go modules: Allowlist specific hashicorp modules #1595
/cc @maya-r
I wonder what happened to our fossa lanes, which seem to be deactivated for kubevirt/kubevirt; they served this purpose but more widely: they tested the licenses of all our modules. (However, I am not opposed to a list of allowed modules.)
Print all errors at once
module=$(echo "$line" | cut -d ' ' -f 1) | ||
if [[ $module == github.com/hashicorp/* ]]; then | ||
if ! [[ " ${allowed_hashicorp_modules[*]} " == *" $module "* ]]; then | ||
echo "found non whitelisted hashicorp module: $module" |
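Review bot: the whole-token match in `if ! [[ " ${allowed_hashicorp_modules[*]} " == *" $module "* ]]` depends on `${allowed_hashicorp_modules[*]}` being joined with spaces, i.e. on the first character of IFS being a space at that point; if the enclosing read loop uses the common `while IFS= read -r line` idiom, the join collapses and every hashicorp module is reported as not allowlisted. Comparing against `"${allowed_hashicorp_modules[@]}"` element by element, or piping the array through `grep -qxF "$module"`, removes the dependence on IFS.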
echo "found non whitelisted hashicorp module: $module" | |
echo "found non allowlisted hashicorp module: $module" |
done < go.sum | ||
if [[ $error_found == true ]]; then | ||
echo "non whitelisted hashicorp modules found. exiting with error" |
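Review bot: `done < go.sum` makes the check cover every module go.sum records, which includes transitive dependencies and can include entries for modules that are no longer in the build graph, so it is broader than the direct dependencies the thread discusses; if that breadth is intended, state it in the failure message, otherwise derive the module list from `go list -m all` (or the non-indirect `require` entries of go.mod) instead of reading go.sum directly.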
echo "non whitelisted hashicorp modules found. exiting with error" | |
echo "non 03589504 hashicorp modules found. exiting with error" |
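Review bot: the suggested replacement `echo "non 03589504 hashicorp modules found. exiting with error"` does not read as a word; the other suggestions in this review use `allowlisted`, so this line presumably should as well.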
Please include reasoning why we cannot allow any unlisted modules. And also what should be done to resolve the issue (review the licensing and either add it to the list or use a different library)
It is in the commit message, self-explanatory, isn't it?
Will add if you prefer, of course.
This commit creates a github action which allowlists them.
Any other module of hashicorp will be rejected, and will need
to be manually examined if it uses MPL (or other non restrictive license)
or BSL.
When the check fails on my PR, I will not be looking for the PR that added the check. I would like the message on my PR to tell me what I should do to get it merged.
done :)
echo "non whitelisted hashicorp modules found. exiting with error" | ||
exit 1 | ||
fi | ||
echo "All hashicorp modules are whitelisted" |
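Review bot: `exit 1` is reached only after the loop has reported every offender, which satisfies the "print all errors at once" request; the failure branch before it should also name the remediation (review the module's license, then extend the allowlist or swap the library), and the final `echo "All hashicorp modules are whitelisted"` should say which scope was checked so a reader knows whether transitive modules were covered.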
echo "All hashicorp modules are whitelisted" | |
echo "All included hashicorp modules are allowlisted" |
Due to [1] we need to make sure not to use BSL modules.
Luckily the current ones we use have not changed.
The ones that are not changed are SDK/API and general Go libraries.
"HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0." [1] [2]
This commit creates a github action which allowlists them.
Any other module of hashicorp will be rejected, and will need to be manually examined if it uses MPL (or other non restrictive license) or BSL.
[1] https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
[2] cncf/foundation#617 (comment)
Signed-off-by: Or Shoval <oshoval@redhat.com>
Thanks
@oshoval: The following test failed, say
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: phoracek The full list of commands accepted by this bot can be found here. The pull request process is described here
Thanks,
Not sure it's worth it, but it will allow central changes, which is nice.
I would vote to just copy it. It would be simpler and it would keep those repos independent.
It seems MPL2 needs to be in the exception list [1], [2], but we need to do so only for the direct dependencies (BenTheElder raised it, and also on [1]). Still not sure about those; monitoring the decisions of kubevirt maintainers.
[1] cncf/foundation#617 (comment)
What this PR does / why we need it:
Due to [1] we need to make sure not to use BSL modules.
Luckily the current ones we use have not changed.
The ones that are not changed are SDK/API and general Go libraries.
"HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0." [1] [2]
This commit creates a github action which whitelists them.
Any other module of hashicorp will be rejected,
and will need to be manually examined if it uses MPL (or other non restrictive license) or BSL.
[1] https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
[2] cncf/foundation#617 (comment)
Special notes for your reviewer:
Release note:
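As an added example, not the PR's workflow script, the following POSIX shell version of the same allowlist check runs offline against constructed go.sum and go.mod content embedded inline; the allowlisted module paths, the versions and the `h1:` hashes are assumptions for the example. It goes one step beyond the PR by offering both scopes the thread debates, every module go.sum records (direct, transitive and possibly stale entries) and only the non-indirect `require` entries of go.mod, and its failure path prints every offender at once together with the remediation the reviewers asked for.

```shell
#!/bin/sh
# Added example (not the PR's workflow script): allowlist check for HashiCorp
# Go modules, runnable offline against constructed go.sum / go.mod content.
set -eu

# Allowlist of HashiCorp module paths, one per line. These entries are
# assumptions for this example, not the PR's actual list.
allowed_hashicorp_modules='github.com/hashicorp/go-version
github.com/hashicorp/hcl'

# Constructed go.sum content (versions and h1: hashes are placeholders).
sample_go_sum='github.com/hashicorp/go-version v1.6.0 h1:PLACEHOLDER=
github.com/hashicorp/go-version v1.6.0/go.mod h1:PLACEHOLDER=
github.com/hashicorp/hcl v1.0.0 h1:PLACEHOLDER=
github.com/hashicorp/vault/api v1.9.2 h1:PLACEHOLDER=
github.com/hashicorp/vault/api v1.9.2/go.mod h1:PLACEHOLDER=
golang.org/x/net v0.17.0 h1:PLACEHOLDER=
'

# Constructed go.mod: vault/api is only pulled in transitively here.
sample_go_mod='module example.com/demo

go 1.20

require (
    github.com/hashicorp/go-version v1.6.0
    github.com/hashicorp/hcl v1.0.0
    github.com/hashicorp/vault/api v1.9.2 // indirect
    golang.org/x/net v0.17.0
)
'

# is_allowed MODULE: exact whole-line match against the allowlist.
is_allowed() {
  printf '%s\n' "$allowed_hashicorp_modules" | grep -qxF -- "$1"
}

# go_sum_modules FILE: every module path go.sum records, de-duplicated
# (the "vX.Y.Z" and "vX.Y.Z/go.mod" lines share the same first field).
# This is the widest scope: direct, transitive, and possibly stale entries.
go_sum_modules() {
  cut -d ' ' -f 1 -- "$1" | sort -u
}

# direct_modules_from_go_mod FILE: require entries not marked "// indirect",
# i.e. the direct-dependencies-only scope discussed in the thread.
direct_modules_from_go_mod() {
  awk '
    /^require \(/    { inblock = 1; next }
    inblock && /^\)/ { inblock = 0; next }
    inblock && $1 !~ /^\/\// && NF >= 2 && !/\/\/ indirect/ { print $1 }
    /^require [^(]/ && !/\/\/ indirect/                      { print $2 }
  ' "$1" | sort -u
}

# non_allowlisted_hashicorp: reads module paths on stdin and prints the
# github.com/hashicorp/* ones that are not on the allowlist.
non_allowlisted_hashicorp() {
  while IFS= read -r module; do
    case "$module" in
      github.com/hashicorp/*) is_allowed "$module" || printf '%s\n' "$module" ;;
    esac
  done
}

# report SCOPE OFFENDERS: prints all offenders at once plus the remediation
# step, returning 1 on failure so a CI job can fail.
report() {
  scope=$1 offenders=$2
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders" | sed 's/^/found non-allowlisted hashicorp module: /'
    echo "non-allowlisted hashicorp modules found ($scope scope)."
    echo "Review each module's license: if it is MPL 2.0 (or another"
    echo "non-restrictive license) add it to the allowlist; if it is BSL, replace it."
    return 1
  fi
  echo "All $scope hashicorp modules are allowlisted"
}

check_all_modules()    { report all    "$(go_sum_modules "$1" | non_allowlisted_hashicorp)"; }
check_direct_modules() { report direct "$(direct_modules_from_go_mod "$1" | non_allowlisted_hashicorp)"; }

# Stand-alone demo over the constructed files; a real workflow would run one
# of the check_* functions on the repository's go.sum / go.mod and exit 1.
demo_dir=$(mktemp -d)
printf '%s' "$sample_go_sum" > "$demo_dir/go.sum"
printf '%s' "$sample_go_mod" > "$demo_dir/go.mod"
check_all_modules "$demo_dir/go.sum" || echo "(a CI job would exit 1 here)"
check_direct_modules "$demo_dir/go.mod"
rm -rf "$demo_dir"
```

On the constructed input the go.sum scope flags `github.com/hashicorp/vault/api` while the direct scope passes, which is exactly the difference the thread is weighing; a workflow picks one of the two `check_*` functions depending on which dependencies the license policy is meant to govern.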