notaryproject / notation-hashicorp-vault

HashiCorp Vault provider for Notation
https://notaryproject.dev/
Apache License 2.0

Release Notation HashiCorp Vault plugin 0.1.0 #14

Open FeynmanZhou opened 10 months ago

FeynmanZhou commented 10 months ago

Hi maintainers,

As the majority of the development and testing of the Notation HashiCorp Vault plugin has been completed, it's time to start the v0.1.0 release process for the next step.

Before we start the release process, we will need to revisit the HashiCorp OSS license change tracked in https://github.com/cncf/foundation/issues/617. notation-hashicorp-vault uses the Vault API as a direct dependency.

Looking at the HashiCorp statement and Vault API license file, HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0, as well as Vault API. I assume it is compliant to use Vault API as a dependency in notation-hashicorp-vault.

To make sure we are following a compliant practice before releasing the notation-hashicorp-vault project, I suggest holding off on the release process before Dec 1, 2023 and gathering feedback from the community and CNCF during this period.

If there is no concern from the community and CNCF, we could start the release process on Dec 1, 2023.

cipherboy commented 10 months ago

From what I recall of the license changes, it shouldn't impact our ability to release or test, assuming we stick to code in the SDK/API, which IIRC we did as a best practice. (At least, based on my past reading of that CNCF issue, nobody has had issues getting exceptions for retaining SDK/API dependencies against Vault).

Has the CNCF taken a stance on automated integration testing against Vault?

The issue with the current API and SDK packages was the OpenAPI repo was still immature, so I wouldn't have relied on it for release software... The in-repo API package lacked any typing associated with it and so I'd feel a lot less comfortable releasing that without integration tests than I would one built on OpenAPI.

It looks like it remains beta but MPL, so we could use it once it matures, if we cannot add automated tests now: https://github.com/hashicorp/vault-client-go/blob/main/LICENSE

cipherboy commented 10 months ago

Ah, it looks like my question on integration tests was asked here: https://github.com/cncf/foundation/issues/617#issuecomment-1675842396

AFAICT they're still present, though I am not familiar enough with the CI infra to tell if it's actually used.

So I think we're good.

cipherboy commented 2 months ago

@FeynmanZhou Do you know if there's standard build tooling for the Notation project we can use? Now that OpenBao has completed its first GA release, I can take a stab at a test suite here and we can vet this prior to releasing it.