Hello, I’m fearing to open the pandora box but I have a question around the way we install ONAP: in https://wiki.onap.org/display/DW/ONAP+Operations+Manager, I’ve listed all components that we used around ONAP in order to deploy ONAP.
I’ve also tried to find per components (and I may have missed some): * Their license * The license of their deployment files (Dockerfile) I see for example that: * Mariadb is GPLv2 and the Dockerfile used for creating the container we use is GPLv3 * Mongodb is Server Side Public License and the Dockerfile used for creating the container we use is Apache 2.0 * … So, are we good with that? Or do we need to have components in onap deployment only with some specific licenses (for the component itself and for the packaging)? If yes, can you provide a whitelist / blacklist? --- Sylvain Desbureaux From: <onap-...@lists.onap.org<mailto:onap-...@lists.onap.org>> on behalf of Steve Winslow <swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org>> Reply-To: "onap-...@lists.onap.org<mailto:onap-...@lists.onap.org>" <onap-...@lists.onap.org<mailto:onap-...@lists.onap.org>>, "swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org>" <swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org>> Date: Tuesday, March 10, 2020 at 4:43 PM To: "onap-...@lists.onap.org<mailto:onap-...@lists.onap.org>" <onap-...@lists.onap.org<mailto:onap-...@lists.onap.org>> Cc: "LEFEVRE, CATHERINE" <catherine.lefe...@intl.att.com<mailto:catherine.lefe...@intl.att.com>>, "CLOSE, PIERRE" <pierre.cl...@intl.att.com<mailto:pierre.cl...@intl.att.com>>, "MCCRAY, CHRISTOPHER" <cm6...@att.com<mailto:cm6...@att.com>>, "ittay.st...@att.com<mailto:ittay.st...@att.com>" <ittay.st...@att.com<mailto:ittay.st...@att.com>>, Kenny Paul <kp...@linuxfoundation.org<mailto:kp...@linuxfoundation.org>>, David McBride <dmcbr...@linuxfoundation.org<mailto:dmcbr...@linuxfoundation.org>> Subject: [onap-ptl] ONAP codebase license scan, Mar. 2020 Hello ONAP PTLs, I am attaching links to the subprojects results of the most recent ONAP codebase license scans. These are based on a scan of the repos as of March 5. The key findings, as well as the overall license summary, can be found at the following address: https://lfscanning.org/reports/onap/onap-2020-03-0c36f9d6-950d-42e1-8f86-7f0b4759019c.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__lfscanning.org_reports_onap_onap-2D2020-2D03-2D0c36f9d6-2D950d-2D42e1-2D8f86-2D7f0b4759019c.html&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=AMkuCVbI7Yl9CC7oXyGq1dS7hINBx2Qzxq715swobgM&e=> In particular, the following projects should look at the findings noted for them: * ccsdk-distribution * multicloud-k8s * portal The full spreadsheet with a list of all licenses and files can be found at: https://lfscanning.org/reports/onap/onap-2020-03-0c36f9d6-950d-42e1-8f86-7f0b4759019c.xlsx<https://urldefense.proofpoint.com/v2/url?u=https-3A__lfscanning.org_reports_onap_onap-2D2020-2D03-2D0c36f9d6-2D950d-2D42e1-2D8f86-2D7f0b4759019c.xlsx&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=JkmIGjvmWwy78T7nAcQB93yYEAXxeyjKpybldCYLsAA&e=> Although these links and its contents are not confidential, they may be considered sensitive and should not be generally publicized / uploaded to public wikis, etc. Please treat in the same manner that past license scan report emails have typically been treated. Please take a look at the findings and recommendations available at the first URL. There are also separate reports for each subproject, and the URLs to those reports can be found in the attached text file. I have not yet enabled the JIRA integration that we discussed on the PTL call last week. I will be looking to do that for the next monthly scan if feasible. These reports cover license notices contained in the ONAP codebases themselves; as always, build-time dependency licenses are available in Sonatype Nexus IQ at https://jenkins.onap.org/view/CLM/<https://urldefense.proofpoint.com/v2/url?u=https-3A__jenkins.onap.org_view_CLM_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=5Rck08OX8Q8bwjKpPuODTryIkQnL0e2PZztRu3L2VnQ&e=>, and I am continuing to review and update the results there. I will send a couple of emails with specific comments on these in the coming days. Finally, updated SPDX files for the scan results from each subproject's repos can be found at https://github.com/lfscanning/spdx-onap<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lfscanning_spdx-2Donap&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=JL9u_YDZkDRzLyEQ2SvUeXjq-P1Nk0nFD6cycxUQ-50&e=>. Please feel free to let me know if you have any questions. Best, Steve -- Steve Winslow Director of Strategic Programs The Linux Foundation swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org> -- Steve Winslow Director of Strategic Programs The Linux Foundation swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org> -- Steve Winslow Director of Strategic Programs The Linux Foundation swins...@linuxfoundation.org<mailto:swins...@linuxfoundation.org> _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6020): https://lists.onap.org/g/onap-tsc/message/6020 Mute This Topic: https://lists.onap.org/mt/71903959/21656 Group Owner: onap-tsc+ow...@lists.onap.org Unsubscribe: https://lists.onap.org/g/onap-tsc/leave/2743226/1412191262/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
