License Scan Report #15425

Open
spowelljr opened this issue Nov 29, 2022 · 8 comments
Labels
kind/improvement Categorizes issue or PR as related to improving upon a current feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@spowelljr
Member

spowelljr commented Nov 29, 2022

https://lfscanning.org/reports/cncf/kubernetes-2022-10-13-19a6e7e7-4f53-4c58-9dcb-6ab28ebf194d.html

Minikube has 7 licenses that came up in the report

This code is under the GPL license and could contaminate the entire codebase; it must be removed from the repo.

kubernetes-2022-10-13.zip/minikube/deploy/iso/minikube-iso/package/crun/crun.mk
kubernetes-2022-10-13.zip/minikube/deploy/iso/minikube-iso/package/pahole/pahole.mk
kubernetes-2022-10-13.zip/minikube/deploy/iso/minikube-iso/package/sysdig/sysdig.mk

This file lists the license as "Apache", but doesn't specify which version. Could this be updated to "Apache-2.0" in order to be clearer?

kubernetes-2022-10-13.zip/minikube/installers/linux/archlinux-driver/.SRCINFO
kubernetes-2022-10-13.zip/minikube/installers/linux/archlinux-driver/PKGBUILD
kubernetes-2022-10-13.zip/minikube/installers/linux/archlinux/.SRCINFO
kubernetes-2022-10-13.zip/minikube/installers/linux/archlinux/PKGBUILD
@spowelljr spowelljr added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. kind/improvement Categorizes issue or PR as related to improving upon a current feature. labels Nov 29, 2022
@spowelljr
Member Author

The latter four are our own files, so updating to Apache-2.0 isn't an issue

@k8s-triage-robot

This comment was marked as outdated.

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 27, 2023
@afbjorklund
Collaborator

afbjorklund commented Feb 27, 2023

@spowelljr: the ISO license is different from the minikube license. There are many GPL components on the ISO.

If you want a full summary of all licenses and all patches, there is a legal-info build target that could be used?

With the exceptions below, Buildroot is distributed under the terms of
the GNU General Public License, reproduced below; either version 2 of
the License, or (at your option) any later version.

Some files in Buildroot contain a different license statement. Those
files are licensed under the license contained in the file itself.

https://buildroot.org/downloads/manual/manual.html#legal-info

@afbjorklund
Collaborator

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 27, 2023
@afbjorklund
Collaborator

afbjorklund commented Feb 27, 2023

For the KIC base, you could use something like https://github.com/daald/dpkg-licenses

It is supposed to generate a list of all the .deb files that are installed by our Dockerfile?

@afbjorklund
Collaborator

Note that the "LICENSE" line is not related to the packaging, or the minikube code.

It just describes the software being packaged, so it is just metadata for the package.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 28, 2023
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 27, 2023