HashiCorp: Is Open Source a Defect or a Feature?
Table of contents
“You have to keep learning if you want to become a great investor. When the world changes, you must change.” That’s right out of Warren Buffett’s annual letter which serves to both enlighten and update investors. Slow change is tough to monitor, and past beliefs must be challenged in order to anticipate the “creative destruction” that happens when systems change. That brings us to our long-held belief that open source is an advantageous business model for software companies to adopt. But what happens when open source starts to work as an advantage for the competition?
The Open-Source Movement
“Free software” doesn’t refer to kyping whatever goodies happen to be on your favorite file-sharing program. If you know what “warez” means (and how to pronounce it), you’ll remember the days of public-domain software which could be freely copied and used by anyone. Typically, these software programs were built by small groups of programmers whose communities supported them by reporting defects or suggesting future enhancements. When the community wanted to get more hands-on, open-source software emerged.
The source code is the DNA of a software program which developers can manipulate, provided they’re given access to it. Source code hosting facilities like GitLab (itself open source) allow multiple developers to collaborate on a single piece of software and the resulting efforts (including support, defect fixing, and enhancements) form an open-source software (OSS) solution. Since OSS can’t be owned by anyone since it’s free to use, how can a company built around an open-source business model make money? There are at least five ways according to the smart folks at Timescale:
- The support model, also known as the “RedHat” model, supports businesses deploying the project in production.
- Hosting means offering a fully managed version of your project, so users can spin up a remote server with the software in just a few clicks
- The restrictive licensing model creates a legal reason for users of open-source software to pay such that anyone using the software in production is highly incentivized to strike a commercial deal with the vendor.
- Open-core has quickly emerged as the most popular way for open-source companies to make money. The majority of the code base is open-source, while a smaller percentage (targeted at production or enterprise users) is proprietary.
- A hybrid licensing model which is the newest one on this list and resembles your typical freemium value proposition.
Most open-source companies will make money using a combination of the above five models which brings us to the topic at hand.
HashiCorp makes money by selling proprietary features on top of their open-source products that include collaboration modules, governance and policy modules, enterprise use cases, and premium support and services.
Credit: HashiCorp S-1
So, what happens when other companies decide to start using the same open source software to compete against HashiCorp?
From Open Source to BSL
Terraform (infrastructure provisioning product) and Vault (secrets management and data protection product) are HashiCorp’s most established products generating collectively over 85% of our revenues for each of fiscal 2023 and 2022. We’re not told what the breakdown looks like, but we’ll assume Terraform is a key component of their solution. So, some individuals were understandably flustered when HashiCorp moved to a Business Source License (BSL) for all their products. A detailed FAQ from HashiCorp says this change will not impact end users, integration partners, and commercial customers. However, “organizations providing competitive offerings to HashiCorp will no longer be permitted to use the community edition products free of charge under our BSL license.”
There are other vendors who take advantage of pure OSS models, and the community work on OSS projects, for their own commercial goals, without providing material contributions back. We don’t believe this is in the spirit of open source.
Credit: HashiCorp
Our last video on HashiCorp prompted numerous commentators who pointed to HashiCorp’s BSL migration as a potential problem. Indeed, 734 individuals and 148 organizations signed a manifesto asking HashiCorp to keep the open-source license. When Hashicorp didn’t respond, the group forked the source code so that you now have two versions – 1) the original for which nothing has changed and 2) the forked version (called OpenTofu) which will now remain truly open source. A number of OpenTofu supporters have committed to funding the cost of engineers to work on the project, and HashiCorp investors are now left wondering what this all means.
The BSL Backlash
Terraform has clearly been a useful tool as evident by the 4,217 paying customers they have. That number is down from 4,392 the quarter prior, meaning 175 customers no longer have active contracts. At the same time, the number of customers paying HashiCorp more than $100,000 increased by 21 this quarter, while net retention rate dropped from 127% to 124% (keep an eye on this). Each of these metrics implies something different, but collectively there’s nothing to be overly concerned about.
The BSL change is likely to lose them some customers, and we’ll assume that the 148 organizations that signed that manifesto won’t be customers of HashiCorp for much longer (if they were to begin with). A cursory look through the names listed on the manifesto doesn’t uncover any notable companies that might be spending large sums on HashiCorp’s platform, while the small number of objectors (148 organizations) would represent no more than 3.5% of their entire client base. Now you have two flavors of the same software package being developed concurrently, with the advantage going to the flavor that has more resources dedicated to it. That would be HashiCorp’s version.
What HashiCorp did isn’t new. An article by The New Stack spells out the history a bit more.
…this really started in 2018 when MongoDB and Redis Labs added new terms to their licensing agreements that restricted the ability to resell their code. Several others followed suit, including Cockroach Labs, Confluent, and Sentry. Notably, in so doing, Sentry created the Business Source License (BSL) that HashiCorp just adopted for Terraform.
Credit: The New Stack
Some familiar names can be found in the above list, and the logic behind not allowing your competitors to license a product you spend all your time working on makes sense. Understandably, many users viewed this as going against the entire open-source philosophy. As investors, we only have two main concerns.
- What’s the impact on current customers (if any)?
- Does the net effect of all this result in a bigger moat for HashiCorp?
HashiCorp weighed the pros and cons of this decision before announcing it on August 10th in an accompanying blog post. When they released Q2-2023 earnings three weeks later, full-year guidance was raised by 1% on the lower end, but the range narrowed showing their confidence is increasing.
Investors should hope that net retention rates stay above the 120% threshold while the year’s revenues come within the latest range the company provides.
A Second Opinion
Fintan Ryan covered HashiCorp as an industry analyst from 2015 until 2022, at RedMonk and then at Gartner. His blog post on The HashiCorp BSL Move provides a hot take from a subject matter expert that we can compare to our own findings. All of HashiCorp’s filings warn that it is “relatively easy for competitors, including public cloud operators, to enter our markets and compete with us,” while also acknowledging that “the open-source nature of their projects, and the community associated with them, is a key customer acquisition strategy.” In the past several years, a number of VC-backed startups have emerged around Terraform and “compete directly with Terraform Enterprise and build upon the opensource Terraform project.”
Ryan concludes that it’s “still too early to see how the move to BSL licenses will play out for HashiCorp. Parts of the Terraform community are clearly upset by the change, but it is also obvious that some are upset for very commercial reasons.” While he describes those who disagree as a “significant group,” he concludes that “when it comes to the definition of open-source, by far the largest group is those that don’t care.”
Conclusion
In software development, engineers who don’t want to fix a defect will simply call it a feature. That’s “as designed,” they’ll tell you haughtily in response to whatever BSOD has reared its ugly bug head. While the open-source community may see this decision as a defect, HashiCorp sees it as a way to deepen their moat and make it more difficult for competitors. While still it’s too early to tell, we’re not overly concerned with the contingent of objectors and hope this move will keep HashiCorp’s competitors at bay while they continue taking advantage of the multi-cloud movement.
Share
What’s the point of another article on Hashicorp in 5 months while other stocks have no updates for 2 years or more ?
The article addresses an important event that has Hashicorp investors understandably concerned. We use a variety of factors to determine which of the 460 stocks we cover to write about.
OK, now I see the article is quite interesting ..
BTW: I am surprised HashiCorp lost 30% of value since May (first Nanalyze article).
I have only a tiny position. so it is not a big problem.
Now the question is: is it a good idea to double the position now or not ..
However in this article Nanalyze does not provide info if it is bullish on HashiCorp or not.
We have to keep something private for Nanalyze Premium subscribers who are always alerted when we buy or sell stocks.