mojaloop / design-authority-project

This is the Issue and Decision Log for tracking mojaloop and related Designs

Failures on CI-CD builds due to Blue Oak License on License Checks #101

Closed mdebarros closed 1 year ago

mdebarros commented 1 year ago

Request Summary:

Several CI-CD builds are failing License Scanner checks against the Mojaloop "allowedList" due to the introduction of a new license, Blue Oak v1.0.0, in Mojaloop's underlying dependencies.

Here is an example of the [SDK-Scheme-Adapter] --> https://app.circleci.com/pipelines/github/mojaloop/sdk-scheme-adapter/2670/workflows/8a0e2fb0-ff1a-49d3-affb-a3fcac5e7cb0/jobs/19235

It seems to be impacting several key dependencies, specifically glob and also npm-check-updates. However, since this impacts a dependency like glob, it is more than likely that this issue will impact other dependencies going forward.

Request Details:

We have a couple of options here:

  1. Add the Blue Oak license to the Mojaloop License Scanner "allowedList", assuming the license is compatible with Apache 2.0 (which I believe it is, as it is a permissive license)
  2. Downgrade dependencies to versions not impacted by this License issue <-- Note: this approach is currently being taken as a workaround. (Example of this done in Yarn: https://github.com/mojaloop/sdk-scheme-adapter/commit/f7022afdc5629882007403aa05bdc557a24a0573; similarly this can be done on npm using overrides.)
  3. Find alternative dependencies that do not rely on the Blue Oak license <-- this may only be possible in some cases

**Artifacts**:
- [Blue Oak v1.0.0 License](https://blueoakcouncil.org/license/1.0.0)
- [Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0)

**Dependencies**:
- n/a

### **Accountability**:
- **Owner:**
- **Raised By:** @mdebarros

## **Decision(s)**:
- **Approved By:**

### Details
- [ ] Actual decision made as a result of discussion

## **Follow-up**:
- [ ] Actions to implement the decisions
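For readers who want to see what an "allowedList" license check actually does, and why a single transitive dependency relicensing to Blue Oak breaks the build, here is a small, self-contained check added to this page. It is example code written for this thread, not the mojaloop license-scanner-tool or any Mojaloop project code. The dependency records and the allowlist contents are constructed for illustration (the `glob` version and the other package names are placeholders, not claims about real packages). It evaluates SPDX expressions the way a scanner should: an `OR` passes if any alternative is allowed, an `AND` only if every part is, and a package with no declared license fails closed.

```javascript
// Minimal license allowlist check, in the spirit of a CI license scanner.
// Example code written for this page; NOT the mojaloop license-scanner-tool.

// Allowlist of SPDX identifiers the project accepts (constructed for this example).
const ALLOWED_LICENSES = new Set([
  "MIT", "ISC", "0BSD", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "CC0-1.0", "Unlicense",
]);

// Constructed dependency tree: names, versions and licenses are placeholders.
const SAMPLE_DEPENDENCIES = [
  { name: "glob", version: "x.y.z", license: "BlueOak-1.0.0" },
  { name: "minimatch", version: "x.y.z", license: "ISC" },
  { name: "dual-licensed-lib", version: "x.y.z", license: "(MIT OR GPL-3.0-only)" },
  { name: "conjunctive-lib", version: "x.y.z", license: "(Apache-2.0 AND BlueOak-1.0.0)" },
  { name: "undeclared-lib", version: "x.y.z", license: undefined },
];

// Split an SPDX expression into parentheses and bare tokens.
function tokenize(expr) {
  return expr.match(/\(|\)|[^\s()]+/g) || [];
}

// Recursive-descent evaluation of an SPDX expression against the allowlist.
// "X WITH Exception" is kept as one identifier, so it must be allowed verbatim.
function isAllowed(expr, allowed) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseFactor() {
    const tok = next();
    if (tok === undefined) throw new Error(`unexpected end of expression: ${expr}`);
    if (tok === "(") {
      const v = parseExpr();
      if (next() !== ")") throw new Error(`missing ')' in: ${expr}`);
      return v;
    }
    let id = tok;
    if (peek() === "WITH") { next(); id = `${id} WITH ${next()}`; }
    return allowed.has(id);
  }
  function parseTerm() {
    let v = parseFactor();
    // Evaluate the right side first so tokens are always consumed (no short-circuit).
    while (peek() === "AND") { next(); v = parseFactor() && v; }
    return v;
  }
  function parseExpr() {
    let v = parseTerm();
    while (peek() === "OR") { next(); v = parseTerm() || v; }
    return v;
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error(`trailing tokens in: ${expr}`);
  return result;
}

// Return one violation record per dependency that does not pass the allowlist.
// Missing or unparseable license fields fail closed: they are violations too.
function checkLicenses(deps, allowed) {
  const violations = [];
  for (const dep of deps) {
    const base = { name: dep.name, version: dep.version, license: dep.license };
    if (!dep.license) {
      violations.push({ ...base, reason: "no license declared" });
      continue;
    }
    let ok;
    try {
      ok = isAllowed(dep.license, allowed);
    } catch (err) {
      violations.push({ ...base, reason: `unparseable license expression: ${err.message}` });
      continue;
    }
    if (!ok) violations.push({ ...base, reason: "not in allowedList" });
  }
  return violations;
}

// Option 1 from the thread: extend the allowlist with BlueOak-1.0.0.
function withBlueOak(allowed) {
  return new Set([...allowed, "BlueOak-1.0.0"]);
}

// Before: glob and conjunctive-lib fail on BlueOak; undeclared-lib fails closed.
console.log("before:", checkLicenses(SAMPLE_DEPENDENCIES, ALLOWED_LICENSES).map((v) => v.name));
// After adding BlueOak-1.0.0: only the undeclared license remains a violation.
console.log("after:", checkLicenses(SAMPLE_DEPENDENCIES, withBlueOak(ALLOWED_LICENSES)).map((v) => v.name));
```

Option 2 in the thread (pinning transitive dependencies to a pre-relicense version via Yarn `resolutions` or npm `overrides`) changes the input to this check rather than the allowlist; it keeps the build green but leaves the project on a frozen version of the dependency, so it is a stopgap rather than a fix.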
elnyry-sam-k commented 1 year ago

Thanks @mdebarros and the DA team.

After consultation with legal experts (by Paula H) and the Blue Oak team, we've been given the recommendation to go ahead with adding this license to the "allow / approved list". Thanks to Paula for helping resolve this quickly.

mdebarros commented 1 year ago

> Thanks @mdebarros and the DA team.
>
> After consultation with legal experts (by Paula H) and the Blue Oak team, we've been given the recommendation to go ahead with adding this license to the "allow / approved list". Thanks to Paula for helping resolve this quickly.

Great to hear! :D/

Thanks to you, Paula and co for getting an answer on this!

mdebarros commented 10 months ago

Follow-up PR to add BlueOak to the allowedlist --> https://github.com/mojaloop/license-scanner-tool/pull/26