finos / compliant-financial-infrastructure

Compliant Financial Infrastructure accelerates the development, deployment and adoption of services provided for AWS, Azure and Google in a way that meets existing regulatory and internal security controls.
Apache License 2.0

Change to TF License #347

Open AdrianHammond opened 11 months ago

AdrianHammond commented 11 months ago

Support Question

I have been with @mcleo-d today and we were having a discussion on whether the change to the HashiCorp license, moving to the Business Source License from GPL, impacts CFI. James's recommendation was to check with FINOS legal. Ahead of me doing that I wanted to check your views @eddie-knight @abdullahgarcia

Thanks Adrian

eddie-knight commented 11 months ago

Sounds like a good course of action!

AdrianHammond commented 11 months ago

Email sent to the FINOS legal team; I have cc'd @mcleo-d @eddie-knight @abdullahgarcia

eddie-knight commented 11 months ago

@AdrianHammond @abdullahgarcia

LF Legal is investigating this to take an official stance right now, but there are a few points to discuss in the open as we continue to consider this.

  1. The language provided by Hashicorp appears to be intentionally unclear, as it leaves many critical things undefined (especially the language "embed or host"). It is left to Hashicorp to interpret, and many companies are going on record with concern about whether the interpretation will fluctuate over time.
  2. The documented intent of CFI is to provide policies, infrastructure as code, and validation tooling. The second pillar currently includes some ansible and terraform resources.
  3. There is not currently any risk introduced by the terraform we have currently created (such as https://github.com/finos/terraform-aws-cfi-eks) but there is concern that any maintenance will bring the modules beyond Terraform v1.5.5 and thus subject us and our users to the whims of the BUSL enforcers.
  4. This may be a moot point entirely, irrespective of the license topic. We do not currently have a large contributor base or consumer base for the IaC resources, following the withdrawal of Hashicorp and Codethink from the project. With the creation of CCC, we hope that technology providers will begin creating their own compliant infrastructure and certifying it through the CFI validator.

Considering the aforementioned, I propose that we make all Terraform repositories private for now. Then, we can make any further decisions later based on what we learn in the coming weeks.

abdullahgarcia commented 11 months ago

@eddie-knight

Let's make all Terraform repositories private for now and take action after the "mud" has cleared.

AdrianHammond commented 11 months ago

I agree

eddie-knight commented 11 months ago

Here are the following repositories that we'll be making private: