November 7, 2024

Our Plans for Open Source Puppet in 2025

In early 2025, Puppet will begin to ship any new binaries and packages developed by our team to a private, hardened, and controlled location. Our intention with this change is not to limit community access to Puppet source code, but to address the growing risk of vulnerabilities across all software applications today while continuing to provide the security, support, and stability our customers deserve.

We want to provide transparency around these choices to help you understand how they impact your use of Puppet. This post will provide clarity on what’s changing in early 2025, why we’re making these changes now, and what won't change.

What’s Changing?

In early 2025, Puppet will begin to ship any new binaries and packages developed by our team to a private, hardened, and controlled location.

Community contributors will have free access to this private repo under the terms of an End-User License Agreement (EULA) for development use. There will be no license changes for the open source version of Puppet.

Puppet users will continue to have full access to Puppet source code in the same location available today, under the current Apache 2.0 license.  

The new development license is an EULA that allows developers free access to our hardened Puppet releases (up to 25 nodes). Capacities higher than 25 nodes will require a Puppet Labs Support Commercial License. We will share more details on this new license option in early 2025.

What's Not Changing?

You may have seen other companies attached to open source projects taking steps similar to the ones explained here. But we're taking a different approach than some of the companies that have gone through similar changes.

To that end, we want to be very clear on what is NOT changing about Puppet when these changes go into effect in 2025. 

OSS License

The Puppet Labs license will remain Apache 2.0, one of the most permissive open source licenses in use.

Community Engagement and Support

Perforce will continue to engage with and invest in the Puppet community. We’re also reinforcing our support with a number of key investments:

  • We’re setting up an Ecosystem Advisory Board (EAB) to gather information and feedback on the evolution of Puppet. 
  • We’ll be reaching out to community leaders to create dialogue about how we can continue to support each other and grow together. 
  • We’ll also be continuing the conversation in-person with community events. 

These efforts will continue to be led by Puppet Community and DevRel lead David Sandilands.

Forge and Module Content

The Puppet Forge and module content hosted there will remain freely available. 

We'll continue to support the Forge as the Puppet community’s go-to resource for discovering, downloading, updating, and sharing Puppet modules and content. 

OSS Contributions

Perforce development teams will continue to support Puppet Labs. 

We will release hardened Puppet releases to a new location and will slow down the frequency of commits of source code to public repositories. 

Developer Access

Community developers will continue to have access to binaries and packages for development purposes under a new developer license (EULA).

Security Standards

Perforce is guided by a commitment to maintaining the highest standards of security for our products and our customers.

Why are These Changes Happening Now?

Changes like these deserve context. To give you an indication of our thought process, here are a few major factors that contributed (and continue to contribute) to our decision to change the way Puppet-developed binaries and packages are committed.

These Changes Ensure Security & Stability for the Long Term

First, like many OSS projects, Puppet has been susceptible to high-severity vulnerabilities with upstream impact. In summer 2024, we experienced and mitigated a potential misconfiguration in some of our GitHub repositories. OSS security risks are a growing concern, and we are putting these controls in place to increase security hardening and stability for Puppet downstream. Our intention is to provide the support and stability our customers deserve.

Security risks will only increase as platform automation complexity grows, and we need to harden our processes and systems for safety. Given this and the size and scope of our team, we knew something had to change in our current internal processes around open source contributions if we want to continue to innovate while maintaining compliance and security.

These Changes Help Puppet Adapt to the Changing Infrastructure Management Landscape

The landscape of infrastructure management is rapidly evolving. In today’s IT environments, flexibility, scalability, and automation are paramount. Traditional systems and processes are no longer enough to meet these dynamic demands.

As a team of engineers and builders, we need to prioritize innovation and accelerate the delivery of our product direction. One of the ways we know we can do that is by reducing the frequency of commits to open source code. This shift will help us focus more on innovation in a rapidly changing market.

Our technology team will use that focus to invest in projects that drive innovation and accelerate our product vision without sacrificing the stability or security of our commercial offerings. Key areas of investment include reimagining Puppet with the use of AI; expanding the functionality and innovation for multi-cloud use cases; and introducing the next generation of platform automation, desired state, and compliance with Puppet.

What Now?

These changes will happen in early 2025. As we get ready to roll them out, we’re committed to working closely with the Puppet community to gather questions and provide more details on how these updates could impact your usage of Puppet.

If you have questions on these changes, you can reach out to us directly at puppet-community-questions@perforce.com.
