HashiCorp's claims of code theft dubbed "embarrassing" episode for the open source community
HashiCorp claims OpenTofu used its code in a manner that violates licensing terms, undermining HashiCorp’s intellectual property rights in the process
A heated exchange between HashiCorp and OpenTofu over accusations of copyright infringement has raised questions around the nature of ownership across open source projects.
HashiCorp maintains that OpenTofu has used code in a manner that violates the terms of its Business Software license (BSL), undermining HashiCorp’s intellectual property rights in the process.
OpenTofu has claimed that the code in question was originally derived from sources publicly available under the Mozilla Public License (MPL).
In a cease and desist letter on April 3, HashiCorp claimed that OpenTofu had “repeatedly taken code” and used it outside the bounds of its license. It also claimed that OpenTofu had gone as far as altering or changing HashiCorp’s code to circumvent infringement claims.
“In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp’s code to make it appear as if it was made available by HashiCorp originally under a different license,” HashiCorp said in the letter.
The software company then went on to threaten further and more severe legal action if OpenTofu failed to comply with its demands for a written response.
“If OpenTofu does not comply, we reserve all rights, including the right to send DMCA takedown notices to Github or any other third party hosting or source code repository provider, and the right to initiate litigation to stop further violations,” HashiCorp said.
OpenTofu made the letter public before issuing a written response almost a week later.
OpenTofu posted to LinkedIn that it “vehemently denied” the claims, while members of the open source community, such as Cloud Native Computing Foundation (CNCF) CTO Chris Aniszczyk, were quick to voice their reactions.
“Embarrassing to see a company light all of its hard earned developer reputation on fire, on top of attacking open source,” Aniszczyk said in a post sharing OpenTofu’s statement.
OpenTofu’s defense, which it covered in more detail in a formal letter addressed to HashiCorp on April 9, centered on its claim that HashiCorp had in fact conflated code under BSL and MPL.
Where HashiCorp claimed that OpenTofu “improperly appropriated” code under the BSL, OpenTofu explained that the “appropriated” code was derived from publicly available “pre-fork MPL-2.0 files”.
“The more accurate explanation, however, is that both the OpenTofu files to which you refer and HashiCorp’s Terraform files to which you compare them are both derived (at least to some degree) from … code that was made publicly available,” OpenTofu said.
The company argued that HashiCorp has fundamentally misrepresented the history and origination of the OpenTofu project’s source code, and therefore its accusations are baseless.
In a subsequent blog post on April 11, OpenTofu made both letters publicly available, along with a further expression of denial and a reiteration of HashiCorp’s mistake.
License changes don’t bode well for the community
The current tension at play here, between a software company and an open source platform, is one uniquely borne out of a business-focused change in license structure.
When HashiCorp itself swapped to the BSL, there was widespread upset in the open source community, with former Percona CEO Peter Zaitsev even going so far as to brand the move “hostile”.
While the firm claimed its decision to be in the spirit of the community - as a defense mechanism against other vendors taking unfair advantage of the open source license - HashiCorp’s recent fallout with OpenTofu suggests otherwise. HashiCorp now has to defend the ownership of its source code with a level of commercial intent, pitting it against the community it used to be part of.
The waters are also considerably muddied in terms of ownership. Throughout the legal exchange between HashiCorp and OpenTofu, there is a clear sense of confusion about how and where the code had been changed.
George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.