License compliance clarification for unlisted projects #294
Comments
|
@amye I see that this was added and removed from the license exceptions project board. Will this be also addressed in the next meeting? Is there any other information that I can provide here? |
|
This has several requests in it which make it difficult to track, and right now I'm prioritizing project requests directly. |
|
Okay, please let me know if I can help sorting them in any way to make it easier for tracking. We can also track them as a part of #297 if that is easier. |
|
Appreciated! We're just now rolling out a more direct process for this to be able to help deal with backlog, I will leave this open as we work through this. |
|
Thank you @amye! |
|
Where are you getting this list of packages? We aren't using any |
|
See also Kubernetes' complete dump of LICENSES for all packages we're using: https://github.com/kubernetes/kubernetes/tree/master/LICENSES I suspect at least some of these are incorrectly listed due to looking at the entire module graph, which is NOT the set of packages actually linked into binaries. We build releases in Go's vendor mode, from only the checked in sources under That only leaves whatever else is in docker base images (which we've also shrunk to be very small distroless based), or what is only used at development time ( We specifically have custom tooling to catch and prevent taking these dependencies: EDIT: see also kubernetes/kubernetes#95571 (comment) I suspect the list above is coming from the go module graph which includes the entire transitive dependency tree even packages that will not be linked into binaries. The actual dependency set used is smaller than the module graph. |
|
For dependencies used by kubernetes, see the go.mod files and vendor directory, not the go.sum file. |
|
None of the dependencies listed in the description are in use by the kubernetes/kubernetes repo. I added them to kubernetes/kubernetes#118023 to ensure they don't get added as dependencies in the future. |
|
I don't think helm is using github.com/armon/consul-api either, again it's in go.sum but it's not in the transitive deps in go.mod, and go 1.19 go.mod will include transitive deps that are used. It's possible helm's go.mod is not in sync with actual builds but seems unlikely. argo-cd however does appear to be using github.com/hashicorp/go-retryablehttp: https://github.com/argoproj/argo-cd/blob/7825821c1cda17b809e44b66cc5980fecf28af4f/go.mod#L47 |
so is kubernetes-sigs/zeitgeist#543 and kubernetes-sigs/release-sdk#197 #138 was opened years ago specifically for this library... it's not clear why that wasn't allowlisted along with several of the other hashicorp libraries |
|
Closing as #138 resolves, but let me know if that's not the case! |
Hi,
The following projects are used by software under CNCF today, but these do not comply with CNCF Allowlist License Policy and are not listed under License exceptions. We are looking to understand the status of these projects - are they going to be moved under the exception lists?
The text was updated successfully, but these errors were encountered: