-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Guidance on use of a third party library maintained by a Sanctioned Entity #550
Comments
In short, the CNCF/LF consider open source a global endeavor so there isn't necessarily a critical issue here: https://www.linuxfoundation.org/blog/blog/open-source-collaboration-is-a-global-endeavor However, this doesn't mean you as a project can view this situation as risky... just like any other 3rd party dependency that may have little to no maintainers. I'm not sure if the kubernetes has guidance on 3rd party dependencies that they may find risky in that regard, but I'd follow that (cc: @dims) |
We don't wish to diverge from the rest of the CNCF in that regard, as we inevitably have dependencies in our dependency graph by way of other CNCF projects we depend on. If there isn't CNCF-wide-applicable guidance to avoid a dependency (e.g. due to unacceptable license) then it's probably not worth the effort to try to excise from our dependency set which is a superset of other projects. We have asked projects to work with us to remove dependencies before, but within reason ... We do have guidance for dependencies: Kubernetes avoids unmaintained libraries where possible and we have guidance for dependencies / vendor at: Which is applied by a small approval team for vendor changes 👋 The code-organization group also attempts to pro-actively improve dependency management. However, we don't currently have any guidance with respect to sanctions and we've asked for CNCF-wide guidance on this topic (kubernetes/kubernetes#117553 (comment) => this issue). It sounds like the response is "no, sanctions need not be considered". |
I'll consider this closed given the k8s guidance + CNCF response that this isn't an issue for us. |
Originally raised via kubernetes/kubernetes#117553 and was correctly advised that this is a broader issue.
With the war in Ukraine, it's possible that multiple C.N.C.F. projects are using libraries that are maintained by sanctioned entities. I would like to request that there is clear guidance on what these projects should do. Should they fork the libraries, remove them, vendorise them etc etc?
Sorry for the poor style of request, if someone can link me to an issue guide, I'll happily rewrite this!
The text was updated successfully, but these errors were encountered: