
Kubernetes license scanning #57

Closed

Description

@jdumars

This comes from an email to Steering@

Hello Kubernetes maintainers,

I'm running the Linux Foundation's license scanning and analysis services for several LF projects. For CNCF's IP policy and its new license whitelist (approved at the May Governing Board meeting), going forward I'll be running and providing monthly scan reports for CNCF projects, including Kubernetes.

Attached are two spreadsheets showing the license notices found in the kubernetes and kubernetes-client orgs' code repos as of July 3. (Future results will be available through a web interface and in other file formats.) This report shows licenses actually contained in the source code repos, and does not address external dependencies pulled in at build-time or run-time.

Apache-2.0 files are under CNCF's project license, and many of the "Attribution" licenses will be auto-approved under CNCF's whitelist policy. For the remainder, I'll work with CNCF's IP Committee to review and discuss recommending approvals by the Governing Board.

In preparation for that, I have a few questions for you, focusing on the key findings. If you'd prefer that I submit issues in GitHub for these, I'm happy to do so -- just let me know. But for #1 and #2 in particular I wanted to raise these first with the maintainer list, in light of the particular license issues.

  1. The component github.com/heketi/heketi is used in four repos. Heketi uses a mix of licenses, but the main issue is that files in heketi/pkg/utils/ can only be used under LGPL-3.0 or GPL-2.0, both of which are likely problematic here. Can the files in heketi/pkg/utils/ be removed, or replaced with an alternative library under a more permissive license?
    The repos are: kubernetes, minikube, autoscaler/cluster-autoscaler, and contrib/rescheduler

  2. There are GPL-2.0 LICENSE text files in the github.com/docker/docker component, within the contrib/selinux-* subfolders in four repos. There is no corresponding code in these directories. Can these directories and LICENSE files be removed?
    The repos are: cloud-provider-aws, federation, kops and test-infra

  3. The component github.com/juju/ratelimit is under LGPL-3.0 with a linking exception. It was replaced in the main kubernetes repo in #38320 to use golang.org/x/time/rate instead. juju/ratelimit is still present in several other kubernetes repos; can these be similarly updated to the alternate library?
    The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, scale-demo and service-loadbalancer), dashboard, dns, federation, frakti, heapster, kompose, kube-deploy, node-problem-detector, perf-tests, and test-infra.

  4. The component gopkg.in/yaml.v2 used to have the same LGPL-3.0 license, but has now been updated in the kubernetes repo to a newer version with Apache-2.0. Several other repos still use the old version under LGPL-3.0; can these also be updated?
    The repos are: autoscaler/addon-resizer, contrib (in diurnal, docker-micro-benchmark, election, keepalived-vip, podex, scale-demo and service-loadbalancer), dashboard, federation, heapster, kube-deploy, node-problem-detector, perf-tests, publishing-bot and test-infra.

  5. In minikube, there is a config file which states that it is part of systemd and is under LGPL-2.1. Most of the file is commented out. Is it necessary to distribute this file, or could it be obtained by the downstream user separately (along with systemd, which I assume we aren't distributing)?

  6. In kops, /hooks/nvidia-bootstrap/README.md says that "Using this hook indicates that you agree to" a non-OSS license from NVIDIA. Is this intended to refer to software separately installed by the Dockerfile, rather than code in the kops repo itself? If so, I may propose a tweak to the language here.

  7. In the translations/ folder in kubernetes, there are 12 files stating that "This file is distributed under the same license as the PACKAGE package." (e.g., here) Can these be corrected to refer to Kubernetes specifically?

  8. In the kubernetes-client javascript repo, a package.json file was added stating that the kubernetes-client-typescript package is under the Unlicense. Can this be corrected to Apache-2.0?

Going forward I will likely have other suggestions and questions around licenses, but those above will help me to prepare Kubernetes for review and approval by the IP Committee / GB.

Thanks again for all your help, and please let me know if you have any questions.

Best,
Steve

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation
[email protected]

Labels

  committee/steering: Denotes an issue or PR intended to be handled by the steering committee.
  sig/contributor-experience: Categorizes an issue or PR as relevant to SIG Contributor Experience.
  sig/release: Categorizes an issue or PR as relevant to SIG Release.