Clarify usage of MPL-licensed dependencies

[tigrannajaryan]

We need to know whether we are allowed to have MPL-licensed dependencies in our code and license the whole as a Apache license.

This is what MPL says about combining MPL-licensed code and BSD or Apache licensed code:

Q13: May I combine MPL-licensed code and BSD-licensed code in the same executable program? What about Apache? Yes to both. Mozilla currently does this with BSD-licensed code. For example, libvpx, which is used in Firefox to decode WebM video, is under a BSD license.

I am not entirely sure how to interpret this. This appears to say that the combined code can be licensed under a BSD licenses (or Apache license in our case), but I am not a lawyer.

Can we have a ruling from a lawyer? Perhaps CNCF can help?

[tigrannajaryan]

@open-telemetry/governance-committee can you please help with this?

[yurishkuro]

I recommend opening a ticket to CNCF and asking them to reply here.

[tigrannajaryan]

@yurishkuro how can I open a CNCF ticket?

[yurishkuro]

https://github.com/cncf/servicedesk

[tigrannajaryan]

I think only GC members can submit tickets. I may be wrong, but only found https://servicedesk.cncf.io/ to which I have no access.

[yurishkuro]

Hm, not sure, I thought it was more open.

I opened a ticket CNCFSD-740.

[caniszczyk]

The CNCF allowlist is here: https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md

MPL isn't allowed by default but we have a lot of MPL libraries that have been approved in CNCF https://github.com/cncf/foundation/tree/master/license-exceptions

What is the particular library in question?

[tigrannajaryan]

@caniszczyk I can get the full list of MPL libraries we depend on, but at a glance it appears several that we use in OpenTelemetry Collector are from Hashicorp, and some of these libraries are already in the approved exception list, which is great.

Can you please tell what is the process for adding other MPL libraries to the exception list? For example, we depend on github.com/hashicorp/consul which is also MPL-2.0 but is not in the CNCF list. There are a few more, I will need help from @jsuereth to compile the full list.

Also, I am curious, what is the reason CNCF has an exception list for MPL libraries instead of generally allowing any MPL libraries? Are the reasons legal or something else? Is there a possibility for a blanket approval for all MPL-2.0, so that we don't have to seek approval for individual libraries?

[caniszczyk]

@tigrannajaryan open up an issue here to get new libraries added to the allow list: https://github.com/cncf/foundation/issues

We have to get the CNCF board (GB) to sign off.

Second, MPL is a weak copy left license like LGPL/EPL, while almost every license we allow is fully permissive. Weak copyleft licenses just add more work for distributers of the software and we try to avoid that. Ideally the question I'd ask is why not get Hashicorp to change their license of software instead :)?

[tigrannajaryan]

Thanks @caniszczyk

open up an issue here to get new libraries added to the allow list: https://github.com/cncf/foundation/issues

@jsuereth since you worked on https://github.com/open-telemetry/opentelemetry-collector/pull/2604 will be able to help get the full list of MPL dependencies so that we can submit it to CNCF for approval?

Ideally the question I'd ask is why not get Hashicorp to change their license of software instead :)?

@caniszczyk this is a good question. I can try to ask them nicely :-)

[tigrannajaryan]

Asked Hashicorp: https://github.com/hashicorp/consul/issues/9944