HashiCorp switching to BSL shows a need for open charter companies

The issue never seems as big a deal to me as others make it out to be… when a company switches the license, it is only for new development going forward. Any versions you were already using continue to have the same license, and you can keep using them.<p>The only thing you are losing is (perhaps) the ability to continue to receive free patches and updates from the project. This is no different than if the company went out of business completely. You can still make your own updates to the last OS version, and you are free to solicit contributions from others to your fork.<p>Is Hashicorp switching to a BSL any more disruptive to users of the software than if Hashicorp went out of business?

There&#x27;s one thing that a company can do if they want to prove to their users that they&#x27;ll always stay open. Ask their external contributors to sign a DCO (developer certificate of origin) instead of a CLA (contributor license agreement.) The latter transfers the copyright to your contribution to the company, the former is merely an assertion that you do own that copyright and are legally allowed to contribute.<p>This way, all external contributors own a small part of the copyright to the project. This makes changing the license almost impossible, as it would require either seeking permission from all those contributors or removing all of the code that they wrote.<p>Whether a company uses a DCO or CLA should be the litmus test of how they really feel about open source. I&#x27;d strongly reconsider making your business dependent on any products from the latter.

On a related note, if you haven&#x27;t seen it yet, make sure to check out the OpenTF Manifesto[0]. More info coming on Friday!<p>[0]: <a href="https:&#x2F;&#x2F;opentf.org" rel="nofollow noreferrer">https:&#x2F;&#x2F;opentf.org</a><p>Disclaimer: Work at Spacelift

<i>However, there’s a negative impact on commercial open source software. The more companies do this, the more the community loses trust. Fewer people will contribute to or adopt commercial open source.</i><p>Is this generally considered a truism? Has about zero influence on me, or with director level decision makers at companies I&#x27;ve worked with.

They also published an FAQ recently:<p><a href="https:&#x2F;&#x2F;www.hashicorp.com&#x2F;license-faq" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.hashicorp.com&#x2F;license-faq</a><p>This all should be incorporated into the BSL, as the current terms are clearly vague enough that they require a separate (not legally binding) FAQ (as it can be changed at any point...)

Im a OSS founder.<p>This is a balanced article and I definitely agree about being clear on what constitutes competition. A few questions:<p>1. Does Gitlab see much competition from hyperscale providers like AWS?<p>2. Given that Gitlab has a thicker proprietary crust and a relatively smaller open source core (compared to hashi), is Gitlab more insulated from these types of issues?

I don&#x27;t see how license changes that don&#x27;t adversely affect the vast majority of users break trust, especially when the noops are effectively communicated. Hashi did a much job better job there than its predecessors.<p>I don&#x27;t see what locking corporations into future open releasing does to solve the general problem.<p>The problem is fueling and operating maintenance and development for as long as those costs remain worthwhile. There are no perpetual motion machines. We have multiple data points from companies suggesting the rules of the game being played today create an inflection point away from universal permissive licensing. Restricting an organization&#x27;s freedom of operation might maximize the time it holds out in forlorn hope on a pure, doomed model. It might also grind it to a halt when it could have kept going by compromise.<p>A project steward going bust can send a clear signal to former free riders that they need to step up and organize or switch off. But in the meantime, what&#x27;s to stop some other firm, without charter restrictions, stepping in to try the model the restricted firm wasn&#x27;t allowed to? What&#x27;s to stop the engineers at the restricted firm jumping ship?<p>On the level of implementation, I wonder at the need for public benefit corporation structure, with all its vagueness, expenses, and complications. Are the feel-goods really worth the complication?<p>You can put corporate-powers limitations in a &quot;regular&quot; corporation charter. That&#x27;s a key part of how we turn C-corps into tax-exempt charities and business leagues. The restrictions we put in, say, 501(c)(3) charters also read vague, but they&#x27;re statutory language we&#x27;ve been fighting about and refining by law over time. Conversely, putting eight novel, vaguely worded restrictions into a corporate charter, with or without line-by-line statements of intent, is putting a whole lot of fluff in the very beating heart of a governance structure. Who settles interpretation fights there, a judge in a shareholder derivative suit? I think the hullabaloo of the OpenAI Charter might be instructive.

Just taking this opportunity to highlight again how stupid BSL licensing for HashiCorp Nomad is when they don&#x27;t even offer their own cloud product for it...

Does anyone know much about OCV? I haven&#x27;t heard much about this firm, but the investment model seems really intriguing.<p>I also appreciate that the article on staying open source and maintaining trust is written by a VC firm. That&#x27;s really putting your money where your mouth is.

As I said the other day, this open charter concept sounds like a suicide pact that removes future options and flexibility. But maybe it will turn out to be a constraint that triggers innovation in business models.

The other option is to use CLAs to try to allow only specific re-licensings. The Harmony CA [1] that states:<p>We agree to license the Contribution only under the terms of the license or licences which We are using on the Submission Date for the Work in which the Contribution is included or the following additional licenses ...<p>This would let the company re-license to selected other open source licenses for compatibility&#x2F;strategy, etc, but not allow BSL, etc<p>[1] <a href="https:&#x2F;&#x2F;harmonyagreements.org&#x2F;comments" rel="nofollow noreferrer">https:&#x2F;&#x2F;harmonyagreements.org&#x2F;comments</a>

&gt; Adopting a non-compete license isn’t problematic in itself, it’s the trend of switching from an open source to a non-compete license after gaining significant success that is causing distrust in commercial open source software.<p>I shared a similar sentiment here [0]. The future of open source companies is taking a serious posture for it and clarifying as best as possible to all stakeholders involved what this stance is. Love this piece.<p>[0]: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=37215478">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=37215478</a>

Let&#x27;s not forget about Lightbend in this with Akka.

I don’t understand the complaints about this switch. Aren’t these companies doing this to protect themselves from the likes of Amazon, Microsoft, and Google cloud services reselling their services and competing with them, not stop the rest of us from using their software?

I tend to think that larger open source projects (large enough to need funding) need to be coming from nonprofit foundations, R&amp;D arms of already-public corporations and educational and government institutions. Companies that want to go IPO is the wrong model.

I would argue the issue I&#x27;d how companies that make open source wants to gave the cake and eat it too.<p>Essentially, because the software is so close to the company it&#x27;s hard to be certain that the project is independent, sure you can fork it but look at what it did to openelastic. Not much.<p>Instead if it&#x27;s maintained by a foundation then it&#x27;s much harder for a company to assert full control.<p>It doesn&#x27;t solve freeloaders but it&#x27;s I think a big reason for freeloaders existing.

HashiCorp hasn&#x27;t been committed to open-source community in years, particularly with Terraform.<p>Their own words <a href="https:&#x2F;&#x2F;github.com&#x2F;hashicorp&#x2F;terraform&#x2F;blob&#x2F;ad634f60a5acbaade1eb8c225564e17ad2267f00&#x2F;.github&#x2F;CONTRIBUTING.md#:~:text=Due%20to%20current">https:&#x2F;&#x2F;github.com&#x2F;hashicorp&#x2F;terraform&#x2F;blob&#x2F;ad634f60a5acbaad...</a>

Open core is just as bad as BSL.

The only way a company can switch the license for a given bit of software if one of two things are true:<p>1) The license allows bundling of licensed code with code under alternate licenses. This kind of is the point of many business friendly licenses such as the widely used Apache 2.0 and MIT licenses. I don&#x27;t see this as a bad thing.<p>2) Alternatively, the company simply owns the copyright to the entire code base and insists on copy right transfers for any outside contributions. Elastic did this. And they were using Apache 2.0 as their license as well.<p>The best way to insure against companies re-licensing and controlling a code base is by diversifying the community of contributors. Most long lived open source projects have so many contributors across the industry that anyone taking the source code and closing it would just amount to a weird isolated fork that probably won&#x27;t get much traction. Perfectly legal under some licenses. If you want a BSL licensed version of Apache httpd. You can just take the source code and start layering your BSL licensed patches on top. But there&#x27;s very little point in doing that as everybody else will just keep on adding to the upstream OSS code base.<p>Other licenses are designed to prevent this entirely. Which is where copyright transfers become relevant. Any company using AGPL v3 and insisting on copyright transfers is basically just trying to coerce people to buy their proprietary licensed version instead. It&#x27;s a common strategy among some OSS companies. I don&#x27;t think it works that well for many companies. Mostly you just throw away the baby with the bathwater. You alienate a lot of potential users as well as contributors.<p>I use a few simple rules:<p>- I avoid anything licensed under the AGPLv3. Just not worth the legal headaches. Luckily, this is easy because there isn&#x27;t a whole lot of software under that license that I particularly care about. If I need a lawyer to figure out if my intended use of a given bit of software is allowed, morally justified, etc., I&#x27;m not interested. The attitude with a lot of users of this license seems to be leaning towards communism in the sense that all form of value creation is frowned upon and seen as profiteering. So, I respect that attitude by just ignoring anything under that license for personal or company use. No exceptions.<p>- I don&#x27;t contribute source code if there&#x27;s a copyright transfer involved or if the software is not under a proper open source license. If you want to own your software that&#x27;s fine, but that means you are responsible for fixing it as well. So, anything BSL or similarly licensed is not going to get patches from me. I might file a bug but I won&#x27;t lift a finger to close it. A hard condition for me coding anything is either financial compensation or a proper OSS license.<p>- I avoid using non open sourced software as much as I can. That future proofs what I do. I tend to gravitate to things with active communities. This put me a bit in a dilemma with Elasticsearch when they went closed their source and fractured their community (opensearch is the OSS fork). I still deal with Elasticsearch professionally. But I&#x27;m gradually shifting my attention to Opensearch. And my observation is that they fractured their customer base and that new users are defaulting to Opensearch. Hashicorp is likely to end up facing a similar situation.<p>- For my own oss projects, I use the MIT license. Maximizes my user&#x27;s flexibility to do whatever they need to do without limiting mine. Including creating valuable closed source products. That&#x27;s a feature, not a bug. Go for it. I want you to create value and benefit from my software. More power to you. That&#x27;s part of the OSS contract. Contributing back is appreciated but not required.<p>Companies that value having active developer communities are mutually exclusive with overly restrictive licenses. What&#x27;s nice about things like Linux is that the community is lots of companies taht build commercial and proprietary products on top of it. And they end up contributing back. It&#x27;s this commercial success of Linux that drives its success and keeps its community healthy and diverse. GPLv2 was a happy accident that it contained enough loopholes for this to work.

Didn’t Pulumi accelerate its adoption by the use of Hashicorp terraform providers? Didn’t AWS use elastic search for free then fork when the license changed? I think there are a lot of challenges around building a sustainable business around OSS that requires a more delicate look than the black or white hot takes around here recently.<p>…with that being said, I will say that I welcome companies like Pulumi to the IaC landscape. IaC makes a lot of sense conceptually, but unlike a lot of HN (from my perspective), I strongly dislike terraform and HCL and most Hashicorp products. There’s also enough of an impedance mismatch between TF and cloud providers that I’d be poised to just use cloud formation or ARM or something native over tf, which was never cloud agnostic anyway like their marketing claims.

It makes me sad that we don&#x27;t appreciate the 10+ years that Hashicorp put into open-source.<p>It&#x27;s open - somebody else can pick up where they left off, if they really care (like OpenSearch did for Elasticsearch).

&gt; switching to BSL<p>I&#x27;m doing what I can to nip that typo in the bud: it&#x27;s b*U*sl <a href="https:&#x2F;&#x2F;spdx.org&#x2F;licenses&#x2F;BUSL-1.1.html" rel="nofollow noreferrer">https:&#x2F;&#x2F;spdx.org&#x2F;licenses&#x2F;BUSL-1.1.html</a><p>Yeah, yeah, context matters, Hashicorp did not switch to Boost Software License, but it would be so much better to be accurate than &quot;you know what I meant&quot;

If you don&#x27;t have the internal resources to use some other tool you should pay up.

When I read about mid-stream license switches like this, the term <i>bait &amp; switch</i> comes to mind. It seems unethical.<p>People bought into the product based on various factors, one of which may have been the license. They put hundreds or even thousands of hours into integrating that product into their environment. Then someone pulls the rug out from under them.<p>That Hashicorp were accepting community contributions from people who will never see a monetary return on that investment —- while Hashicorp makes money on their work —- adds insult to injury.<p>Businesses who use that kind of tactic are not high on my list of people to give my money to.

one strange trick to kill your company

Boy am I happy I never invested too much time in their software.

On further investigation, this has nothing to do with British Sign Language.

So I gather “BSL” isn’t British Sign Language then?

It also shows naked greed. Hashicorp’s founding as an open source company was a bet that a company could open source everything and still mint money.<p>And mint it did, billions, in the IPO. And now, abandoning its ideals for the sake of money, I feel a lot less optimistic about open source going forward.