Last week, the OpenTofu project was accused of infringing HashiCorp’s copyright in Terraform by incorporating newly BSL-licensed code without permission. Those accusations now appear to be unfounded.
OpenTofu is a fork of the Terraform project. A fork occurs when development of a codebase diverges from a common root. This is a key fact to remember as we analyze the claims made by HashiCorp and OpenTofu’s response.
OpenTofu branched off from the open source version of HashiCorp’s Terraform project when HashiCorp changed its license to the Business Source License (BSL) in August 2023. Unhappy with the changes, a coalition of HashiCorp competitors formed the OpenTofu project, partly to ensure they could continue to build their own products on an open source core. It’s fair to say that HashiCorp was not pleased by this development, predictable though it may have been.
HashiCorp’s Claims
On 3 April 2024, lawyers for HashiCorp sent the OpenTofu project a cease-and-desist notice outlining the company’s claims of copyright violations. In a remarkable coincidence, InfoWorld published an article by contributor Matt Asay covering these claims the same day.
As well as more general claims, the notice made specific claims relating to a new feature of both OpenTofu and Terraform called removed blocks. HashiCorp claimed, in essence, that the OpenTofu code so closely resembled HashiCorp’s proprietary Terraform code that it must have been copied without permission. These were quite serious allegations that, if true, could have threatened the OpenTofu project’s existence, and the GitHub accounts of contributors.
The cease-and-desist notice also stated “In light of these instances of infringing reproductions and distributions of HashiCorp copyrighted code, we are concurrently sending DMCA takedown notices to Github [sic] to ensure the offending materials are removed, and any repeat infringers’ accounts are disabled.” The Digital Millennium Copyright Act (DMCA) provides a mechanism for copyright owners to request a service provider to take down infringing material or risk secondary liability for assisting with copyright infringement.
OpenTofu’s Response
After a week of no doubt careful deliberation, the OpenTofu project provided a detailed explanation of the situation on 11 April 2024.
“The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp’s BSL code. All such statements have zero basis in facts,” the statement reads, in part.
The project provided a detailed analysis of the source code origination, its processes for accepting contributions, and its commitment to honoring the intellectual property rights of others. The code similarities were, the project claimed, due to the common origin of both OpenTofu and Terraform in the pre-BSL-licensed version of Terraform.
Specifically, the removed block implementation was said to be derived from the pre-existing moved block implementation. Many similarities were, OpenTofu explained, due to both parties basing their new code on the same, common base.
The implementations of both parties were also constrained by the Go programming language’s requirements and standard conventions. Thus constrained, it is common and expected that independent parties will, at times, create code that is very similar, if not identical.
In the most material aspects, OpenTofu explained that its implementation was independently developed and that this is reflected in the divergent logic of the code as well as its written expression. Thanks to the open source nature of OpenTofu and previous versions of Terraform, most of these claims can be tested by reviewing the code development process itself.
To his credit, Asay has since updated his article to lead with the following paragraph:
Update: Since this article was published, HashiCorp sent OpenTofu a cease-and-desist letter on April 3, 2024, expressing in greater detail the concerns raised in this post. On April 11, 2024, the OpenTofu maintainers responded with a detailed analysis of the claims made about the removed block. Based on these documents, it appears that the OpenTofu community did not misappropriate HashiCorp’s intellectual property.
Commentary
My own analysis concurs with OpenTofu’s explanation. It is logically consistent and aligns with the available facts. We are fortunate that open source development now uses extremely transparent processes that allow us to test various claims against what anyone can see for themselves.
When the issue first became public, like many people I also looked at the files noted in Asay’s InfoWorld article. I noted that there were substantial differences in the logic of OpenTofu’s implementation compared to those in Terraform. I also noted some troubling similarities that bore the hallmarks of potential copying.
I can understand how a quick scan or superficial review of the code could lead someone to suspect that copying may have occurred. This should have been the beginning of an analysis, not its conclusion. More careful review would have been needed to determine if these suspicions were warranted and sufficiently supported with facts. Unfortunately, it now appears that any such review by HashiCorp or its lawyers was not sufficiently careful, given the gravity of the claims.
HashiCorp has taken a heavy-handed approach here to what now appears to be a simple misunderstanding of its own codebase, possibly due to a lack of review by technical staff with sufficient familiarity with it. It is, I am sad to say, somewhat embarrassing.
The open source community has a long tradition of preferring to be on the side of the underdog. With this incident, HashiCorp has positioned itself—perhaps unwittingly—as an aggressive bully. This is unfortunate.
It also provides more evidence that, as I have previously suggested, OpenTofu represents a serious threat to HashiCorp’s commercial success. Why risk drawing attention to a competitor and providing them with essentially free advertising if they are not?
Missteps like this will inject more energy into a project full of those who traditionally enjoy the feeling of righteous struggle against a perceived oppressor. Far from taking out a competitive threat, HashiCorp may have instead improved its prospects.
Time will tell.