DevOps platform company Perforce is forking Puppet, the open-source configuration management technology it acquired in May 2022. Fondly thought of as a core DevOps function by those who value its infrastructure-as-code capabilities, Puppet enables engineers to see the “context of changes” in any given codebase and view their impact on infrastructure before applications go into production.
Perforce’s own press portal continues to concentrate on its main platform developments (the company has recently achieved a new ISO certification for its Helix Core version control platform). However, this development has been flagged on the Puppet blog and by external practitioners and commentators.
According to GitHub member Antoine Beaupré, also known as Anarcat, “Perforce will stop producing publicly available binary packages [of Puppet] and will stop publicly distributing the source for that software. They claim to not change the license of the software, but that’s really an insignificant detail because, effectively, the source code for Puppet, as produced by Perforce, will no longer be publicly available.”
Disgruntled Anarcat notes that Perforce (in town hall meetings with the developer cognoscenti) has encouraged software engineers to maintain the community and open-source versions of Puppet.
Hardened Puppet To Come
The Puppet Labs license will remain Apache 2.0. However, Perforce has also noted that it will move hardened Puppet releases to a new location and slow down the frequency of source code commits to public repositories.
For completeness here, Puppet has been offered in two forms for some time now and the commercially supported Puppet Enterprise version has always been built on top of the Apache open-source code base.
“In early 2025, Puppet will begin to ship any new binaries and packages developed by our team to a private, hardened and controlled location. Our intention with this change is not to limit community access to Puppet source code, but to address the growing risk of vulnerabilities across all software applications today while continuing to provide the security, support and stability our customers deserve,” blogged Tzvika Shahaf, VP of product management and David Sandilands, community and developer relations lead & principal solutions architect, both at Puppet by Perforce.
Why Change Now?
Perforce Puppet directors have further noted that the enterprise team will continue to look for and drive “points of collaboration and ongoing communication” with the community as it now looks to create longer-term demand and confidence in the Puppet ecosystem, all of which Perforce promises will still benefit community versions. The changes themselves have come about due to high-severity vulnerabilities with upstream impacts that are typical of many open-source projects.
“In the summer of 2024, we experienced and mitigated a potential misconfiguration in some of our GitHub repositories. OSS security risks are a growing concern and we are putting these controls in place to increase security hardening and stability for Puppet downstream. Our intention is to provide the support and stability our customers deserve. Security risks will only increase as platform automation complexity grows, and we need to harden our processes and systems for safety,” confirm Shahaf and Sandilands.
Looking to the future of the enterprise edition of Puppet, the team envisages a degree of reimagining with the use of AI; failure to do so would not sit in line with the wider AI hypecycle currently pervading the industry. It will also expand the functionality for multi-cloud use cases and introduce the next generation of platform automation, desired state and compliance with Puppet.
It’s clear that the community would like to keep hold of the name, although LibreOffice has arguably done well under its new moniker. There is a suggestion here that the new open-source Puppet is not able to make use of the word puppet in any form, so the already created GitHub repository known as OpenPuppetProject will have to be renamed.
New Name Nominations
Community discussion over a new name for open-source Puppet has thrown up suggestions including OpenDCM (Open Declarative Configuration Manager in full), Manikin (a twist on the word mannequin), Dolly, Openvox and the surely very appealing Muppet.