Remove .go files from third_party/VENDOR-LICENSE

[06kellyjac]

Changes

@vdemeester

Remove .go files from third_party/VENDOR-LICENSE

Was causing issue with my build/test of all subpackages.

Also seems superfluous if the dir is just for the licenses

Shall I also post an issue on https://github.com/google/go-license requesting the .go files not be included?

λ find ./third_party/VENDOR-LICENSE -type f -name "*.go"
./third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/errwrap.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/errwrap_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/2q_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/2q.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru_interface.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/lru.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/arc.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/doc.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/lru_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/arc_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/multierror_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/sort_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/prefix.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/flatten_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/append.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/group.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/multierror.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/format_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/sort.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/prefix_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/flatten.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/append_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/format.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/group_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/version_collection_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/constraint.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/version_collection.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/constraint_test.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/version.go
./third_party/VENDOR-LICENSE/github.com/hashicorp/go-version/version_test.go

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Run the code checkers with make check
• Regenerate the manpages, docs and go formatting with make generated
• Commit messages follow commit message best practices

See the contribution guide
for more details.

Release Notes

NONE

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign danielhelfand
You can assign the PR to them by writing /assign @danielhelfand in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tekton-robot]

Hi @06kellyjac. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vdemeester]

/cc @imjasonh @wlynch

[tekton-robot]

@vdemeester: GitHub didn't allow me to request PR reviews from the following users: wlynch.

Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @imjasonh @wlynch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[imjasonh]

My understanding (I AM NOT A LAWYER) is that hashicorp/golang-lru's license requires us to include the Go source, along with the LICENSE, in images we build that include that source, which is IIRC why it's included in VENDOR-LICENSE, so that it can end up in the final image.

I think go-licenses might be working as intended in this case.

edit: See https://github.com/google/go-licenses#complying-with-license-terms

[06kellyjac]

I'm only seeing MPL-2.0 License in these hashicorp repos, surely some of your other dependencies are also MPL-2.0 License?
Is there an extra requirement written somewhere?

[06kellyjac]

Also even if the code must be distributed with tektoncd/cli's source it's already in vendor

[06kellyjac]

Hashicorp's boundary project uses https://github.com/hashicorp/errwrap and has neither a vendor dir or one generated by go-licenses. I guess they could get a pass using their own software? 🤷

https://github.com/hashicorp/boundary/blob/main/go.mod#L25

[06kellyjac]

Q7: I want to distribute (outside my organization) complete and unchanged executable programs built from MPL-licensed software by someone other than me. What do I have to do?

As long as the people who distributed the program to you have complied with the MPL, typically nothing. To check and see if the people who distributed the program to you have complied with the MPL, look for the notice that tells you where the software is available in Source Code form (i.e., check that it complies with Section 3.2(a)), and then check that the Source Code is available in that place, including a notice that informs you that the Source Code is available under the terms of the MPL (i.e., check that it complies with Section 3.1).

Also not a lawyer but that just sounds like if you have used some-library and you say it's from github.com/org/some-library (either in go.mod/go.sum or vendor or third_party/VENDOR-LICENSE), as long as the code is there (github.com/org/some-library) with a MPL license it meets the requirements

https://www.npmjs.com/package/next-mdx-enhanced
next-mdx-enhanced (GitHub, NPM) is MPL-2.0 but I doubt that every project that depends on it is now required to commit their node_modules directory so the source is distributed with their code.
That's 2.6k uses in repos commited to GitHub alone

---

Just rm-ing all .go might go against some other really weird license I'm not aware of so this find ... rm should be changed/solved in go-licenses

[06kellyjac]

Fossa are probably the most famous License Compliance company/service and their https://github.com/fossas/fossa-cli is apparently 13% MPL-2.0 + 25% MPL-2.0-no-copyleft-exception, but they don't have any external source-code outside of their vendor dir

Even assuming MPL-2.0-no-copyleft-exception doesn't have the same source code requirement, thats 13% of their dependencies which would require the source code be included if that was the case

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[06kellyjac]

I'm going to close the PR.

I've raised the question in the go-licenses repo and there's a v2 in the works and there's talk about it accepting vendor as already providing the source code.
Also in my packaging I just ignore the folder which avoids the compile issues