BlueOak-1.0.0 license is not approved by CNCF · Issue #2392 · kubernetes-client/javascript · GitHub

BlueOak-1.0.0 license is not approved by CNCF #2392

Closed
jandubois opened this issue Apr 25, 2025 · 10 comments · Fixed by #2402

Comments

@jandubois

package.json lists several dependencies that are licensed under the BlueOak-1.0.0 license. That license is not listed as an approved CNCF license.

The packages are also not listed in the exception lists.

Are there any plans to resolve this?

Possible ways:

  • Get the license added to the CNCF Approved List
  • Apply for a CNCF exception for the specific modules
  • Ask the maintainer of the modules to add a dual-license for one of the approved licenses
  • Replace the dependencies with something else
@jandubois
Author

The problematic dependencies are:

[
  "chownr",
  "3.0.0",
  "BlueOak-1.0.0",
  "git://github.com/isaacs/chownr.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "jackspeak",
  "3.4.3",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/jackspeak.git",
  "Unknown",
  "Isaac Z. Schlueter"
]
[
  "package-json-from-dist",
  "1.0.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/package-json-from-dist.git",
  "https://izs.me/",
  "Isaac Z. Schlueter"
]
[
  "path-scurry",
  "1.11.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/path-scurry",
  "https://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "yallist",
  "5.0.0",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/yallist.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]

@cjihrig
Contributor
cjihrig commented Apr 25, 2025

These are all indirect dependencies.

chownr and yallist come from our dependency on tar.

jackspeak, package-json-from-dist, and path-scurry come from our dependency on c8.

@jandubois
Author

> These are all indirect dependencies.

It is my understanding that the CNCF license approval requirement applies to indirect dependencies as well. Is that not the case?

Otherwise you could just create a wrapper with an approved license around a module and circumvent the whole license checking. The whole point of an official list is that the CNCF confirms that it considers the licenses compatible.

@cjihrig
Contributor
cjihrig commented Apr 25, 2025

I don't know the policy. Without any investigation, I would assume it applies to all dependencies, direct or otherwise. I just wanted to document where these dependencies were coming from in case changes need to be made.

@mattfarina

The license policy for the whole CNCF can be found here. It applies to all dependencies not just direct ones. The approved exceptions can be found here. The BlueOak-1.0.0 license is not an approved one.

@cjihrig
Contributor
cjihrig commented Apr 26, 2025

It might be worth applying for an exception. BlueOak is OSI approved and, if I recall correctly, was recently approved by the OpenJS Foundation.

@brendandburns
Contributor

fwiw, c8 is a dev dependency for running tests, not a runtime dependency, so I don't think that the CNCF policy applies. I agree it's a little weird since package.json combines both runtime and dev dependencies in a way that other language ecosystems don't.

@mattfarina if you feel like clarifying this with the CNCF/LF legal folks, feel free to reply here with what you find out.

@jandubois
Author
jandubois commented Apr 28, 2025

> c8 is a dev dependency for running tests, not a runtime dependency, so I don't think that the CNCF policy applies.

I would think so too, but will leave it to @mattfarina to give us the final word.

We had some corruption in our yarn.lock file that seems to have caused the c8 dependencies to be included in the yarn license list --prod output. After recreating yarn.lock it now only shows the 2 tar dependencies:

$ ~/suse/rancher-desktop/scripts/node-license-check.sh
Forbidden license(s) detected; allowed are Apache-2.0|0?BSD|ISC|MIT|Python-2.0|Unlicense
[
  "chownr",
  "3.0.0",
  "BlueOak-1.0.0",
  "git://github.com/isaacs/chownr.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "yallist",
  "5.0.0",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/yallist.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]

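As an added example (not code from this issue or from kubernetes-client/javascript), the script below applies the point made in the thread, that the license policy covers indirect dependencies, to a package-lock.json v3 `packages` map: it flags licenses outside an allow list, reports the direct dependency each one is pulled in through, and can skip dev dependencies for a production-only view like the --prod run above. The lockfile object is constructed for the example; the tar and c8 versions are placeholders, and the allow list is assumed.

```javascript
// Added example: audit a package-lock.json v3 "packages" map against a license allow list
// and report the dependency chain for every offender, so indirect dependencies are covered.
// The lock object is constructed; "*" ranges and "0.0.0-placeholder" are placeholders.
const ALLOWED = new Set(["Apache-2.0", "0BSD", "BSD-3-Clause", "ISC", "MIT", "Python-2.0", "Unlicense"]);
const CONSTRUCTED_LOCK = {
  packages: {
    "": { dependencies: { tar: "*" }, devDependencies: { c8: "*" } },
    "node_modules/tar": { version: "0.0.0-placeholder", license: "ISC", dependencies: { chownr: "*", yallist: "*" } },
    "node_modules/chownr": { version: "3.0.0", license: "BlueOak-1.0.0" },
    "node_modules/yallist": { version: "5.0.0", license: "BlueOak-1.0.0" },
    "node_modules/c8": { version: "0.0.0-placeholder", license: "ISC", dev: true, dependencies: { "path-scurry": "*" } },
    "node_modules/path-scurry": { version: "1.11.1", license: "BlueOak-1.0.0", dev: true },
  },
};

// A dual license such as "(MIT OR BlueOak-1.0.0)" passes if any alternative is approved;
// "AND" expressions and missing licenses are conservatively treated as one unknown token.
function licenseAllowed(expr, allowed) {
  return expr.replace(/[()]/g, "").split(/\s+OR\s+/).some((l) => allowed.has(l.trim()));
}

// Resolve a dependency from the requesting package's path the way Node does: nearest
// nested node_modules first, then walk up toward the root entry "".
function resolve(lock, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root manifest. Each package is reported once, with the first
// chain it was reached through; includeDev=false mirrors a production-only (--prod) check.
function auditLicenses(lock, allowed, { includeDev = true } = {}) {
  const findings = [], seen = new Set();
  const walk = (path, chain) => {
    const pkg = lock.packages[path];
    if (!pkg || seen.has(path)) return;
    seen.add(path);
    const license = pkg.license || "UNKNOWN";
    if (path && !licenseAllowed(license, allowed)) {
      findings.push({ name: chain[chain.length - 1], version: pkg.version, license, via: chain.join(" > "), dev: Boolean(pkg.dev) });
    }
    const deps = Object.keys({ ...pkg.dependencies, ...(!path && includeDev ? pkg.devDependencies : {}) });
    for (const name of deps) { const t = resolve(lock, path, name); if (t) walk(t, [...chain, name]); }
  };
  walk("", []);
  return findings;
}
```

Run against a real lockfile by replacing CONSTRUCTED_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; each finding's `via` field gives the direct dependency to chase, as was done by hand for tar and c8 in this thread.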
@brendandburns
Contributor

I'll move the tar dependency to be optional since it is only used for copy anyway.

That way people get to choose to install it or not for themselves.

@brendandburns
Contributor

Actually, I'm going to look into switching to https://www.npmjs.com/package/nanotar which is MIT licensed and has no dependencies.
