[License Exception Request] Flatcar #623

Closed
miao0miao opened this issue Aug 16, 2023 · 10 comments

@miao0miao

We would like to contribute the Flatcar project to CNCF. However, a few repos are licensed under licenses that are not in the CNCF Allowlist License Policy and are not listed under License exceptions.
We would like to ask for an exception for the following repositories that Flatcar uses:

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/sysroot-wrappers | GPL-3.0 | This repository was forked from CoreOS container linux because the upstream repository was archived. It contains a low-level build helper utility which is not distributed with the OS image; the utility is only required at image build time. Sysroot-wrappers works in close relation with the GCC compiler and incorporates sources from the GCC project, which is licensed under GPL 3.0. Hence, the derivative is also GPL 3.0 licensed. |
| flatcar/grub | GPL-3.0 | Grub, the GRand Unified Bootloader, is a package shipped with the Flatcar OS image. The bootloader runs at early start-up and is responsible for loading Flatcar’s kernel and initrd. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We do not use the upstream GRUB release sources but maintain our own repository to ease development, which is currently in progress. We are planning to contribute back after development concludes and switch to using upstream sources (with our patches on top if necessary) in the future. |
| flatcar/baselayout | GPL-2 | Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/nss-altfiles | LGPL-2.1 | Nss-altfiles is a glibc plugin which enables user and group lookup in paths other than /etc. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We are investigating switching to systemd-userdbd instead. This could lead to the retirement of the nss-altfiles repository at a point in the future – the project would instead use upstream systemd releases directly. |
| flatcar/bootengine | BSD-2-Clause | This repository contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/shim | BSD 2-Clause | Shim is an UEFI stub that allows a secure, signed boot chain. The repository in the Flatcar org does not contain any changes from upstream Shim and is used for development. |
| flatcar/scripts | BSD-3-Clause | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |
| flatcar/init | BSD-3-Clause | Init contains OS configuration and utilities. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/update_engine | BSD-3-Clause | Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine. |
| flatcar/flatcar-dev-util | BSD-3-Clause | This repository contains a python script (“emerge-gitclone”) which is shipped with the Flatcar devcontainer. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. The Flatcar Sysext initiative aims to replace the devcontainer with a suitable sysext, at which point this repository will be archived. |
| flatcar/seismograph | BSD-3-Clause | Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. |
| flatcar/nomad-on-flatcar | MIT | Nomad-on-flatcar is a set of example configurations for running Flatcar Container Linux on Nomad. It serves as hands-on documentation for users; this repository does not generate artifacts and is not shipped in releases. It is based on fedora-coreos-nomad which is MIT licensed. |

Background:

The Flatcar Project consists of a total of 61 active repositories. Most repositories are licensed under the Apache 2.0 license. 12 are licensed differently since they build on existing work.
6 repositories are used for secrets storage, i.e. contain GPG-encrypted infrastructure secrets, and 1 repository contains infrastructure-as-code for the Flatcar build and release infrastructure – these repositories do not use any license.

The breakdown of the 61 active repositories total:
42 repositories are licensed under Apache 2.0
5 repositories are licensed under BSD 3-Clause
2 repositories are licensed under BSD 2-Clause
2 repositories are licensed under GPL-3.0
1 repository is licensed under GPL-2.0
1 repository is licensed under LGPL-2.1
1 repository is licensed under MIT
(and 7 repositories used for infrastructure automation without a license)

Like most Linux distributions, Flatcar Container Linux packages, builds, and ships many upstream projects’ releases that use a wide variety of licenses. Most of these releases are shipped without modification; some require amendments to integrate well with Flatcar. These Flatcar-specific changes reside in the “scripts” repo and are applied at build time on top of a pristine upstream source release for most upstreams that need amendments.

These Flatcar-specific changes are a one-time effort and usually do not require continued development - except for very few upstreams. For the upstreams that are under active development – these are very few - the Flatcar project maintains a fork of the upstream repo with Flatcar-specific changes included, and packages/builds reference the Flatcar development fork instead of the upstream repository (or release tarball).

The sole purpose of these forks is to provide a place for maintainers to focus their development. The upstream license is retained with the fork. We always aim to contribute back upstream – after which we switch back to the upstream sources, and the development fork is removed. None of the forked repositories’ projects are released separate from Flatcar; all repos are used as packaging/build sources for Flatcar OS and SDK releases.

@nikhita
Member

nikhita commented Aug 16, 2023

cc @amye

@miao0miao
Author

Quick note: I could not assign the issue or add a label. I do not have sufficient permissions.
I was trying to follow the instructions here https://github.com/cncf/foundation/pull/313/files
cc: @amye @caniszczyk

@amye amye added the licensing label Aug 16, 2023
@miao0miao
Author

miao0miao commented Jan 19, 2024

I would like to bring to your attention the current status of our repositories that require a license exception, particularly as we have entered the year 2024. The repositories are sorted by 4 categories (listed below). Your approval for this exception is greatly appreciated.

Thank you for your time and consideration.

a.
the following includes exceptions that were previously approved by the CNCF GB:

Repo Licence Further information
flatcar/locksmith MPL-2.0 This was approved by CNCF GB as a license exception 2019-03-11, see
##### Package: github.com/hashicorp/errwrap
PackageName: github.com/hashicorp/errwrap
SPDXID: SPDXRef-Package8
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11
flatcar/mayday ; flatcar MPL-2.0 This was approved by CNCF GB as a license exception 2019-03-11, see
##### Package: github.com/hashicorp/hcl
PackageName: github.com/hashicorp/hcl
SPDXID: SPDXRef-Package6
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11
flatcar/torcx CC-BY-SA-4.0 This was approved by CNCF GB as a license exception 2019-03-11, see
##### Package: github.com/opencontainers/go-digest
PackageName: github.com/opencontainers/go-digest
SPDXID: SPDXRef-Package22
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0 AND CC-BY-4.0 AND CC-BY-SA-4.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11

b.
this list includes repos whose licenses we cannot change and which require an exception:
update Mar 13th, 2024 - flatcar-dev-util is taken off the list as we did work that enabled us to change the license

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/bootengine | BSD-2-Clause | This repo is listed as copyright CoreOS; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-2-Clause, and going forward under either BSD-2-Clause or Apache-2.0 ; bootengine contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/flatcar-dev-util flatcar/seismograph flatcar/update_engine | BSD-3-Clause | This repo is listed as copyright Chromium authors and a CoreOS notice; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-3-Clause and going forward under either BSD-3-Clause or Apache-2.0 ; Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine; flatcar-dev-util contains a python script (“emerge-gitclone”) which is shipped with the Flatcar devcontainer. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. The Flatcar Sysext initiative aims to replace the devcontainer with a suitable sysext, at which point this repository will be archived. ; Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container li |
| baselayout | GPL-2.0, LGPL-2.1, LGPL-3.0 | This repo appears to be forked from upstream, and uses GPL-2.0, LGPL-2.1, LGPL-3.0 as repo license. Likely need to ask LC / GB to approve retaining pre-existing and going-forward development under GPL-2.0, LGPL-2.1, LGPL-3.0, as doesn't appear to be feasible to relicense ; Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |

c.
the repos listed below also require an exception, as they are part of the core of Flatcar or have multiple dependencies from other CNCF projects:

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/coreos-cloudinit | LGPL-3.0 WITH LGPL-3.0-linking-exception | We explore switching to go-yaml eventually. However this will require several months due to the impact it can have and stabilization cycles that will be required. |
| flatcar/ignition | LGPL-2.1-only OR CDDL-1.0 | Moving this repo would pose some risk - it has 18 direct and 30 indirect dependencies on GitHub alone. Exception justification: Downstream repo not used for active development (we use upstream ignition directly), but many CNCF projects (CAPI providers) directly or indirectly depend on it. |
| flatcar/scripts | LGPL (version unspecified), GPL-2.0, Proprietary | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |

d.

the following repos are still under Flatcar and contain license exceptions but will be resolved by end of business week 5 2024 (next week). I will provide another update once the work on these two exceptions is completed and no longer required.
update Jan 30th, 2024 - this is still WIP, added reference to the PR
update Feb 28th, 2024 - these items do not require an exception any longer. The PRs were merged

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/shim | Project License is BSD-2-Clause | This PR will make this repo not required by the end of next week (week 5 2024). Shim is an UEFI stub that allows a secure, signed boot chain. The repository in the Flatcar org does not contain any changes from upstream Shim and is used for development. done |
| flatcar/mantle | LGPL-3.0 WITH LGPL-3.0-linking-exception | switching to use upstream go-yaml done |

@miao0miao
Author

update regarding flatcar/shim and flatcar/mantle - both PRs tracking those items were merged - the exception is no longer needed.

@miao0miao
Author

update - /flatcar/flatcar-dev-util is taken off the list as we did work that enabled us to change the license

@miao0miao
Author

I wanted to provide an update that reflects all the work that was done since the issue was first opened.
Please note - We added one repo azure-vhd-utils

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/sysroot-wrappers | GPL-3.0 | This repository was forked from CoreOS container linux because the upstream repository was archived. It contains a low-level build helper utility which is not distributed with the OS image; the utility is only required at image build time. Sysroot-wrappers works in close relation with the GCC compiler and incorporates sources from the GCC project, which is licensed under GPL 3.0. Hence, the derivative is also GPL 3.0 licensed. |
| flatcar/baselayout | GPL-2 | * Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. * It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. * We're investigating switching to upstream (Gentoo) baselayout so we would not need to maintain our own. As upstream significantly differs this work will go on for a while. |
| flatcar/nss-altfiles | LGPL-2.1 | Nss-altfiles is a glibc plugin which enables user and group lookup in paths other than /etc. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We're working on deprecating nss-altfiles in favour of systemd confext. This could lead to the retirement of the nss-altfiles repository at a point in the future – the project would instead use upstream systemd releases directly. |
| flatcar/bootengine | BSD-2-Clause | This repository contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/init | BSD-3-Clause | Init contains OS configuration and utilities. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/update_engine | BSD-3-Clause | Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine. |
| flatcar/seismograph | BSD-3-Clause | Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. |
| flatcar/scripts | LGPL (version unspecified), GPL-2.0, Proprietary | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |
| flatcar/azure-vhd-utils | MIT | azure-vhd-utils is mainly used from mantle, Flatcar release/test tools to help in the automation regarding Flatcar release process on Azure: https://github.com/search?q=org%3Aflatcar%20azure-vhd-utils&type=code It is not included in Flatcar images. It is forked since the upstream project is not maintained any longer. |

Background

Since the issue was first opened some repos were archived and moved to https://github.com/flatcar-archive/

The repos that are used temporarily for active development work to contribute upstream are found under https://github.com/flatcar-hub/

The Flatcar Project consists of a total of 62 active repositories, all of which will be contributed to CNCF upon acceptance. Most repositories are licensed under the Apache 2.0 license. Some are licensed differently since they build on existing work. 6 repositories are used for secrets storage, i.e. contain GPG-encrypted infrastructure secrets, and 1 repository contains infrastructure-as-code for the Flatcar build and release infrastructure – these repositories do not use any license.
A detailed break-down of licenses can be found here. An overview follows below. All repositories that are not licensed under Apache 2.0 and are not part of the infrastructure automation are discussed in detail below.
46 repositories are licensed under Apache 2.0
4 repositories are licensed under BSD 3-Clause
1 repository is licensed under BSD 2-Clause
1 repository is licensed under GPL-3.0
1 repository is licensed under GPL-2.0
1 repository is licensed under LGPL-2.1
1 repository is licensed under MIT
(and 7 repositories used for infrastructure automation without a license)

@jeefy
Member

jeefy commented Oct 27, 2024

Hey everyone! This license exception was PARTIALLY approved. Please see below

Approved exceptions

Following reviews and recommendations from the CNCF Legal Committee, the CNCF Governing Board has approved the following license exception requests for Flatcar:

Flatcar repos with different project licenses

The Governing Board has approved the following Flatcar repositories using overall project licenses that differ from CNCF's standard Apache-2.0 license:

  • bootengine: BSD-2-Clause

  • flatcar-dev-util: BSD-3-Clause

  • scripts: BSD-3-Clause

  • seismograph: BSD-3-Clause

  • update_engine: BSD-3-Clause

  • azure-vhd-utils: MIT

  • nss-altfiles: LGPL-2.1

  • baselayout: GPL-2.0
    addendum-Flatcar-package-licenses.txt

  • sysroot-wrappers: GPL-3.0

Copyleft dependencies

The Governing Board has approved the following dependencies under certain weak copyleft licenses, in the manner of use described for the specified Flatcar Apache-2.0 repositories:

Ebuild scripts licensed under GPL-2.0

The Governing Board has approved the inclusion of pre-existing, third party ebuild scripts licensed under GPL-2.0 in the scripts repository.

Third Party Packages incorporated into the Flatcar Linux distribution

Although the Legal Committee and Governing Board did not individually review every third party package included in the Flatcar Linux distribution, they have reviewed the lists of licenses based on the Flatcar distribution's JSON files documenting the license identifiers applicable to their contents. A summary of the license identifiers together with counts of corresponding packages is attached as an addendum.

With two exceptions (netperf and NPSL-0.95, as described more fully below), the CNCF Governing Board has approved license exceptions for packages included in the Flatcar distribution under these licenses.

Not Approved exceptions

Following reviews and recommendations from the CNCF Legal Committee, the CNCF Governing Board has not approved the following license exception for Flatcar:

Ebuild scripts referencing proprietary licenses

An earlier review indicated references to licenses such as Google Terms of Service or an NVIDIA Tegra Software License Agreement, potentially in connection with ebuild scripts from an upstream source that referenced those licenses.

We understand from discussions with the Flatcar maintainers that these licenses, and their corresponding components, are not in fact included in any of Flatcar's source code or binary distributions; and that the inapplicable proprietary license text has now been removed from the Flatcar repos. Accordingly, the Governing Board has not approved a license exception for these licenses.

Non-approved third party packages

As described above, the Governing Board has not approved the inclusion of the following packages in the Flatcar Linux distribution under the licenses specified below. We understand that the Flatcar maintainers have remediated, or are working towards remediating, these issues.

  • netperf: A license exception was not approved for the Netperf project's original "non-commercial purposes only" license, which has been used for Netperf releases v2.7.0 and earlier. Although the license for the Netperf project's source code has been replaced with MIT, a new release with the MIT license has not been published by the project. As a result, Flatcar should either (1) work with the Netperf project to have them release a new version using their updated MIT license; (2) build and use their own release from the MIT-licensed Netperf source code; or (3) cease distribution of Netperf under the old "non-commercial purposes only" license.

  • NPSL-0.95: Nmap's custom modified version of the GPL was not approved by the Governing Board, so the Nmap component should not be distributed by Flatcar.

@jeefy
Member

jeefy commented Oct 27, 2024

@miao0miao
Author

thank you for the response @jeefy - netperf license was fixed upstream and nmap was replaced with ncat.

@jeefy
Member

jeefy commented Oct 29, 2024

Closing it out!

@jeefy jeefy closed this as completed Oct 29, 2024