Open antoninbas opened 1 year ago
https://github.com/cncf/foundation/pull/621 may resolve this - we usually try to have projects request these directly because the exceptions sometimes depend on their usecase.
Which projects are you requesting these for?
Let me double check with #621 and update the list
@amye In the end I found only 4 modules missing from the exceptions list
I am an Antrea maintainer. Only 2 of these 4 are dependencies for Antrea: github.com/hashicorp/go-msgpack (MIT) and github.com/hashicorp/memberlist (MPL).
Thanks @antoninbas for opening this issue, and @amye for helping with Hashicorp exceptions in #294 #297. There are two more dependencies by Dapr project that are not yet exempted (please let me know if I should open a separate issue).
- github.com/hashicorp/memberlist (MPL)
- github.com/hashicorp/consul/sdk (MPL)
Separate are better! (Unfortunately) - it's easier to track usecases; said as we have one giant issue for that.
Rationale: If there's something that we need more information on, it's easier to track in different issues. It's how it is.
Thanks, I am not opening the issue for some time because I realized they are not actual dependencies (although a part of go.sum).
@amye is this issue good as it is, or would you rather have me close it in favor of an issue specific to Antrea and the 2 dependencies (out of the 4 above) that we currently use?
@antoninbas The github.com/hashicorp/go-msgpack package should be automatically approved because [MIT is in the allowlist](https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist). So, I guess a specific license exception is not needed.
@amye Could you confirm? :pray:
One question came up: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
Can we confirm these meet the requirements for allowlist?
> A third-party component under a non-Apache 2.0 license is deemed automatically approved by the Governing Board for inclusion in a CNCF codebase as an exception to the CNCF Intellectual Property Policy, if all of the following apply:
> - It is fully licensable under the approved licenses set forth below under Approved Licenses (including combinations with Apache-2.0); AND
> - It is stored unmodified in a designated third-party folder; AND
> - It has indications of substantial use outside CNCF by satisfying one of the following:
>   - the component is part of the applicable programming language's standard library; or
>   - the component was created on Github at least 12 months ago and has at least 10 stars or 10 forks.
@amye These requirements are indeed met for github.com/hashicorp/go-msgpack (MIT license), but not for the other libraries (MPL license) listed in this issue:
- github.com/hashicorp/go-getter
- github.com/hashicorp/go-safetemp
- github.com/hashicorp/memberlist

These require an exception.
It's this part that we need to confirm:
> It is stored unmodified in a designated third-party folder; AND

That's not generally applicable to Go modules. These are imported and not copied / vendored into the project source tree. If a project does still choose to vendor the dependency for any reason, and make it part of its source tree, `go mod vendor` places it in a designated third-party folder.

> It has indications of substantial use outside CNCF

github.com/hashicorp/go-msgpack, github.com/hashicorp/go-getter and github.com/hashicorp/memberlist all meet the following criteria: "the component was created on Github at least 12 months ago and has at least 10 stars or 10 forks."

github.com/hashicorp/go-safetemp does NOT meet the criteria. Perhaps projects depending on this library should look for an alternative (not always straightforward for indirect dependencies).
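The three allowlist criteria discussed above (approved license, unmodified copy in a third-party folder, and evidence of substantial use) are easy to get wrong when reviewed by hand across a long dependency list. The following is an added example, not code from this thread, the CNCF policy tooling, or any project mentioned here: it encodes the quoted rule as a checker over a constructed list of module metadata. The approved-license set is a partial subset assumed for illustration (the thread confirms MIT is on the allowlist and MPL is not), and the creation dates, star and fork counts are constructed values, not looked up on GitHub.

```python
"""Check Go module dependencies against the CNCF allowlist auto-approval rule.

Added example. APPROVED_LICENSES is an assumed partial subset of the policy's
list; all module metadata in SAMPLE_MODULES is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: partial subset of the policy's approved licenses. MIT is
# confirmed on the allowlist in this thread; MPL-2.0 is not.
APPROVED_LICENSES = {"Apache-2.0", "MIT"}
MIN_AGE = timedelta(days=365)  # "created on Github at least 12 months ago"
MIN_STARS = 10
MIN_FORKS = 10


@dataclass(frozen=True)
class Module:
    path: str
    license: str
    created: Optional[date] = None     # GitHub creation date; None if unknown
    stars: int = 0
    forks: int = 0
    vendored_unmodified: bool = False  # copied as-is into a third-party folder
    stdlib: bool = False               # part of the language's standard library


def has_substantial_use(m: Module, today: date) -> bool:
    """Third criterion: stdlib, or >= 12 months old with >= 10 stars or forks."""
    if m.stdlib:
        return True
    if m.created is None:
        return False  # unknown age cannot satisfy the rule
    old_enough = today - m.created >= MIN_AGE
    return old_enough and (m.stars >= MIN_STARS or m.forks >= MIN_FORKS)


def evaluate(m: Module, today: date) -> tuple[str, list[str]]:
    """Return ("auto-approved", []) or ("needs-exception", [failed criteria])."""
    failures: list[str] = []
    if m.license not in APPROVED_LICENSES:
        failures.append(f"license {m.license} not in approved list")
    if not m.vendored_unmodified:
        # Go modules are normally imported, not vendored; `go mod vendor`
        # is what places an unmodified copy in a designated folder.
        failures.append("not stored unmodified in a third-party folder")
    if not has_substantial_use(m, today):
        failures.append("no indication of substantial use outside CNCF")
    status = "auto-approved" if not failures else "needs-exception"
    return status, failures


def report(modules: list[Module], today: date) -> dict[str, str]:
    """Map each module path to its status for a dependency review."""
    return {m.path: evaluate(m, today)[0] for m in modules}


# Constructed metadata (dates, stars and forks are invented, not real figures).
TODAY = date(2024, 1, 15)
SAMPLE_MODULES = [
    Module("github.com/hashicorp/go-msgpack", "MIT", date(2015, 6, 1),
           stars=300, forks=50, vendored_unmodified=True),
    Module("github.com/hashicorp/memberlist", "MPL-2.0", date(2014, 1, 1),
           stars=3000, forks=400, vendored_unmodified=True),
    Module("github.com/hashicorp/go-getter", "MPL-2.0", date(2015, 1, 1),
           stars=1000, forks=200, vendored_unmodified=False),
    Module("github.com/hashicorp/go-safetemp", "MPL-2.0", date(2018, 1, 1),
           stars=5, forks=3, vendored_unmodified=True),
]

if __name__ == "__main__":
    for m in SAMPLE_MODULES:
        status, reasons = evaluate(m, TODAY)
        print(f"{m.path}: {status}")
        for r in reasons:
            print(f"  - {r}")
```

Running the block prints one line per module plus the criteria it fails, which is the list a maintainer needs when deciding whether to file an exception request. The `vendored_unmodified` flag is the hard part in practice, since (as noted above) Go modules resolved from the module cache satisfy it only after `go mod vendor`.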
For the three MPL-2.0 HashiCorp libraries, the CNCF Legal Committee has asked a few clarifying questions. Can you please let us know your thoughts on these?
1) Can you provide a brief (1-2 sentences) describing the purpose and functionality of these dependencies?
2) Is it accurate that each of these libraries does not rely on, import, or otherwise require the use of any of HashiCorp's applications and libraries that were relicensed from MPL-2.0 to BUSL-1.1 earlier this year?
@amye Thanks for following up on this. Answers below.
github.com/hashicorp/go-getter: go-getter is a utility library to download resources identified by a URL, from Golang code. It supports a variety of network protocols (HTTP, cloud object storage such as S3, Git, etc.) and provides useful functionality associated with downloading files, such as checksum verification and download progress tracking.
github.com/hashicorp/go-safetemp: go-safetemp is a utility library providing functions for working safely with temporary files and directories. In practice, it consists of a single public function which wraps ioutil.TempDir (part of the Go standard library, deprecated as of Go 1.17). This library is not really useful for CNCF projects; however, it is used as a dependency in other more useful HashiCorp packages, including go-getter.
github.com/hashicorp/memberlist: memberlist is a Golang package implementing a gossip-based membership protocol, with member failure detection. This is useful for building a distributed system where different nodes form a cluster, and each node needs to be aware of all the other active / live nodes in the cluster, assuming that eventual consistency is acceptable for the system ("nodes" and "cluster" here are used in the context of a generic distributed system, and not as K8s terminology). Project Antrea uses this package to implement a feature which requires different K8s Nodes to agree (eventually) on which Node is responsible for a specific network resource.
Yes, this is an accurate statement. See the full list of their hashicorp dependencies below.
Dependency | Used by | Dependency license |
---|---|---|
github.com/hashicorp/go-immutable-radix | memberlist | MPL-2.0 |
github.com/hashicorp/go-msgpack (fork) | memberlist | MIT |
github.com/hashicorp/go-multierror | memberlist | MPL-2.0 |
github.com/hashicorp/go-sockaddr | memberlist | MPL-2.0 |
github.com/hashicorp/go-cleanhttp | go-getter | MPL-2.0 |
github.com/hashicorp/go-safetemp | go-getter | MPL-2.0 |
github.com/hashicorp/go-version | go-getter | MPL-2.0 |
hi, any update?
Some of the projects being used without an exception by CNCF projects (I may have missed some):
- github.com/hashicorp/go-getter (MPL)
- github.com/hashicorp/go-msgpack (MIT license for this one)
- github.com/hashicorp/go-safetemp (MPL)
- github.com/hashicorp/memberlist (MPL)

The references are not exhaustive of course.