Comments (9)
This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from kubernetes.
/sig architecture
from kubernetes.
@skitt we have had this issue for a long time now... for example cadvisor one of our very important dependencies needs a non-CNCF CLA ( google/cadvisor#3541 (comment) for example )
from kubernetes.
Right, but we don’t have a policy around it — should we?
(The Google CLA is OK, at least for my employer — google/cadvisor#3078. But I’m more interested in a general stance before we dive into specifics, which we can’t do anyway.)
from kubernetes.
@skitt every employer may likely make different choices with respect to the same CLA, so probably no common ground that i can see to write a policy that revolves around explicit terms in CLA or which companies are willing to sign it or not.
This probably needs to be booted up the stack to CNCF level as our licensing posture comes from what's allowed and not allowed from the CNCF charter and Governing Body deliberations etc.
For now, we muddle around with what we have, asking folks who can contribute to fixing something in a repo to do so and when that becomes a burden figure out alternatives to remove them. This is what we have been doing in general for a bunch of dependencies already for one reason or another.
See https://github.com/kubernetes/kubernetes/blob/master/hack/unwanted-dependencies.json where we drop things into that we track longer term to cleanup/get-rid-off. To get something into that json files, needs the consensus of the dependency approvers. So that's the current "policy" if you will.
from kubernetes.
@dims I agree 100%, this can’t be decided at “our” level, and rather than a list of principles, we’d end up with (if anything) a list of approved CLAs (in the same way there’s a list of approved licenses, which may also be at odds with member companies’ own lists of approved licenses).
I suppose the question for the community is whether it’s OK to muddle along, or whether it’s worth pushing this up the stack.
from kubernetes.
See https://github.com/kubernetes/kubernetes/blob/master/hack/unwanted-dependencies.json where we drop things into that we track longer term to cleanup/get-rid-off. To get something into that json files, needs the consensus of the dependency approvers. So that's the current "policy" if you will.
That reminds me that I wondered about adding gomock to this as part of this PR... What do you think?
from kubernetes.
I suppose the question for the community is whether it’s OK to muddle along, or whether it’s worth pushing this up the stack.
I think it's a good question for the TOC, but currently I'm not sure it's worth blocking on.
It's not ideal, but we do need maintained dependencies, however the maintainers want to work on it, and as long as it's under the license policy we have the ability to fork later if it comes to it.
Even if a dependency has no CLA, we can't predict if it will accept contributions from our contributor base for any other reasons.
Forking or replacing dependencies is always on the table if we can't get necessary changes implemented otherwise, but doing so preemptively for every dependency we think may be difficult for some of our contributors to patch is expensive and probably unnecessary.
Deciding on that seems pretty in scope for the TOC, and we otherwise largely stick to CNCF dependency policy.
from kubernetes.
Also: If every open source project took the attitude that only their own CLA was acceptable, then any non-CNCF projects couldn't use our libraries ...
That doesn't seem like a desirable place to be, so I'd hesitate to endorse a blanket ban on dependencies having non-CNCF CLAs.
If we have specific dependencies where we're unable to achieve essential fixes, then we should probably deal with those.
from kubernetes.
Related Issues (20)
- Support HTTP2 probes over cleartext (h2c) HOT 11
- The startup time of the init container is later than that of the application container. HOT 3
- Can't get secrets when adding imagePullSecrets HOT 3
- [Flaking test] [sig-node] Containers should use the image defaults if command and args are blank HOT 1
- kubectl --server-side --dry-run=server - wrong output for converting client side applied manifest HOT 3
- Node Labeling node.kubernetes.io/out-of-service Taint Label Delay HOT 2
- [FG:InPlacePodVerticalScaling] e2e test does not verify resource update in pod status HOT 3
- cronjob schedule with multiple conditions not working - conflict between day (week) and day (month) HOT 5
- NetPol block self pod trafic using an svc and not direct call HOT 12
- kube-apiserver logs watch requests before they end in 1.30 HOT 10
- Node Lifecycle Controller does not mark pods not ready when node becomes Ready=False HOT 8
- endpoints cannot be changed from notReadyAddresses to addresses HOT 8
- Enhancement: Add vTPM Configuration Fields for Enhanced Container Security HOT 3
- 'kubectl delete istag/$ISTAG --dry-run=server' is unexpectedly deleting the object from the server HOT 5
- [FG:InPlacePodVerticalScaling] resources in pod status are never updated if EventedPLEG is enabled HOT 2
- [Flaking test] ci-kubernetes-e2e-gci-gce.Overall HOT 4
- `kubernetes.io/legacy-token-last-used` label being added to long lived service token secrets HOT 2
- The endpoint status does not update when the pod state changes rapidly. HOT 8
- Pod with exitCode 137, The reason has nothing to do with resources。 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes.