-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revisit the need to bundle the LICENSE files in third_party
folder
#1441
Comments
/project Steering Committee Backlog |
@evankanderson: You must be a member of the knative/community github team to set the project and column. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
See discussion in cncf/foundation#642 |
Following up here - I'm inclined to drop this practice given we've gotten no guidance from CNCF. Clearly it's not an issue for them if we don't do this. |
I would drop our license handling, too. The sooner, the better. After the upgrade to go 1.21 that introduced "toolchain", the license checker is broken for any toolchain not bundled with the installed go installation. See google/go-licenses#244 . And there are tons of other peculiarities which took ages to analyze. Please drop the license check. |
Is there a reason to specify the toolchain directive over go directive? |
I don't think so. We haven't added |
Okay. Can we agree that we could at least remove the need to bundle all those Personally, I would keep the check as it, from time to time, actually finds some invalid libs, like knative/client-pkg#166 |
Yeah let's update hack to stop saving the licenses - then each repo can delete them |
This PR does that knative/hack#376 |
Serving PRs are out that drop the vendored files |
Background
We run
google/go-licenses
tool's save command in every repo. It bundles theLICENSE
files of the dependencies, or their code, depends on the license itself. This has been the practice of the project since Knative inception. The requirements were coming from Google's OSPO office.The CNCF has those 2 pages on the licenses:
Despite that, the CNCF Allowlist License Policy mentions that non-apache deps should be held in a designated third-party folder, such practice is very uncommon among the CNCF projects.
I did find only the https://github.com/kubernetes/kubernetes actually holds some third-party components in a designated folder (not only the LICENSE files)
Question
Is the current practice really required by CNCF? Maybe we can drop it like most projects do?
Links
This follows up the discussion in knative/hack#315
Related to cncf/foundation#642
The text was updated successfully, but these errors were encountered: