Closed BlaineEXE closed 1 year ago
@BlaineEXE thank you for raising this issue! It's good to know we have others using this package. We definitely would like to move away from the BUSL-1.1 dependency.
We'd happily review a PR if you send it our way. While this repo doesn't get much activity, we use it extensively.
Please request review from myself and @dahuang-purestorage, and @adityadani. I am available on k8s slack with the same username if you have any questions or need to ping for a review.
The libopenstorage/secrets library uses Vault code that is under the business source license (BUSL-1.1). This license prohibits using Hashicorp's code in any "competing products" in production. Hashicorp has kept the definition of what constitutes a competing product vague, meaning that usage of BUSL-1.1 licensed code in production could be high risk. More info: https://infisical.com/blog/hashicorp-new-bsl-license
This dependency is codified in this repo in the following 2 lines. https://github.com/libopenstorage/secrets/blob/efe55db6c349bba256c8b5868af17062a64031b9/vault/utils/utils.go#L16-L17
github.com/hashicorp/vault/command is part of the Vault primary application that is BUSL-1.1 licensed. The Vault API (github.com/hashicorp/vault/api) is licensed under the open source Mozilla MPL-2.0 license.
I can make the changes to libopenstorage/secrets to use the API methods for auth (MPL-2.0) rather than the command methods (BUSL-1.1), but I am concerned that this repository does not have many regular contributors. I would like some assurance before I begin this work that someone is interested in reviewing and merging my pull request before I begin.
The alternative is that the project I am working on (Rook - https://github.com/rook/rook) will stop using libopenstorage/secrets and begin using the Vault API directly, which we don't prefer.
I see that @dahuang-purestorage @arivankar-px and @fmilichovsky are the last 3 contributors to successfully have a PR merged, with @piyush-nimbalkar @ggriffiths and @adityadani providing approving reviews. Could any of you provide review and merge support for my work, assuming it meets your repo's quality guidelines within the next 2 weeks?
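A check that could guard against this dependency returning after the migration, as an added example that is not part of the issue or of the libopenstorage/secrets code base: it parses a Go file's imports and flags any that fall under the Vault main module outside the API tree. The function name `FlagVaultImports`, the sample file and the `vault-lookalike` import path are constructed for illustration, and the license split encoded in the constants is the one stated in the issue.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

const (
	vaultRoot = "github.com/hashicorp/vault" // main module: BUSL-1.1 per the issue
	vaultAPI  = vaultRoot + "/api"           // API packages: MPL-2.0 per the issue
)

// under reports whether path is pkg itself or one of its subpackages.
// Matching on "pkg/" keeps sibling modules such as vault-foo out of scope.
func under(path, pkg string) bool {
	return path == pkg || strings.HasPrefix(path, pkg+"/")
}

// FlagVaultImports returns the imports in one Go source file that resolve
// into the Vault main module but not into its API tree.
func FlagVaultImports(name, src string) ([]string, error) {
	// ImportsOnly stops after the import block, so file bodies are never parsed.
	f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var flagged []string
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil || !under(path, vaultRoot) || under(path, vaultAPI) {
			continue // unrelated import, lookalike module, or the allowed API tree
		}
		flagged = append(flagged, path)
	}
	return flagged, nil
}

// Constructed sample input; not the contents of vault/utils/utils.go.
const sample = `package utils
import (
	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/command"
	"github.com/hashicorp/vault-lookalike/pkg"
)`

func main() { fmt.Println(FlagVaultImports("sample.go", sample)) }
```

Run over every `.go` file in a repository as a CI step, a non-empty result fails the build before a BUSL-1.1 import reaches a release.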