License requirements when shipping containers

[dprotaso]

This is the public issue for (https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652).

There were enough people in the Knative project asking about this so I figured it warranted having a public issue others can comment on (so I'm not the sole proxy).

Original Question

What are the CNCF requirements for license disclosure for dependencies when shipping container images?

Background

Knative has been vendoring licenses and including them in the containers we ship. This been our practice since the project went public in 2018 and was a requirement of Google's OSPO's office.

Some context from Evan Anderson [1]

To provide additional context, this was original implemented to meet the second clause of the BSD 2-clause license:

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

By embedding the license in the container image, people who received the OCI image (for example, by pulling from a repo which the image had been cloned to) would also receive a copy of the license, which would trivially satisfy "reproduce the above copyright notice". Since I'm not a lawyer, I'm not going to venture whether this was an overly-restrictive reading of this clause. (This also similarly trivially satisfies the MIT requirement of including a liability disclaimer notice.)

[1] knative/hack#315 (comment)

Related Info

We now build our containers using a tool called ko - this will also publish a SBOM file https://ko.build/features/sboms/

I believe the SBOM will include some license info. Is having this file available for download sufficient for license compliance?

[dprotaso]

Looks like the licenses in the SBOM is not a thing at moment - ko-build/ko#766

but what if it were 🤔

[amye]

So as I'm reading through this, this may no longer be an active question?

[dprotaso]

We're still looking for input from the CNCF what is required

[dprotaso]

hey @amye any updates?

[puerco]

@amye can we satisfy the requirements to distribute licenses by having the project and dependency licenses in the SBOM? We can also add the license text to the SBOM in addition to the identifiers if needed.

[dprotaso]

Hi - just following up here again

[amye]

Hi - just following up here again

Still in discussion with Legal Committee!

[dprotaso]

What has the discussion been? Is there a timeline on a decision - the original service desk ticket is almost a year old

…

On Mon, Dec 11, 2023 at 19:08 Amye Scavarda Perrin ***@***.***> wrote: Hi - just following up here again Still in discussion with Legal Committee! — Reply to this email directly, view it on GitHub <#642 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAERAVYQQIU3QYWO5IK22TYI6OBTAVCNFSM6AAAAAA5CAM6QGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNJRGA4TKMJTGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[dprotaso]

Following up - I'm assuming the lack of response indicates there's no requirement and thus projects are not required to have disclosures in our project's container image.

[jeffcshapiro]

@joannalee333 Can you comment on this?

[joannalee333]

Staff will be working with the Legal Committee on development of guidance for this issue. Licensing compliance for container images is not as straightforward as it is for code. We'll likely have guidance ready to share later this quarter.