BlueOak-1.0.0 license is not approved by CNCF #2392

Open
jandubois opened this issue Apr 25, 2025 · 6 comments

Comments

@jandubois

package.json lists several dependencies that are licensed under the BlueOak-1.0.0 license. That license is not listed as an approved CNCF license.

The packages are also not listed in the exception lists.

Are there any plans to resolve this?

Possible ways:

  • Get the license added to the CNCF Approved List
  • Apply for a CNCF exception for the specific modules
  • Ask the maintainer of the modules to add a dual-license for one of the approved licenses
  • Replace the dependencies with something else
@jandubois
Author

The problematic dependencies are:

[
  "chownr",
  "3.0.0",
  "BlueOak-1.0.0",
  "git://github.com/isaacs/chownr.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "jackspeak",
  "3.4.3",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/jackspeak.git",
  "Unknown",
  "Isaac Z. Schlueter"
]
[
  "package-json-from-dist",
  "1.0.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/package-json-from-dist.git",
  "https://izs.me/",
  "Isaac Z. Schlueter"
]
[
  "path-scurry",
  "1.11.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/path-scurry",
  "https://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "yallist",
  "5.0.0",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/yallist.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]

@cjihrig
Contributor

cjihrig commented Apr 25, 2025

These are all indirect dependencies.

chownr and yallist come from our dependency on tar.

jackspeak, package-json-from-dist, and path-scurry come from our dependency on c8.
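As an added example (not the project's code and not from any commenter in this thread), a Node script showing why the transitive case matters: it walks a constructed npm lockfile fragment, flags every package whose license falls outside an assumed allowlist, and prints the chain back to the direct dependency, the way the comment above traces chownr and yallist to tar. The allowlist, the per-package exception set, the `dual-example` and `nolicense-example` packages and all dependency edges are constructed for the demo; the real CNCF lists and the real tar/c8 trees are not reproduced here.

```javascript
// Added example (not part of the project or the issue): audit an npm lockfile for
// packages whose license is outside an allowlist, and report the chain from a direct
// dependency so transitive hits can be traced back, as this issue does for tar and c8.

// Allowlist and per-package exception list are ASSUMED here; the authoritative CNCF
// lists are maintained elsewhere and are not reproduced on this page.
const APPROVED = new Set(['Apache-2.0', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC']);
const PACKAGE_EXCEPTIONS = new Set();

// Constructed lockfile fragment in the shape of npm lockfileVersion 3 `packages`.
// The dependency edges are a simplified illustration, not the real tar/c8 trees.
const lockfile = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { tar: '^7.0.0' }, devDependencies: { c8: '^10.0.0' } },
    'node_modules/tar': { version: '7.0.0', license: 'ISC',
      dependencies: { chownr: '^3.0.0', yallist: '^5.0.0', 'nolicense-example': '^0.1.0' } },
    'node_modules/chownr': { version: '3.0.0', license: 'BlueOak-1.0.0' },
    'node_modules/yallist': { version: '5.0.0', license: 'BlueOak-1.0.0' },
    'node_modules/nolicense-example': { version: '0.1.0' }, // hypothetical: no license field at all
    'node_modules/c8': { version: '10.0.0', license: 'ISC',
      dependencies: { 'path-scurry': '^1.11.0', 'dual-example': '^2.0.0' } },
    'node_modules/path-scurry': { version: '1.11.1', license: 'BlueOak-1.0.0',
      dependencies: { 'lru-cache': '^10.0.0' } },
    'node_modules/lru-cache': { version: '10.0.0', license: 'ISC' },
    'node_modules/dual-example': { version: '2.0.0', license: '(MIT OR BlueOak-1.0.0)' }, // hypothetical dual license
  },
};

// Does a flat SPDX expression satisfy the allowlist? OR needs one approved alternative
// (this is what a dual license buys you), AND needs every part approved. A missing
// license field is treated as unapproved rather than silently passing.
function licenseApproved(expr, approved) {
  if (!expr) return false;
  const inner = String(expr).replace(/[()]/g, '').trim();
  if (inner.includes(' OR ')) return inner.split(' OR ').some((l) => licenseApproved(l, approved));
  if (inner.includes(' AND ')) return inner.split(' AND ').every((l) => licenseApproved(l, approved));
  return approved.has(inner);
}

// 'node_modules/a/node_modules/b' -> 'b' (nested duplicates collapse onto one name here)
const pkgName = (key) => key.replace(/^.*node_modules\//, '');

function auditLicenses(lock, approved, exceptions = new Set()) {
  const pkgs = lock.packages || {};
  const root = pkgs[''] || {};
  const direct = new Set(Object.keys({ ...(root.dependencies || {}), ...(root.devDependencies || {}) }));

  // Reverse edges: child name -> set of parent names, built from each entry's dependencies.
  const parents = new Map();
  for (const [key, meta] of Object.entries(pkgs)) {
    if (key === '') continue;
    for (const child of Object.keys(meta.dependencies || {})) {
      if (!parents.has(child)) parents.set(child, new Set());
      parents.get(child).add(pkgName(key));
    }
  }

  // Shortest chain from some direct dependency down to `name`, by BFS over reverse edges.
  function chainTo(name) {
    const queue = [[name]];
    const seen = new Set([name]);
    while (queue.length) {
      const path = queue.shift();
      if (direct.has(path[0])) return path;
      for (const p of parents.get(path[0]) || []) {
        if (!seen.has(p)) { seen.add(p); queue.push([p, ...path]); }
      }
    }
    return [name]; // orphan entry: not reachable from the root manifest
  }

  const findings = [];
  for (const [key, meta] of Object.entries(pkgs)) {
    if (key === '') continue;
    const name = pkgName(key);
    if (exceptions.has(name) || licenseApproved(meta.license, approved)) continue;
    findings.push({ name, version: meta.version, license: meta.license || null,
      direct: direct.has(name), chain: chainTo(name) });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

for (const f of auditLicenses(lockfile, APPROVED, PACKAGE_EXCEPTIONS)) {
  console.log(`${f.name}@${f.version}: ${f.license ?? 'NO LICENSE'} via ${f.chain.join(' > ')}`);
}
```

Run against a real `package-lock.json` by replacing the constructed `lockfile` object with `JSON.parse(fs.readFileSync('package-lock.json'))`. The `direct` flag on each finding is what the policy discussion turns on: with every finding here indirect, a check that only inspected `package.json` would report nothing.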

@jandubois
Author

> These are all indirect dependencies.

It is my understanding that the CNCF license approval requirement applies to indirect dependencies as well. Is that not the case?

Otherwise you could just create a wrapper with an approved license around a module and circumvent the whole license checking. The whole point of an official list is that the CNCF confirms that it considers the licenses compatible.

@cjihrig
Contributor

cjihrig commented Apr 25, 2025

I don't know the policy. Without any investigation, I would assume it applies to all dependencies, direct or otherwise. I just wanted to document where these dependencies were coming from in case changes need to be made.

@mattfarina

The license policy for the whole CNCF can be found here. It applies to all dependencies not just direct ones. The approved exceptions can be found here. The BlueOak-1.0.0 license is not an approved one.

@cjihrig
Contributor

cjihrig commented Apr 26, 2025

It might be worth applying for an exception. BlueOak is OSI approved and, if I recall correctly, was recently approved by the OpenJS Foundation.


3 participants