[Umbrella] License Auditing & Remediation #223

Closed
3 of 11 tasks
justaugustus opened this issue Jul 14, 2018 · 22 comments
Assignees
Labels
committee/steering Denotes an issue or PR intended to be handled by the steering committee. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/release Categorizes an issue or PR as relevant to SIG Release.
Milestone

Comments

@justaugustus
Member

justaugustus commented Jul 14, 2018

This is an umbrella issue to carry out licensing tasks requested by the CNCF and Steering Committee.

  • Draft license audit policies for SIG Release
  • File issues / PRs with [sub]projects to fix their licensing issues (list from @swinslow):
    • (@nikhita) The component github.com/heketi/heketi is used in four repos. Heketi uses a mix of licenses, but the main issue is that files in heketi/pkg/utils/ can only be used under LGPL-3.0 or GPL-2.0, both of which are likely problematic here. Can the files in heketi/pkg/utils/ be removed, or replaced with an alternative library under a more permissive license?
      The repos are: kubernetes (fixed in Update heketi dependencies to sha@558b29266ce0a873991ecfb3edc41a668a998514 kubernetes#70811), minikube, autoscaler/cluster-autoscaler, and contrib/rescheduler
    • (@BenTheElder (test-infra) / @justinsb (kops)) There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?
      The repos are: cloud-provider-aws, federation, kops (fixed in Prune some license files that dep added kops#6019), and test-infra (fixed in remove unused vendor/github.com/docker/docker/contrib test-infra#8979)
    • (@justaugustus) The component github.com/juju/ratelimit is under LGPL-3.0 with a linking exception. It was replaced in the main kubernetes repo in #38320 to use golang.org/x/time/rate instead. juju/ratelimit is still present in several other kubernetes repos; can these be similarly updated to the alternate library?
      The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, scale-demo and service-loadbalancer), dashboard, dns, federation, frakti, heapster, kompose, kube-deploy, node-problem-detector, perf-tests, and test-infra.
    • (@justaugustus) The component gopkg.in/yaml.v2 used to have the same LGPL-3.0 license, but has now been updated in the kubernetes repo to a newer version with Apache-2.0. Several other repos still use the old version under LGPL-3.0; can these also be updated?
      The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, podex, scale-demo and service-loadbalancer), dashboard, federation, heapster, kube-deploy, node-problem-detector, perf-tests, publishing-bot and test-infra.
    • In minikube, there is a config file which states that it is part of systemd and is under LGPL-2.1. Most of the file is commented out. Is it necessary to distribute this file, or could it be obtained by the downstream user separately (along with systemd, which I assume we aren't distributing)?
    • In kops, /hooks/nvidia-bootstrap/README.md says that "Using this hook indicates that you agree to" a non-OSS license from NVIDIA. Is this intended to refer to software separately installed by the Dockerfile, rather than code in the kops repo itself? If so, I may propose a tweak to the language here.
    • (@nikhita) In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically? - translations: point license header to Kubernetes kubernetes#66233
    • (@nikhita) In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0? - node-client/src: change license from Unlicense to Apache-2.0 kubernetes-client/javascript#61
  • Close out k/steering issue

ref:
[1] https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/L2KnInDBAgAJ

cc: @philips @swinslow

/assign
/sig release
/committee steering

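A worked check for the two kinds of finding listed above: copyleft license text inside a vendored component (the heketi/pkg/utils case) and a LICENSE file sitting in a directory tree that holds no source at all (the docker/docker contrib/selinux-* case). This is an added example, not code from the Kubernetes project or this issue; the allow-list, the license fingerprints and the sample tree it builds are constructed assumptions.

```python
"""Constructed vendor-tree license audit; not code from the Kubernetes project."""
import os, re, tempfile
from pathlib import Path
PERMISSIVE = {"Apache-2.0", "MIT"}  # assumed allow-list for SIG Release
CODE_EXT = {".go", ".c", ".h", ".js", ".ts", ".py", ".sh"}
# Header phrases from canonical texts; LGPL first so plain GPL cannot shadow it.
_PATTERNS = [
    ("LGPL-3.0", r"GNU LESSER GENERAL PUBLIC LICENSE\s+Version 3"),
    ("GPL-2.0", r"GNU GENERAL PUBLIC LICENSE\s+Version 2"),
    ("Apache-2.0", r"Apache License\s+Version 2\.0"),
    ("MIT", r"Permission is hereby granted, free of charge"),
]

def classify_license(text):
    """Return an SPDX-style id for license text, or 'UNKNOWN'."""
    for spdx, pat in _PATTERNS:
        if re.search(pat, text, re.I):
            return spdx
    return "UNKNOWN"

def audit_vendor(root):
    """Sorted (dir, finding) pairs: copyleft/unknown text, or LICENSE with no code."""
    findings, dirs_with_code = [], set()
    for dirpath, subdirs, files in os.walk(root, topdown=False):  # children first
        if any(os.path.splitext(f)[1] in CODE_EXT for f in files) or \
           any(os.path.join(dirpath, d) in dirs_with_code for d in subdirs):
            dirs_with_code.add(dirpath)
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in (f for f in files if f.upper().startswith(("LICENSE", "COPYING"))):
            spdx = classify_license(Path(dirpath, name).read_text(errors="replace"))
            if spdx not in PERMISSIVE:
                findings.append((rel, f"{name}: {spdx} not in allow-list"))
            if dirpath not in dirs_with_code:
                findings.append((rel, f"{name}: no source code under directory"))
    return sorted(findings)

def build_sample_tree():
    """Write a constructed tree with short stand-in license texts to a temp dir."""
    root = tempfile.mkdtemp()
    for path, body in {
        "x/time/LICENSE": "Apache License\nVersion 2.0, January 2004",
        "x/time/rate.go": "package rate",
        "heketi/pkg/utils/LICENSE": "GNU LESSER GENERAL PUBLIC LICENSE\nVersion 3",
        "heketi/pkg/utils/utils.go": "package utils",
        "docker/contrib/selinux-x/LICENSE": "GNU GENERAL PUBLIC LICENSE\nVersion 2",
    }.items():
        p = Path(root, *path.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Run `audit_vendor(build_sample_tree())` to see the LGPL hit for heketi/pkg/utils and both findings for the code-less selinux directory, while the Apache-licensed package produces nothing.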
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. committee/steering Denotes an issue or PR intended to be handled by the steering committee. labels Jul 14, 2018
@nikhita
Member

nikhita commented Jul 16, 2018

In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0?

The typescript client is deprecated and doesn't contain the Unlicense package.json file. The typescript client is replaced by the javascript client.

Created a PR against the javascript repo: kubernetes-client/javascript#61

@nikhita
Member

nikhita commented Jul 16, 2018

In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically?

Created a PR against k/k: kubernetes/kubernetes#66233

@justaugustus
Member Author

Email update to steering + sig-release + sig-contribex: https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/sH8W-uwwAAAJ

@BenTheElder
Member

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

I've taken care of this for test-infra. kubernetes/test-infra#8979

@justaugustus
Member Author

@BenTheElder -- thanks for knocking another one off the list!

@nikhita
Member

nikhita commented Aug 12, 2018

quick update on heketi: Have asked the maintainers if they could update the license (instead of us updating our code) since it could have been a side-effect of a wholesale licensing change - heketi/heketi#1279.

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

This still needs to be fixed for cloud-provider-aws, federation and kops. Thanks for taking care of test-infra, @BenTheElder! 👍

@nikhita
Member

nikhita commented Aug 12, 2018

/assign

sigma added a commit to sigma/kubernetes that referenced this issue Aug 15, 2018
This change makes use of github.com/sigma/heketi branch k8s-standalone, which is
a stripped down, k8s-specific version of github.com/heketi/heketi with:
- only useful client-code, which sidesteps the issue of heketi improperly
  vendoring k8s (which prevents vgo from working, see kubernetes#65683)
- uses only Apache 2 licensed code (which addresses partially
  kubernetes/sig-release#223)

For details, see
sigma/heketi@d481979
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Aug 23, 2018
Automatic merge from submit-queue (batch tested with PRs 59230, 66233, 67483, 67713). If you want to cherry-pick this change to another branch, please follow the instructions at https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

translations: point license header to Kubernetes

Part of kubernetes/sig-release#223 and kubernetes/steering#57 (point 7):

> In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically?

/cc justaugustus swinslow
/assign justaugustus brendandburns

**Release note**:

```release-note
NONE
```
justinsb added a commit to justinsb/kops that referenced this issue Oct 30, 2018
Dep apparently decided to add some license files for packages that we
aren't using, which is particularly irksome because the license is
GPL.  Remove those packages so that there's no confusion.

Issue kubernetes/sig-release#223
@justinsb
Member

kubernetes/kops#6019 cleans up the license files that dep added in kops.

@dims
Member

dims commented Nov 13, 2018

@justaugustus please mark the github.com/heketi/heketi item as done

@justaugustus
Member Author

Planning to update this list and break out the relevant items into separate issues this cycle.

/area licensing
/priority important-longterm
/milestone v1.15

@k8s-ci-robot k8s-ci-robot added this to the v1.15 milestone May 1, 2019
@k8s-ci-robot k8s-ci-robot added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label May 1, 2019
@justaugustus
Member Author

Mentioned on the Community meeting last week that @nikhita will be managing the Licensing subproject to give me an opportunity to focus on building out the Release Engineering subproject.

/unassign

@idealhack idealhack modified the milestones: v1.15, v1.16 Aug 3, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 1, 2019
@nikhita
Member

nikhita commented Nov 1, 2019

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 1, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2020
@markjacksonfishing
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 29, 2020
@nikhita
Member

nikhita commented Apr 29, 2020 via email

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 29, 2020
@dims
Member

dims commented Jan 13, 2021

/close

let's please open fresh issues for things we need to do.

@k8s-ci-robot
Contributor

@dims: Closing this issue.

In response to this:

/close

let's please open fresh issues for things we need to do.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
