The HashiCorp BSL Move

Fintan Ryan
Aug 27, 2023

On August 10th, 2023, HashiCorp announced that they have adopted the Business Source License (BSL) for all future releases of core HashiCorp products, switching from the Mozilla Public License (MPL 2.0). The wider community and, understandably, vendors that are building their commercial offerings on these products, reacted negatively.

A fork of the latest MPL 2.0 version of Terraform, one of the most widely used HashiCorp products and open-source projects, was announced on August 25th, 2023 by OpenTF. They aim to submit this project to the Cloud Native Computing Foundation (CNCF).

Three core questions arise:

  • What is the commercial reasoning for this move by HashiCorp?
  • Is it advisable for individual companies to continue to use HashiCorp related open-source projects?
  • What are the wider implications for open-source projects going forward?

To answer these questions, we will look at the current financial position of HashiCorp and some key competitive pressures, what the BSL means for enterprises, and then the wider implications of the license change.

The Commercial Reasoning

A Look at HashiCorp’s Financials and Customer Base

To understand the commercial pressures and risks HashiCorp are under, we first look at their quarterly earnings releases.

HashiCorp, like many of the companies in the cloud native space who IPOed between 2019 and 2022, has never turned a profit. In the low interest rate era up to mid 2022, growth was all that mattered. But since that time, we have had a marked shift in investor sentiment from growth to profitability.

As of the end of HashiCorp’s Q1FY24 (SEC 10Q filing, investor relations presentation, June 2023), HashiCorp revenue is hugely concentrated into two products (Terraform and Vault). These generate 85% of their revenue. Moreover, 89% of HashiCorp’s revenue comes from customers with over $100K ARR, who represent just 19% (830 of 4392 customers as of Q1FY24) of their paying customer base. On top of this, revenues are also highly geographically concentrated, with 71% of sales in the United States.

This dependence on a small subset of enterprise customers is not unusual for firms like HashiCorp. What is more challenging from a HashiCorp perspective, however, is having several competitors explicitly targeting one of your core products while using a project you are the major contributor to within their products. That is, however, a direct trade-off from developing software under an open-source license.

Indeed, HashiCorp, and in turn investors, are more than aware of this. HashiCorp has included the following statement in all their financial filings, including the initial S1 prior to IPO:

“Because of the permissive rights accorded to third parties under our open-source and source available licenses, there are limited technological barriers to entry into the markets in which we compete and it is, and may continue to be, relatively easy for competitors, including public cloud operators, to enter our markets and compete with us.”

At the same time, HashiCorp acknowledge that the open-source nature of their projects, and the community associated with them, is a key customer acquisition strategy.

An Interesting Market?

As noted above, 85% of HashiCorp revenue comes from Terraform and Vault. However, most of the competitive action has been around Terraform, and it has attracted some VC interest.

Many companies have emerged around the Terraform ecosystem. While the majority of these companies deliver professional services, a few have product offerings and have attracted VC funding. Overall, this market is still in a nascent stage, but Env0, SpaceLift and Digger collectively received $52.8M in funding between 2020 and 2023. Scalr received a series A much earlier, back in 2016. There are also several bootstrapped companies, Gruntwork being the most well-known among them.

[Figure: VC Funding of Select Terraform Competitors, 2020–2023]

The common thread with the four VC-funded vendors mentioned above is that they compete directly with Terraform Enterprise and build upon the open-source Terraform project. This also means they are competing for the highly concentrated customer base that HashiCorp has developed in recent years.

The ins and outs of exactly how many community contributions HashiCorp has received is a topic for others to debate. However, HashiCorp state they received less than 5% of the overall contributions from the community to the core projects. In contrast, several orgs have pointed out that they tried, and were unable, to contribute.

The wider Terraform ecosystem is extremely vibrant. Terraform is designed to be extensible, and the provider, modules and additional tooling ecosystem has a wide variety of contributors.

But with all of that said, HashiCorp’s R&D spend for Q1FY24 was $54M alone, more than the total amount of VC funding highlighted above. Obviously, only a subset of this goes directly to Terraform, but GitHub commits alone do not tell the full story of any project.

Ongoing Usage

Enterprises generally have a list of approved open-source licenses, managed out of some form of Open-Source Program Office (OSPO) and/or approved by procurement and legal teams. Getting a new open-source, or restrictive, license approved is a non-trivial task in most enterprises.

HashiCorp have been very clear in their FAQs about the license change that the target for this change is other competitive offerings. If, for example, you are using Terraform in your CI/CD pipelines internally, your risk profile is unlikely to change significantly by continuing to use it.

Whatever your philosophical thoughts on this, if you are already using products like MongoDB or ElasticSearch, your legal, procurement and OSPO teams will have already done their due diligence on the overall framework of the BSL license, and you are unlikely to have any legal concerns about this change. The one thing to be crystal clear on is that the BSL is not an open-source license.

So, what does the change to BSL mean for most enterprises using an existing HashiCorp project? Business as usual for now.

Industry Implications

The wider implications of HashiCorp’s relicensing are more profound for the technology industry. Over the last decade we have seen a large number of “single company” open-source projects emerge. Open-source in and of itself has become a key marketing component and adoption funnel, something which HashiCorp acknowledge in their quarterly financial reports.

Relicensing to the BSL changes this approach. As my former colleague, Stephen O’Grady at RedMonk, recently noted:

“Generally, what they are trying to sell you is a license that allows them to have their cake — the immensely successful and popular brand that is “open source” — and eat it too, which is to say the benefits without any of the costs of open source. Typically this means the addition of the ability to restrict a behavior, use or model that they feel impinges on their ability to exclusively monetize an asset…”

Sometimes a project appears, and a company emerges around it. Other times it is, intentionally, the opposite direction. Or, as in HashiCorp’s case, a project starts (Vagrant, initially released in 2010), a firm emerges later (HashiCorp, founded 2012) and then other projects appear (Terraform, initially released in 2014). Terraform falls squarely into the single company open-source pattern.

A large and vibrant community has developed around Terraform, in part due to its open-source nature and extensibility, but also as it provides a solution to one of the key challenges in cloud: the consistent provisioning of infrastructure. But HashiCorp has always retained control of the source and required contributor agreements from any external parties contributing to the project that assigned the contributions’ ownership and copyright to HashiCorp. To be clear, they are far from the only company with this model.

However, this model also requires a lot of trust on the side of the contributors and the wider community. Where Terraform differs from many other projects with this model is the size of the ecosystem developed on top of Terraform itself. HashiCorp attempted to address this with the license change by keeping APIs, SDKs and Terraform providers under the MPL 2.0 license. It is unclear if this is enough to satisfy the wider community. The OpenTF fork (more below) demonstrates that it is clearly not enough for a significant group.

Prior to the widespread adoption of open-source software, having source code available in escrow was enough of a risk mitigation for many enterprises. This is, in some ways, analogous to having source available under the BSL.

This gives us three (very generic) models:

  • Single Vendor, restrictive license, source available
  • Single Vendor, permissive license
  • Foundation supported (providing corporate structure, IP assignment), permissive license

The longer-term question is whether we will see more of a shift to single vendor, restrictive, but source available licenses, or to foundation supported open-source projects. There are other widely used projects primarily supported by a single vendor that could just as easily go the route of the BSL.

The OpenTF Fork

As of August 25th we now know there will be a fork of Terraform, OpenTF, with a goal to have the project become part of the Cloud Native Computing Foundation (CNCF). The CNCF must of course agree to accept the project.

There is also a strategic question for the CNCF in doing so. As an organisation they have always stated they do not want to choose the winners, but it is also clear that a project that graduates within the CNCF is, to a large extent, an anointed winner in the cloud native landscape.

Up to now, projects may have been competing against each other, but they have not been direct forks of an existing project. If the OpenTF project is accepted (and I do not see a reason for it to be rejected), it breaks new ground for the CNCF. It is far too early to judge if this will have an impact on the overall structures and governance within the CNCF. However, some organizations with projects that are essentially single company open-source, even if under the auspices of a foundation, may have concerns that other forks follow.

Conclusions

It is still too early to see how the move to BSL licenses will play out for HashiCorp. Parts of the Terraform community are clearly upset by the change, but it is also obvious that some are upset for very commercial reasons.

Does the licensing matter greatly? In my opinion it does, and for commercial entities trying to build businesses it matters massively. But, turning once again to Stephen O’Grady at RedMonk, when it comes to the definition of open-source, by far the largest group is those that don’t care.

Disclaimers

I covered HashiCorp as an industry analyst from 2015 until 2022, at RedMonk and then at Gartner. At Gartner my primary published research touched more on Consul, but Terraform and Vault frequently featured in conversations with end user clients. HashiCorp paid for my T&E to several pre-pandemic HashiConfs.

I covered the cloud native ecosystem, including the CNCF, as an industry analyst from 2015 to 2022 at RedMonk and Gartner. At Gartner, Cloud Foundry, Kubernetes, and the wider Kubernetes ecosystem, including numerous projects and companies associated with the CNCF and the Cloud Foundry Foundation, featured in conversations with end user clients. The CNCF, Cloud Foundry Foundation and the Linux Foundation paid for my T&E to a significant number of pre-pandemic events.

Paying for T&E is common practice for analysts attending vendor and foundation events.

The opinions posted in this piece are entirely my own.

Edits

Clarified foundation definition thanks to a comment from Matthew Wilson.

Fintan Ryan

Director, Market Insights @ GitHub, recovering analyst (ex Gartner, RedMonk)