Hey Karsten,

Thank you for bringing this topic to our attention!

Your email spawned some discussions in other channels, without any
conclusions yet. There is a long-standing issue about our NOTICE files
which doesn't only affect Docker containers:
https://github.com/prometheus/prometheus/issues/3399. As the project we'd
love to drop custom NOTICE files altogether to avoid having to deal with
regular updates. We're not sure yet whether that's possible and have
reached out to various parties again.

If anyone can provide clear requirements, guidelines, or examples from
other major projects on how to handle license and notice files in container
images / packaged tarballs, that would be very helpful.

Best,
Tobias

On Mon, Jan 4, 2021 at 2:13 PM Karsten Klein <karsten.kl...@gmail.com>
wrote:

> Hi there,
>
> I hope I am addressing the right audience here. Otherwise, forgive me and
> please support me in finding the appropriate contact.
>
> We are currently investigating the options for using the Prometheus Docker
> container within software distributions and diverse production scenarios.
>
> We found in particular that there is no complete information available
> regarding all covered software contained in the current Docker containers that
> can be publicly pulled from https://hub.docker.com/r/prom/prometheus/.
> Specifically, the containers that we analysed do not include any license
> information covering operating system level packages (such as busybox; see
> below).
>
> We are wondering whether there is complete documentation (compliance
> documentation, bill of materials) available. The LICENSE and NOTICE files
> are rather incomplete in this (and other) aspects.
>
> For example:
>
>
>    - The container covers busybox, which is licensed under GNU General
>    Public License Version 2.0 (GPL-2.0).
>    - The GPL-2.0 license requires including the license text in the
>    distribution and making source code available to the recipient of the
>    software.
>    - The container / project does not make these aspects transparent and
>    does not deal with the license obligations.
>    - The container / project does not include enough information to
>    derive the covered software (unique identification, version, license
>    details).
>
> Perhaps we can get in touch to clarify these questions. We are happy to
> dig into the details with some guidance.
>
> Regards and a good start into 2021...Stay healthy,
>
> Karsten
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to prometheus-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-developers/b691e8e6-a7e1-493e-aa65-8a5062477faen%40googlegroups.com
> <https://groups.google.com/d/msgid/prometheus-developers/b691e8e6-a7e1-493e-aa65-8a5062477faen%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
