update_licenses should still run when repos don't have vendor folder

[dprotaso]

see discussion here: https://github.com/knative/pkg/pull/2810#discussion_r1319110291

Caused by #311

[dprotaso]

/assign @cardil

[cardil]

I don't agree this is required. There is no such requirement anywhere in CNCF docs.

See either https://github.com/cncf/foundation/blob/main/charter.md#11-ip-policy and https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md

Both docs focus on license use and checking. None of them refers to a need to embedding the deps license in a specific folder, nor in a container.

[dprotaso]

This has been the practice of the project since it's inception. The requirements were coming from Google's OSPO office. I opened a CNCF request months back to see if we should continue it.

Also the update_licenses checks also ensures we don't pull in GPL code etc.

Whether we change this practice should be a separate discussion from vendoring dependencies.

[cardil]

@dprotaso: Also the update_licenses checks also ensures we don't pull in GPL code etc.

We still run that check, within the presubmit build test: https://github.com/knative/hack/blob/0bb79ff2d16224e9e3d689d4651066142831eb21/presubmit-tests.sh#L157

[upodroid]

We should keep the checks for forbidden licenses but drop the licenses being published to third_party folder

[cardil]

@upodroid We should keep the checks for forbidden licenses but drop the licenses being published to third_party folder

Exaclly what https://github.com/knative/hack/pull/311 did.

[dprotaso]

There is no such requirement anywhere in CNCF docs.

See either https://github.com/cncf/foundation/blob/main/charter.md#11-ip-policy and https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md

We have MPL in some repos - given that the CNCF Allowlist License Policy states

It is stored unmodified in a designated third-party folder; AND

Again - I'm not saying we shouldn't change what we are doing. I'm stating let's separate this from the 'vendorless' work

[upodroid]

Hmm, that is an important detail we missed

[cardil]

@dprotaso We have MPL in some repos - given that the CNCF Allowlist License Policy states

It is stored unmodified in a designated third-party folder; AND

Doesn't that section says that the whole third-party component should be kept in the third-party folder, not just the license?

[cardil]

However, looking at some of the graduated CNCF projects, it's hard to find the third-party folder like ours (from https://landscape.cncf.io/card-mode):

• https://github.com/etcd-io/etcd
• https://github.com/istio/istio
• https://github.com/coredns/coredns
• https://github.com/envoyproxy/envoy (has the third-party folder to hold some Android C header files)
• https://github.com/argoproj/argo-cd
• https://github.com/kedacore/keda
• https://github.com/fluent/fluentd
• https://github.com/prometheus/prometheus

I did find only the https://github.com/kubernetes/kubernetes actually holds some third-party components in a designated folder (not only the LICENSE files)

[dprotaso]

We keep going back and forth. My point here is let's not deviate from what we are currently doing without a discussion at the TOC level - since this impacts all subgroups. This is a separate discussion from vendorless work

So let's continue our license disclosure practice until we have consensus at that level.

Thus let's

1. Fix the hack script to continue to call update_licenses (this issue)
2. Create a new community issue regarding the license disclosure practice
3. Bring it up with the TOC

[cardil]

Moving this issue to knative/hack

[evankanderson]

To provide additional context, this was original implemented to meet the second clause of the BSD 2-clause license:

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

By embedding the license in the container image, people who received the OCI image (for example, by pulling from a repo which the image had been cloned to) would also receive a copy of the license, which would trivially satisfy "reproduce the above copyright notice". Since I'm not a lawyer, I'm not going to venture whether this was an overly-restrictive reading of this clause. (This also similarly trivially satisfies the MIT requirement of including a liability disclaimer notice.)

[dprotaso]

I'm going to move my question to a public cncf foundation issue - it probably shouldn't be a service desk issue.

[dprotaso]

https://github.com/cncf/foundation/issues/642

[cardil]

@dprotaso I've opened the issue you mention: https://github.com/knative/community/issues/1441