carvel-dev / vendir

Easy way to vendor portions of git repos, github releases, helm charts, docker image contents, etc. declaratively
https://carvel.dev/vendir
Apache License 2.0

Project contains AGPL code, which sets off license scanners #192

Closed evankanderson closed 1 year ago

evankanderson commented 1 year ago

What steps did you take:

94 imported exact-sha, which is AGPL licensed. Some companies use automated tools to detect the use of AGPL code, and this can fire on the examples in this library.

What happened: examples/hg/vendor/exact-sha/LICENSE contains the AGPL, and this triggered our license-audit flow because it includes the AGPL.

What did you expect: A project licensed under Apache 2.0 would not include AGPL code.

Anything else you would like to add: Filed from https://github.com/vmware-tanzu/carvel-vendir/pull/94#issuecomment-1265797450


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.
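The license-audit flow the report describes fires on the vendored LICENSE file rather than on the code itself. As an added example (not code from the vendir project), the following Python check walks a vendored tree such as vendir's examples/ directory, classifies each license file by its title block and lists the ones that carry the AGPL. Matching only the first lines is deliberate: the GPLv3 text mentions the Affero license in its section 13, so matching anywhere in the file would flag plain GPLv3 components too. The file-name pattern, the two-line title window and the sample tree are assumptions constructed for this demonstration.

```python
import os
import re
import tempfile

# A license file is identified by name; vendored content keeps the upstream
# LICENSE or COPYING file beside it (file-name pattern is an assumption).
LICENSE_NAME = re.compile(r"^(LICEN[CS]E|COPYING)(\.(txt|md))?$", re.IGNORECASE)

# Number of leading non-blank lines treated as the license "title block".
# The AGPL names itself on its first line, while GPLv3 only mentions "Affero"
# in section 13, so a short window avoids flagging plain GPLv3 files.
TITLE_LINES = 2


def classify_license_text(text):
    """Return 'AGPL' when the title block names the GNU Affero GPL, else 'other'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    title_block = " ".join(lines[:TITLE_LINES]).upper()
    if "AFFERO GENERAL PUBLIC LICENSE" in title_block:
        return "AGPL"
    return "other"


def find_agpl_licenses(root):
    """Walk root; return sorted, slash-separated relative paths of AGPL license files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not LICENSE_NAME.match(name):
                continue  # README.md and code files are not license files
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if classify_license_text(fh.read()) == "AGPL":
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample tree (license headers only), shaped like vendir's examples/ layout.
SAMPLE_FILES = {
    "examples/hg/vendor/exact-sha/LICENSE":
        "                    GNU AFFERO GENERAL PUBLIC LICENSE\n"
        "                       Version 3, 19 November 2007\n",
    "examples/git/vendor/apache-lib/LICENSE":
        "                                 Apache License\n"
        "                           Version 2.0, January 2004\n",
    "examples/git/vendor/gpl-lib/COPYING":
        "                    GNU GENERAL PUBLIC LICENSE\n"
        "                       Version 3, 29 June 2007\n"
        "\n"
        " Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>\n"
        "\n"
        "  13. Use with the GNU Affero General Public License.\n",
    "examples/git/vendor/apache-lib/README.md":
        "This README mentions the Affero General Public License in passing.\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="vendir-license-demo-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for hit in find_agpl_licenses(tree):
        print("AGPL license found:", hit)
```

Run against the sample tree, only examples/hg/vendor/exact-sha/LICENSE is reported; the Apache-licensed component, the GPLv3 COPYING file with its section 13 reference and the README that mentions Affero in prose are all left alone. In a CI job the same function would be pointed at the repository root after `vendir sync` and its result used to fail the build or open a ticket.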

joaopapereira commented 1 year ago

We should try to find an Apache project that uses hg to replace the one used in this example. If anyone knows of any off the top of their head please leave a comment here.

Thanks

Accepted the story and now waiting for the availability of people. We also accept PRs if anyone is interested in tackling this issue.

neil-hickey commented 1 year ago

The example just illustrates the usage of a sha when using a vendir file right? Is there any need to use hg at all? We could remove this entirely and just use something else?

joaopapereira commented 1 year ago

From what I understand this is to test that Mercurial integration based on sha is working. So I assume it would be good to keep it.

joaopapereira commented 1 year ago

This was fixed by #247