There are a number of license compliance scanners around such as tern, which could be added to the build pipeline for the containers.
This tool would provide a listing of the licenses used by the components added in each layer of the container build. https://github.com/tern-tools/tern

On Sun, Jan 17, 2021, 00:00 Karsten Klein <[email protected]> wrote:

> Hi Tobias,
>
> we once nailed down the requirements for documenting software for distribution (with or without hardware):
>
> https://github.com/org-metaeffekt/metaeffekt-asset-annex-requirements
>
> In my eyes the document is still very valid and defines on a generic and general level how a software asset (container, tar ball, …) needs to be covered. Depending on the projects' context you can decide on which requirements you put your priorities. From a consumer/operator perspective all listed requirements are at least relevant.
>
> We further took a closer look at BusyBox (as this is the core of the Prometheus containers). Version 1.33 source code covers the following licenses (in no particular but alphabetic order):
>
> - Beerware License
> - Bison Exception 2.0
> - BSD 3-Clause License
> - BSD 3-Clause License (UC)
> - BSD 4-Clause License
> - BSD alike
> - BSD Simplified (Intel)
> - GNU General Public License 2.0
> - GNU General Public License 2.0 (or any later version)
> - GNU Lesser General Public License 2.1 (or any later version)
> - MIT License
> - Netcat Permission Statement
> - NTP License
> - Permission Terms (no warranty; no liability)
> - Public Domain
> - RSA MD License
> - Sash Notice
> - Unlicense
>
> (Additional licenses in examples and tests are not listed.)
>
> Please note that the information above was automatically extracted by our license scanning tool. The list may be neither accurate nor complete. Our scanner already produced several hints regarding unmatched licenses. We need to further dig into the details here to match and identify those.
>
> So far, the above list contains "open source licenses". Not all of them are OSI-approved, but at least commonly used licenses without commercial fee or restrictions to commercial use (as far as we can see; no legal advice!). However, the resulting obligations should be addressed within or complementary to the container.
>
> In addition to BusyBox, the container is based on a Debian distribution with additional packages installed (certificates, gcc, netbase). See https://github.com/prometheus/busybox/blob/master/glibc/Dockerfile. The licenses covered on the Debian side (used core packages if any, plus the extra installed packages) also need to be considered.
>
> We plan to aggregate further information from a compliance perspective in the course of our customer projects that intend to ship/operate Prometheus containers. We will check in the context of the projects how much of the results we are able to share here in the group.
>
> Stay tuned…
>
> Karsten
>
> --
> You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/AM6PR0302MB3335FF9090B91832130CBE8AA2A60%40AM6PR0302MB3335.eurprd03.prod.outlook.com
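The reply above suggests wiring a license scanner into the container build pipeline so that each layer's licenses are listed. What such a listing is good for in practice is a build gate: compare what the scanner matched against a project policy, surface licenses that carry obligations (source offer, notices), and stop the build when a package could not be matched at all or matched something outside the policy, which is exactly the "unmatched licenses" situation Karsten's message mentions. The following is an added example written for this thread; it is not tern's code and does not use tern's real output format. The per-layer dict shape, the policy sets, and all package and layer names in the sample data are constructed assumptions (the license names are taken from the BusyBox list in the thread).

```python
"""Policy gate over a per-layer license listing (added example, constructed input shape)."""
from dataclasses import dataclass, field

# Hypothetical project policy: licenses accepted without further review.
ALLOWED = frozenset({
    "MIT License", "BSD 3-Clause License", "BSD 3-Clause License (UC)",
    "BSD Simplified (Intel)", "Public Domain", "Unlicense", "NTP License",
    "Beerware License", "Permission Terms (no warranty; no liability)",
    "Netcat Permission Statement", "RSA MD License", "Sash Notice",
})
# Licenses that may be shipped, but whose obligations (notices, source offer)
# have to be addressed within or alongside the container.
OBLIGATIONS = frozenset({
    "GNU General Public License 2.0",
    "GNU General Public License 2.0 (or any later version)",
    "GNU Lesser General Public License 2.1 (or any later version)",
    "BSD 4-Clause License",
})


@dataclass
class GateResult:
    blocked: list = field(default_factory=list)      # (layer, package, license) outside policy
    obligations: list = field(default_factory=list)  # (layer, package, license) needing follow-up
    unmatched: list = field(default_factory=list)    # (layer, package) scanner matched no license

    def ok(self) -> bool:
        # Fail closed: an unmatched package is as much a gate failure as a blocked license,
        # because "no match" means "unknown", not "fine".
        return not self.blocked and not self.unmatched


def evaluate(layers, allowed=ALLOWED, obligations=OBLIGATIONS) -> GateResult:
    """Classify every (layer, package, license) triple from the scanner listing.

    `layers` is a list of {"layer": str, "packages": [{"name": str, "licenses": [str]}]}.
    This shape is a constructed assumption for the example, not a real scanner format.
    """
    result = GateResult()
    for layer in layers:
        layer_id = layer["layer"]
        for pkg in layer["packages"]:
            name = pkg["name"]
            licenses = pkg.get("licenses") or []
            if not licenses:
                result.unmatched.append((layer_id, name))
                continue
            for lic in licenses:
                if lic in allowed:
                    continue
                if lic in obligations:
                    result.obligations.append((layer_id, name, lic))
                else:
                    result.blocked.append((layer_id, name, lic))
    return result


def report(result: GateResult) -> str:
    """Human-readable summary for the pipeline log."""
    lines = []
    for layer_id, name, lic in result.blocked:
        lines.append(f"BLOCKED    {layer_id}: {name} -> {lic}")
    for layer_id, name in result.unmatched:
        lines.append(f"UNMATCHED  {layer_id}: {name} (no license identified; needs manual review)")
    for layer_id, name, lic in result.obligations:
        lines.append(f"OBLIGATION {layer_id}: {name} -> {lic}")
    lines.append("RESULT     " + ("pass" if result.ok() else "fail"))
    return "\n".join(lines)


# Constructed sample listing: two layers, one package without any matched license
# and one package under a license that is outside the policy.
SAMPLE_LAYERS = [
    {"layer": "layer-1-debian-base (constructed)", "packages": [
        {"name": "netbase", "licenses": ["GNU General Public License 2.0 (or any later version)"]},
        {"name": "ca-certificates", "licenses": []},
    ]},
    {"layer": "layer-2-busybox (constructed)", "packages": [
        {"name": "busybox", "licenses": ["GNU General Public License 2.0", "MIT License",
                                         "BSD 3-Clause License"]},
        {"name": "vendor-agent", "licenses": ["Vendor EULA (constructed)"]},
    ]},
]

if __name__ == "__main__":
    outcome = evaluate(SAMPLE_LAYERS)
    print(report(outcome))
    raise SystemExit(0 if outcome.ok() else 1)
```

Run as a pipeline step, the non-zero exit status on `fail` is what stops the image from being published; the `OBLIGATION` lines are the input for the notices and source offers that, as the thread puts it, should be addressed within or complementary to the container.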

