Post-Mortem: OpenTaco using code from OTF without attribution
On September 24, 2025 we introduced Project OpenTaco in a reddit post (now removed by moderators). Then leg100, the creator of OTF - a project that we highly respect and look up to - pointed out in the comments that some of the OpenTaco code was copied from OTF. This is true; this is not OK and should not have happened - especially without attribution. What follows is a post mortem on what happened and steps we are taking to address the concern.
Chain of events
- August 23 - OpenTaco project is started initially as a PR#2110 in the main Digger repo. Never merged because a decision is made to continue in a separate internal repo, mainly for ease of development.
- August 27 - project moved to the diggerhq/opentaco internal repo (now made public) using
git filter-repotool to preserve commit history - September 4 - PR#7 in the opentaco internal repo introduces “stub TFE endpoints” with some code copied or adapted from the OTF project.
- September 16 - OpenTaco moved back into Digger main repo in #PR2139
- September 24 - OpenTaco project is launched in a reddit post
- September 25 - leg100 flags the issue
Specifically, the following pieces were copied or adapted from the OTF project:
| File | Adapted Elements |
|---|---|
internal/domain/tfe_id.go |
The TFEID struct and functions on it, including MustHardcodeTfeID, ParseTfeID, NewTfeID, and NewTfeIDWithVal |
internal/domain/tfe_kind.go |
All the constants that end in Kind within this file have been adapted as enums |
internal/domain/tfe_org.go |
DefaultOrganizationPermissions, TFEOrganizationPermissions, TFEOrganization, and TFEEntitlements structs |
internal/domain/tfe_workspace.go |
Workspace, TFEWorkspace, and all their embedded structs adapted to match the domain model |
internal/tfe/organizations.go |
Entitlements, defaultEntitlements, and GetOranizationEntitlements functions |
internal/tfe/well_known.go |
Structs related to DiscoverSpec and the GetWellKnownJson function adapted for use with Opentaco |
internal/tfe_workspaces.go |
ToTFE and GetWorkspace adapted for use with current Opentaco endpoints |
Five Whys
- Why did Digger codebase copy code from OTF without attribution? - the code was moved as-is from the internal POC repo diggerhq/opentaco (then internal, now made public)
- Why did that repo contain code copied from OTF? - the PR#7 introduced “TFE stub endpoints”, initially thought of as a prototype implementation
- Why was there no attribution added? - at the time of implementation of the TFE stubs in the internal repo, not much thought was given to open source best practices, the project was still treated as a proof-of-concept
- Why was it not flagged at the time of merging into the main digger repo? - we did not have any attribution guidelines and did not follow any ourselves.
- Why was it not flagged at launch? - we were rushing to launch by Hashiconf and completely forgot about code copied from OTF by the time of the launch.
Steps taken to address the issue
- Attributions added for the code borrowed from the OTF project - PR#2262.
- Digger project changes license from Apache 2.0 to MIT - PR#2263.
- Attribution guidelines update to include explicit attribution requirements - PR#2264
Note of thanks to the community
I wanted to apologise for this oversight on behalf of Digger and thank the community - particularly leg100 - for flagging the issue. We hold the OTF project in highest regard and shouldn’t have allowed the code from it into our codebase without attribution. We are putting measures in place to make sure this does not happen again.
We’d love to know if there is anything else that we could / should do to make this right, perhaps there’s some aspect of it that we haven’t even considered. We are hoping to work together with the community on keeping the Terraform ecosystem open.
Igor Zalutski