docker-library / python

Docker Official Image packaging for Python
https://www.python.org/
MIT License

Is there a plan to have non GPLv3 licensed python-alpine images? #573

Closed aalexanderr closed 3 years ago

aalexanderr commented 3 years ago

According to the white paper by Armijn Hemel, in short: one copyright thing, in any layer, affects the license of the whole image.

The resulting python image for alpine has the python-gdbm and gdbm packages installed, which are GPLv3; readline, coreutils and findutils are also GPLv3. This means the whole container is GPLv3, which drastically reduces its usability for most companies. As for coreutils and findutils, a switch to busybox would resolve the issue; I'm not sure about a solution for readline and gdbm apart from distributing an image without them.

Taking python3.9 on alpine3.12 as an example. Packages listed below are licensed as GPLv3. Some of those packages are removed in the same layer they are introduced in, and I don't know how that affects the license of the final container. But for many of those packages, libraries are then installed/left in the layer, which I'm sure affects the whole container.

kopasiak commented 3 years ago

Just to clarify @aalexanderr's thoughts. GPL-v3 does not "infect" all image components, but if the image contains some GPL-v3 and we use it as a base image, we need to handle the GPL-v3 compliance process (ensuring access to source code, build scripts, etc.) for those components.

tianon commented 3 years ago

I am not a lawyer, and I would recommend anyone who is reading this / wondering about this to consult with their counsel.

We have no current plans to provide a "GPL free" version of this image. For the components which are GPL, if they end up being distributed to your customers, I would recommend having a process for providing those customers the source code (which should be discoverable via Alpine's packaging systems).

Personally, I think the ability to reliably discover this information is much stronger in Debian (and https://snapshot.debian.org/ makes it really trivial to get the source code for previously published and now "gone" versions too), but YMMV.

kopasiak commented 3 years ago

@tianon Then let me ask the question differently. Do you have anywhere documented the list of GPL components that you are distributing in the Docker image and the compliance process done for GPL v2 and v3?

Based on the feedback that we received, you don't need to deliver the image to the end customer. It's enough to upload it to Docker Hub or any other publicly available Docker registry to fall under the definition of "distributing", and then any license troll may start chasing you asking for the source code, build scripts, etc.

tianon commented 3 years ago

Source code for the image itself is in this repository (and linked from the Docker Hub page).

License (and in many cases direct source code) information for the software contained in the image is in https://github.com/docker-library/repo-info, which is also linked from the Docker Hub page.

kopasiak commented 3 years ago

Sure, but it's the license and source code of the Dockerfiles, not for example for gnupg or tar, or am I missing something?

So the whole story is that we love your images and use them as base images in ONAP, which is yet another open source project. The challenge is that we are uploading our ready Docker images to a publicly available Nexus instance so that a newcomer may deploy the whole of ONAP without rebuilding a few GB of source code.

The issue is that, based on the lawyers' opinion, uploading a Docker image to a public server is equivalent to distributing it (for free) to the whole world, and in that case we should have the compliance process done for each of those images and for each of the components that exist in the image. It's not an issue for the components that we are adding to the images, but doing that for all the base images that we are using is a little bit challenging, so we wanted to check with you whether anyone in your community is thinking about this, and maybe you have already managed to complete the process for the image that you are distributing via Docker Hub.

tianon commented 3 years ago

If there is software installed via APT (and thus dpkg), apk, or even rpm in images we publish, any information we can automatically get from that package manager is available from https://github.com/docker-library/repo-info (including the scripts used to get that information, so you can adjust/learn from them to suit your own needs).
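As an added illustration of what "information we can automatically get from that package manager" looks like on the Alpine variant discussed in this thread (this is example code, not part of docker-library/python, repo-info, or Alpine): inside a running Alpine-based container apk keeps its installed-package database at `/lib/apk/db/installed`, one `KEY:value` line per field with records separated by a blank line, where `P:` is the package name, `V:` the version and `L:` the license string. The script below parses that format and flags packages whose license expression contains a GPL-3 token. The sample database embedded in it is constructed for the example, and its license strings are illustrative only, not a statement about any real package; the regex that recognises GPL-3 tokens (and deliberately not LGPL-3 or AGPL-3) is likewise this example's own assumption about the spellings that occur in the wild.

```python
"""Flag GPL-3-licensed packages in an Alpine apk installed database.

Added example for the docker-library/python thread; not code from that
repository, from repo-info, or from Alpine.  The record format parsed here
(one "KEY:value" line per field, blank line between records, P: name,
V: version, L: license) is the one apk writes to /lib/apk/db/installed.
"""
import re
import sys
from typing import Dict, List

# Constructed sample database.  Fields other than P/V/L are omitted for
# brevity; the parser ignores anything it does not need.  License values
# are illustrative, not a claim about the real packages.
SAMPLE_DB = """\
P:musl
V:1.2.2-r0
L:MIT

P:gdbm
V:1.19-r0
L:GPL-3.0-or-later

P:readline
V:8.1.0-r0
L:GPL-3.0-or-later

P:busybox
V:1.32.1-r6
L:GPL-2.0-only

P:python3
V:3.9.5-r0
L:PSF-2.0
"""

# Assumed token spellings: "GPL-3.0-only", "GPL-3.0-or-later", "GPL-3.0+",
# plus older short forms "GPL3" / "GPLv3".  Anchored at ^GPL so that
# LGPL-3.0 and AGPL-3.0 do not match.
GPL3_TOKEN = re.compile(r"^GPL-?v?3(\.0)?(-only|-or-later|\+)?$")


def parse_installed_db(text: str) -> List[Dict[str, str]]:
    """Split the apk database into records; each record maps field key -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:                        # ignore malformed lines without a colon
            current[key] = value
    if current:                        # last record may lack a trailing blank line
        records.append(current)
    return records


def license_tokens(expr: str) -> List[str]:
    """Break an SPDX-style expression ("MIT AND (GPL-3.0-only OR X)") into tokens."""
    return [t for t in re.split(r"[\s()]+", expr) if t]


def is_gpl3(expr: str) -> bool:
    """True if any token of the license expression is a GPL-3 identifier."""
    return any(GPL3_TOKEN.match(t) for t in license_tokens(expr))


def license_report(text: str) -> Dict[str, str]:
    """Map package name -> license string for every record in the database."""
    return {r["P"]: r.get("L", "") for r in parse_installed_db(text) if "P" in r}


def gpl3_packages(text: str) -> List[str]:
    """Sorted names of packages whose license expression contains a GPL-3 token."""
    return sorted(name for name, lic in license_report(text).items() if is_gpl3(lic))


if __name__ == "__main__":
    # Usage: python apk_licenses.py [/lib/apk/db/installed]; falls back to the sample.
    db = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DB
    for name, lic in sorted(license_report(db).items()):
        print(f"{name:20s} {lic}")
    print("GPL-3 packages:", ", ".join(gpl3_packages(db)) or "(none)")
```

Run it with no arguments to see the constructed sample, or copy `/lib/apk/db/installed` out of a container (`docker cp`) and pass the path. Note that matching is per token, so a package whose expression is `MIT AND GPL-3.0-only` is flagged while `LGPL-3.0-or-later` or `GPL-2.0-or-later` is not; whether a `GPL-2.0-or-later` component counts for your compliance process is exactly the kind of question the thread defers to counsel.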