A perspective from Jon Mort, CTO of Adaptavist, on HashiCorp's switch from open-source licences to Business Source License (BSL) and its potential effects on businesses.
Modern software development, at every stage of the value delivery chain, relies heavily on open-source software. The recent decision by HashiCorp to transition many of their open-source projects' licences from Mozilla Public License v2.0 (MPL2.0) to the Business Source License (BSL 1.1) is symptomatic of a larger shift that has happened over the last decade, and not an isolated incident.
"In my role as CTO at Adaptavist, it's my job to anticipate and adapt to changes in our tech sphere, but this shift by HashiCorp certainly gives me pause for thought. It is critical to me, and to The Adaptavist Group as a whole, to understand and work with our internal teams, customers, and partners about the implications of this shift."
Understanding the 'why' of licences in open source brings vital context to this discussion. Open-source licences play a pivotal role in fostering innovation, safeguarding the creators' rights, and preventing the monopolisation of shared intellectual contributions. They are essential to maintain the core ethos of open-source culture: free distribution, source code access, and collaborative modifications. These licences form a social contract of sorts, allowing developers to create and share their innovations freely while determining how others can use, study, redistribute, and modify that work.
HashiCorp's transition may well be interpreted as a shift away from the core ethos of openness, even though it mirrors a wider industry orientation over recent years. A range of businesses, particularly in the tech domain, have used the strategy of creating open-source projects to attract customers to their paid offerings. These companies, often providing software infrastructure tools or platforms, start by building a user base and a community around an open-source project. Their high-quality, freely available software garners attention from developers and companies alike. As users grow reliant on the tool and seek advanced features, security, or dedicated support, these businesses offer premium, paid versions or services.
The licence modification will impact several popular HashiCorp tools like Terraform and Vault. While MPL2.0 is recognised as open source, BSL 1.1 doesn't enjoy that classification. Though the change won't affect HashiCorp APIs, SDKs, and most other libraries, as they will remain under MPL 2.0, it perturbs the open-source ethos HashiCorp was once known for.
It's important to understand that while end-users can still copy, modify, and redistribute the code for non-commercial and commercial use, exclusionary terms apply. If those end-users are delivering a competitive offering to HashiCorp, the equation changes. The usage is further constrained for vendors providing competitive services built on HashiCorp community products. They will be denied access to future releases, bug fixes, or security patches for these products. Worryingly, given the vague 'competing' clause, the possible expansion of HashiCorp into your core business area could inadvertently put you in breach, without any active decision on your part.
Furthermore, while customers of enterprise and cloud-managed HashiCorp products may not witness a direct change, the ripple effects of a licence change from open to closed source could significantly disrupt usage patterns. HashiCorp, which morphed from open-source projects under the Mozilla Public License to a company with a more closed ecosystem, may no longer be viewed as the "good guys" of open source.
The language of the new 'competing' clause is exceptionally vague, leaving much open to interpretation and potentially landlocked negotiations for licensing. There is hefty speculation that the move is targeted towards profit generation and attempts to stem their financial losses. While revenue models are crucial for sustainability, transitions perceived as anti-community can lead to unintended repercussions. We are potentially stepping into a landscape where 'competition' is an ill-defined term and could hinder our strategic efforts.
At Adaptavist, we, as a commercial vendor, are cognisant of the potential effects on our platform usage and development. We use and help customers with HashiCorp products, including Terraform, Vault, and Vagrant, and the surrounding ecosystem of tools that benefit from or improve Terraform, such as Crossplane and Terragrunt. This opaque definition of 'competition' within the new licence terms could introduce unexpected roadblocks in our development roadmap, potentially stalling our stride towards achieving our goals.
From our customers' perspective, the change could cause disruptions. A number of these businesses have intricately woven HashiCorp products into their tech framework, and the effects of transitioning from an open source to a more restrictive licence could have profound impacts.
For the decision-makers—the CTOs, CIOs, CISOs—who might be only now catching wind of this licensing shift or trying to decode what it means for their strategy, this change means reassessing risk profiles, evaluating partnerships, and possibly restructuring tech roadmaps. This becomes even more critical for teams reliant on open-source projects as part of their strategic offerings.
For those lacking in-depth knowledge of open-source licences, this transition presents a challenging time. The implications on compliance, the potential risk to their standard development practices, and the broader risks associated with copyright violations all need careful addressing.
While I've centred on HashiCorp in this blog, the transition is a reflection of broader industry trends we're witnessing—a shift in open-source projects and their business models. Large service providers have been known to leverage open-source projects, leading to significant revenue loss for the originating small and medium-sized businesses. These smaller players, built around open-source offerings, are trying to rally their defences. MongoDB and Elasticsearch are notable examples, having adapted their licence types to protect their commercial interests from giants like Amazon's AWS. It's a complex situation for open-source projects—trying to balance the original ethos of openness and collaboration with protecting their business viability in a highly competitive landscape. HashiCorp’s licence change is yet another chapter in this ongoing narrative.
At Adaptavist, we know that opportunities exist for all organisations, both where there is clarity and uncertainty. We want our partners, customers, and the wider community to understand the potential business implications of these changes, and we are here to provide the needed support. HashiCorp's change of licence has the potential to be a significant disruptive change for many organisations, and we hope it does not spark a cascade of change of licence for open-source projects, putting the brakes on innovation industry-wide. Navigating the change will require the coming together of different perspectives and partnerships to smoothly ride the disruption and grasp the opportunities that arise.
In navigating the implications of this licensing change, remember that your business is not alone. Whether you're part of a compliance team grappling with potential copyright violations, or a senior leader seeking to understand the depth of this change, don't hesitate to reach out. This is particularly important for those who might be new to the complexities of open-source licences. Disruption inevitably brings chances for innovation and change, and we are readily available to support you through this transition. For further insights into this topic, be sure to catch the next episode of our podcast, DevOps Decrypted, which will explore this issue in more detail.
