
License requirements when shipping containers #642

Open
@dprotaso

Description

This is the public issue for (https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652).

There were enough people in the Knative project asking about this so I figured it warranted having a public issue others can comment on (so I'm not the sole proxy).

Original Question

What are the CNCF requirements for license disclosure for dependencies when shipping container images?

Background

Knative has been vendoring licenses and including them in the containers we ship. This has been our practice since the project went public in 2018 and was a requirement of Google's OSPO.

Some context from Evan Anderson [1]

To provide additional context, this was originally implemented to meet the second clause of the BSD 2-clause license:

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

By embedding the license in the container image, people who received the OCI image (for example, by pulling from a repo which the image had been cloned to) would also receive a copy of the license, which would trivially satisfy "reproduce the above copyright notice". Since I'm not a lawyer, I'm not going to venture whether this was an overly-restrictive reading of this clause. (This also similarly trivially satisfies the MIT requirement of including a liability disclaimer notice.)

[1] knative/hack#315 (comment)

Related Info

We now build our containers using a tool called ko, which also publishes an SBOM file: https://ko.build/features/sboms/

I believe the SBOM will include some license info. Is having this file available for download sufficient for license compliance?
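To make concrete what "some license info in the SBOM" means for the question above, here is an added example (not Knative or ko code) that reads an SPDX JSON SBOM, the format ko's documentation describes it producing, and lists the packages whose license the SBOM does not actually state. The field names follow the SPDX JSON spec; the package entries are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample in SPDX 2.3 JSON form. Assumption: ko emits SPDX JSON with
# these standard field names; the package names, versions and licenses are made up.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image",
    "packages": [
        {"name": "github.com/example/lib-a", "versionInfo": "v1.2.0",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"name": "github.com/example/lib-b", "versionInfo": "v0.9.1",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "BSD-2-Clause"},
        {"name": "github.com/example/lib-c", "versionInfo": "v2.0.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})

# SPDX placeholder values that carry no license information.
UNKNOWN = {"NOASSERTION", "NONE", ""}


def package_licenses(sbom_json: str) -> Dict[str, str]:
    """Map each package (name@version) to the best license expression the SBOM gives.

    Prefers licenseConcluded, falls back to licenseDeclared, and reports
    'NOASSERTION' when neither field carries a real value.
    """
    doc = json.loads(sbom_json)
    result: Dict[str, str] = {}
    for pkg in doc.get("packages", []):
        key = f"{pkg.get('name')}@{pkg.get('versionInfo', '')}"
        concluded = pkg.get("licenseConcluded", "")
        declared = pkg.get("licenseDeclared", "")
        if concluded not in UNKNOWN:
            result[key] = concluded
        elif declared not in UNKNOWN:
            result[key] = declared
        else:
            result[key] = "NOASSERTION"
    return result


def packages_missing_license(sbom_json: str) -> List[str]:
    """Packages for which the SBOM states no license at all. For these, a notice
    requirement such as the BSD-2-Clause redistribution clause cannot be checked
    from the SBOM alone, so the vendored license text still matters."""
    return sorted(k for k, v in package_licenses(sbom_json).items() if v == "NOASSERTION")


if __name__ == "__main__":
    for name, lic in package_licenses(SAMPLE_SBOM).items():
        print(f"{name}: {lic}")
    print("missing license info:", packages_missing_license(SAMPLE_SBOM))
```

Run it against a real SBOM by replacing SAMPLE_SBOM with the file contents; an empty result from packages_missing_license is the condition under which the SBOM alone names every dependency's license.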
