Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Guidance on use of a third party library maintained by a Sanctioned Entity #550

Closed
RichardoC opened this issue Apr 24, 2023 · 3 comments
Closed

Comments

@RichardoC
Copy link

Originally raised via kubernetes/kubernetes#117553 and was correctly advised that this is a broader issue.

With the war in Ukraine, it's possible that multiple C.N.C.F. projects are using libraries that are maintained by sanctioned entities. I would like to request that there is clear guidance on what these projects should do. Should they fork the libraries, remove them, vendorise them etc etc?

Sorry for the poor style of request, if someone can link me to an issue guide, I'll happily rewrite this!

@caniszczyk
Copy link
Contributor

In short, the CNCF/LF consider open source a global endeavor so there isn't necessarily a critical issue here: https://www.linuxfoundation.org/blog/blog/open-source-collaboration-is-a-global-endeavor

However, this doesn't mean you as a project can view this situation as risky... just like any other 3rd party dependency that may have little to no maintainers. I'm not sure if the kubernetes has guidance on 3rd party dependencies that they may find risky in that regard, but I'd follow that (cc: @dims)

@BenTheElder
Copy link

I'm not sure if the kubernetes has guidance on 3rd party dependencies that they may find risky in that regard, but I'd follow that

We don't wish to diverge from the rest of the CNCF in that regard, as we inevitably have dependencies in our dependency graph by way of other CNCF projects we depend on.

If there isn't CNCF-wide-applicable guidance to avoid a dependency (e.g. due to unacceptable license) then it's probably not worth the effort to try to excise from our dependency set which is a superset of other projects. We have asked projects to work with us to remove dependencies before, but within reason ...


We do have guidance for dependencies:

Kubernetes avoids unmaintained libraries where possible and we have guidance for dependencies / vendor at:
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/vendor.md

Which is applied by a small approval team for vendor changes 👋

The code-organization group also attempts to pro-actively improve dependency management.

However, we don't currently have any guidance with respect to sanctions and we've asked for CNCF-wide guidance on this topic (kubernetes/kubernetes#117553 (comment) => this issue).

It sounds like the response is "no, sanctions need not be considered".

@caniszczyk
Copy link
Contributor

I'll consider this closed given the k8s guidance + CNCF response that this isn't an issue for us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants