add job to check oss licenses

[cpanato]

Summary

• add oss licenses directory
• add job to check oss licenses

Fixes: #2258

we need to check what to do with some libraries that does not have licenses

E0916 09:33:08.668941   16133 library.go:115] Failed to find license for github.com/alibabacloud-go/cr-20160607/client: cannot find a known open source license for "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/cr-20160607@v1.0.1/client" whose name matches regexp ^(?i)((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/cr-20160607@v1.0.1"
E0916 09:33:08.757242   16133 library.go:115] Failed to find license for github.com/alibabacloud-go/tea-xml/service: cannot find a known open source license for "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/tea-xml@v1.1.2/service" whose name matches regexp ^(?i)((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/Users/cpanato/code/pkg/mod/github.com/alibabacloud-go/tea-xml@v1.1.2"

those dependencies were introduced in #2008

[codecov-commenter]

Codecov Report

Merging #2259 (7904906) into main (63fe875) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2259   +/-   ##
=======================================
  Coverage   28.56%   28.56%           
=======================================
  Files         131      131           
  Lines        7855     7855           
=======================================
  Hits         2244     2244           
  Misses       5305     5305           
  Partials      306      306           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[haydentherapper]

I don't have any context, but can I ask a high level question - What is the purpose of copying in licenses into the repo? Is this a common practice in OSS? I would have assumed that if you're trying to verify if you can use a repo due to licenses, you'd want to go to the source of truth (each dependency repo) for the licenses, rather than trust this repo to provide them (since we could modify the licenses)

[vaikas]

Great question! From the projects that I've worked on (and it's not authoritative by any means, just my experience), it used to be that all the code would be vendored in, but since things changed along the way with go mods, etc. We started to vendor only in the LICENSE as well as check them to ensure that we're not using code that has licenses that are not compatible with our license.
FWIW, the tooling we use is here:
https://github.com/google/licensecheck

I think as far as going to source, we do grab the LICENSE at the version it's imported, so if we did modify, one could see the change, but I think it's more just for tooling purposes.

Not sure this helps :)

[vaikas]

I'm fine with this change, but since this also is sort of a policy decision, I'd like members of the TSC to weigh in on this matter.

[vaikas]

@mattmoor who probably remembers more details about licenses than I have already forgotten.

[dlorenc]

I don't really see any need to check in the licenses. Can we verify they meet our policies without doing that?

[mattmoor]

The main purpose of this is to enable including the directory generated by go-licenses into kodata so that the publicly released images as in compliance with open source licenses. This is why in some cases the directory also includes source code (since some licenses require that). This was added when policy-controller came in, so perhaps it can be ripped out of cosign now.

IANAL, but this is my understanding of why Knative/Tekton did this.

[cpanato]

If we care about the licenses and use libraries/code that have Licenses, I think we should track that.
Maybe we will only accept or use it in the future if the lib/code has specific licenses.

If we don't want to track or care about this now, we can close this PR

[cpanato]

to get back to this, we don't want to do the license check and then this job will be not needed, correct?
also i don't know which policy in this regard we follow/have

cc @dlorenc @bobcallaway

[cpanato]

closing this for now, if we decide to have this or similar job I can make that happen