Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/08/31 19:50:15 UTC

[GitHub] [airflow] ryw opened a new issue #10667: Licensing risks

ryw opened a new issue #10667:
URL: https://github.com/apache/airflow/issues/10667


   I've pulled together a list of questionable licenses that license scanners will pick up for Airflow. Ideally we should look to remove the dependencies from the project.
   
   | Component | Project | License | PR |
   |-----------|---------|---------|----|
   | apache-airflow | [astroid](https://pypi.org/project/astroid/) | LGPL-3.0 | |
   | apache-airflow | [certifi](https://pypi.org/project/certifi/) | MPL-2.0 | |
   | apache-airflow | [chardet](https://pypi.org/project/chardet/) | LGPL-2.1 | |
   | apache-airflow | [JayDeBeApi](https://pypi.org/project/JayDeBeApi/) | LGPL-3.0 | |
   | apache-airflow | [ldap3](https://pypi.org/project/ldap3/) | LGPL-3.0 | |
   | apache-airflow | [mysql-connector-python](https://pypi.org/project/mysql-connector-python/) | GPL-3.0 | |
   | apache-airflow | [paramiko](https://pypi.org/project/paramiko/) | LGPL-3.0 | |
   | apache-airflow | [pathspec](https://pypi.org/project/pathspec/) | MPL-2.0 | |
   | apache-airflow | [psycopg2-binary](https://pypi.org/project/psycopg2binary/) | LGPL-3.0 | |
   | apache-airflow | [pycountry](https://pypi.org/project/pycountry/) | LGPL-2.1 | |
   | apache-airflow | [PyGithub](https://pypi.org/project/PyGithub/) | LGPL-3.0 | |
   | apache-airflow | [pymssql](https://pypi.org/project/pymssql/) | LGPL-3.0 | |
   | apache-airflow | [PySmbClient](https://pypi.org/project/PySmbClient/) | GPL-3.0 | |
   | apache-airflow | [pytest-rerunfailures](https://pypi.org/project/pytest-rerunfailures/) | MPL-2.0 | |
   | apache-airflow | [text-unidecode](https://pypi.org/project/text-unidecode/) | Artistic-2.0 | |
   | apache-airflow | [Unidecode](https://pypi.org/project/Unidecode/) | GPL-3.0 | https://github.com/apache/airflow/pull/10665 |
   | apache-airflow | [yamllint](https://pypi.org/project/yamllint/) | GPL-3.0 | |


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] potiuk edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685036547


   Ah, so Snyk is not that smart eventually :). We still have text-unidecode as a transitive (though optional) dependency.





[GitHub] [airflow] potiuk edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685036547


   Ah, so Snyk is not that smart eventually :). We still have text-unidecode as a transitive (though optional) dependency.





[GitHub] [airflow] potiuk commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685036547


   Ah, so Snyk is not that smart eventually :). We still have text-unidecode as a transitive (though optional) dependency.





[GitHub] [airflow] ryw edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684859581


   Hi @potiuk, I better understand now the technique we're using to provide constraint files that aren't in the source code, which definitely helps with automated scanners, since those files are in orphaned branches (confirmed via Snyk today, at least).
   
   Is the intention to keep this structure going forward through future releases, or is it a 1.10 -> 2.0 thing?





[GitHub] [airflow] ryw commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685016759


   Thanks @potiuk, closing this issue, as the latest master doesn't trigger all these licenses any longer.





[GitHub] [airflow] ryw edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685016759


   Thanks @potiuk - closing this issue, as the latest master doesn't trigger all these license vulnerabilities in Snyk any longer.





[GitHub] [airflow] potiuk edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684025212


   Duplicate of #9898 
   
   Just to give a bit of context here: As an ASF project we are bound by the https://www.apache.org/legal/resolved.html
   
   We've discussed most (if not all) of those libraries in #9898. I looked through it and do not find any new "watchouts".
   
   IMHO the result of this discussion is that we are "ok". Unless there is another reason (not ASF policies) that we want to get rid of those as a risk, @ryw?
   
   Maybe we simply want to get rid of those because we want to avoid any risk whatsoever?





[GitHub] [airflow] potiuk commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684883376


   It's going to stay like that as far as I am concerned. But this is something we are going to discuss on Monday.
   
   I am writing a short proposal for the 2.0 release/packaging process today, so that everyone can read it before we have our Monday meeting on 2.0. I promised at the last meeting that I'd send it beforehand.





[GitHub] [airflow] ryw commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684859581


   Hi @potiuk, I better understand now the technique we're using to provide constraint files that aren't in the source code, which definitely helps with automated scanners, since those files are in orphaned branches.
   
   Is the intention to keep this structure going forward through future releases, or is it a 1.10 -> 2.0 thing?





[GitHub] [airflow] potiuk commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684025212


   Duplicate of #9898 
   
   Just to give a bit of context here: As an ASF project we are bound by the https://www.apache.org/legal/resolved.html
   
   We've discussed most (if not all) of those licences in #9898. I looked through it and do not find any new "watchouts".
   
   IMHO the result of this discussion is that we are "ok". Unless there is another reason (not ASF policies) that we want to get rid of those as a risk, @ryw?
   
   Maybe we simply want to get rid of those because we want to avoid any risk whatsoever?





[GitHub] [airflow] ryw edited a comment on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw edited a comment on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-685016759


   Thanks @potiuk - closing this issue, as the latest master doesn't trigger all these licenses any longer.





[GitHub] [airflow] potiuk commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684063437


   Sure - I am perfectly ok with that - and documenting is a good thing.
   
   I just think we are spinning in circles a bit - I thought we had reached conclusions and explained all the reasons in #9898. So I am a bit surprised that we have a second one, but I might be wrong about "conclusions", so I prefer to ask.





[GitHub] [airflow] ryw commented on issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw commented on issue #10667:
URL: https://github.com/apache/airflow/issues/10667#issuecomment-684030568


   We should seek to eliminate category-x dependencies/references, if possible, as the cleanest resolution.
   
   For those that we cannot get rid of, or don't think we must get rid of (if we think we are OK in how we're using them), we'll document that somewhere for reference (which I volunteer to do).





[GitHub] [airflow] ryw closed issue #10667: Licensing risks

Posted by GitBox <gi...@apache.org>.
ryw closed issue #10667:
URL: https://github.com/apache/airflow/issues/10667


   

