-
Bug
-
Resolution: Done
-
Medium
-
Casablanca Release
From: Michael O'Brien
Sent: Thursday, August 23, 2018 10:49 AM
To: Steve Winslow <swinslow@linuxfoundation.org>
Cc: Gildas Lanilis <gildas.lanilis@huawei.com>; Kenny Paul <kpaul@linuxfoundation.org>; Amanda McLean <Amanda.McLean@amdocs.com>; Brad Benesch <Brad.Benesch@amdocs.com>; David Stangl <David.Stangl@amdocs.com>; Geora Barsky <georab@amdocs.com>; J.Ram Balasubramanian <J.Ram.Balasubramanian@amdocs.com>; James MacNider <James.MacNider@amdocs.com>; Jennie Jia <Jennie.Jia@amdocs.com>; Mohammadreza Pasandideh <mohammadreza.pasandideh@amdocs.com>; Phillip Leigh <Phillip.Leigh@amdocs.com>; Pierre Rioux <Pierre.Rioux@amdocs.com>; Prudence Au <Prudence.Au@amdocs.com>; Shane Daniel <Shane.Daniel@amdocs.com>; Sharon Chisholm <Sharon.Chisholm@amdocs.com>; Trevor Tait <Trevor.Tait@amdocs.com>; Luke Parker <lparker@amdocs.com>; Avdhut Kholkar <avdhut.kholkar@amdocs.com>; breslau@research.att.com
Subject: RE: ONAP codebase license scan - logging-analytics, Aug. 2018
Steve,
Good point – missed the “restricted” license – reopening JIRA to fix this.
https://jira.onap.org/browse/LOG-522
via
https://jira.onap.org/browse/LOG-628
/michael
From: Steve Winslow <swinslow@linuxfoundation.org>
Sent: Thursday, August 23, 2018 10:38 AM
To: Michael O'Brien <Frank.Obrien@amdocs.com>
Cc: Gildas Lanilis <gildas.lanilis@huawei.com>; Kenny Paul <kpaul@linuxfoundation.org>; Amanda McLean <Amanda.McLean@amdocs.com>; Brad Benesch <Brad.Benesch@amdocs.com>; David Stangl <David.Stangl@amdocs.com>; Geora Barsky <georab@amdocs.com>; J.Ram Balasubramanian <J.Ram.Balasubramanian@amdocs.com>; James MacNider <James.MacNider@amdocs.com>; Jennie Jia <Jennie.Jia@amdocs.com>; Mohammadreza Pasandideh <mohammadreza.pasandideh@amdocs.com>; Phillip Leigh <Phillip.Leigh@amdocs.com>; Pierre Rioux <Pierre.Rioux@amdocs.com>; Prudence Au <Prudence.Au@amdocs.com>; Shane Daniel <Shane.Daniel@amdocs.com>; Sharon Chisholm <Sharon.Chisholm@amdocs.com>; Trevor Tait <Trevor.Tait@amdocs.com>; Luke Parker <lparker@amdocs.com>; Avdhut Kholkar <avdhut.kholkar@amdocs.com>; breslau@research.att.com
Subject: Re: ONAP codebase license scan - logging-analytics, Aug. 2018
Hi Michael,
Thanks very much for the quick response, and for the background here. I wasn't aware of the prior conversations and context – this is helpful.
I think I understand your point about the .zip files in the context of testing. Let me investigate a bit further on my side, and connect with Gildas and Kenny to make sure I follow about the need for binaries here.
That said, just to clarify – my note on the license scan findings here wasn't about including .zip files generally. It was to note that in this case, one of the files in the .zip file contains a "proprietary" / "restricted" notice.
I think the concern is that having the file with this notice may raise questions about whether a "proprietary / restricted" notice should appear in an Apache-2.0 licensed repository. Downstream users may not know whether they can actually use the file under Apache-2.0 when it has that notice.
So, assuming for the moment that the .zip files remain in place – is it possible to modify this one file's contents, just to remove that restriction notice? That would at least remove this licensing concern.
Thanks again for your help on this.
Steve
On Thu, Aug 23, 2018 at 10:27 AM Michael O'Brien <Frank.Obrien@amdocs.com> wrote:
Steve,
Hi, I was expecting this email on the zip file – I rejected initially this merge but after a discussion and a reminder on the fact that SDC requires a zip during VNF onboarding (the heat template and the tosca zip) – to fully test SDC inputs we need to either pass in or dynamically generate zip files to get proper code coverage.
I recommend we allow certain binaries specifically for testing – IE vFW*.zip and tosca zip files.
https://gerrit.onap.org/r/#/c/57083/
https://jira.onap.org/browse/LOG-522
Michael O'Brien Jul 24 8:42 PM Patch Set 2: Code-Review-1
(1 comment) src/test/resources/toscaModel.csar.zip cannot me merged - it violates the M2 template checklist - no binaries
I updated Gildas on this in the review
Michael O'Brien Jul 27 10:10 AM Patch Set 3: Code-Review+1
Team, Gildas, we discussed the zip issue some more - (zip files not allowed in git), we decided that since SDC works with tosca zip files then to fully test our interaction with SDC we need to be able to have zip files available to the testing framework - changing this review off -1 for zip submission Note: we should document this decision for the future when an audit of the code is done - I will send a mail to onap-discuss but it would be good if the javadoc of the testcase explained this zip requirement so we can link to git from the review, jira and release review
We will need to update the wiki for cases where binaries like SDC zip files are required for testing
https://wiki.onap.org/display/DW/Commit+Messages
For example the vFWSNK.zip and vFWPKG.zip files for the vFW - https://wiki.onap.org/display/DW/Vetted+vFirewall+Demo+-+Full+draft+how-to+for+F2F+and+ReadTheDocs#VettedvFirewallDemo-Fulldrafthow-toforF2FandReadTheDocs-Prerequisites
For the python license header – entering a jira and fixing this today/tomorrow.
https://jira.onap.org/browse/LOG-627
/michael
From: Steve Winslow <swinslow@linuxfoundation.org>
Sent: Thursday, August 23, 2018 9:05 AM
To: Michael O'Brien <Frank.Obrien@amdocs.com>
Cc: Gildas Lanilis <gildas.lanilis@huawei.com>; Kenny Paul <kpaul@linuxfoundation.org>
Subject: ONAP codebase license scan - logging-analytics, Aug. 2018
Hi Michael, I have a couple of quick items for your attention from the license scan:
1) In logging-analytics-pomba-pomba-sdc-context-builder, the file at /src/test/resources/toscaModel.csar.zip/Artifacts/org.openecomp.resource.vf.TestVsp1_v1.0/Informational/GUIDE/VSP_test-vsp-1_Information.txt has an "AT&T Proprietary (Restricted)" notice. Can this notice, or the file, be removed from the repo?
2) In logging-analytics, the file at /pylog/setup.py has the ONAP Apache-2.0 license header in comments. However, the metadata in that file lists the license as "MIT License". Can this be corrected to say "Apache-2.0" instead?
Thanks,
Steve
---------- Forwarded message ---------
From: Steve Winslow <swinslow@linuxfoundation.org>
Date: Wed, Aug 22, 2018 at 1:05 PM
Subject: ONAP codebase license scan, Aug. 2018
To: FORSYTH, JAMES <jf2512@att.com>, KOYA, RAMPRASAD <rk541m@att.com>, <tc012c@att.com>, NGUEKO, GERVAIS-MARTIAL <gn422w@intl.att.com>, Kanagaraj Manickam <kanagaraj.manickam@huawei.com>, <dtimoney@att.com>, Addepalli, Srinivasa R <srinivasa.r.addepalli@intel.com>, Kamineni, Kiran K <kiran.k.kamineni@intel.com>, VENKATESH KUMAR, VIJAY <vv770d@att.com>, GLOVER, GREG L <gg2147@att.com>, MAYER, ANDREW J <am803u@att.com>, <fu.guangrong@zte.com.cn>, Yunxia Chen <helen.chen@huawei.com>, OBRIEN, FRANK MICHAEL <frank.obrien@amdocs.com>, <zhao.huabing@zte.com.cn>, denghui (L) <denghui12@huawei.com>, <bin.yang@windriver.com>, BALASUBRAMANIAN, BHARATH (BHARATH) <bharathb@research.att.com>, Sauvageau, David <david.sauvageau@bell.ca>, PUTHENPURA, SARAT (SARAT) <sarat@research.att.com>, DRAGOSH, PAM <pdragosh@research.att.com>, TALASILA, MANOOP <talasila@research.att.com>, <ml636r@att.com>, Seshu m <seshu.kumar.m@huawei.com>, shentao <shentao@chinamobile.com>, SONSINO, OFIR <os0695@intl.att.com>, 杨艳 <yangyanyj@chinamobile.com>, Steven A Wright <sw3588@att.com>, Chris Donley <christopher.donley@huawei.com>
Cc: MCCRAY, CHRISTOPHER <cm6826@att.com>, Lefevre, Catherine <cl664y@intl.att.com>, Gildas Lanilis <gildas.lanilis@huawei.com>, Kenny Paul <kpaul@linuxfoundation.org>, Phil Robb <probb@linuxfoundation.org>
Hello ONAP PTLs,
I am attaching the results of the most recent ONAP codebase license scans. These are based on a scan of the repos as of August 13.
Attached is a spreadsheet showing the codebase license scan results across all ONAP source code repos. I am also attaching a .zip file which contains individual reports for each ONAP subproject. I would encourage you to review the specific spreadsheets for your own subproject(s).
As with prior reports, the first tab shows a summary of licenses and categories. The other tabs list out each file with the detected licenses.
Please note that there are a number of key findings that may require remediation or removal. These are particularly those in the tabs labeled "Needs review", "Use restrictions", "Copyleft", and "Wrong license statement".
For this scan, please review the overall spreadsheet and the reports for your own subprojects, particularly the tabs listed above.
1. For files in your project that are in the "Needs review", "Use restrictions" or "Copyleft" tabs, please review and determine whether it is possible to remove the components using these files from the ONAP source code repositories.
2. For files listed in the "Wrong license statement" tab, please review and correct the license statement. If the code is original to ONAP, this will likely mean correcting the license to Apache-2.0. If it is third party code, then there may be another issue with the license, and I will circle back with you.
Please respond back to me at swinslow@linuxfoundation.org (not reply all) with any questions, or with confirmation on findings you've been able to address. I will also be reaching out to some of you directly with specific comments and details.
As always, your help with this is greatly appreciated, and please feel free to reach out to me at any time with questions.
Best,