauron eye towards Hashicorp's $5B shire and offered their own shire for less money behind the black gates. All after for many years directly benefitting from Hashicorp's existence and giving them white glove treatment as a result. And yes I'm aware that in this analogy Hashicorp is probably one of the Nazghul being corrupted.

Like I said. I don't love this license change. But like I said. Hashicorp doesn't have a code contributions to Terraform problem. They have a funding their business and development problem

[–] [email protected] 21 points 1 year ago

Its still open source. You can still view the source code. That’s what open source is.

"Open Source" does not, and has never only meant, "you can view the source code". This is the Open Source Definition: https://opensource.org/osd/

Relevant excerpt:

  1. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

The Open Source Definition is very specific, and this license does not meet it. This license is, as it calls itself, "source-available".

If the OSI had obtained that trademark in 1999 on "Open Source", it would be abundantly clear what software really is and is not open source https://opensource.org/pressreleases/certified-open-source.php/

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (1 children)

You can still view the source code. That’s what open source is.

No, it's not. It only counts if it provides the four freedoms listed here:

  • The freedom to run the program as you wish, for any purpose (freedom 0).
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
  • The freedom to redistribute copies so you can help others (freedom 2).
  • The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

And before you say "but that's the definition of 'Free Software', not 'Open Source'," even the latter, misguided as it is, at least still requires freedom 0!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Those are definitions for free software not open source. Open source does not mean free and open source (FOSS). This is still open source (you can see the code) , it's no longer FOSS (you can't freely use the code).

[–] [email protected] -1 points 1 year ago

This is just a money grab

Generating revenue with products they're developing, the sheer audacity

[–] [email protected] -1 points 1 year ago (1 children)

You're conflating FOSS and open source. This is open source just not FOSS anymore

[–] [email protected] 1 points 1 year ago (2 children)

This is plainly incorrect, please see the other responses.
FOSS stands for "free and open source software", but they functionally mean the same thing. So what you're saying is:

This is open source just not open source anymore

[–] [email protected] 3 points 1 year ago (1 children)

You're cherry picking a definition to support your agenda.

[–] [email protected] 0 points 1 year ago

So your claim is that the open source definition by the Open Source Initiative which is battle tested and widely used by distributions, major git hosts and legal enitities is a cherry-picked definition?
Sounds like you're cherry-picking your definition to hide that you simply have no idea :)

[–] [email protected] 2 points 1 year ago (1 children)

This is plainly incorrect but I won't bother saying why either.

[–] [email protected] 1 points 1 year ago

I don't get what you're trying to say here. All terms used have a clear definition and other comments pointed that out already. The definition on open source is very clear.

[–] [email protected] 8 points 1 year ago (1 children)

There's no need to AFAIU when their FAQ explains all the detail, which is that commercial production use is fine as long as you're not using it to build a competitor product to Hashicorp.

[–] [email protected] 1 points 1 year ago

Which is described in ambiguous terms that they can change their minds about at any time. They can decide down the road you are competing, or they can develop a product that competes with you and then use it against you.