foundation icon indicating copy to clipboard operation
foundation copied to clipboard

Published 20 hours ago verified publisher icon cncf

Dapr license exceptions required

Open shubham1172 opened this issue 2 years ago • 3 comments

Hello, we are looking to get licensing exceptions for the following repositories for usage in Dapr.

Repo URL License Stars Forks
https://github.com/hashicorp/go-version MPL-2.0 1029 121
https://github.com/hashicorp/raft MPL-2.0 5644 750
https://github.com/hashicorp/raft-boltdb MPL-2.0 425 98
https://github.com/Microsoft/tslib 0BSD 933 92
https://github.com/eclipse/paho.mqtt.golang EPL 1865 449

shubham1172 avatar Feb 08 '22 05:02 shubham1172

@shubham1172 - connecting back in here!

For all license exception requests, we need the following information in order to help make a decision to grant an exception.

  • [ ] What is the alternative license?
  • [ ] If this is newly created code, why can't it be under Apache-2.0?
  • [ ] Is this an existing 3rd party open source project?
  • [ ] How does this code integrate with or interact with, if at all, other components of CNCF?
  • [ ] How will the code be maintained? Who is responsible?
  • [ ] How will the code be kept up to date with security patches?

amye avatar Mar 10 '22 23:03 amye

Thanks @amye for getting back.

(1) What is the alternative license?

All the projects mentioned above are single licensed except https://github.com/eclipse/paho.mqtt.golang - it is dual licensed, Eclipse Distribution License - v 1.0 and Eclipse Public License - v 2.0

(2) If this is newly created code, why can't it be under Apache-2.0?

All of them are old (>5 years on an average), third party dependencies.

(3) Is this an existing 3rd party open source project?

Yes for all.

(4) How does this code integrate with or interact with, if at all, other components of CNCF?

All of these repositories are used by some popular CNCF projects like Kubernetes, Argo Project. We use them at Dapr too (a CNCF incubation project). I can also give pointers on why we are using these libraries:

  1. https://github.com/hashicorp/go-version - Used by Dapr CLI for comparing versions
  2. https://github.com/hashicorp/raft - Used by Dapr for supporting Actors capability
  3. https://github.com/hashicorp/raft-boltdb - Same as above
  4. https://github.com/Microsoft/tslib - Used by Dapr dashboard
  5. https://github.com/eclipse/paho.mqtt.golang - Used by MQTT pubsub capability

(5) How will the code be maintained? Who is responsible?

If you are talking about the 3rd party dependencies, then their respective maintainers will maintain them.

(6) How will the code be kept up to date with security patches?

Same as above, their respective maintainers will be responsible for keeping it up-to date.

I tried answering these questions to the best of my knowledge, do let me know if I missed anything specific that you were looking for.

/cc @artursouza @rabollin

shubham1172 avatar Mar 11 '22 05:03 shubham1172

@amye are there any updates on these requests? (including # 292, # 294)

shubham1172 avatar Oct 06 '22 16:10 shubham1172