Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transitive dependencies on github.com/hashicorp/go-retryablehttp required to build #197

Open
liggitt opened this issue May 16, 2023 · 10 comments
Open

Transitive dependencies on github.com/hashicorp/go-retryablehttp required to build #197

liggitt opened this issue May 16, 2023 · 10 comments

Comments

@liggitt
Copy link

liggitt commented May 16, 2023

What happened:

Cannot build release-sdk commands without pulling in MPL-licensed projects not in the CNCF allowlist.

go mod why github.com/hashicorp/go-retryablehttp shows this path to github.com/hashicorp/go-retryablehttp which is MPL-licensed and not included in the CNCF allowlist:

# github.com/hashicorp/go-retryablehttp
sigs.k8s.io/release-sdk/sign
github.com/sigstore/cosign/cmd/cosign/cli/rekor
github.com/sigstore/rekor/pkg/client
github.com/hashicorp/go-retryablehttp

https://github.com/cncf/foundation/blob/main/license-exceptions/

https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy

cncf/foundation#138

What you expected to happen:

No dependencies on MPL-licensed projects not explicitly allowlisted

How to reproduce it (as minimally and precisely as possible):

run go mod vendor to see code actually used/linked by release-sdk and observe go-retryablehttp code is required to build.
@liggitt liggitt mentioned this issue May 16, 2023
Closed
@saschagrunert
Copy link
Member

saschagrunert commented May 16, 2023
edited
Loading

Yeah, this needs to be changed in rekor / cosign. Probably a bump to cosign v2 may already fix that problem.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 20, 2024
@xmudrii
Copy link
Member

xmudrii commented Jan 22, 2024

Looks like we still have this transitive dependency.
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 22, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 21, 2024
@xmudrii
Copy link
Member

xmudrii commented Apr 22, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 22, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 21, 2024
@xmudrii
Copy link
Member

xmudrii commented Jul 22, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 22, 2024
@BenTheElder
Copy link
Member

I still see this dep, which gets pulled transitively into other repos by way of dependency on release-sdk.

We should consider splitting out cosign or something, if we can't resolve this on their end.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 20, 2024
@xmudrii
Copy link
Member

xmudrii commented Oct 21, 2024

We still use this dependency
https://cs.k8s.io/?q=github.com%2Fhashicorp%2Fgo-retryablehttp&i=nope&files=go.mod&excludeFiles=vendor&repos=
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@saschagrunert @BenTheElder @liggitt @xmudrii @k8s-ci-robot @k8s-triage-robot