Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Licensing Question] Import semver package partially into code base #2504

Open
serkan-ozal opened this issue Jan 9, 2025 · 9 comments
Open

Comments

@serkan-ozal
Copy link

Hi all,

I am OTEL FAAS SIG maintainer and working on reducing OTEL Lambda Node.js layer coldstart overhead.
During my analysis I have noticed that semver package initialization has some impact on the startup time.
So, I am working on replacing semver package with more lightweight internal/custom semantic versioning implementation having only required functionalities: open-telemetry/opentelemetry-js#5305

Some of the code parts in the custom semver implementation are imported (with very minor modifications) from the actual semver package and their license is ISC .

So, even though ISC is listed as one of the allowed ones here, we are not sure that whether

  • it is enough just to add their ISC license header to the associated source file(s) or
  • it requires more than that or
  • it is not allowed at all

You can check the discussion in the PR here: open-telemetry/opentelemetry-js#5305 (comment)

Waiting for your feedbacks ...

cc @trentm @mx-psi @tylerbenson @dyladan

@austinlparker
Copy link
Member

Is the only file in question the test fixture?

@serkan-ozal
Copy link
Author

@austinlparker and also semver.ts file.

The following methods have been copied with very minor modifications into the semver.ts file:

  • replaceTilde
  • replaceCaret
  • replaceXRange
  • replaceHyphen
  • regexp definitions used by them

@austinlparker
Copy link
Member

I am not a lawyer but I do know how to find them, so let me submit this to CNCF. I think it is fine as long as you include the ISC license as well as the Apache2 license but I'd rather we check to make sure.

@austinlparker
Copy link
Member

For GC - opened https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-2625

@svrnm
Copy link
Member

svrnm commented Jan 9, 2025

https://github.com/cncf/foundation/blob/main/recommendations-for-attribution.md might answer some portions of that question

@trentm
Copy link
Contributor

trentm commented Jan 9, 2025

One of the reasons we are asking about ISC is because https://github.com/open-telemetry/community/blob/main/guides/contributor/processes.md#copyright-notices says:

Any contributed third-party code must originally be Apache 2.0-Licensed or must carry a permissive software license that is compatible when combining with Apache 2.0 License. At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible.

I'd be curious if we change that "BSD and MIT are the only" to instead defer to the CNCF allowlist that Serkan pointed to above (https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist).

@svrnm
Copy link
Member

svrnm commented Jan 10, 2025

thanks for calling this out @trentm, I would assume this can (and needs to?) be updated to to point to the CNCF document.

@trentm
Copy link
Contributor

trentm commented Jan 10, 2025

I would assume this can (and needs to?) be updated to to point to the CNCF document.

I've opened #2506 for this.

trask pushed a commit that referenced this issue Jan 16, 2025
… in CNCF repos (#2506)

* Refer to CNCF allowlist for 3rd-party licenses approved for inclusion in CNCF repos

This came up in open-telemetry/opentelemetry-js#5305

Refs: #2504

* mention and refer to the CNCF conditions for including third-party code
@trentm
Copy link
Contributor

trentm commented Jan 17, 2025

From my POV I think we are good to close this. However, @austinlparker is there any feedback from the cncfservicedesk issue you opened above? (I don't have access to view it.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants