
License Scan/Remediation Questions

Open austinlparker opened this issue 1 year ago • 2 comments

Hello maintainers! We have received a report from the CNCF license audit that the following paths contain licenses that do not match the project license. You can find the full report here: https://lfscanning.org/reports/cncf-2/open-telemetry-2024-02-09-e8fcbc12-0a27-470a-9f2d-c5f680322e13.html

  • okhttp-4.12.0

From what I can see, okhttp is covered under Apache2 but it contains a file that's covered by MPL? If this can't be removed, please document it in this issue. Thanks!

austinlparker, Feb 28 '24 14:02

Did some research:

  • okhttp uses the file from https://publicsuffix.org/list/public_suffix_list.dat at build time to generate a list of top-level domains that it uses in a few places
  • the file from https://publicsuffix.org/list/public_suffix_list.dat is licensed under MPL
  • okhttp includes this NOTICE file since they are deriving their list of TLDs from the MPL-licensed file
  • we include the same NOTICE file since we are embedding okhttp inside of the Java agent

trask, Feb 29 '24 04:02

I'm not sure what's best here.

Based on https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md, we may need to apply for an exception for this OkHttp dependency MPL licensed content for the core SDK anyways (cc @jack-berg).

Btw, there's an interesting active discussion in Apache HTTP Client about essentially the same problem: https://issues.apache.org/jira/browse/HTTPCLIENT-2317.

trask, Mar 05 '24 20:03