Comments (25)
@philips --
@cblecker and I are planning to braindump on this and I'll take it over.
/assign
/cc @nikhita
from sig-release.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
from sig-release.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle rotten
/remove-lifecycle stale
from sig-release.
/remove-lifecycle rotten
This is relevant right now:
kubernetes/steering#21
from sig-release.
@kubernetes/sig-contributor-experience-feature-requests @grodrigues3 @spiffxp @parispittman @Phillels
This might be an important task for the 1.10 cycle.
from sig-release.
@mattfarina pointed out that https://fossa.io/ is a SaaS product that does this. We'd have to talk to them about pricing and such (we don't have private repos, which is how they track "developers").
@bgrant0607 @thockin Would something like this be worth looking into?
from sig-release.
We desperately need automated enforcement.
cc @caniszczyk
from sig-release.
@spiffxp poked me to get some additional ContribEx eyes on this and try to run with it in his absence...
I'm worried we're reinventing an oft reinvented wheel here.
First it would be good if we could assume a forward world where SPDX license strings and headers are standard. But in the meantime we will need to deal with outliers cleanly to build a complete list of observed licenses and pieces of code where a license was not determined. There are existing tools that do this and comprehend the umpteen gazillion different variants of whitespace and surrounding delimiting text.
In https://github.com/clearlinux/autospec/tree/master/autospec/license* files there is an actively maintained scanner with a quite comprehensive set of license file hashes observed from maintaining a full featured linux distro for a number of years. I suspect it would be nice and usable here if we were to suggest to them (and help code?) separating it out into a standalone library and github project. They even package kubernetes and for example as of 1.9.4 had determined via that automation that k8s is:
License : Apache-2.0 BSD-2-Clause BSD-2-Clause-FreeBSD BSD-3-Clause CC-BY-4.0 CC-BY-SA-4.0 CC0-1.0 CDDL-1.0 GPL-2.0 ISC LGPL-3.0 MIT MPL-2.0-no-copyleft-exception NCSA
But there are also many many more similar tools. LF has for many years had a whole annual conference on license compliance topics and there's a tonne of tooling out there.
And then there's the whole question of what is the set of compatible licenses for the k8s project. @caniszczyk is there a CNCF determination documented on this?
from sig-release.
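The approach described in the comment above (trust an SPDX tag where one exists, fall back to a table of license-text hashes that tolerates whitespace and delimiter variants, and list whatever stays undetermined), sketched as an added example; it is not code from this thread, from autospec, or from the Kubernetes tooling. The hash table, the `ALLOWED` policy set and the sample files are constructed assumptions.

```python
import hashlib
import re

# One SPDX identifier per tag; compound expressions are out of scope here.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")

def normalize(text):
    """Drop comment delimiters, case and whitespace differences."""
    lines = (line.strip(" \t/*#") for line in text.splitlines())
    return " ".join(" ".join(lines).lower().split())

def fingerprint(text):
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

# Constructed table: a shortened ISC-style excerpt stands in for full texts.
EXCERPT = ("Permission to use, copy, modify, and/or distribute this software "
           "for any purpose with or without fee is hereby granted.")
KNOWN_HASHES = {fingerprint(EXCERPT): "ISC"}
ALLOWED = {"Apache-2.0", "MIT", "ISC"}  # hypothetical policy

def detect(text):
    """Prefer an explicit SPDX tag, then fall back to the hash table."""
    tag = SPDX_TAG.search(text)
    if tag:
        return tag.group(1)
    return KNOWN_HASHES.get(fingerprint(text))

def scan(files):
    """Sort {path: content} into ok / disallowed / undetermined."""
    report = {"ok": [], "disallowed": [], "undetermined": []}
    for path, text in sorted(files.items()):
        name = detect(text)
        if name is None:
            report["undetermined"].append(path)
        elif name in ALLOWED:
            report["ok"].append((path, name))
        else:
            report["disallowed"].append((path, name))
    return report

# Constructed sample tree, embedded so the scan runs offline.
SAMPLE = {
    "vendor/a/a.go": "// SPDX-License-Identifier: Apache-2.0\npackage a\n",
    "vendor/b/LICENSE": " * Permission to use, copy, modify, and/or\n"
                        " *   distribute this software for any purpose\n"
                        " * with or without fee is HEREBY granted.\n",
    "vendor/c/c.go": "// SPDX-License-Identifier: GPL-2.0\npackage c\n",
    "vendor/d/COPYING": "Do whatever you like with this.\n",
}
```

`scan(SAMPLE)` returns the three buckets; a CI gate would fail the build when either `disallowed` or `undetermined` is non-empty.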
@tpepper that seems like a cool tool that could be a great basis for the checker. As it is, we have bespoke tools that extract a best-guess at license info, and a slim list of reviewers who verify changes thereto.
https://github.com/kubernetes/kubernetes/blob/master/hack/update-godep-licenses.sh
https://github.com/kubernetes/kubernetes/blob/master/Godeps/LICENSES
If we had a tool, we could maybe simplify this file to be a list of license names, or at least augment the raw file with the detected name for easier human review.
Are you volunteering?
from sig-release.
I’ve never used FOSSA so if that’s the CNCF preference I’ll defer to those who do have experience there. Otherwise I’m interested in contributing to making this layer of automation better.
from sig-release.
(I note FOSSA as the thread in pr 62088 has revived and appears headed that way at the moment)
from sig-release.
Note, in addition to Fossa there is also https://www.fossology.org/
from sig-release.
Gonna take a trial run of FOSSA, based on the recommendation of @caniszczyk. Reached out to them here: https://groups.google.com/d/msg/kubernetes-sig-contribex/kpoYAyVUlew/4bTwVjTOBQAJ
/assign
from sig-release.
any updates on your FOSSA research @cblecker ?
from sig-release.
We met with FOSSA last month. The Github integration and periodic reports look decent, but the key was trying it out in our org and workflow.
My plate ended up overflowing with other tasks though, and I haven't got to setting it up and trialing it.
from sig-release.
/unassign @cblecker
from sig-release.
Email update to steering + sig-release + sig-contribex: https://groups.google.com/d/msg/kubernetes-sig-release/6oljCwkD6HQ/sH8W-uwwAAAJ
from sig-release.
/sig release
/remove-sig contributor-experience
from sig-release.
/milestone v1.18
from sig-release.
/area licensing
/milestone v1.18
/priority important-longterm
/kind feature
from sig-release.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
from sig-release.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
from sig-release.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
from sig-release.
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from sig-release.