License requirements when shipping containers #642
Comments
Looks like the licenses in the SBOM are not a thing at the moment - ko-build/ko#766 but what if they were 🤔 |
So as I'm reading through this, this may no longer be an active question? |
We're still looking for input from the CNCF what is required |
hey @amye any updates? |
@amye can we satisfy the requirements to distribute licenses by having the project and dependency licenses in the SBOM? We can also add the license text to the SBOM in addition to the identifiers if needed. |
Hi - just following up here again |
Still in discussion with Legal Committee! |
What has the discussion been? Is there a timeline on a decision - the original service desk ticket is almost a year old
…On Mon, Dec 11, 2023 at 19:08 Amye Scavarda Perrin ***@***.***> wrote:
Hi - just following up here again
Still in discussion with Legal Committee!
|
Following up - I'm assuming the lack of response indicates there's no requirement and thus projects are not required to have disclosures in our project's container image. |
@joannalee333 Can you comment on this? |
Staff will be working with the Legal Committee on development of guidance for this issue. Licensing compliance for container images is not as straightforward as it is for code. We'll likely have guidance ready to share later this quarter. |
This is the public issue for (https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652).
There were enough people in the Knative project asking about this so I figured it warranted having a public issue others can comment on (so I'm not the sole proxy).
Original Question
What are the CNCF requirements for license disclosure for dependencies when shipping container images?
Background
Knative has been vendoring licenses and including them in the containers we ship. This has been our practice since the project went public in 2018 and was a requirement of Google's OSPO.
Some context from Evan Anderson [1]
[1] knative/hack#315 (comment)
Related Info
We now build our containers using a tool called ko - this will also publish an SBOM file (https://ko.build/features/sboms/). I believe the SBOM will include some license info. Is having this file available for download sufficient for license compliance?