Ensure we bundle a copy of every license used by 3rd-party dependencies into our container image. #308

Open
tobz opened this issue Nov 7, 2024 · 2 comments · Fixed by #313
Labels: area/ci (CI/CD, automated testing, etc.), effort/simple (Involves trivial changes that should be fine so long as the code compiles and tests pass.), good first issue (Good for newcomers), type/chore (Updates to dependencies or general "administrative" tasks necessary to maintain the codebase/repo.)

Comments

tobz commented Nov 7, 2024

Context

While we currently generate our SBOM to track used dependencies and their licenses, we don't include a copy of each of those licenses. We should do that, as doing so ensures that there's no confusion over what the license's terms are at the time the image was built, and it also ensures we're satisfying the relevant clause in some licenses that require a copy of the license to be included with usages or derivative works, etc.

@tobz tobz added effort/simple Involves trivial changes that should be fine so long as the code compiles and tests pass. good first issue Good for newcomers type/chore Updates to dependencies or general "administrative" tasks necessary to maintain the codebase/repo. labels Nov 7, 2024
tobz commented Nov 7, 2024

A note: we might end up needing to depend on something like https://github.com/spdx/license-list-data, since I could foresee scenarios where we can't simply grab the license file from the code dependencies themselves. This would at least mean we have a consistent (and trustworthy) source to pull the license files from, although we would end up needing to do a little bit of parsing of LICENSE-3rdparty.csv to build the list of licenses to copy...

Anyways.

@tobz tobz added the area/ci CI/CD, automated testing, etc. label Nov 7, 2024
@tobz tobz closed this as completed in #313 Nov 8, 2024
@tobz tobz reopened this Nov 8, 2024
tobz commented Nov 8, 2024

Actually keeping this open because our current solution captures like 95% of what we need, but we still need to handle some other areas / scenarios:

  • custom licenses (sometimes denoted via the Custom SPDX identifier; relevant to ring)
  • paying attention to whether or not a dependency specifies license or license-file in Cargo.toml (since license-file would be a good heuristic to treat as "this might be custom, so just copy it directly")
  • considering if there's relevant copyright notices to copy over above and beyond the straight SPDX identifier-based license

@tobz tobz self-assigned this Nov 8, 2024
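As an added example (not code from this issue or the project), here is a Python sketch of the bundling plan the comments describe: it parses a LICENSE-3rdparty.csv-style list (the Component,Origin,License,Copyright header and the sample rows are assumptions) into SPDX identifiers to resolve against a license-list-data checkout, crates whose own license file must be copied directly (the Custom identifier, or a license-file entry in Cargo.toml passed in as a hypothetical set), and copyright notices to carry along, with a check that reports identifiers for which no license text is available.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample rows in the assumed LICENSE-3rdparty.csv layout; not the project's real file.
SAMPLE_CSV = """Component,Origin,License,Copyright
tokio,https://github.com/tokio-rs/tokio,MIT,Copyright (c) Tokio Contributors
serde,https://github.com/serde-rs/serde,MIT OR Apache-2.0,
unicode-ident,https://github.com/dtolnay/unicode-ident,(MIT OR Apache-2.0) AND Unicode-DFS-2016,
ring,https://github.com/briansmith/ring,Custom,Copyright 2015-2016 Brian Smith.
"""

# SPDX expression operators; parentheses are stripped from the pieces afterwards.
SPDX_OPERATORS = re.compile(r"\s+(?:OR|AND|WITH)\s+")

@dataclass
class BundlePlan:
    spdx_ids: set = field(default_factory=set)        # texts to take from license-list-data
    copy_directly: set = field(default_factory=set)   # crates whose own license file must be copied
    notices: dict = field(default_factory=dict)       # copyright lines to carry alongside the text

def plan_bundle(csv_text, uses_license_file=frozenset()):
    """Decide, per crate, where its license text has to come from.

    uses_license_file: crates whose Cargo.toml sets license-file instead of
    license (hypothetical input, e.g. derived from cargo metadata).
    """
    plan = BundlePlan()
    for row in csv.DictReader(io.StringIO(csv_text)):
        crate, expr = row["Component"], row["License"].strip()
        # A Custom identifier or a license-file entry means the SPDX list cannot
        # supply the text, so the crate's own file is the only trustworthy copy.
        if expr.lower() == "custom" or crate in uses_license_file:
            plan.copy_directly.add(crate)
        else:
            for ident in SPDX_OPERATORS.split(expr):
                ident = ident.strip("() ")
                if ident:
                    plan.spdx_ids.add(ident)
        if row["Copyright"].strip():
            plan.notices[crate] = row["Copyright"].strip()
    return plan

def missing_license_texts(plan, available_texts):
    """Identifiers with no text in the license-list-data checkout (dict id -> text);
    a non-empty result should fail the image build rather than ship a gap."""
    return sorted(plan.spdx_ids - set(available_texts))
```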