Review hashicorp license change impact #9181
Description
Recently hashicorp announced changes to some of its licenses. This issue is a place to assess the impact on Cluster API.
CNCF issue: cncf/foundation#617
None of the dependencies CAPI imports have been updated to the Business source license.
Note: The original finding in this issue are irrelevant at this point. See below for the current state and plan-of-action.
Initial findings
Generate list of all modules which are importing a hashicorp module. This must be done for each of the three go modules in the CAPI repo.
go mod graph | grep "\s.*hashicorp" > hashicorp_modules
cd test ; go mod graph | grep "\s.*hashicorp" >> ../hashicorp_modules
cd ../hack/tools ; go mod graph | grep "\s.*hashicorp" >> ../../hashicorp_modules
cd ../..
Get a unique sorted list of hashicorp modules that are being imported
cat hashicorp_modules | cut -d ' ' -f 2 | sort -u -o hashicorp_modules
The end result of the above is a list of 27 modules. Some are the same module with a different version.
-
MPL: https://github.com/hashicorp/consul/blob/main/api/LICENSE
github.com/hashicorp/consul/[email protected]
github.com/hashicorp/consul/[email protected] -
MPL: https://github.com/hashicorp/consul/blob/main/sdk/LICENSE
github.com/hashicorp/consul/[email protected] -
MPL: https://github.com/hashicorp/errwrap/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MPL: https://github.com/hashicorp/go-cleanhttp/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] -
MIT: https://github.com/hashicorp/go-hclog/blob/main/LICENSE
github.com/hashicorp/[email protected] -
MPL: https://github.com/hashicorp/go-immutable-radix/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] -
MPL: https://github.com/hashicorp/golang-lru/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] -
MIT: https://github.com/hashicorp/go-msgpack/blob/main/LICENSE
github.com/hashicorp/[email protected] -
MPL: https://github.com/hashicorp/go-multierror/blob/main/LICENSE
github.com/hashicorp/[email protected] -
BSD: (forked from go) https://github.com/hashicorp/go.net/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/go-rootcerts/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/go-sockaddr/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MIT https://github.com/hashicorp/go-syslog/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/go-uuid/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/hcl/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/logutils/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MIT https://github.com/hashicorp/mdns/blob/main/LICENSE
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/memberlist/blob/master/LICENSE
github.com/hashicorp/[email protected] -
MPL https://github.com/hashicorp/serf/blob/master/LICENSE
github.com/hashicorp/[email protected]
github.com/hashicorp/[email protected]
Outstanding tasks:
- 🌱 Add licence-scan for pull requests #9184
- Remove the indirect dependency on hashicorp HCL. Current exception is implemented here: https://github.com/killianmuldoon/cluster-api/blob/c173312047ca2497cae8e4617fcea050d29e670e/hack/verify-licenses.sh#L38C1-L38C1
- Consider adding an additional periodic license scan for published artifacts including images and binaries. Do periodic license scanning on images and build artifacts #9436