
Possible license issue in v1.50.0

Open dhiller opened this issue 2 years ago • 8 comments

What happened:

KubeVirt FOSSA check complains about some GPL'ed stuff that CDI itself uses on a PR against KubeVirt where the CDI API is about to be bumped to CDI v1.50.0.

  • https://github.com/kubevirt/containerized-data-importer/tree/v1.50.0/vendor/libguestfs.org/libnbd#license
  • https://github.com/kubevirt/containerized-data-importer/blob/v1.50.0/vendor/github.com/gorhill/cronexpr/GPLv3

Sources:

  • https://app.fossa.com/projects/custom+13072%[email protected]:kubevirt%2Fkubevirt.git/refs/branch/main/96c6d3ccd73b8c7e6ab7213dbfad6d942467fbc2
  • comment: https://github.com/kubevirt/kubevirt/pull/7906#issuecomment-1155021010

What you expected to happen: A clear and concise description of what you expected to happen.

How to reproduce it (as minimally and precisely as possible): Steps to reproduce the behavior.

Additional context: Add any other context about the problem here.

Environment:

  • CDI version (use kubectl get deployments cdi-deployment -o yaml): v1.50.0
  • Kubernetes version (use kubectl version): N/A
  • DV specification: N/A
  • Cloud provider or hardware configuration: N/A
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Install tools: N/A
  • Others: N/A

dhiller, Jun 14 '22 11:06

Our libnbd Go bindings are now LGPL, and cronexpr seems to be dual licensed as either GPLv3 or Apache license v2, which I assume is acceptable. So the problem is not present in newer releases.

maya-r, Jun 26 '22 14:06

There might still be an issue, assuming CDI affects KubeVirt's status as a CNCF project. It looks like CNCF requires an exception for third-party libraries with licenses not in this list: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist

So I think maybe the right way to fix this is to apply for an exception, but if that doesn't work out I can remove the current usage of libnbd from CDI entirely.

mrnold, Jun 27 '22 13:06

Maybe if you had a FOSSA check on your repository, you might have caught this earlier. Would that be reasonable? I could help establish a check similar to what we have at kubevirt/kubevirt.

dhiller, Jul 11 '22 08:07

Besides that, if, as @maya-r pointed out, the issues are fixed in the latest release, shouldn't we just update cdi api on kubevirt?

dhiller, Jul 11 '22 11:07

I guess this is not an issue for kubevirt, since kubevirt only vendors the api of cdi and that does not pull in shared libraries and libnbd go binaries. So for CDI we should double-check that it is ok to use the bindings with the latest mentioned licenses, but kubevirt can probably green-wave this on the fossa side.

rmohr, Jul 28 '22 12:07

I believe KubeVirt uses one function from CDI to determine if a PVC is associated with a DataVolume, which is why there is a non-cdi-api import as well. It is also the wrong version (1.42) while the cdi-api is (1.50).

awels, Jul 28 '22 13:07

On which files is it complaining?

@brianmcarey mentioned it is for:

vendor/github.com/mrnold/go-libnbd
vendor/github.com/gorhill/cronexpr

But these are not imported by kubevirt/kubevirt.

Excluding these files may be ok now, but I think it is problematic for proper protection for the future. If some PR will cause them to be vendored in the future, we will not detect it due to such an exception.

Can we do these in parallel?

  • Contact fossa support and see if they can scan only our codebase and not the dependencies? If it includes the vendor folder, it is enough for us I think.
  • Silence the warning by adding these files as exceptions (at least until the next point is resolved).
  • Make sure CDI stops depending on these.

EdDev, Jul 28 '22 13:07
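The concern above is that excluding files from the scanner hides any future vendoring of the same modules. As an added example (not CDI's, KubeVirt's or FOSSA's code), here is a small in-repo check that walks a Go vendor/ tree, classifies each module's license files by their header text, and reports modules whose only option is a copyleft license; dual-licensed modules like cronexpr (GPLv3 plus APLv2 files) are not flagged. The license list, the file-name patterns and the sample tree are constructed for the demo, and which licenses need a CNCF exception is left as a policy assumption.

```python
import os
import re
import tempfile

# Header patterns, tested in order: LGPL/AGPL come before GPL because their
# texts also cite the plain GPL further down. Constructed list, not exhaustive.
_PATTERNS = [
    ("LGPL", re.compile(r"GNU LESSER GENERAL PUBLIC LICENSE", re.I)),
    ("AGPL", re.compile(r"GNU AFFERO GENERAL PUBLIC LICENSE", re.I)),
    ("GPL", re.compile(r"GNU GENERAL PUBLIC LICENSE", re.I)),
    ("Apache-2.0", re.compile(r"Apache License\s+Version 2\.0", re.I)),
    ("MIT", re.compile(r"MIT License|Permission is hereby granted, free of charge", re.I)),
]
# Assumption: these are the ids the project treats as needing an exception.
COPYLEFT = {"GPL", "AGPL", "LGPL"}
# File names carrying license text, incl. bare GPLv3/APLv2 files of dual-licensed modules.
_LICENSE_FILE = re.compile(r"^(LICENSE|LICENCE|COPYING|GPLv\d|LGPLv[\d.]+|APLv?\d)(\..*)?$", re.I)

def classify(text):
    """Return a license id from the head of a license file, or 'unknown'."""
    head = text[:400]
    for name, pat in _PATTERNS:
        if pat.search(head):
            return name
    return "unknown"

def scan_vendor(vendor_dir):
    """Map each module dir (path relative to vendor/) to the set of license ids found in it."""
    found = {}
    for dirpath, _, files in os.walk(vendor_dir):
        lic_files = [f for f in files if _LICENSE_FILE.match(f)]
        if not lic_files:
            continue
        rel = os.path.relpath(dirpath, vendor_dir).replace(os.sep, "/")
        ids = set()
        for f in lic_files:
            with open(os.path.join(dirpath, f), encoding="utf-8", errors="replace") as fh:
                ids.add(classify(fh.read()))
        found[rel] = ids
    return found

def copyleft_only(found):
    """Modules whose every license file is copyleft; dual-licensed modules pass."""
    return sorted(m for m, ids in found.items() if ids and ids <= COPYLEFT)

def build_sample_tree():
    """Constructed vendor/ tree mirroring the two modules named in this issue."""
    root = tempfile.mkdtemp()
    samples = {  # constructed license headers, not the full texts
        "libguestfs.org/libnbd/LICENSE": "GNU LESSER GENERAL PUBLIC LICENSE\nVersion 2.1, February 1999\n",
        "github.com/gorhill/cronexpr/GPLv3": "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n",
        "github.com/gorhill/cronexpr/APLv2": "Apache License\nVersion 2.0, January 2004\n",
        "github.com/example/permissive/LICENSE": "MIT License\n\nCopyright (c) 2022 Example\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Running `copyleft_only(scan_vendor("vendor"))` in CI and failing on a non-empty result catches a module being (re)vendored even if the external scanner has an exclusion for it.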

I have a TODO Item to add fossa to CDI, but need some help configuring it for the repo.

awels, Jul 28 '22 13:07

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kubevirt-bot, Oct 26 '22 14:10

This has been resolved. CDI is fully compliant and has a test lane to ensure we remain compliant.

awels, Oct 29 '22 23:10

In the last release version (v1.55.2), the license conflict has not been solved: libnbd is licensed under GPL.

  • https://github.com/kubevirt/containerized-data-importer/blob/v1.55.2/vendor/libguestfs.org/libnbd/LICENSE

Do we have any plan to remove the usage of libnbd from CDI? THX.

lxs137, Dec 29 '22 04:12