Watch for dependencies that go AWOL or switch licenses

[dims]

Problem:
We had an issue in external-dns repository where ( kubernetes-sigs/external-dns#2653 (comment) )

• The project switched licenses
• The project git repo vanished

Ask:
We need to monitor all kubernetes repos for (At least start with k/k)

• the licenses of dependencies listed in go.mod are valid ( https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md )
• ensure the project continues to use a license that is valid for us over time
• ensure that the dependency is still active/available for us to use.

Idea:

• Use https://github.com/google/go-licenses#build-tags to scan (see the CSV option for example)
• Validate that the licenses in the CSV are in the allowed-third-party-license-policy.md above
• Run this periodically as a prow periodic job
• Start with k/k and then extend this to other repositories

Thanks,
Dims

[k8s-ci-robot]

@dims: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dims]

/sig architecture

[thockin]

This tool has worked well in other (smaller) repos.

[Priyankasaggu11929]

/assign

I'll work on this. Will go through the pointers from the issue description & get back. Thank you!

[thockin]

The git-sync repo branch uses it as part of the image build, if that helps at all.

…

On Wed, Mar 23, 2022, 9:01 PM Priyanka Saggu ***@***.***> wrote: /assign I'll work on this. Will go through the pointers from the issue description & get back. Thank you! — Reply to this email directly, view it on GitHub <#108942 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVELZQM4U7KK4K2E6M3VBPSKBANCNFSM5RPKROAQ> . You are receiving this because you commented.Message ID: ***@***.***>

[RinkiyaKeDad]

@Priyankasaggu11929 I can also help with this!

/assign

[dims]

/area code-organization

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[dims]

Oh! this is done! see https://testgrid.k8s.io/sig-testing-misc#kubernetes-verify-go-licenses-periodical

thanks,
dims

[dims]

/close

[k8s-ci-robot]

@dims: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.