Infrastructure
Why HashiCorp's threats to a Terraform fork fell flat, and might have made it stronger
Forks are by definition messy in the early innings, but without smoking-gun evidence that OpenTofu stole its code any intimidation attempt by HashiCorp looks a little desperate.
HashiCorp's decision last year to restrict the use of future versions of the various open-source projects created under its direction, most notably Terraform, wasn't all that surprising in the larger context of how business models behind open-source enterprise tech companies have changed over the last several years. Its decision two weeks ago to threaten the organization creating a Terraform fork — based on very little evidence — was quite surprising.
The OpenTofu project responded strongly on Thursday to allegations that it had copied source code from the restricted version of Terraform in creating its fork of the project. OpenTofu was first accused of copying the code by Matt Asay, vice president of developer relations at MongoDB, in his regular column at Infoworld published on April 3rd under the headline "OpenTofu may be showing us the wrong way to fork."
That same day, in a remarkable coincidence, lawyers representing HashiCorp privately sent the OpenTofu project a cease-and-desist letter, writing "OpenTofu has repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp’s intellectual property rights," according to a copy of the letter posted by OpenTofu this week.
Asay did not cite anything for his claim other than a cursory comparison of the OpenTofu code and the BSL-licensed code at issue, and did not address whether or not he had talked to anyone from HashiCorp or OpenTofu before lodging such a serious accusation.
That accusation circulated across social media and in forums for more than a week before OpenTofu, which is backed by the deep pockets of the Linux Foundation, posted a side-by-by comparison of its code, the BSL-licensed code, and code that was previously available under the permissive Mozilla Public License used by HashiCorp until last year.
"The code in question can be clearly shown to have been copied from older code under the MPL-2.0 license," OpenTofu contributors wrote, and showed their work in a detailed comparison of hundreds of lines of code across the projects.
That seemed to be enough for Infoworld, which inserted an editor's note at the top of Asay's piece saying "based on these documents, it appears that the OpenTofu community did not misappropriate HashiCorp’s intellectual property" (emphasis theirs) but otherwise left the headline and copy of the article intact.
(Why a venerable enterprise tech publication continues to give a vendor marketing executive the space to write basically anything he wants, especially about a subject where he has an enormous conflict of interest given the similarities between MongoDB and HashiCorp's open-source licensing strategies, remains inexplicable.)
For its part, HashiCorp declined to comment on the whole affair, and its stock — which rose sharply last month after Bloomberg reported it was exploring a sale — fell almost 6% Friday.
Forks are by definition messy in the early innings, and the authors of the original project — whether they are $5 billion companies or weekend warriors — are never going to be happy about seeing someone else take their concept in a different direction.
There are legitimate legal concerns that a company like HashiCorp can have about the code used in a newly forked project, said Joe Duffy, founder and CEO of Pulumi, which is a direct competitor of HashiCorp.
Duffy worked at Microsoft in the aftermath of the battles between Sun Microsystems and Microsoft over Java in the early 2000s, and said Microsoft enacted a "clean room" strategy when developing the .Net framework where Microsoft engineers were told to never even look at Java documentation over fears they would inadvertently implement a .Net feature in the same way Sun added something to Java.
"It's really dangerous territory if OpenTofu is trying to maintain feature-by-feature parity" with Terraform going forward, he said. "If I were them, I would ignore anything Terraform is doing from here on out."
But the only reason to threaten the OpenTofu project in such a vague and easily debunked way is to sow good old-fashioned fear, uncertainty, and doubt among companies thinking about adopting an open-source version of Terraform, a tactic that has been part of enterprise marketing for decades.
After all, most forks fail on their own, as Duffy pointed out, and without smoking-gun evidence that OpenTofu stole its code any intimidation attempt by HashiCorp looks a little desperate. And if license changers like HashiCorp and MongoDB try to weaponize the legal system against good-faith attempts to fork projects that were previously open, we'll have entered a whole new period of open-source drama.
(This post originally appeared in the Runtime newsletter on April 13th, sign up here to get more enterprise tech news three times a week.)