
3rd party licenses in agent

Open iNikem opened this issue 3 years ago • 5 comments

I don't know if my question is relevant to many SIGs, but it was based on https://github.com/open-telemetry/opentelemetry-java-instrumentation/issues/836

Namely, the Java instrumentation agent repackages several 3rd party dependencies into a single uber-jar, which is our main published artifact. What are the Otel/CNCF guidelines regarding license attribution in this case? These CNCF guidelines (https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md) talk only about source code.

iNikem avatar Jan 27 '21 16:01 iNikem

Our advice is to not mess with the copyright notices and properly attribute the code: https://github.com/cncf/foundation/blob/master/copyright-notices.md

We also recommend hooking up a tool like https://github.com/fossas/fossa-cli for license scanning + attribution notices.


caniszczyk avatar Jan 27 '21 16:01 caniszczyk

@caniszczyk We don't include source code. We repackage compiled classfiles into our own jar file. Where should we put that attribution?

iNikem avatar Jan 27 '21 17:01 iNikem

@open-telemetry/governance-committee Any advice?

iNikem avatar Feb 02 '21 16:02 iNikem

The README of the project would suffice, you just need attribution somewhere.


caniszczyk avatar Feb 02 '21 16:02 caniszczyk

Does the attribution need to ship with the published artifact?

trask avatar Feb 05 '21 02:02 trask

Closing, the Java agent has been shipping with these attributions for a while now.

trask avatar Nov 29 '22 05:11 trask