Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

Maybe you missed my last sentence. I've been hacking on and off for a couple years on a side project I'd like to monetize, to capture some of my value add, while also giving back. (It's sorta "if you build it they will come" at this point tbh so I don't necessarily expect it to work). My project is sort of "OSS platform as a service" only I just deploy it for you and teach you to run it yourself, while jumping on a call occasionally if you need SRE for it, and continuing to iterate on tooling as well as make PRs to the tools as it makes sense. Vault and consul (as a vault backend only) are components I've used for that (via cert-manager so they're replaceable tbh) and I'm no longer sure if that's viable.

And generally as a contributor to the vault codebase, however small, I'm not thrilled they want to capture more value from it themselves while not offering me a miniscule chunk of that.

The whole cloud provider argument really feels a lot like Displaced Aggression. You're probably punishing the people smaller than you a lot more than you are the billion dollar cloud providers who can afford both expensive lawyers and can very easily afford to fork your codebases as we see with OpenSearch vs ElasticSearch.



If so, you can check out Infisical (https://github.com/Infisical/infisical) as an open source alternative to Vault. The absolute majority of our codebase is licensed under MIT and we have no intentions to change that.

Disclaimer: I'm one of the founders.


I'll definitely check it out. That said, I'm starting to feel a lot more skeptical of the ability for even founders to manage stuff like this. I would say the same of my own OSS as a "founder," but if my company controls it in some way then I'm not sure there's a reasonable way for me to ensure that continues in perpetuity. At least not via a split model like a lot of these recent news stories have revolved around.

From what I've seen of Mitchell as well, at least in the past, I kind of doubt this is something he would have gone through with on his own.


I think the easiest way to manage it is essentially to do nothing. Accept open source contributions without a contributor license agreement and their copyright locks in future maintainers, yourself included. Extricating those contributions eventually becomes impossible without a cleanroom rewrite that is usually economically impractical and way too risky to a business with revenue.


This requires a copyleft license, and can be bypassed if all contributors agree to sign away their code to a company trying to relicense and monetize the code (as the Audacity contributors did for some reason).


> we have no intentions to change that

I suspect that Hashicorp would have said the same thing a couple years ago.


I am absolutely a huge fan of your company providing 30 minute walk throughs of the codebase for new contributors, I have never seen that before!


> The absolute majority of our codebase is licensed under MIT

What is not MIT licensed?

When you self-host, do you have access to every features for free?


But your contributions stopped being "your" contributions the moment you signed off on them being merged into the vault codebase. Why would they owe you anything when you already indicated you were cool with the fact that you didn't want anything in return by contributing?

This change protects the project from getting outright shut down because huge companies use it to extract value without some of that value going into guaranteeing the project stays supported. If you contributed to it, the minuscule chunk you get is "it keeps existing and you get to keep using it" instead of "this is not worth our time, we're sunsetting this".


I guess you can chalk that up to naivety on my part. I've always assumed there is a social contract on top of the CLA I probably signed, that the software I wrote would continue to be available and maintained via contributions from both the company and community. And since they very obviously benefit from a plethora of OSS themselves, including the language they've used to build their products and the platforms they undoubtedly run on.

I guess I'm always free to fork the codebase I care about under its current license and try to build a community around that. But I think we all know that's not as viable.

Anyway, I'll just be reconsidering my use of software open sourced by companies, I guess, regardless of how permissively it's licensed. The free lunches I thought we collectively agreed were awesome and ought to keep helping each other provide, are apparently ending as money gets tight.


Just because they have the legal right doesn't make it ethical, and even if someone makes the argument that it is ethical that doesn't change that it's a bit of a slap in the face to the open source community. You're allowed to be annoyed by this.


So, I don't understand -- had you known that this license change to prevent competitor use of their product, would you not have bothered to add the functionality you contributed?


No idea. I contributed 8ish years ago when vault was a significantly smaller project (it was 9mo old at the time) and IIRC there was nothing like hosted hashicorp back then. I just wanted to put into vault a CA keypair I used easyrsa to generate and that didn't work without a good deal more crypto plumbing, and I tried to make it a bit more futureproof while I was there. I had no real idea that 8 years down the road I would be tired of corpo life and tired of having to fight to contribute to OSS and might want to earn money in that sphere.

Today, absolutely. I would simply choose another piece of software to build on and contribute to. Or build my own if I thought something open enough and good enough didn't exist yet.


You can ask them to license vault to you under different terms, they go quite in-depth about this in their FAQ.

Don't know how much will come of it, but it is worth a shot.


> I've been hacking on and off for a couple years on a side project I'd like to monetize

OK so you want to use their software, make money off it, and give nothing back.

if thats the case, you cant do that any more. you can either stick to personal use, or purchase a commercial license from them.


Seems like you missed the part where I literally typed "giving back." Or that I literally contributed part of the hashicorp codebase, specifically vault. And it's been hard continuing to do that at $DAYJOB consistently, so I've hacked on a side project in my spare time (also open sourcing plenty of useful tools during that hacking) as a means to the end of eventually finding ways to keep giving back directly and teaching others to do the same.


with all due respect, unless "giving back" means giving them money, its probably not worth what you think its worth. I maintain some small projects, and most of the people "giving back" contribute such a tiny amount of code that its almost not worth mentioning.

that might not be your situation, but I know as a maintainer, in most cases I would much prefer a monetary contribution than a pull request. edit, 2015, ouch:

https://github.com/hashicorp/vault/commits?author=andrewstua...


> edit, 2015, ouch:

> https://github.com/hashicorp/vault/commits?author=andrewstua...

Not sure what you're getting at with your edit. I'll try to assume positive intent.

I maintain quite a few projects as well, also pretty small. Code to me means a great deal more than a small amount of money. The money is nothing compared to what I've made in my career thanks almost entirely to the code that exists publicly and my ability to run and modify it as needed to learn. I am glad to get code because it tells me something is useful enough for someone else to bother, which to me is what giving back is all about.


> The money is nothing compared to what I've made in my career

right, but thats not the case for everyone. you have been fortunate, but for many they cant even pay their bills with the tiny donations that come in. hence why the need arises for a license like this. to force people to either go away, or pay up.

as you've noticed, its not ideal. in a perfect world I would license my code without restriction, but I need to pay rent like everyone else.


Imagine that someone see your open-source code and creates a competitor product by assimilating it... Imagine that this entity is much bigger than you even...

I don't think you'd be happy, would you?

I know I wouldn't be... :-)


People downvote but from a strategic point of view it makes no sense at all.

It's all good because usually open-source is an investment for bigger companies that they can recoup somewhere else.

But for small-players, it makes absolutely no sense to create a business and also make it easy for competitors to compete or even for competitors to appear.

But people probably realize that otherwise there wouldn't be so many debates.

Who funds open-source? (not talking about source-available but the most permissive Open-Source licenses)


Like Free bad?


Should be FreeBSD, damned Auto correct




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: