Refer to CNCF allowlist for 3rd-party licenses approved for inclusion in CNCF repos

[trentm]

This came up in open-telemetry/opentelemetry-js#5305 which is looking to include some ISC-licensed code in opentelemetry-js.git.

Refs: #2504

---

Some notes:

• The original "At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible" language came from Add Copyright Notices section to CONTRIBUTING.md #479
• There is this older issue Add guidelines about allowed licenses for dependencies #649 that may be resolved with this change? /cc @tigrannajaryan
• FWIW, the ASF maintains a list of licenses it "identifies the acceptable licenses for inclusion of third-party Open Source components in Apache Software Foundation products.": https://www.apache.org/legal/resolved.html However, the CNCF lists is probably the better one to treat an authoritative.

[mx-psi]

I think the wording should indicate that there are further conditions that need to be met in order for the third party code to be usable (namely the 'third party folder' and popularity requirements)

[danielgblanco]

Maybe instead of specifying those here we can link to CNCF recommendations for code attribution and state that they should also be observed?

[trentm]

that there are further conditions that need to be met

I'm a little wary of extending the scope here -- the current state allows MIT/BSD but doesn't add this requirement -- but fair. The requirement from that CNCF doc that I have specific questions about:

It is either (A) stored unmodified in a designated third-party folder

Looking at open-telemetry/opentelemetry-js#5305 that originally motivated this. That PR includes two test files verbatim from the node-semver 3rd-party dependency:

• semver-range-exclude.js
• semver-range-include.js

and one test file adapted from node-semver:

• semver.test.ts

Q: Do you think it would be sufficient to pull those two files into a separate subfolder, say "test/common/third-party/fixtures" rather than the current "test/common/fixtures/" (which has other fixture files)? Then we could include the node-semver license file in that subfolder.

(I can also move this discussion over to the original PR or to #2504 if that is more helpful.)

[trentm]

commit 41b543a. PTAL.

[trask]

I wasn't previously aware of the "third party folder" requirement 🤔

[trentm]

I think that guidance was written for considering inclusion of whole 3rd-party libraries, but that's totally a guess.

Some random other examples in OTel repos:

• I see some MIT code included in https://github.com/open-telemetry/opentelemetry-collector/tree/main/internal/memorylimiter/cgroups. Files in there are prefixed with:

// Copyright The OpenTelemetry Authors
// SPDX-License-Identifier: Apache-2.0

// Keep the original Uber license.

// Copyright (c) 2017 Uber Technologies, Inc.
//
// Permission is hereby granted, ...

• https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/tree/main/test/test-applications/integrations/TestApplication.GraphQL/StarWars/ appears to be a separate dir holding a 3rd-party MIT-licensed thing.

[trask]

we have many occurrences in the Java Instrumentation repo of 3rd party code that we've imported: https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-java-instrumentation+%22Includes+work+from%22+language%3AJava&type=code

luckily Apache is by far the most popular license in the Java world 😅