The impact from this is way wider than initially thought: this is sending ripples across the whole tech sector!
A thread that may or may not be a bit paranoid / anxiety-powered 🧵
1/22
twitter.com/HashiCorp/status/1689733106813562880
TL;DR: this was initially perceived as a supply chain attack. It's (debatably) not that, but the concerns it created will persist. I think we'll see some interesting consolidation and some fundamental architectural changes in the next cycle. I could be wrong tho 🤷
2/22
Proving yet again they are terrible at actual business, HashiCorp posted the blog post announcing the license change, they posted a FAQ, and then they went silent.
Impact and restrictions are still not clear. Folks using any HashiCorp OSS legitimately panicked.
3/22
Panic like "Shit, we have a team that offers hosted Vault to internal teams and business groups. They can't do that anymore because the new license doesn't allow for it. Maybe? Maybe it's allowed? Fuck, migrating off Vault is a multi-year effort, how will we survive?!"
4/22
Panic like "Fuck, all our infrastructure is built and managed using Terraform. Because HashiCorp is terrible at building actual products, we use Spacelift. Can we not use that anymore? Are they impacted? Does this mean we can't do any infrastructure changes anymore?"
5/22
Panic like "Damn, we were forced to fork Terraform due to upstream not wanting or not having resources to review changes that were critical to us. We can freeze the code but now we have to maintain a full project? Is that even legal? Migrating to another IaC would kill us"
6/22
Panic like "Holy anus, we run global jobs for customers and we use Nomad as an orchestrator. That's technically also offered as a managed service by HashiCorp so we now have to pay them a ransom? How much is it and how does it compare with the costs of migrating to k8s?"
7/22
Panic like "Bugger, the US branch of our company builds AMIs using an internal Packer pipeline that's built and maintained by the EU branch. The branches invoice each other. We built and contributed like 50 massive features and now we have to pay HashiCorp to run Packer?!"
8/22
Folks legitimately considered opening up incidents.
Folks legitimately brought in lawyers who were just as confused.
Folks legitimately don't know if they'll have to ruin their whole roadmap because they'll now have to work on eliminating any and all HashiCorp products.
9/22
Sure, there were other license changes in the past (Mongo, Elastic) but those were more focused.
Then Docker changed its license and pricing. That was shocking and impactful (with like a half-year grace period) but it was written off by most as a one-time-weirdness.
10/22
Now HashiCorp is joining the trend and changing licenses in the worst way possible.
This affects multiple highly-popular and critical projects.
This is done with immediate impact, without any advance notice or grace period.
This is somewhat ransom-y.
This is different.
11/22
I won't talk about HashiCorp's business failures here. I won't talk about open-source failures and sustainability. I won't talk about revenue models here.
I won't talk about many things because there are people wiser than me covering that!
12/22
What I will talk about is the fact that this is now officially a trend that can't be ignored: any single-vendor open-source dependency can now suddenly disappear.
There's now a new tech ecosystem with new rules. Businesses have to adapt to this new reality.
13/22
A lot of tech execs are looking at their dependencies now. A lot of architects are terrified of the implications and thinking about how this will impact both existing systems and new systems. A lot of product, sales, and marketing people are 🤯.
The future got blown up.
14/22
Considering the rise of ████ ██████████ ███████ ██ ██ ███ █████, the ███████ █████████████ ████ █████████, and the disappearance of easy VC money... I think we'll see some consolidation and light feudalism.
15/22
I think this is the last drop in the sustainable software drama. I think this is a view into how complex tech supply chains are.
I think we'll soon have some very different development approaches and some wildly divergent architectures.
But I don't wanna expand on those here
16/22
I think that any open-source project that's 1) not under an independent foundation and 2) that's not supported by multiple vendors will be seen as a huge risk.
Folks will be very reluctant to use any such projects and that will create some scary dynamics.
17/22
This is already a concern for big corps; see for example AWS' Karpenter and how Azure really wants to implement that too but they can't implement it until it's out of AWS and into the neutral CNCF.
Now *everybody* will care about this!
18/22
We all joked that every single startup and every single OSS project wants to donate itself to CNCF, but that is CNCF's role: to be a neutral foundation that enables different companies to collaborate on open-source projects.
That's a heck of a lot more critical now!
19/22
"Why use open-source project X from company Y if in 2 years they'll decide to blackmail us into paying them 💰?"
"Why allocate dev time for work on open-source project X when all that effort will be stolen by company Y since they own X?"
... and so on.
20/22
It's fuzzy, but I think we'll see a bunch of changes.
Some will be good, like more paying vendors for support guarantees.
Some will be bad, like "AWS X sucks, but at least they won't pull the rug from under me so I'll use that and not even consider other vendors".
21/22
I didn't expect this and I certainly did not expect this to ripple so much throughout the whole tech ecosystem.
22/22