[License Exception Request] Flatcar #623

Open
miao0miao opened this issue Aug 16, 2023 · 5 comments

Comments

@miao0miao

We would like to contribute the Flatcar project to CNCF. However, a few repos are licensed under licenses that are not in the CNCF Allowlist License Policy and are not listed under License exceptions.
We would like to ask for an exception for the following repositories that Flatcar uses:

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/sysroot-wrappers | GPL-3.0 | This repository was forked from CoreOS container linux because the upstream repository was archived. It contains a low-level build helper utility which is not distributed with the OS image; the utility is only required at image build time. Sysroot-wrappers works in close relation with the GCC compiler and incorporates sources from the GCC project, which is licensed under GPL 3.0. Hence, the derivative is also GPL 3.0 licensed. |
| flatcar/grub | GPL-3.0 | Grub, the GRand Unified Bootloader, is a package shipped with the Flatcar OS image. The bootloader runs at early start-up and is responsible for loading Flatcar’s kernel and initrd. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We do not use the upstream GRUB release sources but maintain our own repository to ease development, which is currently in progress. We are planning to contribute back after development concludes and switch to using upstream sources (with our patches on top if necessary) in the future. |
| flatcar/baselayout | GPL-2 | Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/nss-altfiles | LGPL-2.1 | Nss-altfiles is a glibc plugin which enables user and group lookup in paths other than /etc. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. We are investigating switching to systemd-userdbd instead. This could lead to the retirement of the nss-altfiles repository at a point in the future – the project would instead use upstream systemd releases directly. |
| flatcar/bootengine | BSD-2-Clause | This repository contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/shim | BSD 2-Clause | Shim is an UEFI stub that allows a secure, signed boot chain. The repository in the Flatcar org does not contain any changes from upstream Shim and is used for development. |
| flatcar/scripts | BSD-3-Clause | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |
| flatcar/init | BSD-3-Clause | Init contains OS configuration and utilities. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/update_engine | BSD-3-Clause | Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine. |
| flatcar/flatcar-dev-util | BSD-3-Clause | This repository contains a python script (“emerge-gitclone”) which is shipped with the Flatcar devcontainer. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. The Flatcar Sysext initiative aims to replace the devcontainer with a suitable sysext, at which point this repository will be archived. |
| flatcar/seismograph | BSD-3-Clause | Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. |
| flatcar/nomad-on-flatcar | MIT | Nomad-on-flatcar is a set of example configurations for running Flatcar Container Linux on Nomad. It serves as hands-on documentation for users; this repository does not generate artifacts and is not shipped in releases. It is based on fedora-coreos-nomad which is MIT licensed. |

Background:

The Flatcar Project consists of a total of 61 active repositories. Most repositories are licensed under the Apache 2.0 license. 12 are licensed differently since they build on existing work.
6 repositories are used for secrets storage, i.e. contain GPG-encrypted infrastructure secrets, and 1 repository contains infrastructure-as-code for the Flatcar build and release infrastructure – these repositories do not use any license.

The breakdown of the 61 active repositories total:

- 42 repositories are licensed under Apache 2.0
- 5 repositories are licensed under BSD 3-Clause
- 2 repositories are licensed under BSD 2-Clause
- 2 repositories are licensed under GPL-3.0
- 1 repository is licensed under GPL-2.0
- 1 repository is licensed under LGPL-2.1
- 1 repository is licensed under MIT
- (and 7 repositories used for infrastructure automation without a license)

Like most Linux distributions, Flatcar Container Linux packages, builds, and ships many upstream projects’ releases that use a wide variety of licenses. Most of these releases are shipped without modification; some require amendments to integrate well with Flatcar. These Flatcar-specific changes reside in the “scripts” repo and are applied at build time on top of a pristine upstream source release for most upstreams that need amendments.

These Flatcar-specific changes are a one-time effort and usually do not require continued development - except for very few upstreams. For the upstreams that are under active development – these are very few - the Flatcar project maintains a fork of the upstream repo with Flatcar-specific changes included, and packages/builds reference the Flatcar development fork instead of the upstream repository (or release tarball).

The sole purpose of these forks is to provide a place for maintainers to focus their development. The upstream license is retained with the fork. We always aim to contribute back upstream – after which we switch back to the upstream sources, and the development fork is removed. None of the forked repositories’ projects are released separate from Flatcar; all repos are used as packaging/build sources for Flatcar OS and SDK releases.

@nikhita
Member

nikhita commented Aug 16, 2023

cc @amye

@miao0miao
Author

Quick note: I could not assign the issue or add a label. I do not have sufficient permissions.
I was trying to follow the instructions here https://github.com/cncf/foundation/pull/313/files
cc: @amye @caniszczyk

@amye added the licensing label Aug 16, 2023
@amye moved this from Triage to Under Legal Review in Licensing Exceptions Progress Board Sep 27, 2023

@miao0miao
Author

miao0miao commented Jan 19, 2024

I would like to bring to your attention the current status of our repositories that require a license exception, particularly as we have entered the year 2024. The repositories are sorted by 4 categories (listed below). Your approval for this exception is greatly appreciated.

Thank you for your time and consideration.

a.
the following includes exceptions that were previously approved by the CNCF GB:

- Repo: flatcar/locksmith. Licence: MPL-2.0. Further information: This was approved by CNCF GB as a license exception 2019-03-11, see

```
##### Package: github.com/hashicorp/errwrap
PackageName: github.com/hashicorp/errwrap
SPDXID: SPDXRef-Package8
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11
```

- Repo: flatcar/mayday ; flatcar. Licence: MPL-2.0. Further information: This was approved by CNCF GB as a license exception 2019-03-11, see

```
##### Package: github.com/hashicorp/hcl
PackageName: github.com/hashicorp/hcl
SPDXID: SPDXRef-Package6
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11
```

- Repo: flatcar/torcx. Licence: CC-BY-SA-4.0. Further information: This was approved by CNCF GB as a license exception 2019-03-11, see

```
##### Package: github.com/opencontainers/go-digest
PackageName: github.com/opencontainers/go-digest
SPDXID: SPDXRef-Package22
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0 AND CC-BY-4.0 AND CC-BY-SA-4.0
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11
```

b.
this list includes repos whose licenses we cannot change and that require an exception:
update Mar 13th, 2024 - flatcar-dev-util is taken off the list as we did work that enabled us to change the license

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/bootengine | BSD-2-Clause | This repo is listed as copyright CoreOS; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-2-Clause, and going forward under either BSD-2-Clause or Apache-2.0; bootengine contains a number of modules required for building Flatcar’s init-ramdisk, and a number of scripts that run from the initrd. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |
| flatcar/flatcar-dev-util, flatcar/seismograph, flatcar/update_engine | BSD-3-Clause | This repo is listed as copyright Chromium authors and a CoreOS notice; likely infeasible to have all copyright holders agree to relicense to Apache-2.0. Likely need to ask LC / GB to approve retaining pre-existing under BSD-3-Clause and going forward under either BSD-3-Clause or Apache-2.0; Update_engine handles OS updates. It was created for Chromium OS and later extended by CoreOS container Linux. It was forked from CoreOS container linux for Flatcar because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image, not released independently. The Flatcar project has started “ue-rs”, a new project under Apache 2.0 license, to eventually replace update_engine; flatcar-dev-util contains a python script (“emerge-gitclone”) which is shipped with the Flatcar devcontainer. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. The Flatcar Sysext initiative aims to replace the devcontainer with a suitable sysext, at which point this repository will be archived.; Seismograph contains utilities used at image build and run time to initialise and modify the OS disk image (for example the special GPT attributes for A/B booting). It was forked from CoreOS container li |
| baselayout | GPL-2.0, LGPL-2.1, LGPL-3.0 | This repo appears to be forked from upstream, and uses GPL-2.0, LGPL-2.1, LGPL-3.0 as repo license. Likely need to ask LC / GB to approve retaining pre-existing and going-forward development under GPL-2.0, LGPL-2.1, LGPL-3.0, as doesn't appear to be feasible to relicense; Baselayout contains default configuration, filesystem content declarations, and early boot utilities that run at provisioning time to initialise the root file system. It was forked from CoreOS container linux because the upstream repository was archived. Artifacts built from this repository are distributed with the Flatcar OS image and are not released independently. |

c.
the repos in the list below also require an exception, as they are part of the core of Flatcar or got multiple dependencies by other CNCF projects:

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/coreos-cloudinit | LGPL-3.0 WITH LGPL-3.0-linking-exception | We explore switching to go-yaml eventually. However this will require several months due to the impact it can have and stabilization cycles that will be required. |
| flatcar/ignition | LGPL-2.1-only OR CDDL-1.0 | Moving this repo would pose some risk - it has 18 direct and 30 indirect dependencies on Github alone. Exception justification: Downstream repo not used for active development (we use upstream ignition directly), but many CNCF projects (CAPI providers) directly or indirectly depend on it. |
| flatcar/scripts | LGPL (version unspecified), GPL-2.0, Proprietary | Scripts is the main “distro” repository and contains build automation for CI and for release builds for both the SDK container as well as the OS image. It also contains package build instructions (“ebuilds”) for all packages, including pristine ebuild imports from Gentoo that retain their respective license. It is used for builds and versioning (reproducible builds). Scripts was forked from CoreOS container linux because the upstream repository was archived, and subsequently modified by Flatcar maintainers. |

d.

the following repos are still under Flatcar and contain license exceptions but will be resolved by end of business week 5 2024 (next week). I will provide another update once the work on these two exceptions is completed and no longer required.
update Jan 30th, 2024 - this is still WIP, added reference to the PR
update Feb 28th, 2024 - these items do not require an exception any longer. The PRs were merged

| Repo | Licence | Further information |
| --- | --- | --- |
| flatcar/shim | Project License is BSD-2-Clause | This PR will make this repo not required by the end of next week (week 5 2024). Shim is an UEFI stub that allows a secure, signed boot chain. The repository in the Flatcar org does not contain any changes from upstream Shim and is used for development. done |
| flatcar/mantle | LGPL-3.0 WITH LGPL-3.0-linking-exception | switching to use upstream go-yaml done |

@miao0miao
Author

update regarding flatcar/shim and flatcar/mantle - both PRs tracking those items were merged - the exception is no longer needed.

@miao0miao
Author

update - /flatcar/flatcar-dev-util is taken off the list as we did work that enabled us to change the license
