Review hashicorp license change impact

[killianmuldoon]

Note: this issue is mostly being lead in core CAPI with this being a mirror issue for CAPV. The problems with both repos are the same, but more up to date info and disussion may be found at

Recently hashicorp announced changes to some of its licenses. This issue is a place to assess the impact on Cluster API Provider vSphere.

CNCF issue: cncf/foundation#617

None of the dependencies CAPV imports have been updated to the Business source license.

Initial findings

Generate list of all modules which are importing a hashicorp module.

go mod graph | grep "\s.*hashicorp" > hashicorp_modules

Get a unique sorted list of hashicorp modules that are being imported

cat hashicorp_modules | cut -d ' ' -f 2 | sort -u -o hashicorp_modules

The end result of the above is a list of 28 modules

• MPL: hashicorp/consul@main/api/LICENSE
  github.com/hashicorp/consul/api@v1.1.0
  github.com/hashicorp/consul/api@v1.20.0

• MPL: hashicorp/consul@main/sdk/LICENSE
  github.com/hashicorp/consul/sdk@v0.1.1

• MPL: hashicorp/errwrap@master/LICENSE
  github.com/hashicorp/errwrap@v1.0.0

• MPL: hashicorp/go-cleanhttp@master/LICENSE
  github.com/hashicorp/go-cleanhttp@v0.5.1
  github.com/hashicorp/go-cleanhttp@v0.5.2

• MIT: hashicorp/go-hclog@main/LICENSE
  github.com/hashicorp/go-hclog@v1.2.0

• MPL: hashicorp/go-immutable-radix@master/LICENSE
  github.com/hashicorp/go-immutable-radix@v1.0.0
  github.com/hashicorp/go-immutable-radix@v1.3.1

• MPL: hashicorp/golang-lru@master/LICENSE
  github.com/hashicorp/golang-lru@v0.5.0
  github.com/hashicorp/golang-lru@v0.5.1
  github.com/hashicorp/golang-lru@v0.5.4

• MIT: github.com/hashicorp/go-msgpack@master/LICENSE
  github.com/hashicorp/go-msgpack@v0.5.3

• MPL: hashicorp/go-multierror@main/LICENSE
  github.com/hashicorp/go-multierror@v1.0.0

• BSD: (forked from go) hashicorp/go.net@master/LICENSE
  github.com/hashicorp/go.net@v0.0.1

• MPL hashicorp/go-rootcerts@master/LICENSE
  github.com/hashicorp/go-rootcerts@v1.0.0
  github.com/hashicorp/go-rootcerts@v1.0.2

• MPL hashicorp/go-sockaddr@master/LICENSE
  github.com/hashicorp/go-sockaddr@v1.0.0

• MIT hashicorp/go-syslog@master/LICENSE

• github.com/hashicorp/go-syslog@v1.0.0

• MPL hashicorp/go-uuid@master/LICENSE
  github.com/hashicorp/go-uuid@v1.0.0
  github.com/hashicorp/go-uuid@v1.0.1

• MPL hashicorp/hcl@master/LICENSE
  github.com/hashicorp/hcl@v1.0.0

• MPL hashicorp/logutils@master/LICENSE
  github.com/hashicorp/logutils@v1.0.0

• MIT hashicorp/mdns@main/LICENSE
  github.com/hashicorp/mdns@v1.0.0

• MPL hashicorp/memberlist@master/LICENSE
  github.com/hashicorp/memberlist@v0.1.3

• MPL hashicorp/serf@master/LICENSE
  github.com/hashicorp/serf@v0.10.1
  github.com/hashicorp/serf@v0.8.2

• 🌱 Add license scan for pull requests #2299
• Remove the indirect dependency on hashicorp HCL. Current exception is implemented in a script as part of 🌱 Add license scan for pull requests #2299
• Consider adding an additional periodic license scan for published artifacts including images and binaries.

[killianmuldoon]

As in core CAPI we should consider doing license scans on PRs to identify license changes - initial PR for CAPI: kubernetes-sigs/cluster-api#9184

[killianmuldoon]

IMO we can close this as done with the same rationale as kubernetes-sigs/cluster-api#9181

We can consider periodic image license scanning here too once the problem is solved in CAPI.

/close

[k8s-ci-robot]

@killianmuldoon: Closing this issue.

In response to this:

IMO we can close this as done with the same rationale as kubernetes-sigs/cluster-api#9181

We can consider periodic image license scanning here too once the problem is solved in CAPI.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.