What was HashiCorp thinking?

Welcome to Runtime! Today: the messy politics of a high-profile open-source fork, the latest on the SiSense customer data leak, and the quote of the week.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Throwing a knife at a fork

HashiCorp's decision last year to restrict the use of future versions of the various open-source projects created under its direction, most notably Terraform, wasn't all that surprising in the larger context of how business models behind open-source enterprise tech companies have changed over the last several years. Its decision last week to threaten the organization creating a Terraform fork — based on very little evidence — was quite surprising.

The OpenTofu project responded strongly on Thursday to allegations that it had copied source code from the restricted version of Terraform in creating its fork of the project. Here's a quick recap of the latest episode of the never-ending soap opera that is open-source software.

• OpenTofu was first accused of copying the code by Matt Asay, vice president of developer relations at MongoDB, in his regular column at Infoworld published last week under the headline "OpenTofu may be showing us the wrong way to fork."
• That same day, in a remarkable coincidence, lawyers representing HashiCorp privately sent the OpenTofu project a cease-and-desist letter, writing "OpenTofu has repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp’s intellectual property rights," according to a copy of the letter posted by OpenTofu this week.
• Asay did not cite anything for his claim other than a cursory comparison of the OpenTofu code and the BSL-licensed code at issue, and did not address whether or not he had talked to anyone from HashiCorp or OpenTofu before lodging such a serious accusation.

That accusation circulated across social media and in forums for more than a week before OpenTofu, which is backed by the deep pockets of the Linux Foundation, posted a side-by-by comparison of its code, the BSL-licensed code, and code that was previously available under the permissive Mozilla Public License used by HashiCorp until last year.

• "The code in question can be clearly shown to have been copied from older code under the MPL-2.0 license," OpenTofu contributors wrote, and showed their work in a detailed comparison of hundreds of lines of code across the projects.
• That seemed to be enough for Infoworld, which inserted an editor's note at the top of Asay's piece saying "based on these documents, it appears that the OpenTofu community did not misappropriate HashiCorp’s intellectual property" (emphasis theirs) but otherwise left the headline and copy of the article intact.
• Why a venerable enterprise tech publication continues to give a vendor marketing executive the space to write basically anything he wants, especially about a subject where he has an enormous conflict of interest given the similarities between MongoDB and HashiCorp's open-source licensing strategies, remains inexplicable.
• For its part, HashiCorp declined to comment on the whole affair, and its stock — which rose sharply last month after Bloomberg reported it was exploring a sale — fell almost 6% Friday.

Forks are by definition messy in the early innings, and the authors of the original project — whether they are $5 billion companies or weekend warriors — are never going to be happy about seeing someone else take their concept in a different direction.

• There are legitimate legal concerns that a company like HashiCorp can have about the code used in a newly forked project, said Joe Duffy, founder and CEO of Pulumi, which is a direct competitor of HashiCorp.
• Duffy worked at Microsoft in the aftermath of the battles between Sun Microsystems and Microsoft over Java in the early 2000s, and said Microsoft enacted a "clean room" strategy when developing the .Net framework where Microsoft engineers were told to never even look at Java documentation over fears they would inadvertently implement a .Net feature in the same way Sun added something to Java.
• "It's really dangerous territory if OpenTofu is trying to maintain feature-by-feature parity" with Terraform going forward, he said. "If I were them, I would ignore anything Terraform is doing from here on out."

But the only reason to threaten the OpenTofu project in such a vague and easily debunked way is to sow good old-fashioned fear, uncertainty, and doubt among companies thinking about adopting an open-source version of Terraform, a tactic that has been part of enterprise marketing for decades.

• After all, most forks fail on their own, as Duffy pointed out, and without smoking-gun evidence that OpenTofu stole its code any intimidation attempt by HashiCorp looks a little desperate.
• And if license changers like HashiCorp and MongoDB try to weaponize the legal system against good-faith attempts to fork projects that were previously open, we'll have entered a whole new period of open-source drama.

Analyze this

SiSense customers are not happy about the lack of details they've received since the initial disclosure that the data analytics company suffered a breach that potentially exposed a lot of sensitive customer information, according to The Record, and it's much easier to reset passwords than to reset trust.

Brian Krebs reported Friday that his sources believe SiSense was breached through its Gitlab account and the attackers stole access tokens, which allowed them to access its storage buckets in AWS's S3 service. "... Depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials," Krebs wrote.

BigPanda, an ITOps service provider, warned customers Friday that it detected "some suspicious activities from an unidentified threat actor" that it believes was related to its use of SiSense. It said that it rotated its user access keys per SiSense's instructions, but it might be a long weekend for other SiSense customers.

Quote of the week

"Will it be the most important thing? Time will tell. I’ve learned to never make a forecast in technology." — Google Cloud CEO Thomas Kurian, asked by Ben Thompson whether Google's AI investments might one day make more of an impact than its search technology.

The Runtime roundup

Salesforce is in "advanced talks" to acquire Informatica, according to the Wall Street Journal, which means Marc Benioff apparently got tired of staying on the deal-making sidelines following activist-investor pressure to rein it in.

Google Cloud is providing its services directly to the Israeli military, and has been angling to get a bigger piece of that business since last October, according to Time.

Sophia d’Antoine, founder of cybersecurity startup Margin Research, died last week after she was hit by a car in New York City.

Palo Alto Networks warned customers Friday that hackers are exploiting an unpatched vulnerability in its firewalls, and that patches may not be available until Sunday.

Thanks for reading — see you Tuesday!