Open miao0miao opened 10 months ago
cc @amye
Quick note: I could not assign the issue or add a label. I do not have sufficient permissions. I was trying to follow the instructions here https://github.com/cncf/foundation/pull/313/files cc: @amye @caniszczyk
I would like to bring to your attention the current status of our repositories that require a license exception, particularly as we have entered the year 2024. The repositories are sorted by 4 categories (listed below). Your approval for this exception is greatly appreciated.
Thank you for your time and consideration.
a. the following includes exceptions that were perviously approved by the CNCF GB: Repo | Licence | Further information |
---|---|---|
flatcar/locksmith | MPL-2.0 | This was approved by CNCF GB as a license exception 2019-03-11, see https://github.com/cncf/foundation/blob/fb57be18d48fa936b1b45786d12ab7132d15e476/license-exceptions/cncf-exceptions-2019-11-01.spdx#L76-L85 |
flatcar/mayday ; flatcar | MPL-2.0 | This was approved by CNCF GB as a license exception 2019-03-11, see https://github.com/cncf/foundation/blob/fb57be18d48fa936b1b45786d12ab7132d15e476/license-exceptions/cncf-exceptions-2019-11-01.spdx#L54-L63 |
flatcar/torcx | CC-BY-SA-4.0 | This was approved by CNCF GB as a license exception 2019-03-11, see https://github.com/cncf/foundation/blob/fb57be18d48fa936b1b45786d12ab7132d15e476/license-exceptions/cncf-exceptions-2019-11-01.spdx#L230-L239 |
b. this list includes repos we cannot change their licenses and require an exception: update Mar 13th, 2024 - flatcar-dev-util is taken off the list as we did work that enabled us to change the license Repo | Licence | Further information |
---|---|---|
flatcar/bootengine | BSD-2-Clause | This repo is listed as copyright CoreOS; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-2-Clause, and going forward under either BSD-2-Clause or Apache-2.0- ; bootengine contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
~flatcar/flatcar-dev-util~ flatcar/seismograph flatcar/update_engine | BSD-3-Clause | This repo is listed as copyright Chromium authors and a CoreOS notice; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-3-Clause and going forward under either BSD-3-Clause or Apache-2.0 ; Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine; ~flatcar-dev-util contains a python script (“emerge-gitclone”) which is shipped with the Flatcar devcontainer. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. The Flatcar Sysext initiative aims to replace the devcontainer with a suitable sysext, at which point this repository will be archived.~ ; Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container li |
baselayout | GPL-2.0, LGPL-2.1, LGPL-3.0 | This repo appears to be forked from upstream, and uses GPL-2.0, LGPL-2.1, LGPL-3.0 as repo license. Likely need to ask LC / GB to approve retaining pre-existing and going-forward development under GPL-2.0, LGPL-2.1, LGPL-3.0, as doesn't appear to be feasible to relicense ; Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
c. the list below also require an exception, as they are part of the core of Flatcar or got multiple decencies by other CNCF projects: Repo | Licence | Further information |
---|---|---|
flatcar/coreos-cloudinit | LGPL-3.0 WITH LGPL-3.0-linking-exception | We explore switching to go-ymal eventually. However this will require several months due the impact it can have and stabilization cycles that will be required. |
flatcar/ignition | LGPL-2.1-only OR CDDL-1.0 | Moving this repo would pose some risk - it has 18 direct and 30 indirect dependencies on Github alone. Exception justification Downstream repo not used for active development (we use upstream ignition directly), but many CNCF projects (CAPI providers) directly or indirectly depend on it. |
flatcar/scripts | LGPL (version unspecified),GPL-2.0, Proprietary | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |
d.
the following repos are still under Flatcar and contain license exception but will be resolved by of business week 5 2024 (next week). I will provide another update once the work on this two exception is completed and no longer required. update Jan 30th, 2024 - this is still WIP, added reference to the PR update Feb 28th, 2024 -these items do not require an exception any longer. The PRs were merged Repo | Licence | Further information |
---|---|---|
flatcar/shim | Project License is BSD-2-Clause | ~This PR will make this repo not required by the end of next week (week 5 2024). Shim is an UEFI stub that allows a secure, signed boot chain.The repository in the Flatcar org does not contain any changes from upstream Shim and is used for development.~ done |
flatcar/mantle | LGPL-3.0 WITH LGPL-3.0-linking-exception | ~switching to use upstream go-yaml~ done |
update regarding flatcar/shim and flatcar/mantle - both PRs tracking those items were merged- the exception is no longer needed.
update - /flatcar/flatcar-dev-util is taken off the list as we did work that enabled us to change the license
I wanted to provide an update that reflects all the work that was done since the issue was first opened.
Please note - We added one repo azure-vhd-utils
Repo |
Licence | Further information |
---|---|---|
flatcar/sysroot-wrappers | GPL-3.0 | This repository was forked from CoreOS container linux because the upstream repository was archived. It contains a low-level build helper utility which is not distributed with the OS image; the utility is only required at image build time. Sysroot-wrappers works in close relation with the GCC compiler and incorporates sources from the GCC project, which is licensed under GPL 3.0. Hence, the derivative is also GPL 3.0 licensed. |
flatcar/baselayout | GPL-2 | Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We're investigating switching to upstream (Gentoo) baselayout so we would not need to maintain our own. As upstream significantly differs this work will go on for a while.* |
flatcar/nss-altfiles | LGPL-2.1 | Nss-altfiles is a glibc plugin which enables user and group lookup in paths other than /etc. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently.We're working on deprecating nss-altfiles in favour of systemd confext. This could lead to the retirement of the nss-altfiles repository at a point in the future – the project would instead use upstream systemd releases directly. |
flatcar/bootengine | BSD-2-Clause | This repository contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
flatcar/init | BSD-3-Clause | Init contains OS configuration and utilities. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
flatcar/update_engine | BSD-3-Clause | Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine. |
flatcar/seismograph | BSD-3-Clause | Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. |
flatcar/scripts | LGPL (version unspecified),GPL-2.0, Proprietary | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |
flatcar/azure-vhd-utils | MIT | azure-vhd-utils is mainly used from mantle, Flatcar release/test tools to help in the automation regarding Flatcar release process on Azure: https://github.com/search?q=org%3Aflatcar%20azure-vhd-utils&type=code It is not included in Flatcar images. It is forked since the upstream project is not maintained any longer. |
Background
Since the issue was first opened some repos were archived and moved to https://github.com/flatcar-archive/
The repos that are used temporarily for active development work to contribute upstream are found under https://github.com/flatcar-hub/
The Flatcar Project consists of a total of 62 active repositories, all of which will be contributed to CNCF upon acceptance. Most repositories are licensed under the Apache 2.0 license. Some are licensed differently since they build on existing work. 6 repositories are used for secrets storage, i.e. contain GPG-encrypted infrastructure secrets, and 1 repository contains infrastructure-as-code for the Flatcar build and release infrastructure – these repositories do not use any license. A detailed break-down of licenses can be found here. An overview follows below. All repositories that are not licensed under Apache 2.0 and are not part of the infrastructure automation are discussed in detail below. 46 repositories are licensed under Apache 2.0 4 repositories are licensed under BSD 3-Clause 1 repositories are licensed under BSD 2-Clause 1 repositories are licensed under GPL-3.0 1 repository is licensed under GPL-2.0 1 repository is licensed under LGPL-2.1 1 repository is licensed under MIT (and 7 repositories used for infrastructure automation without a license)
We would like to contribute Flatcar project to CNCF. However, few repos are licensed under licenses that are not not CNCF Allowlist License Policy and are not listed under License exceptions. We would like to ask for an exception for the following repositories that Flatcar uses:
Background:
The Flatcar Project consists of a total of 61 active repositories. Most repositories are licensed under the Apache 2.0 license. 12 are licensed differently since they build on existing work. 6 repositories are used for secrets storage, i.e. contain GPG-encrypted infrastructure secrets, and 1 repository contains infrastructure-as-code for the Flatcar build and release infrastructure – these repositories do not use any license.
The breakdown of the 61 active repositories total: 42 repositories are licensed under Apache 2.0 5 repositories are licensed under BSD 3-Clause 2 repositories are licensed under BSD 2-Clause 2 repositories are licensed under GPL-3.0 1 repository is licensed under GPL-2.0 1 repository is licensed under LGPL-2.1 1 repository is licensed under MIT (and 7 repositories used for infrastructure automation without a license)
Like most Linux distributions, Flatcar Container Linux packages, builds, and ships many upstream projects’ releases that use a wide variety of licenses. Most of these releases are shipped without modification; some require amendments to integrate well with Flatcar. These Flatcar-specific changes reside in the “scripts” repo and are applied at build time on top of a pristine upstream source release for most upstreams that need amendments.
These Flatcar-specific changes are a one-time effort and usually do not require continued development - except for very few upstreams. For the upstreams that are under active development – these are very few - the Flatcar project maintains a fork of the upstream repo with Flatcar-specific changes included, and packages/builds reference the Flatcar development fork instead of the upstream repository (or release tarball).
The sole purpose of these forks is to provide a place for maintainers to focus their development. The upstream license is retained with the fork. We always aim to contribute back upstream – after which we switch back to the upstream sources, and the development fork is removed. None of the forked repositories’ projects are released separate from Flatcar; all repos are used as packaging/build sources for Flatcar OS and SDK releases.