Sig-release: [Umbrella] License Auditing & Remediation

Created on 15 Jul 2018 · 22 Comments · Source: kubernetes/sig-release

This is an umbrella issue to carry out licensing tasks requested by the CNCF and Steering Committee.

  • [ ] Draft license audit policies for SIG Release
  • [ ] File issues / PRs with [sub]projects to fix their licensing issues (list from @swinslow):

    • [ ] (@nikhita) The component github.com/heketi/heketi is used in four repos. Heketi uses a mix of licenses, but the main issue is that files in heketi/pkg/utils/ can only be used under LGPL-3.0 or GPL-2.0, both of which are likely problematic here. Can the files in heketi/pkg/utils/ be removed, or replaced with an alternative library under a more permissive license?

      The repos are: ~kubernetes~ (fixed in https://github.com/kubernetes/kubernetes/pull/70811), minikube, autoscaler/cluster-autoscaler, and contrib/rescheduler

    • [ ] (@BenTheElder (test-infra) / @justinsb (kops)) There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

      The repos are: cloud-provider-aws, federation, ~kops~ (fixed in https://github.com/kubernetes/kops/pull/6019), and ~test-infra~ (fixed in kubernetes/test-infra#8979)

    • [ ] (@justaugustus) The component github.com/juju/ratelimit is under LGPL-3.0 with a linking exception. It was replaced in the main kubernetes repo in #38320 to use golang.org/x/time/rate instead. juju/ratelimit is still present in several other kubernetes repos; can these be similarly updated to the alternate library?

      The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, scale-demo and service-loadbalancer), dashboard, dns, federation, frakti, heapster, kompose, kube-deploy, node-problem-detector, perf-tests, and test-infra.

    • [ ] (@justaugustus) The component gopkg.in/yaml.v2 used to have the same LGPL-3.0 license, but has now been updated in the kubernetes repo to a newer version with Apache-2.0. Several other repos still use the old version under LGPL-3.0; can these also be updated?

      The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, podex, scale-demo and service-loadbalancer), dashboard, federation, heapster, kube-deploy, node-problem-detector, perf-tests, publishing-bot and test-infra.

    • [ ] In minikube, there is a config file which states that it is part of systemd and is under LGPL-2.1. Most of the file is commented out. Is it necessary to distribute this file, or could it be obtained by the downstream user separately (along with systemd, which I assume we aren't distributing)?

    • [ ] In kops, /hooks/nvidia-bootstrap/README.md says that "Using this hook indicates that you agree to" a non-OSS license from NVIDIA. Is this intended to refer to software separately installed by the Dockerfile, rather than code in the kops repo itself? If so, I may propose a tweak to the language here.

    • [x] (@nikhita) In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically? - https://github.com/kubernetes/kubernetes/pull/66233

    • [x] (@nikhita) In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0? - https://github.com/kubernetes-client/javascript/pull/61

  • [x] Close out k/steering issue

ref:
[1] https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/L2KnInDBAgAJ

cc: @philips @swinslow

/assign
/sig release
/committee steering

Labels: committee/steering, lifecycle/frozen, priority/important-longterm, sig/release

All 22 comments

In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0?

The typescript client is deprecated and doesn't contain the Unlicense package.json file. The typescript client is replaced by the javascript client.

Created a PR against the javascript repo: https://github.com/kubernetes-client/javascript/pull/61

In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically?

Created a PR against k/k: https://github.com/kubernetes/kubernetes/pull/66233

Email update to steering + sig-release + sig-contribex: https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/sH8W-uwwAAAJ

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

I've taken care of this for test-infra. https://github.com/kubernetes/test-infra/pull/8979

@bentheelder -- thanks for knocking another one off the list!

quick update on heketi: Have asked the maintainers if they could update the license (instead of us updating our code) since it could have been a side-effect of a wholesale licensing change - https://github.com/heketi/heketi/issues/1279.

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

This still needs to be fixed for cloud-provider-aws, federation and kops. Thanks for taking care of test-infra, @BenTheElder! :+1:

/assign

https://github.com/kubernetes/kops/pull/6019 cleans up the license files that dep added in kops.

@justaugustus please mark the github.com/heketi/heketi item as done

@dims -- we need to leave that as incomplete until the issue is also resolved for minikube, autoscaler/cluster-autoscaler, and contrib/rescheduler. I'll strikethrough the k/k one though.

Fyi: The following repos did not have the LICENSE file. I have created PRs to add them:

I have created https://github.com/kubernetes/community/pull/3231 to add the list of whitelisted licenses to k/community.

Planning to update this list and break out the relevant items into separate issues this cycle.

/area licensing
/priority important-longterm
/milestone v1.15

Mentioned on the Community meeting last week that @nikhita will be managing the Licensing subproject to give me an opportunity to focus on building out the Release Engineering subproject.

/unassign

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/lifecycle frozen

On Wed, Apr 29, 2020 at 11:16 AM fejta-bot notifications@github.com wrote:

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually
close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta
https://github.com/fejta.
/lifecycle stale


/close

let's please open fresh issues for things we need to do.

@dims: Closing this issue.

In response to this:

/close

let's please open fresh issues for things we need to do.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
