On April 3rd, we received a Cease and Desist letter from HashiCorp regarding our implementation of the “removed” block in OpenTofu, claiming copyright infringement on the part of one of our core developers. We were also made aware of an article posted that same day with the same accusations. We have investigated these claims and are publishing the C&D letter, our response and the source code origin document resulting from our investigation.

The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp’s BSL code. All such statements have zero basis in facts.

HashiCorp has made claims of copyright infringement in a cease & desist letter. These claims are completely unsubstantiated.

The code in question can be clearly shown to have been copied from older code under the MPL-2.0 license. HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments which indicate this.

Documents

To prevent further harassment of individual people, we have redacted any personal information from these documents.

Conclusion

Despite these events, we have managed to carry out significant development on OpenTofu 1.7, including state encryption, “for_each” implementation for “import” blocks, as well as the all-new provider-defined functions supported by the recently released provider plugin protocol.

On that note, we will be releasing a new pre-release version next week, and we are eager to gather feedback from the community.

— The OpenTofu Team


The image in this blog post contains code licensed under the BUSL-1.1 by HashiCorp. However, for the purposes of this post we are making non-commercial, transformative fair use under 17 U.S. Code § 107. You can read more about fair use on the website of the US Copyright Office.

  • hydroptic@sopuli.xyz
    link
    fedilink
    arrow-up
    54
    ·
    edit-2
    7 months ago

    I’ve run into this problem with many open source projects. It’s sometimes really hard to find out what the hell something actually does based on just the project’s own pages. It took a while for eg. join-lemmy.org to actually describe what Lemmy is, for example, instead of just going on about it being open source and secure and federated and blah.

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      edit-2
      7 months ago

      That’s just a classic issue with most tech people: they either forget or don’t know how to adjust their speech for a different audience than themselves. Often they don’t even comprehend just how much “common knowledge” isn’t actually common outside their social spaces.

      Then there’s some that are deliberately refusing to help uninformed people understand, or are even outright hostile to them.

      • hydroptic@sopuli.xyz
        link
        fedilink
        arrow-up
        5
        ·
        7 months ago

        Yeah I really don’t know where hostility against newbies (actual or perceived) comes from in nerd circles. It’s been like this for as long as I can remember, and I’ve been eg. using Linux from the late 90’s and fucking around on the Internet for over 30 years now. At least things are way better than they used to be, but it’s still sometimes a bit of a bumpy ride

      • SorteKanin@feddit.dk
        link
        fedilink
        arrow-up
        4
        ·
        7 months ago

        Often they don’t even comprehend just how much “common knowledge” isn’t actually common outside their social spaces.

        I see this literally all the time in the documentation that my coworkers write. I think it’s kinda wild. Like do people really not have this self awareness? Or am I just as bad without realizing it? That’s what scares me.