Help Needed: CNCF License scanning owner


Brandon Philips

Jul 11, 2018, 7:54:13 PM
to kubernetes-...@googlegroups.com, kubernetes-s...@googlegroups.com
Hello SIG Release and Contribex-

The CNCF does periodic scans for Kubernetes repo software license issues. The most recent results find issues that need to be tracked and fixed across a number of repos. Currently these reports come to the steering committee but ideally a SIG is accountable to the follow-up.

Do either of these SIGs feel they can own the process of correcting these issues?

IMHO, we should make resolving these issues minor release blockers.

Thank You,

Brandon

Josh Berkus

Jul 11, 2018, 8:01:00 PM
to Brandon Philips, kubernetes-...@googlegroups.com, kubernetes-s...@googlegroups.com
On 07/11/2018 04:54 PM, Brandon Philips wrote:
> Hello SIG Release and Contribex-
>
> The CNCF does periodic scans for Kubernetes repo software license
> issues. The most recent results
> <https://github.com/kubernetes/steering/issues/57> find issues that need
> to be tracked and fixed across a number of repos. Currently these
> reports come to the steering committee but ideally a SIG is accountable
> to the follow-up.
>
> Do either of these SIGs feel they can own the process of correcting
> these issues?
>
> IMHO, we should make resolving these issues minor release blockers.

Making the license issues release-blockers suggests that it should be
sig-release. However, SIG-release isn't exactly equipped to resolve
licensing problems; while we can fix the code, we have no attorneys in
the SIG to determine what kind of fixes are sufficient.

Seems to me like this needs to be a new WG (under -release, I guess, but
could also be -contribex) with a lawyer on loan from the CNCF ...

--
Josh Berkus
Kubernetes Community
Red Hat OSAS

Caleb Miles

Jul 11, 2018, 8:01:31 PM
to bphi...@redhat.com, Jago Macleod, kubernetes-...@googlegroups.com, kubernetes-s...@googlegroups.com
It probably makes sense to have at the very least a "License Coordinator" as a part of the release team to make sure that each release is compliant. I could imagine that ownership of tooling to continuously monitor for license incompatibilities would be owned by SIG Architecture but that's just a thought.

Caleb

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-contribex" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-con...@googlegroups.com.
To post to this group, send email to kubernetes-s...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-contribex/CAHHNuYcw7KKBDkhfC4xQU9HHoi%2BEkv0CJzsJ%2BgGGyy%2BG08d45g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Stephen Augustus

Jul 11, 2018, 8:02:03 PM
to Brandon Philips, kubernetes-...@googlegroups.com, kubernetes-s...@googlegroups.com
Hey Brandon,

I'd be happy to help out with this! :)

Best,
Stephen


Brandon Philips

Jul 12, 2018, 5:39:29 PM
to augu...@redhat.com, kubernetes-...@googlegroups.com, kubernetes-s...@googlegroups.com
Hello Stephen-

Great! I am going to assign the issue to you and I wrote-up a small project plan: https://github.com/kubernetes/steering/issues/57#issuecomment-404659126

Cheers!

Brandon

Jaice Singer DuMars

Jul 12, 2018, 5:42:15 PM
to Brandon Philips, Stephen Augustus, kubernetes-sig-release, kubernetes-s...@googlegroups.com
Yay on all counts! Thank you for using the Steering repo/issue to maximum effect as well.

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-release" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-release+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-release@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-release/CAHHNuYfc8RUhFMhsjrhr9t0L2oPLwHgaPLOoQc0k6jgT03sAxA%40mail.gmail.com.

Stephen Augustus

Aug 8, 2018, 7:26:52 AM
to stee...@kubernetes.io, Brandon Philips, kubernetes-...@googlegroups.com, nikitar...@gmail.com, Steve Winslow
(sig-contribex to bcc)

Hey everyone,

I wanted to provide a quick update re: license scanning
Since the below email chatter:
  • I've had a chat with Christoph to get an overview on the current goals / process
  • Discussed CNCF scanning w/ Steve Winslow (they're currently using fossology, not FOSSA and doing some manual massaging to report out to the individual projects)
  • Had a call with Kevin and Leo at FOSSA to do an overview of the product, GitHub integration and figure out the next best steps
  • Created a demo FOSSA account (Kubernetes - Demo), which has Premium features enabled to allow us to start doing some scanning
  • Nikhita and I have begun working through the remediation tasks detailed on https://github.com/kubernetes/sig-release/issues/223
Active tracking issues:
Next steps:
  • Get Nikhita and Steve access to the FOSSA demo account
  • Get Nikhita and Steve access to the #kubernetes channel on FOSSA Slack
  • Continue through the remediation tasks
  • Identify repo candidates to do scanning and eventually activate GitHub integrations
  • Draft License Audit / Scanning / Remediation policies
Additionally, we'd like to form a License Compliance subproject under SIG Release to maintain this process and ensure it survives / improves across release cycles w/ Steve, Nikhita, and myself as Subproject Chairs. I'll put up something formal, if there are no objections.

Let me know what you think!

Best,
Stephen
