Hi Tobias,

We once nailed down the requirements for documenting software for distribution 
(with or without hardware):

https://github.com/org-metaeffekt/metaeffekt-asset-annex-requirements

In my eyes the document is still very valid and defines on a generic and 
general level how a software asset (container, tar ball, …) needs to be 
covered. Depending on the projects’ context you can decide on which 
requirements you put your priorities. From a consumer/operator perspective all 
listed requirements are at least relevant.

We further took a closer look at BusyBox (as this is the core of the Prometheus 
containers). Version 1.33 source code covers the following licenses (in no 
particular but alphabetic order):

  *   Beerware License
  *   Bison Exception 2.0
  *   BSD 3-Clause License
  *   BSD 3-Clause License (UC)
  *   BSD 4-Clause License
  *   BSD alike
  *   BSD Simplified (Intel)
  *   GNU General Public License 2.0
  *   GNU General Public License 2.0 (or any later version)
  *   GNU Lesser General Public License 2.1 (or any later version)
  *   MIT License
  *   Netcat Permission Statement
  *   NTP License
  *   Permission Terms (no warranty; no liability)
  *   Public Domain
  *   RSA MD License
  *   Sash Notice
  *   Unlicense

(Additional licenses in examples and tests are not listed.)

Please note that the information above was automatically extracted by our 
license scanning tool. The list may be neither accurate nor complete. Our 
scanner already produced several hints regarding unmatched licenses. We need to 
further dig into the details here to match and identify those.

So far, the above list contains “open source licenses”. Not all of them are 
OSI-approved, but they are at least commonly used licenses without commercial fee or 
restrictions to commercial use (as far as we can see; no legal advice!). 
However, the resulting obligations should be addressed within or complementary 
to the container.

In addition to BusyBox, the container is based on a Debian distribution with 
additional packages installed (certificates, gcc, netbase). See 
https://github.com/prometheus/busybox/blob/master/glibc/Dockerfile. The 
licenses covered on the Debian side (used core packages if any, plus the extra 
installed packages) also need to be considered.

We plan to aggregate further information from a compliance perspective in the 
course of our customer projects that intend to ship/operate Prometheus 
containers. We will check in the context of the projects how much of the 
results we are able to share here in the group.

Stay tuned…

Karsten
