
Investigate MPL -> BUSL Changes/Impact #617

Closed
jeefy opened this issue Aug 11, 2023 · 74 comments

Comments

@jeefy
Member

jeefy commented Aug 11, 2023

We may have some projects that may be impacted by a license change.

We should investigate the impact on our projects and provide guidance if they are impacted.

Relevant Links:
https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
https://github.com/cncf/foundation/blob/main/agpl-recommendations.md
#187 (License exception for hashicorp/terraform projects)

EDIT: Let's keep this a data-gathering Issue only please 😄 See #617 (comment) for context.

EDIT EDIT: We've published some initial guidelines here: https://github.com/cncf/foundation/blob/main/source-available-recommendations.md

@dims
Member

dims commented Aug 11, 2023

Kubernetes Infra (sig-k8s-infra) has a lot of usages of terraform:
https://github.com/search?q=repo%3Akubernetes%2Fk8s.io%20terraform&type=code

Kubernetes image-builder subproject of CAPI uses packer to build AMI(s):
https://cs.k8s.io/?q=packer&i=nope&files=&excludeFiles=&repos=kubernetes-sigs/image-builder

Some good news though, Kubernetes used to vendor libraries from hashicorp under MPL for a long time in its history, but over time we started pruning them a while ago, the last of which went in here:
kubernetes/kubernetes#103548

And we have tools to prevent regressions to the vendored dependencies:
https://github.com/kubernetes/kubernetes/blob/master/hack/unwanted-dependencies.json#L30

Initial slack discussion:
https://kubernetes.slack.com/archives/C5P3FE08M/p1691699636105219

@rikatz
Contributor

rikatz commented Aug 11, 2023

From a quick search on Vagrant usage:

Sig-windows-dev-tools rely on Vagrant to build the environment https://github.com/kubernetes-sigs/sig-windows-dev-tools

Kubespray (github.com/kubernetes-sigs/kubespray) offers a way to bootstrap using Vagrant

IIUC from the license, dev workflow licensing will not be changed and both tools use Vagrant for development and not to offer production services, but it is worth checking as some cloud providers may be using at least kubespray internally and this may impact them.

@BenTheElder

BenTheElder commented Aug 11, 2023

While kubernetes core doesn't depend on any hashicorp libraries, plenty of subprojects do. https://cs.k8s.io/?q=%22github.com%2Fhashicorp&i=nope&files=&excludeFiles=&repos=

From a quick scan, I think these are all MPL things that remain MPL for now.

EDIT: We also have some vagrant usage in https://github.com/kubernetes-sigs/kind CI, but nothing critical and we can probably move to lima, we just need to non-interactively boot a cgroupsv2 enabled VM and ssh install/test docker/podman/kind. The kubernetes-sigs/image-builder project is probably the most immediate concern.

@vielmetti

The Register has a story at https://www.theregister.com/2023/08/11/hashicorp_bsl_licence/ (in the inimitable El Reg style).

@jayunit100

Sig windows dev tools uses vagrant

@amye
Contributor

amye commented Aug 12, 2023

Sig windows dev tools uses vagrant

Slightly more details would be helpful!

@dims
Member

dims commented Aug 12, 2023

Looking through https://cs.k8s.io/?q=hashicorp%5C%2F&i=nope&files=go.mod&excludeFiles=&repos= and the exceptions list from https://github.com/cncf/foundation/tree/main/license-exceptions, the grand total is 24 repos that seem to get vendored:

hashicorp/consul/api
hashicorp/errwrap
hashicorp/go-cleanhttp
hashicorp/go-getter
hashicorp/go-hclog
hashicorp/go-immutable-radix
hashicorp/go-msgpack
hashicorp/go-multierror
hashicorp/go-plugin
hashicorp/go-retryablehttp
hashicorp/go-rootcerts
hashicorp/go-safetemp
hashicorp/go-secure-stdlib
hashicorp/go-sockaddr
hashicorp/go-uuid
hashicorp/go-version
hashicorp/golang-lru
hashicorp/hcl
hashicorp/memberlist
hashicorp/raft
hashicorp/raft-boltdb
hashicorp/serf
hashicorp/vault
hashicorp/yamux

@yurishkuro
Contributor

Jaeger backend (https://github.com/jaegertracing/jaeger) uses two Hashicorp libraries:

  • github.com/hashicorp/go-hclog v1.5.0
  • github.com/hashicorp/go-plugin v1.4.10

It is my understanding that libraries are not subject to MPL -> BSL change, but we're watching those repos anyway. We also have a plan to phase out hashicorp/go-plugin (jaegertracing/jaeger#4647).

@aaguiarz
Contributor

aaguiarz commented Aug 12, 2023

OpenFGA (https://github.com/openfga/openfga) uses:

OpenFGA's CLI (https://github.com/openfga/cli) uses

Our understanding is that those projects are libraries that are not subject to MPL -> BSL change.

@AkihiroSuda
Contributor

Lima has a template for Nomad, but we are going to ditch it away

@terrytangyuan
Contributor

Argo has one direct and multiple indirect dependencies on HashiCorp projects. My understanding is that those dependencies are not subject to the MPL -> BSL change. We are tracking those closely at argoproj/argoproj#236.

@ckotzbauer

Kured uses one library indirectly, I opened kubereboot/kured#817

@stefanprodan
Contributor

@dims I think CNCF needs to replace hashicorp/vault with hashicorp/vault/api in the license exceptions, only the API package remains MPL, while the rest is now BUSL 1.1.

@justincormack

justincormack commented Aug 12, 2023

The repos that have changed licenses are below (note as Stefan says, there may be parts that are not relicensed in these repos)

hashicorp/terraform
hashicorp/consul
hashicorp/vault
hashicorp/vagrant
hashicorp/nomad
hashicorp/packer
hashicorp/waypoint
hashicorp/boundary
hashicorp/vault-csi-provider
hashicorp/vault-secrets-operator

All the general Go libraries etc are unchanged.

Sub parts that remain MPL include (not exhaustive check)
hashicorp/consul/api
hashicorp/vault/api
hashicorp/vault/sdk

@stefanprodan
Contributor

For the Flux project we are tracking the HashiCorp license change impact here fluxcd/flux2#4156.

While evaluating our usage of HashiCorp Go packages and software products, two questions have been raised:

❓ We need to decide what to do with the Flux Terraform Provider. If CNCF doesn't add the Terraform Plugin SDK (MPL licensed) to the exceptions list, we may be forced to stop offering an official Terraform Provider for Flux.

❓ We need to decide what to do with the various end-to-end tests that rely on Terraform for infrastructure bootstrap. We've invested tremendous time in developing automated e2e and conformance tests for Flux 2.0 GA. I hope we can keep using Terraform internally, as we don't ship any HashiCorp software with Flux; we only use this software in GitHub Actions workflows.

@jayunit100

... anyways, so re: sig-windows-dev-tools...

  • we don't vendor it at all, it's just used in the dev workflow as a black box, so ...
  • I don't think we're affected by this @amye :) sorry about the useless initial response earlier.

@JorTurFer

JorTurFer commented Aug 12, 2023

Hello,
In KEDA (keda.sh) we support HashiCorp Vault as secrets source (we just read values from there as a client), due to it, we use these deps:

github.com/hashicorp/vault/api
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v1.3.0 // indirect 
github.com/hashicorp/go-multierror v1.1.1 // indirect 
github.com/hashicorp/go-retryablehttp v0.7.2 // indirect 
github.com/hashicorp/go-rootcerts v1.0.2 // indirect 
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect 
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect 
github.com/hashicorp/go-sockaddr v1.0.2 // indirect 
github.com/hashicorp/go-uuid v1.0.3 // indirect 
github.com/hashicorp/hcl v1.0.0 // indirect

We also deploy a HashiCorp Vault during e2e test to test the integration (we use helm chart for it). We only use it locally within the testing cluster and we remove it after the e2e test.

For managing e2e test infrastructure we use terraform as well. We manage the infra from its own repo and terraform is executed via GH Action (using an Azure Blob Storage as backend).

I think that we aren't affected because KEDA doesn't provide any service that competes with HashiCorp products, so 3rd parties who offer KEDA as a service should be safe, but it'd be nice if we could confirm this point.

@sftim

sftim commented Aug 12, 2023

Using Vagrant is allowed by the new licence, so long as either:

  • it's not a production service (our CI/CD isn't that, in my view)
  • it is a production service but there is no competition with Hashicorp's business interests

I am of course not a lawyer

@abstractj
Contributor

Starting from the 21.0.0 release, Keycloak discontinued support for Hashicorp integration, so the impact should be low. If there's any information needed from us, please let me know.

oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this issue Aug 23, 2023
Due to [1] We need to make sure not to use BSL modules.

Luckily the ones we currently use have not changed.
The ones that are not changed are SDK/API and general Go libraries.
"HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0." [1] [2]

This commit creates a github action which allowlists them.
Any other module of hashicorp will be rejected, and will need
to be manually examined if it uses MPL (or other non restrictive license)
or BSL.

[1] https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
[2] cncf/foundation#617 (comment)

Signed-off-by: Or Shoval <[email protected]>
kubevirt-bot pushed a commit to kubevirt/cluster-network-addons-operator that referenced this issue Aug 23, 2023
@detiber

detiber commented Aug 25, 2023

The repos that have changed licenses are below (note as Stefan says, there may be parts that are not relicensed in these repos)

hashicorp/terraform
hashicorp/consul
hashicorp/vault
hashicorp/vagrant
hashicorp/nomad
hashicorp/packer
hashicorp/waypoint
hashicorp/boundary
hashicorp/vault-csi-provider
hashicorp/vault-secrets-operator

All the general Go libraries etc are unchanged.

Sub parts that remain MPL include (not exhaustive check)
hashicorp/consul/api
hashicorp/vault/api
hashicorp/vault/sdk

They've added hashicorp/vault/shamir to the MPL licensed packages

@leogr
Contributor

leogr commented Aug 28, 2023

Hello,

We conducted a manual audit in Falco by examining the content of all the go.sum files within the falcosecurity organization. Fortunately, it appears we aren't using any packages impacted by the MPL -> BUSL change. Great news! 🥳

We did identify a small number of MPL2 licensed packages without existing license exceptions. We're currently assessing whether we can get rid of these. If not, we'll proceed with a license exception request.

Tracking here: falcosecurity/evolution#305.

MPL2 licensed packages to be evaluated

| License | Package | Used by | Note |
|---|---|---|---|
| MPL-2.0 | github.com/hashicorp/consul/sdk | falcosidekick, plugins | An exception request for github.com/hashicorp/consul/api exists already |
| MPL-2.0 | github.com/hashicorp/logutils | event-generator, falcoctl, falcosidekick, plugins | This is likely an indirect dependency. Need investigation. |
| MPL-2.0 | github.com/hashicorp/memberlist | event-generator, falcoctl, falcosidekick, plugins | See #624 |
| MPL-2.0 | github.com/hashicorp/terraform-plugin-framework | kilt | See #187 and #619. Evaluate replacing: https://github.com/ko-build/terraform-provider-ko |
| MPL-2.0 | github.com/hashicorp/terraform-plugin-go | kilt | same as above |

Other Hashicorp packages we are using

| Allowlist / Exception | License | Package |
|---|---|---|
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/consul/api |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/errwrap |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/go-cleanhttp |
| Allowlist | MIT | github.com/hashicorp/go-hclog |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-immutable-radix |
| Allowlist | MIT | github.com/hashicorp/go-msgpack |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/go-multierror |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-plugin |
| 2021-07-19 | MPL-2.0 | github.com/hashicorp/go-retryablehttp |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-rootcerts |
| 2023-06-27 | MPL | github.com/hashicorp/go-secure-stdlib/parseutil |
| 2023-06-27 | MPL | github.com/hashicorp/go-secure-stdlib/strutil |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-sockaddr |
| Allowlist | MIT | github.com/hashicorp/go-syslog |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-uuid |
| Allowlist | BSD-3-Clause | github.com/hashicorp/go.net |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/golang-lru |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/hcl |
| Allowlist | MIT | github.com/hashicorp/mdns |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/raft |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/serf |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/vault/api |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/yamux |

N.B.
The 2023-06-27 license exceptions file inaccurately indicates that github.com/hashicorp/vault is licensed under MPL-2.0 and has GB exception approval as of 2023-06-27. In reality, github.com/hashicorp/vault is BUSL-1.1, while only its sub-package github.com/hashicorp/vault/api is MPL-2.0. cc @amye

@amye
Contributor

amye commented Aug 28, 2023

N.B. The 2023-06-27 license exceptions file inaccurately indicates that github.com/hashicorp/vault is licensed under MPL-2.0 and has GB exception approval as of 2023-06-27. In reality, github.com/hashicorp/vault is BUSL-1.1, while only its sub-package github.com/hashicorp/vault/api is MPL-2.0. cc @amye

That was as of the time of publication and predates this issue.
Only thing we're looking for in here is "investigate the impact on our projects".

If you need a separate issue, feel free!

@leogr
Contributor

leogr commented Aug 29, 2023

N.B. The 2023-06-27 license exceptions file inaccurately indicates that github.com/hashicorp/vault is licensed under MPL-2.0 and has GB exception approval as of 2023-06-27. In reality, github.com/hashicorp/vault is BUSL-1.1, while only its sub-package github.com/hashicorp/vault/api is MPL-2.0. cc @amye

That was as of the time of publication and predates this issue. Only thing we're looking for in here is "investigate the impact on our projects".

If you need a separate issue, feel free!

@amye Thank you for the clarification!

My point is: since an exception for github.com/hashicorp/vault already existed when it was MPL 2.0'd, and its sub-package github.com/hashicorp/vault/api is still MPL-2.0'd (ie. the sub-package has not been relicensed), the exception should be still valid today for only the part of github.com/hashicorp/vault/api. Thus, this package should not impact our projects, and we are fine. Is that correct?

If this is not the case, I will open a separate issue 🙏

@RichiH

RichiH commented Aug 29, 2023

Seems we never documented this here, Prometheus is using

which are both explicitly under MPL 2.0; scanners would catch it anyway if they weren't

@dhiguero
Contributor

Hi, from the KubeVela project we have the following dependencies:

  • github.com/hashicorp/go-version
  • github.com/hashicorp/hcl/v2

oshoval added a commit to oshoval/cluster-network-addons-operator that referenced this issue Sep 19, 2023
According to cncf/foundation#617 (comment)
we need to look at go.mod only because we have "go 1.17" in go.mod.
Adapt git actions accordingly.

Signed-off-by: Or Shoval <[email protected]>
kubevirt-bot pushed a commit to kubevirt/cluster-network-addons-operator that referenced this issue Sep 19, 2023
* go mod: Improve readability

The go VER line was there, but not at the beginning as it should be.

Signed-off-by: Or Shoval <[email protected]>

* modules: Amend hashicorp filtering

According to cncf/foundation#617 (comment)
we need to look at go.mod only because we have "go 1.17" in go.mod.
Adapt git actions accordingly.

Signed-off-by: Or Shoval <[email protected]>

---------

Signed-off-by: Or Shoval <[email protected]>
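One way to turn the allowlist idea in the commits above (and the repo/sub-package split from justincormack's, detiber's and leogr's comments) into a repeatable go.mod check. This is an added example, not the cluster-network-addons-operator action and not any project's own code: a small Go program that reads a go.mod, keeps only github.com/hashicorp/ modules, and classifies each as an MPL sub-module, an unchanged MPL library, or a module rooted in a relicensed repo. The buslRoots and mplSubtrees lists are assumed from this thread and are not exhaustive; SampleGoMod is constructed for the example and its version numbers are invented.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Verdict is the licence bucket a go.mod module path falls into.
type Verdict string

const (
	VerdictNotHashiCorp Verdict = "not-hashicorp"
	VerdictMPLSubmodule Verdict = "mpl-submodule"   // sub-tree of a relicensed repo that stayed MPL-2.0
	VerdictMPLLibrary   Verdict = "mpl-library"     // general HashiCorp library, licence unchanged
	VerdictBUSL         Verdict = "busl-relicensed" // rooted in a repo that moved to BUSL 1.1
)

// Repos relicensed to BUSL 1.1 and the sub-trees that stayed MPL-2.0, both taken from
// this thread; neither list is exhaustive (assumption of this example).
var buslRoots = []string{
	"github.com/hashicorp/terraform", "github.com/hashicorp/consul", "github.com/hashicorp/vault",
	"github.com/hashicorp/vagrant", "github.com/hashicorp/nomad", "github.com/hashicorp/packer",
	"github.com/hashicorp/waypoint", "github.com/hashicorp/boundary",
	"github.com/hashicorp/vault-csi-provider", "github.com/hashicorp/vault-secrets-operator",
}
var mplSubtrees = []string{
	"github.com/hashicorp/consul/api", "github.com/hashicorp/consul/sdk",
	"github.com/hashicorp/vault/api", "github.com/hashicorp/vault/sdk", "github.com/hashicorp/vault/shamir",
}

// anyUnder matches a root itself or any path below it. The "/" boundary matters:
// github.com/hashicorp/vault must not match github.com/hashicorp/vault-csi-provider.
func anyUnder(modulePath string, roots []string) bool {
	for _, r := range roots {
		if modulePath == r || strings.HasPrefix(modulePath, r+"/") {
			return true
		}
	}
	return false
}

// Classify buckets one module path; MPL sub-trees are tested before BUSL roots because they sit inside them.
func Classify(modulePath string) Verdict {
	switch {
	case !strings.HasPrefix(modulePath, "github.com/hashicorp/"):
		return VerdictNotHashiCorp
	case anyUnder(modulePath, mplSubtrees):
		return VerdictMPLSubmodule
	case anyUnder(modulePath, buslRoots):
		return VerdictBUSL
	}
	return VerdictMPLLibrary
}

// Finding is one HashiCorp module declared in a go.mod require block.
type Finding struct {
	Module, Version string
	Indirect        bool
	Verdict         Verdict
}

// AuditGoMod reads the "require ( ... )" blocks of a go.mod and returns every HashiCorp
// module they declare. Other directives are skipped, so a replace that swaps a module
// for a fork, or a vendored copy, is not accounted for here.
func AuditGoMod(goMod string) []Finding {
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "require (" {
			inBlock = true
			continue
		}
		if !inBlock || line == "" || strings.HasPrefix(line, "//") {
			continue // outside a block: module, go, replace, ...; inside: blanks and comments
		}
		if line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line) // path, version, optional "// indirect"
		if len(fields) < 2 {
			continue
		}
		if v := Classify(fields[0]); v != VerdictNotHashiCorp {
			findings = append(findings, Finding{fields[0], fields[1], strings.Contains(line, "// indirect"), v})
		}
	}
	return findings
}

// SampleGoMod is constructed for this example; the version numbers are invented.
const SampleGoMod = `module example.com/operator
go 1.21
require (
	github.com/hashicorp/vault/api v1.10.0
	github.com/hashicorp/vault v1.15.0 // indirect
	github.com/hashicorp/vault-csi-provider v1.4.0
	github.com/hashicorp/consul/api v1.25.1
	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
	github.com/hashicorp/memberlist v0.5.0
	golang.org/x/crypto v0.14.0
)
`

func main() {
	for _, f := range AuditGoMod(SampleGoMod) {
		fmt.Printf("%-15s %-50s %s indirect=%v\n", f.Verdict, f.Module, f.Version, f.Indirect)
	}
}
```

Two caveats for anyone wiring this into CI. Reading go.mod alone is complete only for a module whose go directive is 1.17 or later (the pruned module graph lists indirect dependencies explicitly), not for older modules, vendored trees, or replace directives pointing at a fork. And the verdict is keyed on module path while the licence actually changes with the version: dims notes above that older tags of the relicensed repos are still MPL, so a busl-relicensed hit is a prompt to inspect the LICENSE file of the resolved version in the module cache, not a final ruling.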
@FeynmanZhou
Contributor

FeynmanZhou commented Nov 17, 2023

notation-hashicorp-vault uses vault API as a direct dependency. According to the HashiCorp statement and Vault API license file, HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0, as well as Vault API. I assume it is compliant to use Vault API as a dependency in notation-hashicorp-vault.

If there is any concern on Vault API's license, please let us know. Thanks.

linking notaryproject/notation-hashicorp-vault#14

@dims
Member

dims commented Nov 17, 2023

@FeynmanZhou you should cross check if the official list of exceptions has what you need already ... if not you will need to ask for an exception

https://github.com/cncf/foundation/tree/main/license-exceptions

@stefanprodan
Contributor

stefanprodan commented Nov 17, 2023

@dims are these lists up to date? Hashicorp Vault is marked MPL 2.0 while it's BUSL https://github.com/hashicorp/vault/blob/main/LICENSE

##### Package: hashicorp/vault
PackageName: hashicorp/vault
SPDXID: SPDXRef-Package7
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2023-06-27

"package": "github.com/hashicorp/vault",
"license": "MPL-2.0 ",
"comment": "not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2023-06-27"
},

@dims
Member

dims commented Nov 17, 2023

@stefanprodan looks like you have to use the MPL version from the older tags/releases, as BUSL has not been granted an exception. If you are not able to, then please file for a new exception specifying which release(s) you want to use which have the newer license.

@stefanprodan
Contributor

@dims Vault's API package is MPL, see https://github.com/hashicorp/vault/blob/main/api/.copywrite.hcl

I think the exclusion list should point to the vault/api package, like it does for Consul

##### Package: hashicorp/consul/api
PackageName: hashicorp/consul/api
SPDXID: SPDXRef-Package8
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2023-06-27

@dims
Member

dims commented Nov 17, 2023

@stefanprodan ok i kicked off a PR to force the issue - #670

@stefanprodan
Contributor

Thanks @dims

@jeefy
Member Author

jeefy commented May 24, 2024

We're going to close this out as we've collected enough info for the Legal Committee to navigate these waters. We really appreciate everyone's input! Y'all rock <3

@jeefy jeefy closed this as completed May 24, 2024