HashiCorp closes a door

Today: inside HashiCorp's decision to stop providing software under an open-source license, why a different kind of chip was the talk of Black Hat in Las Vegas this week, and this week's enterprise moves.


Turn out the lights

"Open source has always played a critical role in infrastructure software and that trend has recently only accelerated," HashiCorp's founders wrote in their 2021 IPO prospectus. Less than two years later, that trend is heading in a different direction.

HashiCorp announced Thursday that it is switching the license that governs the use of eight open-source projects under the company's wing from the Mozilla Public License to the Business Source License (BSL), a so-called "source available" license that does not meet the traditional definition of open source as described by the Open Source Initiative. Under the BSL, users of HashiCorp projects like Terraform and Vault will be able to view and modify the source code associated with those projects but will not be allowed to use the code as part of a commercial service that competes with HashiCorp's commercial versions of those projects.

  • "Given the sort of capitalistic incentives these other companies have, I don't think asking them politely is going to change their behavior," said Armon Dadgar, co-founder and CTO of HashiCorp, in an exclusive interview with Runtime.
  • But capitalistic incentives also powered a generation of open-source enterprise infrastructure companies.
  • As noted in HashiCorp's IPO letter, releasing software under permissive open-source licenses was almost standard practice over the last decade among enterprise tech startups.
  • They hoped to encourage developers to kick the tires on interesting technologies they wouldn't have otherwise paid to try out and then sell support contracts and additional services to those developers once they realized the software could play an important role in their tech stack.

Those days appear numbered. It's becoming clear that the romantic notion of community-supported software simply does not work the way it used to in the modern cloud-centric enterprise tech landscape, and changes are coming.

  • "One trendline has more commercial open-source vendors, most typically single-entity projects rather than collaboratively developed efforts, moving away from open-source licenses," wrote Stephen O'Grady, principal analyst and co-founder of Redmonk, in an email interview.
  • "On the other hand, many open-source foundations continue to expand the number and reach of their open-source projects," he wrote. "But at a minimum, we're likely to see more complicated mixes of noncompete licenses each with varying restrictions that are incompatible with one another."
  • Open-source purists often point to the benefits of a community-driven approach to building software, but for many companies — including HashiCorp — creating open-source software is an internal affair.
  • More than 95% of the code in a new release of one of the eight projects under HashiCorp's wing was written by HashiCorp employees, Dadgar estimated, and he said that trendline dates back to its earliest days.

Still, by deciding to restrict the use of the code that helped make Dadgar and his co-founder Mitchell Hashimoto billionaires at the time of its IPO, HashiCorp is closing one chapter of its history and perhaps ending an era when releasing software under open-source licenses was a given part of an enterprise tech startup's product strategy.

  • Dadgar believes that keeping the source code available, as opposed to completely closing it off, provides operational and security benefits for users, which Redmonk's O'Grady seconded.
  • But there are obviously commercial motivations behind HashiCorp's decision, with revenue growth declining over a rough 12-month period for enterprise tech in general and its stock down 67% since its 2021 IPO.
  • "If your competitors are commercializing your IP, you either stop giving it to them by not making it open, or you stop giving it to them by changing your license," Dadgar said.
  • "We're not the first and we're not the last (to make this move)," he said. "And I think that trend is going to continue; there's this sort of fundamental problem that sits at the heart of open source, which is there's a bit of a tragedy of the commons here."

Read the full story on Runtime here.

Count your chips

This week the security community descended on Las Vegas (so lovely this time of year) for the annual Black Hat and Defcon conferences, and chip companies were front and center. Separate vulnerabilities bearing a resemblance to the Meltdown/Spectre fiasco of 2018 were unveiled affecting both Intel and AMD server chips.

Ars Technica had a good summary of the problems outlined by the Downfall (Intel's chips) and Inception (AMD's chips) vulnerabilities, and both companies have already released patches. The two vulnerabilities take advantage of a flaw in the speculative execution technology used by most modern chips to speed up performance, which was also the target of the vulnerabilities from five years ago.

As with Meltdown and Spectre, the patches could impact performance for workloads that took advantage of certain instructions in those processors, but insecure servers are bad too. Cloud providers appear to have already applied the mitigations to their servers, and the good news is that the most recent generation of Intel processors is not affected by this flaw.

Enterprise moves

Tarek Robbiati is the new CEO of RingCentral, replacing Vlad Shmunis, who will become executive chairman.

Ankur Jain is the new head of Google Cloud's telecom business, assuming the role after a long career at Google leading its Loon and content-delivery network projects.

James Whitemore is the new chief marketing officer at Celigo, an integration-platform-as-a-service company.

The Runtime roundup

There was a fair amount of security news this week: Rubrik announced plans to acquire Laminar, a cloud security startup, for about $100 million according to CRN's Kyle Alspach.

Check Point bought Perimeter 81, a network security company, for $490 million.

Rapid7 will lay off 18% of its workforce despite hitting analyst expectations for revenue and profit during the last quarter.

Slack unveiled a major redesign that more than a few people noticed bore a striking resemblance to Microsoft Teams.

Thanks for reading — Runtime is off camping again this weekend, this time in the Mount Hood National Forest — see you Tuesday!
