Proposal to Move Hedera Core Network Software to LFDT #20
Conversation
hendrikebbers
force-pushed
the
hedera-hashgraph
branch
from
bace6b7
to
15ff61a
Compare
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
hendrikebbers
force-pushed
the
hedera-hashgraph
branch
from
c2eeb5f
to
77f8443
Compare
swcurran
changed the title
|
I tweaked the title to make it clear in emails what the PR is about. Also — a previous commit requires DCO signoff — DCO - Developer Certificate of Origin - https://github.com/apps/dco. Details about how to fix are in the “Details” link beside the failed check. |
HIPs/hedera-hashgraph.md
Outdated
| Today, Snyk is used to create automatic dependency and license overviews of the subprojects. | ||
| The attached file [`dependencies-client-sdks.csv`](../assets/hedera-licenses-sdks.csv) contains a list of all | ||
| dependencies of our SDK projects. | ||
| Next to that, the attached file [`licenses.cvs`](../assets/hedera-licenses.csv) contains an overview of all licenses that |
There was a problem hiding this comment.
Seeing a few dependencies that are non-permissive (e.g., GPL) in the list. Is there an intention to replace these dependencies with a permissive license dependency?
There was a problem hiding this comment.
Can you provide a list of all licences in hedera-licenses.csv that are problematic? By doing so we can identify the dependencies and define actions for each of them.
There was a problem hiding this comment.
This is a list of licenses from hedera-licenses-sdk.csv:
- ""
- "Apache-2.0, MIT"
- "BSD-2-Clause, MIT, Apache-2.0"
- "BSD-3-Clause, GPL-2.0"
- "BSD-3-Clause, MIT"
- "BSD-3-Clause, Unlicense, Unknown"
- "CDDL-1.1, GPL-2.0-with-classpath-exception"
- "GPL-3.0, LGPL-3.0"
- "MIT, CC0-1.0"
- "WTFPL, MIT"
- 0BSD
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
- CC-BY-3.0
- CC-BY-4.0
- CC0-1.0
- EDL-1.0
- GPL-2.0
- ISC
- LGPL-2.1
- LGPL-3.0
- MIT
- MPL-2.0
- Public-Domain
- Python-2.0
- Unknown
- Unlicense
The dependencies with "" or Unknown licenses are something that should be researched to determine what the actual license is.
The lines that have "GPL-2.0" and "CDDL-1.1" are also of concern as these are non-permissive licenses. There may be others, as I am not familiar with all of these licenses.
Also, are those lines that contain multiple licenses "one-of" or something else?
There was a problem hiding this comment.
This is a list of licenses from hedera-licenses.csv:
- "0BSD, BSD-2-Clause"
- "AFL-2.1, BSD-2-Clause"
- "AFL-2.1, BSD-3-Clause"
- "Apache-2.0, BSD-2-Clause"
- "Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, CC0-1.0, MIT"
- "Apache-2.0, BSD-2-Clause, BSD-3-Clause, EDL-1.0, EPL-2.0, GPL-2.0-with-classpath-exception, MIT, Public-Domain, W3C"
- "Apache-2.0, BSD-2-Clause, MIT, Protobuf"
- "Apache-2.0, BSD-3-Clause"
- "Apache-2.0, BSD-3-Clause, MIT"
- "Apache-2.0, EPL-1.0"
- "Apache-2.0, EPL-2.0, GPL-3.0"
- "Apache-2.0, GPL-2.0, MPL-1.1"
- "Apache-2.0, LGPL-2.1"
- "Apache-2.0, LGPL-2.1, MPL-1.1"
- "Apache-2.0, LGPL-3.0"
- "Apache-2.0, LGPL-3.0-or-later"
- "Apache-2.0, LGPL-3.0-or-later, MIT"
- "Apache-2.0, MIT"
- "Apache-2.0, MPL-1.1"
- "BSD-1-Clause, BSD-2-Clause"
- "BSD-1-Clause, BSD-2-Clause-Views"
- "BSD-2-Clause, BSD-3-Clause"
- "BSD-2-Clause, BSD-3-Clause, BSD-3-Clause-No-Military-License"
- "BSD-2-Clause, BSD-3-Clause, HPND"
- "BSD-2-Clause, GPL-2.0-only"
- "BSD-2-Clause, GPL-3.0"
- "BSD-2-Clause, MIT, Apache-2.0"
- "BSD-3-Clause, Apache-2.0"
- "BSD-3-Clause, GPL-2.0"
- "BSD-3-Clause, LGPL-2.1"
- "BSD-3-Clause, MIT"
- "CC-BY-4.0, MIT"
- "CC0-1.0, GPL-2.0-with-classpath-exception"
- "CDDL-1.1, GPL-2.0-with-classpath-exception"
- "CPL-1.0, EPL-1.0, IPL-1.0"
- "EDL-1.0, EPL-1.0"
- "EDL-1.0, EPL-2.0"
- "EPL-1.0, EDL-1.0"
- "EPL-1.0, GPL-2.0, LGPL-2.1"
- "EPL-1.0, LGPL-2.1"
- "EPL-2.0, GPL-2.0-with-classpath-exception"
- "FTL, GPL-2.0"
- "GPL-2.0, MIT"
- "GPL-2.0-with-classpath-exception, CDDL-1.1"
- "GPL-2.0-with-classpath-exception, MIT"
- "GPL-3.0, LGPL-3.0"
- "GPL-3.0, MIT"
- "MIT, Apache-2.0"
- "MIT, BSD-2-Clause"
- "MIT, BSD-3-Clause"
- "MIT, CC0-1.0"
- "MIT, GPL-2.0"
- "MIT, GPL-3.0-or-later"
- "MIT, Unlicense"
- "MIT, WTFPL"
- "MIT, X11"
- "MIT, Zlib"
- "MPL-2.0, EPL-1.0"
- "Ruby, BSD-2-Clause"
- "Ruby, GPL-2.0"
- "Unlicense, Apache-2.0"
- "WTFPL, MIT"
- AGPL-3.0
- ANTLR-PD
- Apache-2.0
- BSD 0.00
- BSD-2-Clause
- BSD-3-Clause
- BSL-1.0
- BlueOak-1.0.0
- CC-BY-3.0
- CC-BY-3.0-US
- CC-BY-4.0
- CC0-1.0
- CDDL-1.0
- CDDL-1.1
- CPL-1.0
- EDL-1.0
- EPL-1.0
- EPL-2.0
- EUPL-1.1
- GPL-2.0
- GPL-2.0-with-classpath-exception
- GPL-3.0
- ISC
- LGPL-2.1
- LGPL-3.0
- MIT
- MIT-0
- MPL-2.0
- ODC-By-1.0
- OpenSSL
- Public-Domain
- Python-2.0
- Unicode-DFS-2016
- Unknown
- Unlicense
- WTFPL
- ZPL-2.1
- Zlib
There was a problem hiding this comment.
We should check with LF Legal team on these licenses. cc: @hartm
There was a problem hiding this comment.
if this conversation goes off GH, please keep me cc'd, I have a bit of background on this topic
There was a problem hiding this comment.
Tracy, the licenses you reference have modifiers that may be ok with your lawyers, the one I think might be an issue is the CDDL:GPL-2.0-with-classpath-exception, CDDL-1.1, but as it is dual licensed the exception may make it ok.
There was a problem hiding this comment.
@tkuhrt thank you for the input.
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
| Since all the subprojects are part of separate repositories and even created in different programming languages, | ||
| their dependencies differ. Based on that, it doesn’t make sense to provide a global list of dependencies. | ||
| All dependencies and related licenses can be identified by automatic project analysis. | ||
| Today, Snyk is used to create automatic dependency and license overviews of the subprojects. |
There was a problem hiding this comment.
Question:
How is the Snyk generated report analyzed or assessed? Is the tool also configured to flag (potentially as part of the CI process) the new dependency introduction that do not follow expected license?
There was a problem hiding this comment.
I will check and come back with more details.
HIPs/hedera-hashgraph.md
Outdated
| As shown, the Hedera ecosystem already contains several sub-projects that must be part of `PROJECT`. | ||
| All those sub-projects are necessary to deploy and run a full Hashgraph-based network and interact with that network. | ||
| All mentioned projects are currently part of the Hashgraph organization at GitHub. | ||
| Supplemental repositories include supporting tooling to deploy and validate a network built using the above codebases. |
There was a problem hiding this comment.
Question:
Are these supplementary repositories currently part of the open-source hashgraph GitHub org? If yes, is there a plan to bring them as well to the LFDT?
There was a problem hiding this comment.
The hashgraph org currently contains way more repositories as we mentioned in this proposal. The mentioned repos here are the ones that we want to migrate "at the start". So yes, we plan to bring them to the LFDT. We will add more detail regarding the mentioned repos.
HIPs/hedera-hashgraph.md
Outdated
| While the GitHub Action workflow definitions are stored as part of the repository, we use custom action runners on | ||
| hardware in the Google Cloud. | ||
| The default GitHub action runners can not be used due to the complexity of `PROJECT`, especially for the services sub-project. | ||
| To continue the development of `PROJECT` based on best practices and continuous integration, we propose to set up | ||
| clones of the current hardware and action runners. |
There was a problem hiding this comment.
- additional questions:
- What about the infrastructure for these runners, where will those be installed and run?
- Does any developer making contributions to the project have access to run these?
| To continue the development of `PROJECT` based on best practices and continuous integration, we propose to set up | ||
| clones of the current hardware and action runners. | ||
| The Hedera Hashgraph projects define teams with specific authorities. | ||
| Those configurations should be migrated, and maintainers and committers for each sub-project should be defined. |
There was a problem hiding this comment.
Thank you, please also work towards a process for maintainer's journey within the project.
There was a problem hiding this comment.
@arsulegai I already updated the text regarding the action runners. Can you please check if the new version fits you?
There was a problem hiding this comment.
a process for maintainer's journey
What do you mean with that comment?
There was a problem hiding this comment.
@hendrikebbers , I was referring to setting up a document for new contributors. They will use this document to learn how can they become one the maintainers someday with their persistent contribution efforts.
There was a problem hiding this comment.
@arsulegai I already updated the text regarding the action runners. Can you please check if the new version fits you?
Thank you for clarifying that Hedera will continue to provide these runners on Google Cloud. It would be helpful to state the reason for this requirement either in a project's improvement plan or as an issue within the project's repositories. Future developers or contributors can reference the document to understand and eventually remove these runners' dependency.
Co-authored-by: Arun S M <arun.s.m.cse@gmail.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Arun S M <arun.s.m.cse@gmail.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Co-authored-by: Tracy Kuhrt <tracy.a.kuhrt@accenture.com> Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
…shgraph # Conflicts: # HIPs/hedera-hashgraph.md
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
HIPs/hedera-hashgraph.md
Outdated
| contribute to the open-source community, and accelerate the adoption of enterprise-grade DLT solutions. | ||
|
|
||
| # Dependent Projects | ||
| None |
There was a problem hiding this comment.
Consensus node and Mirror node use Besu's EVM. Mirror node uses Web3j.
There was a problem hiding this comment.
thanks @shemnon, I had the exact same question and now you just answered it.
There was a problem hiding this comment.
You are right. I will fix that
HIPs/hedera-hashgraph.md
Outdated
| contribute to the open-source community, and accelerate the adoption of enterprise-grade DLT solutions. | ||
|
|
||
| # Dependent Projects | ||
| None |
There was a problem hiding this comment.
thanks @shemnon, I had the exact same question and now you just answered it.
| - Nikhil Vadgama (DLT Science Foundation) [<nv@dsf.xyz>](mailto:nv@dsf.xyz) | ||
|
|
||
| # Abstract | ||
| This proposal outlines the plan to move Hedera’s core network software to the Linux Foundation’s Decentralized Trust Foundation. |
There was a problem hiding this comment.
would be good to clarify what core network software means, in particular whether this will provide a complete set of components to stand up a Hedera network?
There was a problem hiding this comment.
All projects that are necessary to deploy and run a full network and interact with that network.
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
Signed-off-by: Hendrik Ebbers <hendrik.ebbers@web.de>
|
@hendrikebbers : It looks like DCO needs to be fixed. You can follow the instructions on the checks tab for details on how to fix. |
|
APPROVED at the August 22, 2024 TOC meeting |
|
@hendrikebbers if you could do a rebase and make this one or two commits that would be awesome; good time to fix the DCO, too. :) |
Proposal for Hedera added.