Description
Hi
I'm a Falco core maintainer and have some doubts about the container images' license policy.
AFAIK, CNCF project dependencies under a non-Apache 2.0 license are allowed only if they satisfy the "Allowlist License Policy" criteria:
https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
Questions:
- I guess the container base image used by a CNCF project must follow the same policy. Is this assumption correct?
- In particular, is a CNCF project allowed to use the Red Hat UBI (as the base image for its main container image)? Does the UBI (EULA) satisfy the CNCF requirements?
- Should we request a license exception for that?
See:
- https://developers.redhat.com/articles/ubi-faq#introduction
- https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
After some community members had proposed switching Falco's base image from Debian to UBI, those questions came up.
The main Falco image is still using Debian as a base image, but we also have an alternative Docker image based on UBI:
👉 https://github.com/falcosecurity/falco/blob/master/docker/ubi/Dockerfile
I want to ensure there're no licensing issues.
Thank you,
Leo