Hi Sylvain, Thanks for raising this. The license scans that I run are focused on (1) the contents of the ONAP repositories themselves, and (2) the dependencies to the extent that the scanning tools are able to identify them. That said, if there are other known dependencies that you've separately identified, I think it's worth raising them for consideration under the project's IP policies.
For the components that you listed at https://wiki.onap.org/display/DW/ONAP+Operations+Manager, how are these being used? In other words, in what ways are these incorporated into / installed by ONAP? Of the components you listed, I see several are under Apache-2.0 (which is fine as it matches the project's licenses or other permissive licenses like MIT / BSD (which have typically been readily approved). Those that are copyleft (such as GPL-2.0 / GPL-3.0) or not OSI-approved licenses (such as Elastic License or Server-Side Public License) are likely to be greater concern, and particularly in the latter case I do not know that the ONAP Legal Subcommittee would recommend that the TSC approve license exceptions for these. Thanks, Steve On Thu, Mar 12, 2020 at 11:02 AM <[email protected]> wrote: > Hello, I’m fearing to open the pandora box but I have a question around > the way we install ONAP: in > https://wiki.onap.org/display/DW/ONAP+Operations+Manager, I’ve listed all > components that we used around ONAP in order to deploy ONAP. > > > > I’ve also tried to find per components (and I may have missed some): > > - Their license > - The license of their deployment files (Dockerfile) > > > > I see for example that: > > - Mariadb is GPLv2 and the Dockerfile used for creating the container > we use is GPLv3 > - Mongodb is Server Side Public License and the Dockerfile used for > creating the container we use is Apache 2.0 > - … > > > > So, are we good with that? > > Or do we need to have components in onap deployment only with some > specific licenses (for the component itself and for the packaging)? > > If yes, can you provide a whitelist / blacklist? > > > > > > --- > > Sylvain Desbureaux > > > > *From: *<[email protected]> on behalf of Steve Winslow < > [email protected]> > *Reply-To: *"[email protected]" <[email protected]>, " > [email protected]" <[email protected]> > *Date: *Tuesday, March 10, 2020 at 4:43 PM > *To: *"[email protected]" <[email protected]> > *Cc: *"LEFEVRE, CATHERINE" <[email protected]>, "CLOSE, > PIERRE" <[email protected]>, "MCCRAY, CHRISTOPHER" <[email protected]>, > "[email protected]" <[email protected]>, Kenny Paul < > [email protected]>, David McBride <[email protected]> > *Subject: *[onap-ptl] ONAP codebase license scan, Mar. 2020 > > > > Hello ONAP PTLs, > > > > I am attaching links to the subprojects results of the most recent ONAP > codebase license scans. These are based on a scan of the repos as of March > 5. > > > > The key findings, as well as the overall license summary, can be found at > the following address: > > > > > https://lfscanning.org/reports/onap/onap-2020-03-0c36f9d6-950d-42e1-8f86-7f0b4759019c.html > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lfscanning.org_reports_onap_onap-2D2020-2D03-2D0c36f9d6-2D950d-2D42e1-2D8f86-2D7f0b4759019c.html&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=AMkuCVbI7Yl9CC7oXyGq1dS7hINBx2Qzxq715swobgM&e=> > > > > In particular, the following projects should look at the findings noted > for them: > > - *ccsdk-distribution* > - *multicloud-k8s* > - *portal* > > The full spreadsheet with a list of all licenses and files can be found at: > > > > > https://lfscanning.org/reports/onap/onap-2020-03-0c36f9d6-950d-42e1-8f86-7f0b4759019c.xlsx > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lfscanning.org_reports_onap_onap-2D2020-2D03-2D0c36f9d6-2D950d-2D42e1-2D8f86-2D7f0b4759019c.xlsx&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=JkmIGjvmWwy78T7nAcQB93yYEAXxeyjKpybldCYLsAA&e=> > > > > Although these links and its contents are not confidential, they may be > considered sensitive and should not be generally publicized / uploaded to > public wikis, etc. Please treat in the same manner that past license scan > report emails have typically been treated. > > > > Please take a look at the findings and recommendations available at the > first URL. There are also separate reports for each subproject, and the > URLs to those reports can be found in the attached text file. > > > > I have not yet enabled the JIRA integration that we discussed on the PTL > call last week. I will be looking to do that for the next monthly scan if > feasible. > > > > These reports cover license notices contained in the ONAP codebases > themselves; as always, build-time dependency licenses are available in > Sonatype Nexus IQ at https://jenkins.onap.org/view/CLM/ > <https://urldefense.proofpoint.com/v2/url?u=https-3A__jenkins.onap.org_view_CLM_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=5Rck08OX8Q8bwjKpPuODTryIkQnL0e2PZztRu3L2VnQ&e=>, > and I am continuing to review and update the results there. I will send a > couple of emails with specific comments on these in the coming days. > > > > Finally, updated SPDX files for the scan results from each subproject's > repos can be found at https://github.com/lfscanning/spdx-onap > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lfscanning_spdx-2Donap&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=qLcfee4a2vOwYSub0bljcQ&m=a9qSC-xVaBVH6VAIuo2n3O0Ym0r1y3xKdDzgQptS8Jc&s=JL9u_YDZkDRzLyEQ2SvUeXjq-P1Nk0nFD6cycxUQ-50&e=> > . > > > > Please feel free to let me know if you have any questions. Best, > > Steve > > > -- > > Steve Winslow > Director of Strategic Programs > The Linux Foundation > > [email protected] > > > > -- > > Steve Winslow > Director of Strategic Programs > The Linux Foundation > > [email protected] > > > > -- > > Steve Winslow > Director of Strategic Programs > The Linux Foundation > > [email protected] > > > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu > ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete > this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > > -- Steve Winslow Director of Strategic Programs The Linux Foundation [email protected] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6041): https://lists.onap.org/g/onap-tsc/message/6041 Mute This Topic: https://lists.onap.org/mt/71903959/21656 Group Owner: [email protected] Unsubscribe: https://lists.onap.org/g/onap-tsc/leave/2743226/1412191262/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
