
OTel .NET Contrib - Hangfire.Core license dependency verification

Open Kielek opened this issue 9 months ago • 3 comments

The OpenTelemetry .NET contrib repository hosts the source code for the OpenTelemetry.Instrumentation.Hangfire NuGet package.

One of the dependencies is Hangfire.Core, which is dual-licensed under the LGPL v3 License or a Commercial License.

The important part is that if the end user references OpenTelemetry.Instrumentation.Hangfire, it automatically brings in packages licensed under LGPL/Commercial. This dependency seems to be mandatory for the instrumentation to work correctly.

What is the recommendation in such cases? Can we host/maintain such a library? If it is not possible, what is the recommendation for the already published artifacts?

Detected by the FOSSA scans created in #2574.

Kielek avatar Feb 20 '25 06:02 Kielek

hi @Kielek! in Java, the instrumentation libraries use a "compileOnly" dependency on the instrumented libraries, which avoids this:

if the end-user references OpenTelemetry.Instrumentation.Hangfire it automatically brings packages licensed by LGPL/Commercial

and seems reasonable from a usability perspective since users will only use the instrumentation library if they are already using the instrumented library

in addition to helping us avoid licensing issues, it also helps us avoid CVE issues (since we're not transitively passing those dependencies on to our consumers)

would something like this make sense in .NET?

trask avatar Feb 20 '25 20:02 trask
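As an added illustration (not from the thread, and not the contrib repository's own project file), this is how the Java "compileOnly" pattern maps onto an MSBuild PackageReference: the default reference flows Hangfire.Core into the consumer's dependency graph, while `PrivateAssets="all"` keeps it for compilation only. The PackageId, target framework and the `X.Y.Z` version are placeholders.

```xml
<!-- Added example project file; names and version below are placeholders. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; the real package may target others. -->
    <TargetFramework>netstandard2.0</TargetFramework>
    <!-- Constructed package id, not the published one. -->
    <PackageId>Example.Instrumentation.Hangfire</PackageId>
  </PropertyGroup>

  <ItemGroup>
    <!-- Default reference: NuGet writes Hangfire.Core into the .nuspec of the
         packed package as a dependency, so every consumer transitively pulls
         in the LGPL/Commercial-licensed assembly together with any advisories
         filed against it. This is the situation the issue describes. -->
    <!--
    <PackageReference Include="Hangfire.Core" Version="X.Y.Z" />
    -->

    <!-- Compile-only analogue of Gradle's compileOnly: the assembly is
         available while building this project (so the instrumentation can
         compile against Hangfire's types), but PrivateAssets="all" stops the
         reference from flowing to parent projects and from being listed as a
         dependency in the packed .nuspec. The consumer must reference
         Hangfire.Core itself, which holds for anyone actually running Hangfire;
         a consumer without it fails at load time with a missing-assembly error
         rather than silently getting an unlicensed copy. -->
    <PackageReference Include="Hangfire.Core" Version="X.Y.Z" PrivateAssets="all" />
  </ItemGroup>

</Project>
```

To verify the effect, run `dotnet pack` and inspect the `.nuspec` inside the produced `.nupkg`: with `PrivateAssets="all"` the `<dependencies>` element should contain no `Hangfire.Core` entry.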

@trask, it will be unusual. I can raise this on the .NET SIG. Before we can consider it, we should verify what the perspective of CNCF is on a similar, non-production dependency. See #2558.

Kielek avatar Feb 21 '25 05:02 Kielek

Blocked on #2558.

trask avatar Mar 11 '25 20:03 trask

@trask is this now unblocked?

tedsuo avatar Jul 02 '25 15:07 tedsuo

Following the same logic as in the previous one, I think we'll need to file an exception like https://github.com/cncf/foundation/issues/995?

danielgblanco avatar Jul 02 '25 15:07 danielgblanco

I think that is the unblocker. We should go the same way, but there is a key difference. It is used in the production code and shipped to OpenTelemetry.Instrumentation.Hangfire users as a dependency: https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Hangfire/1.12.0-beta.1#dependencies-body-tab

I am not sure if it will be allowed. @danielgblanco, should I raise a new issue on the CNCF side, or do you want to handle it?

Kielek avatar Jul 02 '25 16:07 Kielek

Issue created: https://github.com/cncf/foundation/issues/1065

Kielek avatar Jul 09 '25 14:07 Kielek

PR merged: https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/3553, based on https://github.com/cncf/foundation/issues/1065#issuecomment-3563771634

Kielek avatar Nov 24 '25 07:11 Kielek