Addendum: Summary of licenses from Flatcar distro metadata The following summary is based solely on the license identifiers disclosed in the Flatcar distribution’s JSON files accompanying the OS image files. It has not been confirmed through direct review of the packages by the LF scanning team or CNCF legal counsel. As reflected in the Flatcar JSON files, the expressions below do not specify the manner in which the components under the corresponding licenses are linked together, or whether the licenses are a choice of license vs. a statement that all apply (e.g., an “OR” vs. an “AND”). Identifiers appear intended to refer to license texts at https://github.com/flatcar/scripts/tree/main/sdk_container/src/third_party/portage-stable/licenses. Counts below specify the number of packages indicated as containing this set of licenses, as of May 6, 2024. The CNCF Governing Board has approved license exceptions for packages included in the Flatcar distribution under the following licenses, EXCEPT FOR: * 'netperf': A license exception was not approved for the Netperf project's original "non-commercial purposes only" license, which has been used for Netperf releases v2.7.0 and earlier. Although the license for the Netperf project's source code has been replaced with MIT, a new release with the MIT license has not been published by the project. As a result, Flatcar should either (1) work with the Netperf project to have them release a new version using their updated MIT license; (2) build and use their own release from the MIT-licensed Netperf source code; or (3) cease distribution of Netperf under the old "non-commercial purposes only" license. * 'NPSL-0.95': Nmap's custom modified version of the GPL was not approved by the Governing Board, so the Nmap component should not be distributed by Flatcar. 1) amd64 production image licenses: 'Apache-2.0': 22 'Apache-2.0,BSD,BSD-2,CC-BY-SA-4.0,ISC,MIT,MPL-2.0': 1 'Apache-2.0,BSD,BSD-2,GPL-2,HPND,ISC,MPL-2.0': 1 'Apache-2.0,BSD,BSD-2,MIT': 1 'Apache-2.0,BSD,GPL-3,MIT,Unicode-DFS-2016': 1 'BEER-WARE,BSD,BSD-2,BSD-4,ISC,MIT': 1 'BSD': 17 'BSD,BSD-2,BSD-4,CC-BY-SA-3.0,GPL-2+,HPND,ISC,MIT,OPENLDAP,RSA,openafs-krb5-a': 1 'BSD,BSD-2,BSD-4,GPL-2,GPL-2+,GPL-3,ISC,MIT,linux-fw-redistributable': 1 'BSD,BSD-2,BSD-4,LGPL-2.1+': 1 'BSD,BSD-2,BSD-4,public-domain': 1 'BSD,BSD-2,ISC,MIT': 1 'BSD,GPL-2': 3 'BSD,GPL-2+': 1 'BSD,HPND,ISC': 1 'BSD,HPND,ISC,LGPL-2.1+,PCRE,inner-net,rc': 1 'BSD,ISC': 1 'BSD,ISC,curl': 1 'BSD,LGPL-2.1+': 1 'BSD,public-domain': 1 'BSD-2': 2 'BSD-2,GPL-2': 2 'BSD-4,GPL-2,GPL-3,LGPL-2.1,MIT,public-domain': 1 'BSD-with-attribution': 1 'BZIP2': 1 'CC-BY-3.0,MIT': 1 'CC0-1.0': 3 'CPL-1.0,GPL-2': 1 'FDL-1.3+,GPL-3+,LGPL-3+': 1 'GPL-2': 67 'GPL-2+': 4 'GPL-2+,GPL-3,LGPL-3+': 1 'GPL-2+,LGPL-2+,LGPL-2.1+': 1 'GPL-2+,LGPL-2.1+': 1 'GPL-2+,LGPL-2.1+,public-domain': 1 'GPL-2+,LGPL-3+': 1 'GPL-2,GPL-2+': 2 'GPL-2,LGPL-2.1': 3 'GPL-2,LGPL-2.1,MIT,public-domain': 1 'GPL-2,MPL-2.0': 1 'GPL-2,OPENLDAP': 1 'GPL-2,freedist': 2 'GPL-3': 12 'GPL-3+': 11 'GPL-3+,LGPL-2.1+': 1 'GPL-3,LGPL-2,LGPL-3+': 1 'GPL-3,LGPL-2.1': 1 'GPL-3,LGPL-2.1+': 1 'GPL-3,LGPL-3': 1 'ISC': 1 'ISC,MIT': 1 'Info-ZIP': 2 'LGPL-2': 3 'LGPL-2+': 1 'LGPL-2.1': 11 'LGPL-2.1+': 7 'LGPL-2.1,MIT': 1 'LGPL-3': 2 'LGPL-3+': 1 'MIT': 16 'NPSL-0.95': 1 'ZLIB': 2 'intel-ucode': 1 'lsof': 1 'metapackage': 1 'openssl': 1 'public-domain': 3 'vim': 2 '(,),FDL-1.2,GPL-3+,||': 1 2) arm64 production image licenses: same as #1 above, with the following differences: Different counts: 'Apache-2.0': 21 instead of 22 ‘BSD-2,GPL-2’: 1 instead of 2 ‘GPL-2’: 65 instead of 67 Removed: ‘intel-ucode’ 3) amd64 developer image licenses: same as #1 above, with the following differences: Different counts: 'Apache-2.0': 20 instead of 22 ‘BSD’: 18 instead of 17 'BSD,LGPL-2.1+': 2 instead of 1 ‘BSD-2’: 5 instead of 2 ‘CC0-1.0’: 6 instead of 3 ‘GPL-2’: 83 instead of 67 ‘GPL-2+’: 6 instead of 4 'GPL-2,GPL-2+': 3 instead of 2 'GPL-3': 15 instead of 12 'GPL-3+': 14 instead of 11 'GPL-3+,LGPL-2.1+': 2 instead of 1 'LGPL-3+': 2 instead of 1 ‘public-domain’: 4 instead of 3 Added: 'BSD,GPL-2+,man-pages': 1 'FDL-1.3+,LGPL-3+': 1 'GPL-2,unicode': 1 'GPL-3+-with-autoconf-exception': 1 'MIT,public-domain': 1 'PSF-2': 1 'netperf': 1 Removed: ‘Apache-2.0,BSD,BSD-2,MIT’ 4) arm64 developer image licenses: same as #3 above, with the following differences: Different counts: 'Apache-2.0': 20 instead of 19 ‘BSD-2,GPL-2’: 1 instead of 2 ‘GPL-2’: 81 instead of 83 Removed: ‘intel-ucode’