[License Exception Request] Additional Hashicorp libraries under MPL / MIT #624
Comments
|
#621 may resolve this - we usually try to have projects request these directly because the exceptions sometimes depend on their usecase. Which projects are you requesting these for? |
|
Let me double check with #621 and update the list |
|
@amye In the end I found only 4 modules missing from the exceptions list I am an Antrea maintainer. Only 2 of these 4 are dependencies for Antrea: |
antoninbas
changed the title
|
Thanks @antoninbas for opening this issue, and @amye for helping with Hashicorp exceptions in #294 #297. There are two more dependencies by Dapr project that are not yet exempted (please let me know if I should open a separate issue).
|
Separate are better! (Unfortunately) - it's easier to track usecases; said as we have one giant issue for that. Rationale: If there's something that we need more information on, it's easier to track in different issues. |
|
Thanks, I am not opening the issue for some time because I realized they are not actual dependencies (although a part of go.sum). |
|
@amye is this issue good as it is, or would you rather have me close it in favor of an issue specific to Antrea and the 2 dependencies (out of the 4 above) that we currently use? |
|
@antoninbas @amye Could you confirm? 🙏 |
|
One question came up: Can we confirm these meet the requirements for allowlist?
|
|
@amye These requirements are indeed met for
These require an exception. |
|
It's this part that we need to confirm:
|
That's not generally applicable to Go modules. These are imported and not copied / vendored into the project source tree. If a project does still choose to vendor the dependency for any reason, and make it part of its source tree,
|
|
For the three MPL-2.0 HashiCorp libraries, the CNCF Legal Committee has asked a few clarifying questions. Can you please let us know your thoughts on these?
|
|
@amye Thanks for following up on this. Answers below.
github.com/hashicorp/go-getter: go-getter is a utility library to download resources identified by a URL, from Golang code. It supports a variety of network protocols (HTTP, cloud object storage such as S3, Git, etc.) and provides useful functionality associated with downloading files, such as checksum verification and download progress tracking. github.com/hashicorp/go-safetemp: go-safetemp is a utility library providing functions for working safely with temporary files and directories. In practice, it consists of a single public function which wraps github.com/hashicorp/memberlist: memberlist is a Golang package implementing a gossip-based membership protocol, with member failure detection. This is useful for building a distributed system where different nodes form a cluster, and each node needs to be aware of all the other active / live nodes in the cluster, assuming that eventual consistency is acceptable for the system ("nodes" and "cluster" here are used in the context of a generic distributed system, and not as K8s terminology). Project Antrea uses this package to implement a feature which requires different K8s Nodes to agree (eventually) on which Node is responsible for a specific network resource.
Yes, this is an accurate statement. See the full list of their hashicorp dependencies below.
|
|
hi, any update? |
|
The CNCF Governing Board has approved this exception request in a July vote. |
Some of the projects being used without an exception by CNCF projects (I may have missed some):
github.com/hashicorp/go-getter(MPL)github.com/hashicorp/go-msgpack(MIT license for this one)github.com/hashicorp/go-safetemp(MPL)github.com/hashicorp/memberlist(MPL)The references are not exhaustive of course.
The text was updated successfully, but these errors were encountered: