
Simplify handling of licenses#299

Merged
cert-manager-prow[bot] merged 1 commit into
cert-manager:mainfrom
SgtCoDFish:simplify-licenses
Jun 17, 2025

Conversation

@SgtCoDFish

Member

Currently, changes to dependencies usually trigger a corresponding need to run "make generate-go-licenses" to update the LICENSES file.

The ultimate aim of this file is to track that the licenses we use are compliant with the policies we operate under (i.e. those of the CNCF). As such, the most important thing is tracking when licenses are added or when a project changes its license.

It isn't helpful for us to have to do busywork just to update the version number of a dependency in the LICENSES file; that mostly serves to break dependabot PRs and doesn't provide us with useful functionality.

Instead, if we log out the module name and the license we get the ability to track and audit licenses when they change, providing a useful signal that a maintainer should take a careful look at what changed to ensure compliance.


Example of a LICENSES file (from openshift-routes) generated with the new template:

This LICENSES file is generated by the `licenses` module in makefile-modules.

The licenses below the "---" are determined by the go-licenses tool.

The aim of this file is to collect the licenses of all dependencies, and provide
a single source of truth for licenses used by this project.

If CI reports that this file is out of date, you should be careful to check that the
new licenses are acceptable for this project before running `make generate-go-licenses`
to update this file.

Acceptable licenses are those allowlisted by the CNCF[0].

You MUST NOT add any new dependencies whose licenses are not allowlisted by the CNCF,
or which do not have an explicit license exception[1].

[0]: https://github.com/cncf/foundation/blob/db4179134ebe7fa00b140a050c19147db808b6fa/policies-guidance/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
[1]: https://github.com/cncf/foundation/blob/db4179134ebe7fa00b140a050c19147db808b6fa/license-exceptions/README.md

---

github.com/Azure/go-ntlmssp,MIT
github.com/beorn7/perks/quantile,MIT
github.com/blang/semver/v4,MIT
github.com/cert-manager/cert-manager,Apache-2.0
github.com/cert-manager/openshift-routes/internal,Apache-2.0
github.com/cespare/xxhash/v2,MIT
github.com/davecgh/go-spew/spew,ISC
github.com/emicklei/go-restful/v3,MIT
github.com/evanphx/json-patch/v5,BSD-3-Clause
github.com/fsnotify/fsnotify,BSD-3-Clause
github.com/fxamacker/cbor/v2,MIT
github.com/go-asn1-ber/asn1-ber,MIT
github.com/go-errors/errors,MIT
github.com/go-ldap/ldap/v3,MIT
github.com/go-logr/logr,Apache-2.0
github.com/go-logr/zapr,Apache-2.0
github.com/go-openapi/jsonpointer,Apache-2.0
github.com/go-openapi/jsonreference,Apache-2.0
github.com/go-openapi/swag,Apache-2.0
github.com/gogo/protobuf,BSD-3-Clause
github.com/google/btree,Apache-2.0
github.com/google/gnostic-models,Apache-2.0
github.com/google/go-cmp/cmp,BSD-3-Clause
github.com/google/shlex,Apache-2.0
github.com/google/uuid,BSD-3-Clause
github.com/gregjones/httpcache,MIT
github.com/josharian/intern,MIT
github.com/json-iterator/go,MIT
github.com/liggitt/tabwriter,BSD-3-Clause
github.com/mailru/easyjson,MIT
github.com/moby/term,Apache-2.0
github.com/modern-go/concurrent,Apache-2.0
github.com/modern-go/reflect2,Apache-2.0
github.com/monochromegane/go-gitignore,MIT
github.com/munnerz/goautoneg,BSD-3-Clause
github.com/openshift/api/route/v1,Apache-2.0
github.com/openshift/client-go/route,Apache-2.0
github.com/peterbourgon/diskv,MIT
github.com/pkg/errors,BSD-2-Clause
github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil,BSD-3-Clause
github.com/prometheus/client_golang/prometheus,Apache-2.0
github.com/prometheus/client_model/go,Apache-2.0
github.com/prometheus/common,Apache-2.0
github.com/prometheus/procfs,Apache-2.0
github.com/spf13/cobra,Apache-2.0
github.com/spf13/pflag,BSD-3-Clause
github.com/x448/float16,MIT
github.com/xlab/treeprint,MIT
go.opentelemetry.io/otel,Apache-2.0
go.opentelemetry.io/otel/trace,Apache-2.0
go.uber.org/multierr,MIT
go.uber.org/zap,MIT
golang.org/x/crypto,BSD-3-Clause
golang.org/x/net,BSD-3-Clause
golang.org/x/oauth2,BSD-3-Clause
golang.org/x/sync/errgroup,BSD-3-Clause
golang.org/x/sys/unix,BSD-3-Clause
golang.org/x/term,BSD-3-Clause
golang.org/x/text,BSD-3-Clause
golang.org/x/time/rate,BSD-3-Clause
gomodules.xyz/jsonpatch/v2,Apache-2.0
google.golang.org/protobuf,BSD-3-Clause
gopkg.in/evanphx/json-patch.v4,BSD-3-Clause
gopkg.in/inf.v0,BSD-3-Clause
gopkg.in/yaml.v3,MIT
k8s.io/api,Apache-2.0
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions,Apache-2.0
k8s.io/apimachinery/pkg,Apache-2.0
k8s.io/apimachinery/third_party/forked/golang,BSD-3-Clause
k8s.io/cli-runtime/pkg,Apache-2.0
k8s.io/client-go,Apache-2.0
k8s.io/client-go/third_party/forked/golang/template,BSD-3-Clause
k8s.io/component-base,Apache-2.0
k8s.io/klog/v2,Apache-2.0
k8s.io/kube-openapi/pkg,Apache-2.0
k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json,BSD-3-Clause
k8s.io/kube-openapi/pkg/validation/spec,Apache-2.0
k8s.io/utils,Apache-2.0
k8s.io/utils/internal/third_party/forked/golang,BSD-3-Clause
sigs.k8s.io/controller-runtime,Apache-2.0
sigs.k8s.io/gateway-api/apis/v1,Apache-2.0
sigs.k8s.io/json,Apache-2.0
sigs.k8s.io/json,BSD-3-Clause
sigs.k8s.io/kustomize/api,Apache-2.0
sigs.k8s.io/kustomize/kyaml,Apache-2.0
sigs.k8s.io/randfill,Apache-2.0
sigs.k8s.io/structured-merge-diff/v4,Apache-2.0
sigs.k8s.io/yaml,MIT
sigs.k8s.io/yaml,Apache-2.0
sigs.k8s.io/yaml,BSD-3-Clause
sigs.k8s.io/yaml/goyaml.v2,Apache-2.0
sigs.k8s.io/yaml/goyaml.v3,MIT
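A check of the kind the description above asks a maintainer to do, as an added example that is not the PR's or makefile-modules' own code: it parses two files in the new `module,license` layout (constructed samples, not the file above), reports modules that are new or whose license set changed, and flags any license outside an assumed allowlist standing in for the CNCF one.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed samples (not from the PR) in the generated LICENSES layout: a free-text header,
// a "---" separator, then "module,license" rows; one module may occupy several rows.
const oldLicenses = "header\n---\ngithub.com/pkg/errors,BSD-2-Clause\n" +
	"sigs.k8s.io/yaml,MIT\nsigs.k8s.io/yaml,Apache-2.0\ngolang.org/x/net,BSD-3-Clause\n"
const newLicenses = "header\n---\ngithub.com/pkg/errors,BSD-2-Clause\nsigs.k8s.io/yaml,MIT\n" +
	"sigs.k8s.io/yaml,Apache-2.0\nsigs.k8s.io/yaml,BSD-3-Clause\ngolang.org/x/net,BSD-3-Clause\nexample.invalid/newdep,GPL-3.0\n"

// parseLicenses maps module -> its licenses joined with "+" in file order (go-licenses output
// is stable, so the order is comparable); everything above the "---" separator is skipped.
func parseLicenses(file string) map[string]string {
	out := map[string]string{}
	inBody := false
	for _, line := range strings.Split(file, "\n") {
		if line = strings.TrimSpace(line); !inBody {
			inBody = line == "---"
		} else if mod, lic, ok := strings.Cut(line, ","); ok && mod != "" {
			out[mod] = strings.TrimPrefix(out[mod]+"+"+lic, "+")
		}
	}
	return out
}

// auditChanges returns what a maintainer should review before regenerating the file: new modules,
// modules whose license set changed, and any license outside allowed (an assumed stand-in for
// the CNCF allowlist). A version-only dependency bump produces no findings at all.
func auditChanges(oldFile, newFile string, allowed map[string]bool) []string {
	before, after := parseLicenses(oldFile), parseLicenses(newFile)
	var findings []string
	for mod, lics := range after {
		if prev, seen := before[mod]; !seen {
			findings = append(findings, "added: "+mod+" ("+lics+")")
		} else if prev != lics {
			findings = append(findings, "changed: "+mod+" "+prev+" -> "+lics)
		}
		for _, l := range strings.Split(lics, "+") {
			if !allowed[l] {
				findings = append(findings, "not allowlisted: "+mod+" uses "+l)
			}
		}
	}
	sort.Strings(findings) // map iteration is randomised; keep the report deterministic
	return findings
}
```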

Currently, changes to dependencies usually trigger a corresponding need
to run "make generate-go-licenses" to update the LICENSES file.

The ultimate aim of this file is to track that the licenses we use are
compliant with the policies we operate under (i.e. those of the CNCF).
As such, the most important thing is tracking when licenses change.

It isn't helpful for us to have to do busywork just to update the
version number of a dependency in the LICENSES file; that mostly serves
to break dependabot PRs and doesn't provide us with useful
functionality.

Instead, if we log out the module name and the license, we get the
ability to track and audit licenses, providing a useful signal when a
license changes or a new dependency is added that a maintainer should
take a careful look at what changed to ensure compliance.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
@cert-manager-prow cert-manager-prow Bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 16, 2025
@ThatsMrTalbot

Contributor

/lgtm
/approve

@cert-manager-prow cert-manager-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2025
@cert-manager-prow

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ThatsMrTalbot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2025
@cert-manager-prow cert-manager-prow Bot merged commit a7819ed into cert-manager:main Jun 17, 2025
4 checks passed
@SgtCoDFish SgtCoDFish deleted the simplify-licenses branch June 17, 2025 10:32
GOWORK=$(abspath $(licenses_go_work)) \
GOOS=linux GOARCH=amd64 \
$(GO-LICENSES) report --ignore "$$(license_ignore)" ./... > LICENSES
$(GO-LICENSES) report --ignore "$$(license_ignore)" --template $(dir $(lastword $(MAKEFILE_LIST)))/licenses.tmpl ./... > LICENSES
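Review bot: the template path on the new `$(GO-LICENSES) report` line joins `$(dir $(lastword $(MAKEFILE_LIST)))`, which already ends in a slash, with `/licenses.tmpl`, so the resolved path carries a double slash, exactly as in the `make/_shared/licenses//licenses.tmpl` error reported from trust-manager below. Dropping the extra `/` only tidies the path; the underlying failure is that the file was not found, so the change should also confirm that `licenses.tmpl` is synced into consuming repositories alongside the module's makefile. Separately, recipe lines are expanded when the rule runs rather than when the makefile is parsed, so `$(lastword $(MAKEFILE_LIST))` inside the recipe names whichever makefile was included last overall; capturing the module directory at parse time in a simply-expanded variable (for example `licenses_dir := $(dir $(lastword $(MAKEFILE_LIST)))`) and using `$(licenses_dir)licenses.tmpl` makes the template location independent of include order.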

Member


I'm getting this error: F0617 11:53:58.644045 7139 main.go:75] open make/_shared/licenses//licenses.tmpl: no such file or directory

see https://github.com/cert-manager/trust-manager/actions/runs/15706463048/job/44253339339

Member Author


Looking into it; worked for me locally (of course :D)
