HashiCorp accused the OpenTofu community of stealing Terraform code, but something went wrong

On April 3, the InfoWorld website published an article by Matt Asay, a well-known open source commentator and lawyer, entitled “OpenTofu may be showing us how not to fork”. The lead paragraph of the article is quite harsh:

Don't agree with the license? Just fork the project, but don't throw away its code – say that it was always available publicly. Compare the HashiCorp code and license with the OpenTofu version.

The author, using phrases like “maybe” and “apparently,” rather harshly accuses the OpenTofu community of including in their project part of the Terraform code, which is only available under the BUSL license and cannot be freely reused, in effect accusing the developers of the free project of theft.

Let us recall that in August 2023, HashiCorp changed the license for Terraform from MPLv2 to BUSL, which does not meet the criteria of the Open Source Initiative. After this, a number of market players forked the still free version of Terraform and launched a project that eventually became known as OpenTofu. After some time, the project was transferred to the Linux Foundation and has since developed under the wing of this organization.

Below are the main thoughts of the author of the article (we tried to maintain the style).

OpenTofu is an extremely promising but difficult project to implement. So complex that OpenTofu may have illegally borrowed HashiCorp code to keep up with Terraform.

OpenTofu appears to have removed the Terraform code associated with the new “removed” block feature, first implemented in Terraform version 1.7, which was released under the Business Software License (BUSL) – a few months after the creation of OpenTofu itself. That is, the OpenTofu developers took this code, removed the headers, and tried to relicense it under the Mozilla Public License (MPL 2.0).

Guys, that's not how open source works. You may not agree with which license the copyright holder has chosen, but you do not have the right to take someone else's code and then copy it and change the license.

OpenTofu launched in September 2023 to much fanfare and “official guarantees” of support from more than 140 organizations, including Cloudflare, Harness, Oracle and GitLab. Of course, the main custodians largely came from HashiCorp's direct competitors (Spacelift and env0), who built their businesses on Terraform and were upset by HashiCorp's license change. Fair. (Here the author is clearly being sarcastic. Editor's note.)

By January, the project was making a big deal about OpenTofu being available, even though it was mentioning features that weren't yet implemented in Terraform and would come later in OpenTofu itself. However, despite the optimistic start, the team soon began to realize the complexity of implementing this feature. Security is complicated. (Perhaps the guys at HashiCorp weren't idiots after all.) If this speed of development sounds too good and unrealistic, especially considering that the project is backed by a hastily assembled group of relatively small companies (and none of the major cloud providers), perhaps it was. After all, no matter what anyone thinks about HashiCorp's license change, the company spent a decade building the product. The engineering prowess behind such efforts will not emerge for several months, no matter how lofty the ideals of the founders.

In Terraform version 1.7, HashiCorp introduced an important new feature: automating the removal of resources from state using a “removed” block, which allows Terraform to better manage resource removal. Think of it as a configuration-based approach to “terraform state rm”. It is important to note that this feature was introduced at the end of November 2023, that is, after HashiCorp switched to BUSL. If anyone wanted to use the “removed” block to automate the removal, they could not use this feature as if it had been released under the MPL.

By the end of February 2024, OpenTofu released functionality similar to HashiCorp's “removed” block automation. Not only in terms of what it does, but also in terms of the code written to execute it. Take a look at these repositories and tell me if you don't see the same thing:

Copyright law is complex. I am a lawyer by training, but I do not practice, so I cannot be considered a very good lawyer. More importantly, OpenTofu appears to have removed some comments in several files. They may have also changed a few lines in a few places. Perhaps one could even argue that OpenTofu did not actually use the Terraform code licensed by BUSL. Maybe.

However, this argument becomes less convincing when you look at the OpenTofu headers in the files. Here is the header that HashiCorp used in their “removed” block code files:

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

And here is the header that OpenTofu used:

// Copyright (c) 2023 HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

See the problem? OpenTofu admits that it uses HashiCorp code, but pretends that the code is licensed under the MPL. Only it's not like that. At all. All of this code was released after Terraform was migrated to BUSL. At best, the OpenTofu community is engaged in wishful thinking, desperately hoping that it can retroactively magically turn BUSL-licensed code into MPL-licensed code. In the worst case scenario, the OpenTofu developers fraudulently misused HashiCorp's intellectual property and attempted to appropriate it for themselves.

Despite what the OpenTofu developers may think, this behavior runs counter to a positive “community-oriented approach” and certainly does not demonstrate the “value of open source” as the Linux Foundation press release proclaims. This looks very much like a violation of HashiCorp's intellectual property. It’s quite logical for OpenTofu not to accept HashiCorp’s new license terms and fork the project; however, it is also completely illegal for them to take HashiCorp's code and apply whatever license they want to it.

And it also looks painfully like a failure in management. There's no way Cloudflare, Oracle, and other companies could sign up for this kind of community behavior, but that seems to be what they're getting.

Three facts add piquancy to this article:

  • Matt Asay leads DevRel at MongoDB, another Open Source project that recently changed its license to non-Open Source.

  • The article was published before the official announcement that HashiCorp lawyers had sent a complaint to the OpenTofu community. The question arises: where did a DevRel lead, with a legal rather than technical background, dig up all these facts? The article, by the way, says not a word about this. The meme with Kiselev from the Rossiya channel couldn’t come at a better time 🙂

  • OpenTofu is part of the Linux Foundation, an organization that has a high reputation throughout the world, both among engineers and in the business community.

Discussions of the article on the Internet

You can't leave comments on the InfoWorld website itself, so the debate flared up on other platforms:

Moreover, the reaction of almost all commentators was unambiguous:

  • The article was written in an overly accusatory tone, and no one asked the opinion of the other side.

  • The implementation of the feature is different, and the similarity is simply due to the fact that the same functions are implemented, and implemented in Go, a language that does not provide many options for implementing the same logic.

  • The file headers include HashiCorp copyright because that's what they do.

Matt, you know everything perfectly yourself. This is exactly what happens when you fork. A fork always retains the copyright notices of its previous project. And I looked at the code [of both projects]: the fact that they look similar is simply a consequence of the fact that they implement the same functionality. And what looks different in them, I see as “different SDEs”.

Hey, OpenTofu core team member here.

Copyright headers in new files are necessary because sometimes we have to move code from old files.

More information – in this post.

Here are some more responses from community members:

Letter from HashiCorp Lawyers

About a week after this article was published, the following post appeared on the OpenTofu project's LinkedIn:

The OpenTofu Project recently learned of a letter from HashiCorp's lawyers alleging that OpenTofu is not complying with the terms of the BSL license that governs the Terraform codebase. The OpenTofu Project strongly disagrees with any suggestion that it has misappropriated and misused source code or otherwise violated the BSL license for a HashiCorp product. In fact, we speculate that HashiCorp may be mixing code that was previously open source under the MPL license with fresh code published under the BSL. The custodians of OpenTofu have investigated this matter and intend to release a written response in the coming days explaining their position in more detail.

HashiCorp's claim itself can be viewed at the link (PDF) – it turned out that the lawyers sent it on April 3.

OpenTofu Community Response

On April 11, the OpenTofu team published its long-awaited answer – although by that time few people doubted that OpenTofu was not to blame and that the accusation was false. The project team attached a detailed 46-page analysis of the disputed code and a scan of the official response to the claim from HashiCorp's lawyers.

Excerpt from the article:

The OpenTofu team strongly disagrees with any suggestion that it misappropriated, missourced, or otherwise misused HashiCorp's BSL code. All such statements have no basis in fact.

HashiCorp filed claims of copyright infringement in a cease and desist letter. These claims are completely unfounded.

It can be clearly seen that the controversial code was copied from older code licensed under MPL-2.0. It appears that HashiCorp itself copied the same code when it implemented its version of this feature. It's all easy to see in our detailed SCO analysis, as well as in their own comments, which just point to this.

This article dotted the i's and HashiCorp's claims were rejected.

Matt Asay's Apology

On the same day, Matt Asay posted an apology on Twitter.

But not all subscribers were happy with the result – some continued to ask why he published his article at all, and some expressed regret that instead of developing new functions, the OpenTofu community was forced to conduct a detailed analysis of the controversial piece of code and compile a 46-page document.

In addition, the author of the article added a disclaimer to his material. In it, he reported that, given OpenTofu’s response, it is safe to say that the developers used the Terraform code within the framework of the license and there is no reason to blame them.

Conclusions from this story

  • HashiCorp is clearly keeping an eye on OpenTofu and perceives the project as a threat to Terraform.

  • Matt Asay's reputation as a commentator may be in serious jeopardy.

  • If you are writing an article with serious accusations against someone, it is better to dive into the issue more thoroughly first. Especially if you're blaming a division of a globally respected organization like the Linux Foundation. And you shouldn’t throw accusations until you have found out all the details – it’s better to choose a more neutral and impartial tone.

  • The Linux Foundation is a mature organization that has a good reputation in the engineering and business community for good reason. And the communities around its projects are managed by fairly mature specialists who are able to act calmly even in an emotionally very difficult situation.

  • A bit of conspiracy theory: the whole sequence of actions looked as if it was some kind of attack planned by several commercial structures that in the recent past abandoned Open Source licenses for their products.
