Re: [kubernetes-sig-testing] Re: Limitations in our ability to manage our ecosystem


Benjamin Elder

Jun 18, 2024, 1:02:05 PM
to Josh Berkus, kubernetes-sig-architecture, Tim Hockin, Stephen Kitt, kubernetes-...@googlegroups.com, stee...@kubernetes.io, Davanum Srinivas, Jordan Liggitt
Dependency management is under the purview of the code organization subproject of SIG Architecture, so adding that list
+kubernetes-sig-architecture 

> But the general issue remains: here we have a non-CNCF project which
> is a relatively important dependency for k/k, and at least some
> Kubernetes contributors can’t contribute to it.

> Does this bother anyone else?

Yes, this is one of the reasons we enforce the CNCF policy about only using dependencies with approved licenses.

We haven't yet had a policy about contribution agreements, and we ourselves require a CLA, just foundation, not corporate ...

I think we should start by asking politely as suggested above; this was probably a default policy at Uber.

Let's file a tracking issue in kubernetes/kubernetes for more visibility outside of the SIG lists and the outcome of this particular dependency.

Benjamin Elder

Jun 18, 2024, 1:07:54 PM
to Josh Berkus, Tim Hockin, Stephen Kitt, kubernetes-...@googlegroups.com, stee...@kubernetes.io, Davanum Srinivas, Jordan Liggitt, kubernetes-sig-architecture


On Tue, Jun 18, 2024 at 10:06 AM Josh Berkus <jbe...@redhat.com> wrote:
On 6/18/24 09:12, Tim Hockin wrote:
>  From my experience in a large company with a robust legal team, the
> answer was "This is how we do it.  Period."  I don't think we have any
> basis on which to approach companies and demand they go against their
> legal team's advice.
>
> I mean, you don't get what you don't ask for, but this is not a strategy.

It would be easier to ask -- and ASK, not demand -- than maintain our
own fork.  If they say "no" we're not any worse off.

Otherwise we're likely to end up in this convo next year:

Uber: Why did you fork mock?  We were maintaining it for you.

K8s: it had a CLA that blocked our PRs.

Uber: why didn't you just ask?  We could have fixed that.

Also, note that it's not a problem that the project has a CLA *at all*,
it's the terms of the CLA that are the problem, as I understand it.
After all, Kubernetes itself has a CLA.  A different CLA might be fine.

--
-- Josh Berkus
    Kubernetes Community Architect
    OSPO, OCTO


John Belamaric

Jun 18, 2024, 4:05:27 PM
to Sanchayan Ghosh, Benjamin Elder, Josh Berkus, Tim Hockin, Stephen Kitt, kubernetes-sig-testing, stee...@kubernetes.io, Davanum Srinivas, Jordan Liggitt, kubernetes-sig-architecture
In my experience with company-specific CLAs, it's not that there are necessarily specific issues with the CLA, it's that legal departments don't have the time to review every different CLA. So, if it's not a standard CLA or something, it's a painful process to get permission to contribute.

On Tue, Jun 18, 2024 at 1:02 PM Sanchayan Ghosh <sanchaya...@gmail.com> wrote:
I went through Uber's CLA. Is there any particular provision that would go against Kubernetes?

I see a provision where we give Uber a non revocable transferrable royalty free license to distribute our work (which if we contribute to go-mock, make PRs the existing Apache 2 license gives Uber permission to use our code/contribution).

Let me know if I am missing some concerning provision.

Sanchayan Ghosh


Tim Hockin

Jun 18, 2024, 5:46:37 PM
to Sanchayan Ghosh, John Belamaric, Benjamin Elder, Josh Berkus, Stephen Kitt, kubernetes-sig-testing, stee...@kubernetes.io, Davanum Srinivas, Jordan Liggitt, kubernetes-sig-architecture
At least in the US, work done "off hours" may still belong to your employer.

On Tue, Jun 18, 2024 at 1:32 PM Sanchayan Ghosh
<sanchaya...@gmail.com> wrote:
>
> Small question here. I am new to CLAs in general. When you mean asking legal departments of employers is it needed by all? Or is it only asked if you are contributing from your work time/resources like work devices, open source contribution during work hours etc.
>
> If a company is restrictive towards open source in general, can we still sign CLAs to contribute off work (on our own time, our own systems, on projects that don't at all overlap with our company's tech stack of core offering)?

Davanum Srinivas

Jun 18, 2024, 6:28:56 PM
to John Belamaric, Sanchayan Ghosh, Benjamin Elder, Josh Berkus, Tim Hockin, Stephen Kitt, kubernetes-sig-testing, stee...@kubernetes.io, Jordan Liggitt, kubernetes-sig-architecture
Stephen,

It's always good to reduce the number of dependencies, from that point of view alone it's worth figuring out if https://github.com/skitt/kubernetes/pull/2 is a way forward, please open a PR so we can test it out.

thanks,
Dims
--
Davanum Srinivas :: https://twitter.com/dims

Stephen Kitt

Jun 19, 2024, 1:12:14 PM
to John Belamaric, Sanchayan Ghosh, Benjamin Elder, Josh Berkus, Tim Hockin, kubernetes-sig-testing, stee...@kubernetes.io, Davanum Srinivas, Jordan Liggitt, kubernetes-sig-architecture
In Red Hat’s case, legal does review CLAs on request. Specifically
regarding the Uber CLA, the main issue is that of representation — the
CLA requires that “If a legal entity is a copyright owner, in whole or
in part, of the Contribution, You represent and warrant that You are
authorized by such entity to enter into this Agreement on that
entity’s behalf and to bind that entity to this Agreement (in which
case, references to “You” and “Your” in this Agreement–other than in
this sentence–refer to that entity).”

--
Stephen Kitt
Senior Principal Software Engineer
Red Hat Application Networking

Stephen Kitt

Jun 19, 2024, 1:12:19 PM
to Davanum Srinivas, John Belamaric, Sanchayan Ghosh, Benjamin Elder, Josh Berkus, Tim Hockin, kubernetes-sig-testing, stee...@kubernetes.io, Jordan Liggitt, kubernetes-sig-architecture
On Tue, Jun 18, 2024 at 06:28:41PM -0400, Davanum Srinivas wrote:
> It's always good to reduce the number of dependencies, from that point of
> view alone it's worth figuring out if
> https://github.com/skitt/kubernetes/pull/2 is a way forward, please open a
> PR so we can test it out.

Done: https://github.com/kubernetes/kubernetes/pull/125596

Thanks,

Davanum Srinivas

Jun 20, 2024, 6:55:07 AM
to Sanchayan Ghosh, Josh Berkus, Benjamin Elder, Tim Hockin, Stephen Kitt, kubernetes-sig-testing, stee...@kubernetes.io, Jordan Liggitt, kubernetes-sig-architecture


On Thu, Jun 20, 2024 at 6:38 AM Sanchayan Ghosh <sanchaya...@gmail.com> wrote:
> > The problem with individual company CLAs is that each contributor needs
> > their company's legal department to approve them contributing,
> > individually.  Many legal departments (including mine) refuse to do so.
>
> Is this a problem also with foundation CLAs?

Depends on the company lawyers

> Or is there a provision that makes foundation CLAs permissive?

Depends on the company lawyers

> I hope that is the case since a lot of mission critical repos (eclipse, kubernetes, docker) have CLAs and sometimes depending on your personal projects doing a bugfix is often the only way to go.

Depends on the company if they will let you sign a personal CLA or not. Please check with them before you sign stuff or you will be in trouble in certain company/legal jurisdictions.

> Also is there a list of whitelisted CLAs we can get information about?

No, there is no white list in the community. It's up to each company, so reach out to your lawyers.

There is a https://todogroup.org/ which may be a better place for you to ask these sort of questions as we are practitioners here and not policy makers. Also google for "OSPO CLA" as well. There is a list of folks with their own CLA here https://en.wikipedia.org/wiki/Contributor_License_Agreement as well.

Good Luck!

On Wed, 19 Jun, 2024, 11:22 pm Josh Berkus, <jbe...@redhat.com> wrote:
On 6/18/24 12:47, Sanchayan Ghosh wrote:
> I went through Uber's CLA. Is there any particular provision that would
> go against Kubernetes?
>
> I see a provision where we give Uber a non revocable transferrable
> royalty free license to distribute our work (which if we contribute to
> go-mock, make PRs the existing Apache 2 license gives Uber permission
> to use our code/contribution).

The problem with individual company CLAs is that each contributor needs
their company's legal department to approve them contributing,
individually.  Many legal departments (including mine) refuse to do so.

There also may be a specific problem with the terms; I don't know, I'm
not an attorney.


--
-- Josh Berkus
    Kubernetes Community Architect
    OSPO, OCTO



--
Davanum Srinivas :: https://twitter.com/dims