Include licenses and recipricol source-files in OTEL's docker distro

[jsuereth]

Fixes #2458

• Adds go-licenses tool to make install-tools
• Adds a new otelcol-licenses make target which dumps all license files from dependencies used to build otelcol
  • This includes the original license in a directory associated with the go dependency
  • For "reciprocal" licenses (weak copyleft, like MPL) that require access to source, this copies the source used at build time into the docker image to comply with the license.
• Updated docker image to include this "third-party" directory, complying with distribution requirements on 3P licenses.

[codecov]

Codecov Report

Merging #2604 (675045e) into main (484e315) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2604   +/-   ##
=======================================
  Coverage   88.42%   88.42%           
=======================================
  Files         176      176           
  Lines       10378    10378           
=======================================
  Hits         9177     9177           
  Misses        971      971           
  Partials      230      230           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 484e315...675045e. Read the comment docs.

[tigrannajaryan]

For "reciprocal" licenses (weak copyleft, like MPL) that require access to source, this copies the source used at build time into the docker image to comply with the license.

Do we have licenses like this? Can you show the output of the tool?

[jsuereth]

@tigrannajaryan

Do we have licenses like this? Can you show the output of the tool?

MPL is a "weak copyleft" license, and yes, I think most hashicorp libraries are MPL 2.0.

The go-licenses tool takes the "strictest" definition of MPL v2.0 paragraph 3.2 and just bundles the source right in the executable. I'm not aware of another tool that copy-pastes the LICENSE notices in a clear way for dependencies (but am totally happy to use another tool if you know of one).

Here's a (truncated) example where I highlight what's done with MPL dependencies:

$ ls -R third-party/*
third-party/go.mod

third-party/cloud.google.com:
go

third-party/cloud.google.com/go:
compute

third-party/cloud.google.com/go/compute:
metadata

third-party/cloud.google.com/go/compute/metadata:
LICENSE

third-party/contrib.go.opencensus.io:
exporter

third-party/contrib.go.opencensus.io/exporter:
prometheus

third-party/contrib.go.opencensus.io/exporter/prometheus:
LICENSE

...

third-party/github.com/hashicorp/consul/api:
acl.go         catalog.go                           config_entry.go                  connect.go                 debug_test.go            go.sum          lock.go                operator_autopilot_test.go  operator_raft_test.go   README.md          snapshot_test.go
acl_test.go    catalog_test.go                      config_entry_intentions.go       connect_intention.go       discovery_chain.go       health.go       lock_test.go           operator.go                 operator_segment.go     semaphore.go       status.go
agent.go       config_entry_discoverychain.go       config_entry_intentions_test.go  connect_intention_test.go  discovery_chain_test.go  health_test.go  namespace.go           operator_keyring.go         oss_test.go             semaphore_test.go  status_test.go
agent_test.go  config_entry_discoverychain_test.go  config_entry_test.go             coordinate.go              event.go                 kv.go           namespace_test.go      operator_keyring_test.go    prepared_query.go       session.go         txn.go
api.go         config_entry_gateways.go             connect_ca.go                    coordinate_test.go         event_test.go            kv_test.go      operator_area.go       operator_license.go         prepared_query_test.go  session_test.go    txn_test.go
api_test.go    config_entry_gateways_test.go        connect_ca_test.go               debug.go                   go.mod                   LICENSE         operator_autopilot.go  operator_raft.go            raw.go                  snapshot.go        watch

third-party/github.com/hashicorp/consul/api/watch:
funcs.go  funcs_test.go  plan.go  plan_test.go  watch.go  watch_test.go


...

[tigrannajaryan]

We need a clarification on MPL, commented here: open-telemetry/community#649 (comment)

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[jsuereth]

@tigrannajaryan Should I be working to fix this up, or are we still waiting on the MPL question?

[tigrannajaryan]

@tigrannajaryan Should I be working to fix this up, or are we still waiting on the MPL question?

I do not expect that MPL may be prohibited, so I believe you can work on this in parallel. We do need to clarify the license question though (if it turns out that MPL is prohibited we will need to find replacements for dependencies).

[tigrannajaryan]

I opened a separate issue to clarify MPL dependency usage: open-telemetry/community#688

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[jsuereth]

@tigrannajaryan let me know if you need any more insight into what this is doing, or restructuring.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[tigrannajaryan]

LGTM, let's merge, run and see the list of license files, then we may need to file for approval of any dependencies that are MPL.

[tigrannajaryan]

Nit: should we put the licenses under a licenses subdirectory, so that if there is anything else from third parties in the future it doesn't get mixed with license files?

[jsuereth]

Will fix.

[tigrannajaryan]

@bogdandrutu PTAL.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[bogdandrutu]

@jsuereth we no-longer build the collector with "make" directly but we use the builder, which I think will benefit everyone to have this in the builder.

@jpkrohling can we add this to the builder to add a all "licenses" file in the docker image? Would be great I think.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 7 days.

[jpkrohling]

I believe this PR here should be closed in favor of doing the same on the releases repository.