Page MenuHomeDevCentral
Create Task
Maniphest T1938

Non open-source infrastructure software policy
Open, WishlistPublic
Actions

Description

All the code written by Nasqueron is open source. Same for all the software we used in the past. But now, with Sentry then Vault switch to a closed source license, situation has evolved.

There is no policy inside the Operations SIG about the kind of software we can install on our infrastructure.

Do we want to restrict it to only open source? If so, what we use to replace Sentry and Vault?
What about VMWare ESXi used as hypervisor?

Chapter I. The not-open-source-anymore software

Redis, Sentry and Vault are currently installed on our infrastructure.

No more open source

Those products were open source at first:

  • Vault uses BSL with 4-years-lag translation to MPL.
  • Sentry used BSL, now switched to FSL, with 2-years-lag translation to Apache 2.0. The FSL has been imagined as a response to BSL critics to only restrict the use by competitors.
  • Redis is released under SSPL, a derivative of GPLv3 with provisions to publish source code for SaaS providers, without any translation to an open-source license. BUT Redis 8 is back to AGPLv3.

Those new licenses are NOT open source, only make their source code available.

Forks

As software widely used in infrastructures, both have been forked from the last open source code:

Vault has been forked by IBM / OpenFoundation as OpenBAO, but primarily to be used as part of the Open Horizon stack: https://github.com/openbao/openbao/tree/development starting back from Vault 1.14.1 source code. No release currently.

Some Wikimedia teams (but not for MediaWiki errors itself) use a reimplementation of Sentry called GlitchTip, https://glitchtip.com/

ValKey is a fork of Redis, maintained by one of the main Redis developer. Alternatively, we can now upgrade to Redis 8.

Finally, we already use OpenSearch, the Elastic fork for that reason.

Chapter II. Hypervisor

VMs have always been hosted on VMWare ESXi hypervisors. With few machines, a full OpenStack deployment is illusoire. Yet, this hypervisor is NOT open source neither.

Chapter III. The open source you can't distribute (RHEL)

RHEL downstream is used for production Docker engine, while the upstream CentOS Stream is used for development Docker engine.

Red Hat absorbed then killed CentOS, has been bought by IBM and now forbid to redistribute their packages sources to fight the RHEL downstreams.
GPL requires to provide source code with the binaries, the Red Hat position is it's legal to forbid further redistribution.

Do we accept that?

If not, our options are:

  • keep our Docker engines to CentOS Stream / Rocky
  • move to another OS, Debian or a containers-optimized OS

If so, as an open source project, we can have RHEL licenses for our infrastructure, so there is no reason not to directly use it. See
https://www.redhat.com/en/blog/extending-no-cost-red-hat-enterprise-linux-open-source-organizations.

Out of scope questions

This discussion is about our servers infrastructure, as managed by the Operations SIG.

Some questions could be of merit but are out of scope in this discussion:

  • The licenses of the content hosted on the services hosted on the servers
  • The development server and shellserver user content, which are in several cases a mix of open source and personal stuff

Related Objects

Event Timeline

dereckson created this task.Jan 6 2024, 17:53
dereckson updated the task description. (Show Details)Jan 10 2024, 22:23

Added RHEL question.

dereckson updated the task description. (Show Details)Jan 10 2024, 22:30
dereckson mentioned this in T1945: Deploy a simple Nagios or Naemon to have a reference implementation.Jan 16 2024, 23:40
dereckson moved this task from Backlog to Nasqueron Operations SIG on the discussion board.Aug 4 2024, 17:24
dereckson triaged this task as Wishlist priority.Aug 4 2024, 17:35
dereckson updated the task description. (Show Details)Sep 26 2024, 18:13

Added Redis to the list, with the ValKey fork supported by the Linux Foundation.

dereckson mentioned this in T2040: Supersede Vault by OpenBao.Oct 3 2024, 15:21
dereckson mentioned this in T1762: Deploy NetBox.Oct 27 2024, 01:13
dereckson added a comment.Thu, Sep 18, 22:36

AGPL

AGPLv3 is an open source, we don't see any objection to it.

  • Redis 8 is relicensed under AGPLv3
  • Same for ElasticSearch and Kibana, without clear view of what that means "for a subset of Elasticsearch and Kibana source code". Current role uses OpenSearch.
  • Grafana itself was always open source, but switched from Apache License v2.0 to AGPLv3 in 2021.

Still non open-source

Sentry itself and HashiCorp products are still released under source available, non open-source licenses.

dereckson updated the task description. (Show Details)Thu, Sep 18, 22:38
dereckson updated the task description. (Show Details)
dereckson added a comment.Fri, Sep 19, 01:03

We're testing OpenTofu and Terraform. We've a problem with providers: opentofu registry doesn't compile everything for FreeBSD...

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator