Open liggitt opened 1 year ago
Yeah, this needs to be changed in rekor / cosign. Probably a bump to cosign v2 may already fix that problem.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
Looks like we still have this transitive dependency.
/remove-lifecycle stale
/remove-lifecycle stale
/remove-lifecycle stale
I still see this dep, which gets pulled transitively into other repos by way of dependency on release-sdk.
We should consider splitting out cosign or something, if we can't resolve this on their end.
We still use this dependency: https://cs.k8s.io/?q=github.com%2Fhashicorp%2Fgo-retryablehttp&i=nope&files=go.mod&excludeFiles=vendor&repos=
/remove-lifecycle stale
What happened:
Cannot build release-sdk commands without pulling in MPL-licensed projects not in the CNCF allowlist.
go mod why github.com/hashicorp/go-retryablehttp
shows this path to github.com/hashicorp/go-retryablehttp, which is MPL-licensed and not included in the CNCF allowlist:
https://github.com/cncf/foundation/blob/main/license-exceptions/
https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
https://github.com/cncf/foundation/issues/138
What you expected to happen:
No dependencies on MPL-licensed projects not explicitly allowlisted
How to reproduce it (as minimally and precisely as possible):
Run
go mod vendor
to see the code actually used/linked by release-sdk, and observe that go-retryablehttp code is required to build.
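As an added example (not code from this issue, from release-sdk or from cosign), a Go check that rebuilds the import chain `go mod why` reports from `go mod graph` output, so a CI job can fail while a module outside the allowlist is still reachable transitively; the graph lines, module paths and versions below are constructed placeholders modelling the release-sdk -> cosign -> go-retryablehttp chain the thread describes.

```go
package main

import "strings"

// Constructed `go mod graph` output (not real; versions are placeholders) modelling
// the chain from the issue: release-sdk -> cosign -> go-retryablehttp.
const SampleGraph = `sigs.k8s.io/release-sdk github.com/sigstore/cosign@v1.0.0-example
sigs.k8s.io/release-sdk github.com/spf13/cobra@v1.0.0-example
github.com/sigstore/cosign@v1.0.0-example github.com/hashicorp/go-retryablehttp@v0.1.0-example
github.com/sigstore/cosign@v1.0.0-example github.com/go-openapi/runtime@v0.1.0-example
`

// ParseGraph turns `go mod graph` lines ("from to") into an adjacency list,
// dropping @version suffixes so modules compare by path.
func ParseGraph(out string) map[string][]string {
	deps := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		from := strings.SplitN(f[0], "@", 2)[0]
		to := strings.SplitN(f[1], "@", 2)[0]
		deps[from] = append(deps[from], to)
	}
	return deps
}

// WhyPath is a BFS from root to target returning the shortest import chain
// (the path `go mod why` reports); nil means target is not pulled in.
func WhyPath(deps map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range deps[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

In CI, feed it the real `go mod graph` output and the list of modules outside the CNCF allowlist; a non-nil chain means the vendor tree will still contain that code.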