Fwd: [cncf-kubernetes-maintainers] LF CNCF Kubernetes License Scan and Findings Nov 2022


Bob Killen

Nov 29, 2022, 11:22:50 AM
to kubernetes-sig-architecture
FYI

---------- Forwarded message ---------
From: Jeff Shapiro <jsha...@linuxfoundation.org>
Date: Tue, Nov 29, 2022 at 9:49 AM
Subject: [cncf-kubernetes-maintainers] LF CNCF Kubernetes License Scan and Findings Nov 2022
To: <cncf-kubernet...@lists.cncf.io>
Cc: Chris Aniszczyk <canis...@linuxfoundation.org>, Amye Scavarda Perrin <am...@linuxfoundation.org>


Hi Team,

Here are the results from the October 2022 license scan of the Kubernetes project.  The scan was performed using the Linux Foundation Fossology server.  Licenses and copyrights were examined.

The key findings (if any) and license summary can be found in the HTML report, the list of files in the spreadsheet, and the SPDX file listed below:

REPORTS:

cncf/kubernetes, code pulled 2022-10-13
  - report: https://lfscanning.org/reports/cncf/kubernetes-2022-10-13-19a6e7e7-4f53-4c58-9dcb-6ab28ebf194d.html
  - xlsx:   https://lfscanning.org/reports/cncf/kubernetes-2022-10-13-19a6e7e7-4f53-4c58-9dcb-6ab28ebf194d.xlsx
  - spdx:   https://github.com/lfscanning/spdx-cncf/tree/master/kubernetes/2022-10/kubernetes-2022-10-13.spdx

NOTE:  There are high priority key findings from this scan that should be addressed as soon as possible.

Please feel free to contact me with any questions about the scan results.  Be sure to reply to me directly as I may not get an email sent directly to the distribution list.

Thanks, Jeff

Jeff Shapiro
408-910-7792
jsha...@linuxfoundation.org







Jordan Liggitt

Nov 29, 2022, 11:34:16 AM
to Bob Killen, kubernetes-sig-architecture
Are there false positives in the report?

kubernetes-2022-10-13.zip/kubernetes/vendor/github.com/cilium/ebpf/syscalls.go is https://github.com/cilium/ebpf/blob/master/syscalls.go which has no embedded license info and is under MIT license at https://github.com/cilium/ebpf/blob/master/LICENSE from what I can see.

kubernetes-2022-10-13.zip/kubernetes/vendor/github.com/mindprince/gonvml is (also?) licensed under the Apache license at https://github.com/mindprince/gonvml/blob/master/LICENSE ... does that govern?




Davanum Srinivas

Nov 29, 2022, 11:57:16 AM
to Bob Killen, kubernetes-sig-architecture
For our k/k-based releases, just these are applicable:


```
kubernetes-2022-10-13.zip/kubernetes/vendor/github.com/mindprince/gonvml/NVML_NOTICE
kubernetes-2022-10-13.zip/kubernetes/vendor/github.com/mindprince/gonvml/nvml.h
kubernetes-2022-10-13.zip/kubernetes/vendor/github.com/cilium/ebpf/syscalls.go
```

the syscalls.go is spurious, there's a string check "GPL" which triggers the warning:

The first two, we are just vendoring in, and the warning says "This file contains a license notice originating from a non-OSS SDK from NVIDIA. It permits use of the software, but does not appear to permit modification, redistribution, etc." so we can just disregard this as well.

-- Dims


--
Davanum Srinivas :: https://twitter.com/dims

Paco Xu

Nov 30, 2022, 8:28:54 AM
to kubernetes-sig-architecture
github.com/mindprince/gonvml is using Apache License. But the `nvml.h` is from NVIDIA's NVML.
- It can be downloaded from https://developer.nvidia.com/nvidia-management-library-nvml inside the `tdk_2.295.2.tar.gz`

And cadvisor is using `github.com/mindprince/gonvml`
```
#include "nvml.h"
```

Best regards,
Paco

Paco Xu

Nov 30, 2022, 8:28:54 AM
to Davanum Srinivas, Bob Killen, kubernetes-sig-architecture

On Wed, Nov 30, 2022 at 00:57, Davanum Srinivas <dav...@gmail.com> wrote:


--
Anything is possible!

Davanum Srinivas

Nov 30, 2022, 11:53:16 AM
to Paco Xu, kubernetes-sig-architecture