Clarify dependencies #388

Merged
merged 2 commits into from
Mar 23, 2020

Conversation

lizrice (Contributor) commented Mar 13, 2020

Following TOC discussion, I'm suggesting some clarification around the acceptability of dependencies.

Review thread on PRINCIPLES.md (outdated, resolved)
VinodAnandan commented:

I think it's better to verify the OSS license compliance with all existing CNCF projects and see the practicality. I also think it's better to grant some time for existing and new projects to achieve the license compliance.

A few open questions:

  • How deep the dependency license check should be carried out?
  • What if there are transitive dependencies without any license (unlicensed code)?

lizrice (Contributor, Author) commented Mar 16, 2020

@VinodAnandan, this is something the CNCF legal team already do for projects coming into the CNCF.

caniszczyk (Contributor) left a comment:

We do an in-depth license check every time a project is brought in, and most of our projects end up adopting an automated solution like FOSSA/Snyk/etc., e.g. https://app.fossa.com/attribution/3fb2fc80-0420-41d8-bd5e-adcaf06f3057

Internally in CNCF, our lawyers do in-depth license scans and send them to projects at least a couple of times a year to resolve issues and/or create an exception/whitelist entry that's approved by the CNCF GB Legal Committee: https://github.com/cncf/foundation/blob/master/whitelist-policy.md

@caniszczyk caniszczyk merged commit de7446c into master Mar 23, 2020
@caniszczyk caniszczyk deleted the dependencies branch March 23, 2020 17:28
4 participants