The Linux Foundation's 'OpenTofu' Project Denies HashiCorp's Allegations of Code Theft

The Linux Foundation-backed project OpenTofu "has gotten legal pushback from HashiCorp," according to a report — just seven months after forking OpenTofu's code from HashiCorp's IT deployment software Terraform: On April 3, HashiCorp issued a strongly-worded Cease and Desist letter to OpenTofu, accusing that the project has "repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp's intellectual property rights." It goes on to note that "In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp's code to make it appear as if it was made available by HashiCorp originally under a different license." Last August, HashiCorp announced that it would be transitioning its software from the open source Mozilla Public License (MPL 2.0) to the Business Source License (BSL), a license that permits the source to be viewed, but not run in production environments without explicit approval by the license owner. HashiCorp gave OpenTofu until April 10 to remove any allegedly copied code from the OpenTofu repository, threatening litigation if the project fails to do so.
Others are also covering the fracas, including Steven J. Vaughan-Nichols at DevOps.com: OpenTofu replied, "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts." In addition, it said, HashiCorp's claims of copyright infringement are completely unsubstantiated. As for the code in question, OpenTofu claims it can clearly be shown to have been copied from older code under the Mozilla Public License (MPL) 2.0. "HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments."

In a detailed source code origination (SCO) examination of the problematic source code, OpenTofu stated that HashiCorp was mistaken. "We believe that this is just a case of a misunderstanding where the code came from." OpenTofu maintains the code was originally licensed under the MPL, not the BSL. If so, then OpenTofu was perfectly within its right to use the code in its codebase...

[OpenTofu's lawyer] concluded, "In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this."

They picked the wrong project to try and bully.

[sg_oneill]

The Linux Foundation has its own lawyers, and their whole reason for being is IP law. This isn't going to end up like Hashicorp thinks it will, Open source law at this point is well established and clarified in legal precedent, not to mention hundreds of years of contract law precedent. If, as it seems, this was all previously MPLed code, Hashicorp haven't got a leg to stand on.

Re:

[Todd Knarr]

The code in question wasn't ever under MPL, it was added by Hashicorp after the license change. Which doesn't matter much, if you compare that code to OpenTofu's code the structural and cosmetic differences are obvious. Note that the articles only link to the code and don't actually show it side-by-side, probably in the hope that people will take the claims at face value and not investigate whether they're correct or not.

Re:They picked the wrong project to try and bully.

[SchroedingersCat]

Commits in question: Terraform [github.com] vs Opentofu [github.com]

Re:

[DamnOregonian]

More so, OpenTofu's implementation of the functionality is clearly based on the MPL licensed "moved block" code, structurally.
They needed a function, and they adapted it from MPL code. I get the feeling that HashiCorp didn't even an SCO analysis of the code in question, which is bizarre since it's freely available. What assholes.

Not copying, IMO

[Todd Knarr]

I compared the two sets of code mentioned. IMO the OpenTofu code is not copied from the Hashicorp code. There are structural differences that point to the OpenTofu code being independently written, along with the obvious differences in variable names and such. The claims seem to me to be a case of someone trying to smear a successful fork to keep it from gaining traction.

Re: Not copying, IMO

[dknj]

ChatGPT, take this code block and rewrite it in the style of a jr developer in college.

BRB going to plagiarize an entire application but make it look structurally different from the original writer

Re:

[techno-vampire]

...along with the obvious differences in variable names and such.

Changing the variable names is trivial and doesn't make any difference in how the code runs. What matters is changes in the structure and underlying logic. There's more than one way to do any task on a computer, and using the exact same way as the program you're accused of stealing is a great big red flag, especially to a jury of non-computer people.

Re:

[innocent_white_lamb]

There's more than one way to do any task on a computer
 
printf("hello world")
 
There's a different way to write that line in C (in a sensible and reasonable manner that someone would actually use)?

Re:

[techno-vampire]

Now you're adding arbitrary restrictions. Who said that it had to be written in C?

Re:

[innocent_white_lamb]

If the rest of the program is written in language X, would it be reasonable to add an new function to it written in a completely different language? You would use the same language the rest of the program is already written in, no?

Re:

[Todd Knarr]

There's usually more than one way to do it, yes, but more often than not there's only one or a very small number of "best" ways to do it and most competent programmers will immediately go for those. For instance, you can iterate through a list/collection type using indexes and a for loop but nobody's going to do that, they'll use an iteration construct (foreach loop or Each() method or an equivalent). Idiomatic code is a thing, and usually the concept makes sense to non-computer people.

Re:

[techno-vampire]

What method is best sometimes depends on what you know how to do, not which one is most efficient. I've seen cases where inexperienced coders, or coders whose only computer education was a coding school, have used bubble sorts on files large enough that more efficient sorts would be better simply because that's the only sort they knew.

Re:

[DamnOregonian]

The SCO agrees with this, and demonstrates it fairly conclusively.
OpenTofu's implementation was a modification of the "moved block" code, which was MPL licensed.

Best acronym ever

[Cronopios]

After the SCO vs. IBM lawsuit, Source Code Origination (SCO) probably is the best acronym ever!

Re:

[Opyros]

"SCO analysis" sounds like something you'd find on Groklaw, doesn't it?

Re:

[quantaman]

After the SCO vs. IBM lawsuit, Source Code Origination (SCO) probably is the best acronym ever!

I tried to propose a different approach but the working group for Nested Attribution Zone Investigation went in a really weird direction...

They got what they wanted

[simlox]

"Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this." That would seem to be the very purpose of the complaint...

Re:

[omnichad]

Just enough to make big companies think twice before using the open source option.

Re:

[Mononymous]

Why wouldn't it make them think twice before using the one with the restrictive license from the litigious company?

Re: They got what they wanted

[reanjr]

Doubtful. Why draw attention to a successful free fork of your product? It just makes Hashicorp look like a bad actor.

Interesting strategy

[caseih]

Let me get this straight. They develop open source software, later relicense the code under proprietary terms, pull all the former code from the internet, and then start suing people for using the open-source code downloaded earlier. As proof of wrong-doing they simply show their relicensed code which is, surprise, identical to the open source code. I sure hope any judge would immediately see the dishonesty. Maybe they are hoping scare tactics will be sufficient. This is certainly an interesting strateg

Re:

[caseih]

Nope I didn't get it straight. That's not the basis of this particular threat. Sorry for the noise.

Ehm...

[LordHighExecutioner]

In a detailed source code origination (SCO) examination

Please, could you use a different acronym ?!? It could evoke evil forces...

So if I read this right

[Revek]

As I see it. The forked commercial version of this project is suing the open source version for having added similar enhancements.
Seems like they will have a very hard time proving the code was stolen and not just similar due to a common design history with the same goals.

Re:

[vbdasc]

IANAL and IMHO, but HashiCorp doesn't have a strong case claiming that some OT code is copied verbatim from their proprietarily licensed repos, as others have stated. They may have a strong case somewhere else, though. They may claim that OT devs looked at their code (which, while not open source, can still be read) and then, using ideas from the code they read, wrote an OpenTofu counterpart. From the available sources, it seems that OT failed to use clean room design [wikipedia.org] technique that would make sure no copyr

Hashicorp are bullies

[BytePusher]

I caught wind of their bullying when I tried to help them fix an issue in Vault. They were actively discouraging contributions by claiming to have someone working on a small fix for three years in their internal issue tracking. Itâ(TM)s clear they are moving everything to a closed source model across the board. I don't know who wants closed source cloud tooling though

Re: Hashicorp are bullies

[reanjr]

Hashicorp was one of those vendors I rejected after reading their documentation for 10 minutes. I couldn't believe how convoluted seemingly basic shit was. It reeked of service contract money pit.

Re: Hashicorp are bullies

[dknj]

When they offered us a license for all of their products for like 100k I noped out of there. They will simply bait and switch and now youâ(TM)re stuck. And guess what they baited and are switching. Wait until they jackuo renewal rates by 1000%

Re:

[volcan0]

I am still sour about the TF Cloud "free tier" replacing the original free accounts.

Who wants closed source cloud tooling ?

[big-giant-head]

Pointy haired manager types who don't really understand the difference between the two.

"Zero" and "Percent" are the Liar's Tools

[BrendaEM]

I am not saying that they did anything wrong, but why use garbage words to protect a psyche from connecting a thought?

Saw this coming when they changed the licensing

[Kryptonut]

Greed. I'm glad they picked a fight with the Linux Foundation - Hashicorp will learn a harsh lesson from it.