argo-workflows icon indicating copy to clipboard operation
argo-workflows copied to clipboard
verified publisher icon argoproj

comply with licenses of argo's dependencies when releasing images

Open Bobgy opened this issue 4 years ago • 3 comments

Summary

What change needs making?

Integrate a process into argo release to comply with licenses of argo's dependencies and transitive dependencies built into the binary.

I am already doing this process for argo in https://github.com/kubeflow/pipelines/pull/5266 (see issue https://github.com/kubeflow/pipelines/issues/5232) when kubeflow/pipelines redistributes argo workflow images, using a tool I just built https://github.com/Bobgy/go-mod-licenses.

Use Cases

When would you use this?

When GCP redistributes argo images, we'll need to make sure the images are license compliant. I think it helps everyone with similar legal concerns, so that we can directly use argo official images.

By license compliant, I mean that

  • some licenses require a copy of its full text copyright notice and license distributed with any binary built with it
  • some licenses require source code distributed along with the binary
  • no GPL etc licensed code should be used
  • etc

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

Bobgy avatar Mar 09 '21 07:03 Bobgy

We used this tool for Kubeflow training operators before they graduated. Could that be reused instead of building another tool?

terrytangyuan avatar Mar 09 '21 10:03 terrytangyuan

For clarification, I'm not opinionated about which tool to use. I think https://github.com/github/licensed might be a good choice too.

Bobgy avatar Mar 09 '21 11:03 Bobgy

We now produce SPDX with each release.

alexec avatar Feb 07 '22 21:02 alexec