Update for Chainguard Images users on HashiCorp license changes
TL;DR
Paying Chainguard Images customers will receive six extra months of security patches to the MPL-licensed HashiCorp tools from Chainguard, free of charge.
All users will have access to the BUSL-licensed versions soon, as well as a community fork when it emerges.
On Thursday, August 10, 2023, HashiCorp announced that it was switching its products from the Mozilla Public License (MPL) v2 to a “Business Source License” (BUSL). In this blog post, we’d like to address how this impacts Chainguard Images customers and open source users.
Why is the new HashiCorp license important?
BUSL 1.1 includes language that blocks users from providing competitive services built on the BUSL-licensed code. HashiCorp’s announcement stated “Vendors who provide competitive services built on our community products will no longer be able to incorporate future releases, bug fixes, or security patches contributed to our products.” We highly recommend reading the HashiCorp blog post and associated FAQ for more context.
So what is changing?
Chainguard does not compete with HashiCorp open source or commercial products, but we do offer hardened container image versions of their popular open source images, including Terraform, Vault and Consul, in our Chainguard Images catalog. All of our Chainguard Images are based on Wolfi, the community un-distro, which means they’re hardened by default, a fraction of the size, and aim to meet our standard zero-known CVE SLA through daily updates and patching.
At the time of writing, our images are 22% smaller and contain zero CVEs, compared to the two in the upstream version.
Public Users
In order to comply with the BUSL 1.1 license adoption for all HashiCorp products, Chainguard will no longer provide new BUSL-based HashiCorp images for free in the Chainguard Images public catalog, effective immediately. The latest version available for download will be the last version of the binaries released by HashiCorp under MPL (Vault v1.14.1, Terraform v1.5.5 and Consul v1.16.1).
HashiCorp will continue to provide security updates to the MPL-based codebase until December 2023. Chainguard will maintain those patches in the available versions of Chainguard Images.
If your team has made the decision to move ahead with the BUSL change and is interested in continuing to use the tools, we’re working to make them available from a location outside of the Wolfi distribution. We will share more details on this in the coming weeks.
Customers
For existing customers who rely on Chainguard for hardened, secure-by-default Images for HashiCorp products, we will continue to support and maintain them by providing patches to MPL-based images for as long as HashiCorp provides security updates.
Chainguard will continue patching and fixing CVEs in these MPL-based images for the next six months. During this time, we will work with our customers to determine the best course of action for their workloads and work with them to transition to the best alternative.
What the fork?
On August 25, a group of companies and community projects announced it was developing an open source fork of Terraform, called the OpenTF project. The group has stated that they plan to become part of the Linux Foundation with the end goal of having OpenTF as part of the Cloud Native Computing Foundation (CNCF). As a result of these decisions, the fork has not yet been released and we do not have a solid understanding of the timeline for when this project will be made available for use. Once the fork is released, we will ship that fork as part of Wolfi. For more information please reach out via support@chainguard.dev.