BlueOak-1.0.0 license is not approved by CNCF

[jandubois]

package.json lists several dependencies that are licensed under the BlueOak-1.0.0 license. That license is not listed as an approved CNCF license.

The packages are also not listed in the exception lists.

Are there any plans to resolve this?

Possible ways:

• Get the license added to the CNCF Approved List
• Apply for a CNCF exception for the specific modules
• Ask the maintainer of the modules to add a dual-license for one of the approved licenses
• Replace the dependencies with something else

[jandubois]

The problematic dependencies are:

[
  "chownr",
  "3.0.0",
  "BlueOak-1.0.0",
  "git://github.com/isaacs/chownr.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "jackspeak",
  "3.4.3",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/jackspeak.git",
  "Unknown",
  "Isaac Z. Schlueter"
]
[
  "package-json-from-dist",
  "1.0.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/package-json-from-dist.git",
  "https://izs.me/",
  "Isaac Z. Schlueter"
]
[
  "path-scurry",
  "1.11.1",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/path-scurry",
  "https://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "yallist",
  "5.0.0",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/yallist.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]

[cjihrig]

These are all indirect dependencies.

chownr and yallist come from our dependency on tar.

jackspeak, package-json-from-dist, and path-scurry come from our dependency on c8.

[jandubois]

These are all indirect dependencies.

It is my understanding that CNCF license approval requirement applies to indirect dependencies as well. Is that not the case?

Otherwise you could just create a wrapper with an approved license around a module and circumvent the whole license checking. The whole point of an official list is that the CNCF confirms that it considers the licenses compatible.

[cjihrig]

I don't know the policy. Without any investigation, I would assume it applies to all dependencies, direct or otherwise. I just wanted to document where these dependencies were coming from in case changes need to be made.

[mattfarina]

The license policy for the whole CNCF can be found here. It applies to all dependencies not just direct ones. The approved exceptions can be found here. The BlueOak-1.0.0 license is not an approved one.

[cjihrig]

It might be worth applying for an exception. BlueOak is OSI approved and, if I recall correctly, was recently approved by the OpenJS Foundation.

[brendandburns]

fwiw, c8 is a dev dependency for running tests, not a runtime dependency, so I don't think that the CNCF policy applies. I agree it's a little weird since package.json combines both runtime and dev dependencies in a way that other language ecosystems don't.

@mattfarina if you feel like clarifying this with the CNCF/LF legal folks, feel free to reply here with what you find out.

[jandubois]

c8 is a dev dependency for running tests, not a runtime dependency, so I don't think that the CNCF policy applies.

I would think so too, but will leave it to @mattfarina to give us the final word.

We had some corruption in our yarn.lock file that seems to have caused the c8 dependencies to be included in the yarn license list --prod output. After recreating yarn.lock it only shows the 2 tar dependencies anymore:

$ ~/suse/rancher-desktop/scripts/node-license-check.sh
Forbidden license(s) detected; allowed are Apache-2.0|0?BSD|ISC|MIT|Python-2.0|Unlicense
[
  "chownr",
  "3.0.0",
  "BlueOak-1.0.0",
  "git://github.com/isaacs/chownr.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]
[
  "yallist",
  "5.0.0",
  "BlueOak-1.0.0",
  "git+https://github.com/isaacs/yallist.git",
  "http://blog.izs.me/",
  "Isaac Z. Schlueter"
]

[brendandburns]

I'll move the tar dependency to be optional since it is only used for copy anyway.

That way people get to chose to install it or not for themselves.

[brendandburns]

Actually, I'm going to look into switching to https://www.npmjs.com/package/nanotar which is MIT licensed has no dependencies.