[Umbrella] License Auditing & Remediation

[justaugustus]

This is an umbrella issue to carry out licensing tasks requested by the CNCF and Steering Committee.

• Draft license audit policies for SIG Release
• File issues / PRs with [sub]projects to fix their licensing issues (list from @swinslow):
  • (@nikhita) The component github.com/heketi/heketi is used in four repos. Heketi uses a mix of licenses, but the main issue is that files in heketi/pkg/utils/ can only be used under LGPL-3.0 or GPL-2.0, both of which are likely problematic here. Can the files in heketi/pkg/utils/ be removed, or replaced with an alternative library under a more permissive license?
    The repos are: kubernetes (fixed in Update heketi dependencies to sha@558b29266ce0a873991ecfb3edc41a668a998514 kubernetes#70811), minikube, autoscaler/cluster-autoscaler, and contrib/rescheduler
  • (@BenTheElder (test-infra) / @justinsb (kops)) There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?
    The repos are: cloud-provider-aws, federation, kops (fixed in Prune some license files that dep added kops#6019), and test-infra (fixed in remove unused vendor/github.com/docker/docker/contrib test-infra#8979)
  • (@justaugustus) The component github.com/juju/ratelimit is under LGPL-3.0 with a linking exception. It was replaced in the main kubernetes repo in #38320 to use golang.org/x/time/rate instead. juju/ratelimit is still present in several other kubernetes repos; can these be similarly updated to the alternate library?
    The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, scale-demo and service-loadbalancer), dashboard, dns, federation, frakti, heapster, kompose, kube-deploy, node-problem-detector, perf-tests, and test-infra.
  • (@justaugustus) The component gopkg.in/yaml.v2 used to have the same LGPL-3.0 license, but has now been updated in the kubernetes repo to a newer version with Apache-2.0. Several other repos still use the old version under LGPL-3.0; can these also be updated?
    The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, podex, scale-demo and service-loadbalancer), dashboard, federation, heapster, kube-deploy, node-problem-detector, perf-tests, publishing-bot and test-infra.
  • In minikube, there is a config file which states that it is part of systemd and is under LGPL-2.1. Most of the file is commented out. Is it necessary to distribute this file, or could it be obtained by the downstream user separately (along with systemd, which I assume we aren't distributing)?
  • In kops, /hooks/nvidia-bootstrap/README.md says that "Using this hook indicates that you agree to" a non-OSS license from NVIDIA. Is this intended to refer to software separately installed by the Dockerfile, rather than code in the kops repo itself? If so, I may propose a tweak to the language here.
  • (@nikhita) In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically? - translations: point license header to Kubernetes kubernetes#66233
  • (@nikhita) In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0? - node-client/src: change license from Unlicense to Apache-2.0 kubernetes-client/javascript#61
• Close out k/steering issue

ref:
[1] https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/L2KnInDBAgAJ

cc: @philips @swinslow

/assign
/sig release
/committee steering

[nikhita]

In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0?

The typsecript client is deprecated and doesn't contain the Unlicense package.json file. The typescript client is replaced by the javascript client.

Created a PR against the javascript repo: kubernetes-client/javascript#61

[nikhita]

In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically?

Created a PR against k/k: kubernetes/kubernetes#66233

[justaugustus]

Email update to steering + sig-release + sig-contribex: https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/sH8W-uwwAAAJ

[BenTheElder]

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

I've taken care of this for test-infra. kubernetes/test-infra#8979

[justaugustus]

@BenTheElder -- thanks for knocking another one off the list!

[nikhita]

quick update on heketi: Have asked the maintainers if they could update the license (instead of us updating our code) since it could have been a side-effect of a whole sale licensing change - heketi/heketi#1279.

There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?

This still needs to be fixed for cloud-provider-aws, federation and kops. Thanks for taking care of test-infra, @BenTheElder! 👍

[nikhita]

/assign