cncf / foundation

☁️♮🏛 This repo contains several documents related to the operation of the CNCF. File non-technical issues related to CNCF here.
https://cncf.io

[License Exception Request] Additional Hashicorp libraries under MPL / MIT #624

Open antoninbas opened 1 year ago

antoninbas commented 1 year ago

Some of the projects being used without an exception by CNCF projects (I may have missed some):

The references are not exhaustive of course.

amye commented 1 year ago

https://github.com/cncf/foundation/pull/621 may resolve this - we usually try to have projects request these directly because the exceptions sometimes depend on their use case.

Which projects are you requesting these for?

antoninbas commented 1 year ago

Let me double check with #621 and update the list

antoninbas commented 1 year ago

@amye In the end I found only 4 modules missing from the exceptions list

I am an Antrea maintainer. Only 2 of these 4 are dependencies for Antrea: github.com/hashicorp/go-msgpack (MIT) and github.com/hashicorp/memberlist (MPL).

shubham1172 commented 1 year ago

Thanks @antoninbas for opening this issue, and @amye for helping with Hashicorp exceptions in #294 #297. There are two more dependencies of the Dapr project that are not yet exempted (please let me know if I should open a separate issue).

  1. github.com/hashicorp/memberlist (MPL)
  2. github.com/hashicorp/consul/sdk (MPL)
amye commented 1 year ago

> Thanks @antoninbas for opening this issue, and @amye for helping with Hashicorp exceptions in #294 #297. There are two more dependencies of the Dapr project that are not yet exempted (please let me know if I should open a separate issue).
>
>   1. github.com/hashicorp/memberlist (MPL)
>   2. github.com/hashicorp/consul/sdk (MPL)

Separate are better! (Unfortunately) - it's easier to track use cases; said as we have one giant issue for that.

Rationale: If there's something that we need more information on, it's easier to track in different issues. It's how it is.

shubham1172 commented 1 year ago

Thanks, I am not opening the issue for some time because I realized they are not actual dependencies (although a part of go.sum).
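
As an added example (not code from this thread or from any CNCF project), the distinction drawn in the comment above can be checked mechanically: a module that appears in go.sum only with a `/go.mod` hash line was consulted for version selection but its source is not part of the build, while a module with a source hash but no require line in go.mod is a stale entry. The go.mod and go.sum contents below are constructed for the example; on a real tree, `go mod why -m <module>` gives the authoritative answer before a license exception is requested.

```python
# Constructed sample inputs (not from any real project): a go.mod and go.sum
# that both mention HashiCorp modules, only some of which the build needs.
GO_MOD = """module example.com/demo
go 1.21
require (
	github.com/hashicorp/memberlist v0.5.0
	github.com/hashicorp/go-msgpack v0.5.5 // indirect
)
"""

GO_SUM = """github.com/hashicorp/memberlist v0.5.0 h1:AAAA=
github.com/hashicorp/memberlist v0.5.0/go.mod h1:BBBB=
github.com/hashicorp/go-msgpack v0.5.5 h1:CCCC=
github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:DDDD=
github.com/hashicorp/consul/sdk v0.14.1/go.mod h1:EEEE=
github.com/hashicorp/go-getter v1.7.1 h1:FFFF=
github.com/hashicorp/go-getter v1.7.1/go.mod h1:GGGG=
"""

def required_modules(go_mod):
    """Module path -> version for every require directive (block or single-line)."""
    mods, in_block = {}, False
    for line in go_mod.splitlines():
        line = line.split("//")[0].strip()  # drop '// indirect' comments
        if line == "require (":
            in_block = True
        elif line == ")":
            in_block = False
        elif line.startswith("require ") or (in_block and line):
            path, ver = line.replace("require ", "", 1).split()[:2]
            mods[path] = ver
    return mods

def classify_go_sum(go_mod, go_sum):
    """Label each module in go.sum as 'required', 'graph-only' or 'stale'."""
    required = required_modules(go_mod)
    has_source = {}  # path -> True once a source (non-/go.mod) hash line is seen
    for line in go_sum.splitlines():
        if line.strip():
            path, version, _ = line.split()
            has_source[path] = has_source.get(path, False) or not version.endswith("/go.mod")
    labels = {}
    for path, source in has_source.items():
        if path in required:
            labels[path] = "required"    # in go.mod: a real build dependency
        elif source:
            labels[path] = "stale"       # source hash, no require: 'go mod tidy' drops it
        else:
            labels[path] = "graph-only"  # only its go.mod was read for version selection
    return labels
```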

antoninbas commented 1 year ago

@amye is this issue good as it is, or would you rather have me close it in favor of an issue specific to Antrea and the 2 dependencies (out of the 4 above) that we currently use?

leogr commented 1 year ago

@antoninbas github.com/hashicorp/go-msgpack package should be automatically approved because MIT is in the allowlist (https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist). So, I guess a specific license exception is not needed.

@amye Could you confirm? :pray:

amye commented 11 months ago

One question came up: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy

Can we confirm these meet the requirements for allowlist?

A third-party component under a non-Apache 2.0 license is deemed automatically approved by the Governing Board for inclusion in a CNCF codebase as an exception to the CNCF Intellectual Property Policy, if all of the following apply:

It is fully licensable under the approved licenses set forth below under Approved Licenses (including combinations with Apache-2.0); AND

It is stored unmodified in a designated third-party folder; AND

It has indications of substantial use outside CNCF by satisfying one of the following:

the component is part of the applicable programming language’s standard library; or

the component was created on Github at least 12 months ago and has at least 10 stars or 10 forks.

antoninbas commented 11 months ago

@amye These requirements are indeed met for github.com/hashicorp/go-msgpack (MIT license), but not for the other libraries (MPL license) listed in this issue:

These require an exception.

amye commented 11 months ago

It's this part that we need to confirm:

antoninbas commented 11 months ago

> It is stored unmodified in a designated third-party folder; AND

That's not generally applicable to Go modules. These are imported and not copied / vendored into the project source tree. If a project does still choose to vendor the dependency for any reason, and make it part of its source tree, go mod vendor places it in a designated third-party folder.

> It has indications of substantial use outside CNCF

github.com/hashicorp/go-msgpack, github.com/hashicorp/go-getter and github.com/hashicorp/memberlist all meet the following criteria: "the component was created on Github at least 12 months ago and has at least 10 stars or 10 forks."

github.com/hashicorp/go-safetemp does NOT meet the criteria. Perhaps projects depending on this library should look for an alternative (not always straightforward for indirect dependencies).

amye commented 9 months ago

For the three MPL-2.0 HashiCorp libraries, the CNCF Legal Committee has asked a few clarifying questions. Can you please let us know your thoughts on these?

1) Can you provide a brief (1-2 sentences) describing the purpose and functionality of these dependencies?

2) Is it accurate that each of these libraries does not rely on, import, or otherwise require the use of any of HashiCorp's applications and libraries that were relicensed from MPL-2.0 to BUSL-1.1 earlier this year?

antoninbas commented 9 months ago

@amye Thanks for following up on this. Answers below.

  1. Can you provide a brief (1-2 sentences) describing the purpose and functionality of these dependencies?

github.com/hashicorp/go-getter: go-getter is a utility library to download resources identified by a URL, from Golang code. It supports a variety of network protocols (HTTP, cloud object storage such as S3, Git, etc.) and provides useful functionality associated with downloading files, such as checksum verification and download progress tracking.

github.com/hashicorp/go-safetemp: go-safetemp is a utility library providing functions for working safely with temporary files and directories. In practice, it consists of a single public function which wraps ioutil.TempDir (part of the Go standard library, deprecated as of Go 1.17). This library is not really useful for CNCF projects; however, it is used as a dependency in other more useful Hashicorp packages, including go-getter.

github.com/hashicorp/memberlist: memberlist is a Golang package implementing a gossip-based membership protocol, with member failure detection. This is useful for building a distributed system where different nodes form a cluster, and each node needs to be aware of all the other active / live nodes in the cluster, assuming that eventual consistency is acceptable for the system ("nodes" and "cluster" here are used in the context of a generic distributed system, and not as K8s terminology). Project Antrea uses this package to implement a feature which requires different K8s Nodes to agree (eventually) on which Node is responsible for a specific network resource.

  2. Is it accurate that each of these libraries does not rely on, import, or otherwise require the use of any of HashiCorp's applications and libraries that were relicensed from MPL-2.0 to BUSL-1.1 earlier this year?

Yes, this is an accurate statement. See the full list of their hashicorp dependencies below.

| Dependency | Used by | Dependency license |
|---|---|---|
| github.com/hashicorp/go-immutable-radix | memberlist | MPL-2.0 |
| github.com/hashicorp/go-msgpack (fork) | memberlist | MIT |
| github.com/hashicorp/go-multierror | memberlist | MPL-2.0 |
| github.com/hashicorp/go-sockaddr | memberlist | MPL-2.0 |
| github.com/hashicorp/go-cleanhttp | go-getter | MPL-2.0 |
| github.com/hashicorp/go-safetemp | go-getter | MPL-2.0 |
| github.com/hashicorp/go-version | go-getter | MPL-2.0 |

shahar-h commented 1 week ago

Hi, any update?