[License Exception Request] For common C/C++ libraries: libcurl, libelf, uthash

[leogr]

The C/C++ libraries (libcurl, libefl, uthash) for which this issue requests license exceptions to be approved are commonly utilized across various CNCF projects. These dependencies are typically vital for these projects, given the absence of any compelling alternatives in C/C++.

• libcurl
  • The underlying library that powers curl, provides projects with functions to handle data transfers and interact with different internet protocols programmatically. It's widely used and hard to replace. The curl License is inspired by MIT/X, but not identical.
  • URL: https://github.com/curl/curl
  • License: curl License
  • Used by:
    • Envoy
    • Falco
    • Istio
    • KubeVirt
    • Longhorn
    • OPA
    • OpenCurve
    • Rook
• libelf
  • A library for handling, analyzing, and generating files in the ELF (Executable and Linkable Format). Projects use libelf to read, modify, or create ELF files within their software projects, which is usually particularly relevant when dealing with eBPF-compiled programs. It's widely used and part of most Linux distributions. Many libraries and tools depend on libelf, which is basically not replaceable with another library. When using libelf unmodified, projects can opt for LGPLv3 (which is more permissive than GPLv2), and this allows linking to the library without requiring the rest of the program to be LGPL-licensed. Note that libelf is developed as a component of elfutils, which includes various other libraries and utilities. However, this request specifically concerns libelf and does not extend to other software within the elfutils umbrella.
  • URL: https://sourceware.org/elfutils/
  • License: (dual) GPL-2.0-or-later or LGPL-3.0-or-later
  • Used by:
    • Falco
    • Inspektor Gadget
    • KubeVirt
    • Minikube (?)
    • Pixie
    • Tetragon
    • WasmEdge
• uthash
  • A lightweight, portable macro-based C library for adding hash tables to your C programs. It enables projects to easily manage hash tables without external dependencies, using simple-to-follow macros integrated directly into their source code. It is licensed under BSD-1-Clause, which is very permissive (and similar to BSD-2-Clause and BSD-3-Clause that are already in the Allowlist).
  • URL: https://github.com/troydhanson/uthash
  • License: BSD-1-Clause
  • Used by:
    • Falco
    • WasmEdge

The list of projects using them is not exhaustive. Additionally, inspired by this template, below is some helpful information.

• If it is Apache-2.0 for code or CC-BY-4.0 for documentation, no further exception request is required.
  • No, they are not Apache-2.0 or CC-BY-4.
• Do they meet the Allowlist policy? If so, no further exception request is required.
  • These depedencies do not meet the Allowlist policy.
• Will the code be used in modified or unmodified form?
  • These dependencies are typically downloaded by the build system and used without modification. The license exception requests pertain to instances where they are utilized in their unmodified form.
• Are there any alternative components available with equivalent functionality under a more permissive license?
  • To the best of my knowledge, there are no compelling alternatives.
• How do these component integrate with or interact with, if at all, other components of the project?
  • These components are required by the project either directly or transitively through other third-party components. For instance, libbpf (licensed under the BSD 2-clause and therefore automatically accepted on the Allowlist) depends on libelf. Typically, these components are linked into the project's programs by compilers during build time.

[amye]

Clarification: libelf - is this statically or dynamically linked?

[leogr]

Clarification: libelf - is this statically or dynamically linked?

Hey @amye It depends on the project. In Falco, libelf is statically linked.

[amye]

Ok, so in order to get an exception approved, we should scope this a little more. What's the scope of the exception requested -- just Falco's usage?

[leogr]

Ok, so in order to get an exception approved, we should scope this a little more. What's the scope of the exception requested -- just Falco's usage?

As a Falco maintainer, I would like to request an exception for Falco's usage. In Falco, we use it to deal with the eBPF program used by Falco to collect data from the kernel. It's statically compiled inside the Falco binary. Also, libbpf (another 3rd party dependency for Falco, licensed under the BSD 2-clause and therefore automatically accepted on the Allowlist) depends on libelf. Please, let us know if you need any further information in this regard.

That being said, as a separate and optional request, I would suggest you consider a general exception for libelf since it may benefit some projects, too.

Thanks

[richardfontana]

I'm a little confused by some of the example uses. Some of these look like packages installed in container images, but if that's what CNCF license policy covers, then it would have to have a blanket exception for GPLv2, GPLv3 and tons of other copyleft and non-copyleft licenses.

[leogr]

I'm a little confused by some of the example uses. Some of these look like packages installed in container images, but if that's what CNCF license policy covers, then it would have to have a blanket exception for GPLv2, GPLv3 and tons of other copyleft and non-copyleft licenses.

Hey @richardfontana

As a Falco maintainer, my insights are specific to Falco, where all three libraries mentioned above are statically linked during the build, not packaged in the container image. This requires only license exceptions specifically for their usage in Falco, not a blanket one.

That said, I still think discussing GPL packages in container images is valuable, however, it's beyond this issue's scope, in my opinion. wdyt?

[amye]

Approved by the GB as of 2/12:

• License exception for libcurl
• License exception for uthash
• License exception for libelf, but for dynamic linking only

[leogr]

Hey @Cmierly, should this be documented in https://github.com/cncf/foundation/tree/main/documents? :thinking: