HashiCorp's New BSL License – What Changed?
- Vlad Matsiiako
HashiCorp, the company known for creating developer tools like Vault, Terraform, and Nomad, has recently made a big announcement. As reported in the company blog today, it is giving up its previous MPL 2.0 (Mozilla Public License v2.0) in favor of a more restrictive BSL v1.1 (Business Source License, also known as BUSL). In other words, as explained in the official statement, HashiCorp does not consider itself an open source company anymore. Instead of "open source", they will start calling this version of their product "community".
After this announcement, we have had many companies reaching out to Infisical with intentions of moving away from HashiCorp's products. For this reason, we decided to write this guide and answer the most common questions.
What is BSL v1.1?
The Business Source License (BSL) offers an alternative to both closed source and open source licensing approaches. With BSL, the source code is accessible to the public (also known as "source available"). Non-production usage of the code remains free, and the licensor has the option to provide an Additional Use Grant, permitting production use with specific limitations. Importantly, the source code is guaranteed to transition into an open source status at a designated point in time. This transition occurs either on a specified Change Date or upon the fourth anniversary of the initial public release of the code under the BSL, depending on which event comes first. This automatic transition leads to the code becoming accessible under the Change License. Presently, HashiCorp's projects are governed by the MPL 2.0 as the Change License.
Note: BSL v1.1 (Business Source License) should not be confused with the Boost Software License, which is much more permissive and enforces few restrictions beyond requiring that the same license appear with all copies [including redistributions] of the software source code.
When can you use HashiCorp products for free?
All non-production uses are permitted. All production uses are allowed other than hosting or embedding the software in an offering competitive with HashiCorp products or services.
What is considered a competitive offering?
HashiCorp is being particularly vague about this, not naming exact scenarios of non-competing use cases. As for their definition, a competitive offering implies:
"a product or service provided to users or customers outside of your organization that has significant overlap with the capabilities of HashiCorp’s commercial products or services."
At first glance, this might sound completely innocent. However, as Sid Sijbrandij, co-founder and CEO of GitLab, pointed out, company scopes change: what might not be competitive right now may become competitive in the future if HashiCorp decides so. Not having particular use cases specified by HashiCorp leaves them a lot of wiggle room for the future. This is a risk that a lot of companies are not willing to take. In fact, historically, many companies have internally outright banned similar licenses such as SSPL.
Even worse, imagine your company has a freelancer who sets up and maintains Vault or your infrastructure through Terraform. Now, this person is officially considered a competitor to HashiCorp because HashiCorp offers paid professional services too.
It should be noted that this change affects only future releases of HashiCorp products. There have been examples of companies that have decided to freeze their versions of HashiCorp products (e.g., Rivet) – these versions will still be under the previous MPL 2.0 license.
If you are looking for alternatives to HashiCorp Vault, you may find this article on the best secret management tools in 2023 helpful.
Infisical is an open source alternative to HashiCorp Vault. The main difference is that Infisical provides multiple tools inspired by the security shift left trend. For example, outside of all the traditional secret management features, you are able to perform secret scanning and continuous secret leak prevention. On top of that, Infisical provides automatic integrations with services like GitHub Actions, Vercel, and other secret managers, while giving a simple dashboard, CLI for auto-injecting secrets based on permissions, and much more! You can find the full comparison of Infisical and Vault here.