Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

License requirements when shipping containers #642

Open
dprotaso opened this issue Sep 21, 2023 · 11 comments
Open

License requirements when shipping containers #642

dprotaso opened this issue Sep 21, 2023 · 11 comments

Comments

@dprotaso
Copy link

This is the public issue for (https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652).

There were enough people in the Knative project asking about this so I figured it warranted having a public issue others can comment on (so I'm not the sole proxy).

Original Question

What are the CNCF requirements for license disclosure for dependencies when shipping container images?

Background

Knative has been vendoring licenses and including them in the containers we ship. This been our practice since the project went public in 2018 and was a requirement of Google's OSPO's office.

Some context from Evan Anderson [1]

To provide additional context, this was original implemented to meet the second clause of the BSD 2-clause license:

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

By embedding the license in the container image, people who received the OCI image (for example, by pulling from a repo which the image had been cloned to) would also receive a copy of the license, which would trivially satisfy "reproduce the above copyright notice". Since I'm not a lawyer, I'm not going to venture whether this was an overly-restrictive reading of this clause. (This also similarly trivially satisfies the MIT requirement of including a liability disclaimer notice.)

[1] knative/hack#315 (comment)

Related Info

We now build our containers using a tool called ko - this will also publish a SBOM file https://ko.build/features/sboms/

I believe the SBOM will include some license info. Is having this file available for download sufficient for license compliance?

@dprotaso
Copy link
Author

dprotaso commented Sep 21, 2023

Looks like the licenses in the SBOM is not a thing at moment - ko-build/ko#766

but what if it were 🤔

@amye amye added the licensing label Sep 25, 2023
@amye
Copy link
Contributor

amye commented Sep 26, 2023

So as I'm reading through this, this may no longer be an active question?

@dprotaso
Copy link
Author

We're still looking for input from the CNCF what is required

@dprotaso
Copy link
Author

hey @amye any updates?

@puerco
Copy link

puerco commented Nov 21, 2023

@amye can we satisfy the requirements to distribute licenses by having the project and dependency licenses in the SBOM? We can also add the license text to the SBOM in addition to the identifiers if needed.

@dprotaso
Copy link
Author

Hi - just following up here again

@amye
Copy link
Contributor

amye commented Dec 12, 2023

Hi - just following up here again

Still in discussion with Legal Committee!

@dprotaso
Copy link
Author

dprotaso commented Dec 12, 2023 via email

@dprotaso
Copy link
Author

dprotaso commented Jan 15, 2024

Following up - I'm assuming the lack of response indicates there's no requirement and thus projects are not required to have disclosures in our project's container image.

@jeffcshapiro
Copy link

@joannalee333 Can you comment on this?

@joannalee333
Copy link
Collaborator

joannalee333 commented Jul 12, 2024

Staff will be working with the Legal Committee on development of guidance for this issue. Licensing compliance for container images is not as straightforward as it is for code. We'll likely have guidance ready to share later this quarter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants