There are a number of license compliance scanners around, such as tern,
which could be added to the build pipeline for the containers.

This tool would provide a listing of the licenses used by the components
added in each layer of the container build.

https://github.com/tern-tools/tern



On Sun, Jan 17, 2021, 00:00 Karsten Klein <karsten.kl...@gmail.com> wrote:

> Hi Tobias,
>
> we once nailed down the requirements for documenting software for
> distribution (with or without hardware):
>
> https://github.com/org-metaeffekt/metaeffekt-asset-annex-requirements
>
> In my eyes the document is still very valid and defines on a generic and
> general level how a software asset (container, tar ball, …) needs to be
> covered. Depending on the projects’ context you can decide on which
> requirements you put your priorities. From a consumer/operator perspective
> all listed requirements are at least relevant.
>
> We further took a closer look at BusyBox (as this is the core of the
> Prometheus containers). Version 1.33 source code covers the following
> licenses (in no particular but alphabetic order):
>
>    - Beerware License
>    - Bison Exception 2.0
>    - BSD 3-Clause License
>    - BSD 3-Clause License (UC)
>    - BSD 4-Clause License
>    - BSD alike
>    - BSD Simplified (Intel)
>    - GNU General Public License 2.0
>    - GNU General Public License 2.0 (or any later version)
>    - GNU Lesser General Public License 2.1 (or any later version)
>    - MIT License
>    - Netcat Permission Statement
>    - NTP License
>    - Permission Terms (no warranty; no liability)
>    - Public Domain
>    - RSA MD License
>    - Sash Notice
>    - Unlicense
>
> (Additional licenses in examples and tests are not listed.)
>
> Please note that the information above was automatically extracted by our
> license scanning tool. The list may be neither accurate nor complete. Our
> scanner already produced several hints regarding unmatched licenses. We
> need to further dig into the details here to match and identify those.
>
> So far, the above list contains “open source licenses”. Not all of them
> are OSI-approved, but at least commonly used licenses without commercial fee or
> restrictions to commercial use (as far as we can see; no legal advice!).
> However, the resulting obligations should be addressed within or
> complementary to the container.
>
> In addition to BusyBox, the container is based on a Debian distribution
> with additional packages installed (certificates, gcc, netbase). See
> https://github.com/prometheus/busybox/blob/master/glibc/Dockerfile. The
> licenses covered on Debian side (used core packages if any, plus the extra
> installed packages) also need to be considered.
>
> We plan to aggregate further information from a compliance perspective in
> the course of our customer projects that intend to ship/operate Prometheus
> containers. We will check in the context of the projects how much of the
> results we are able to share here in the group.
>
> Stay tuned…
>
> Karsten
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to prometheus-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-developers/AM6PR0302MB3335FF9090B91832130CBE8AA2A60%40AM6PR0302MB3335.eurprd03.prod.outlook.com
>
