Include vendored source in release-built images #1338

Merged Sep 20, 2019 (1 commit)

@imjasonh imjasonh commented Sep 20, 2019

This adds logic to the nightly release Task that targz's up everything
in vendor/ and includes it in ko-built container images. Some of our
dependencies' licenses require their source to be included in
distributed artifacts (like container images).

Once we've determined this works fine for nightly releases, I'll copy
this to publish.yaml so it's also done for official releases.

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

Include vendored source in each released container image, to comply with some dependencies' licenses.

@tekton-robot tekton-robot requested review from dlorenc and a user September 20, 2019 13:19
@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 20, 2019
@googlebot googlebot added the cla: yes Trying to make the CLA bot happy with ppl from different companies work on one commit label Sep 20, 2019
@tekton-robot tekton-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 20, 2019
@afrittoli afrittoli left a comment

This looks straightforward enough to me.
/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 20, 2019
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli, ImJasonH

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot merged commit 3407dc6 into tektoncd:master Sep 20, 2019
@imjasonh

Also worth pointing out: each released image grows by 11MB, but it's in a layer that's shared among all ko-built images in the repo, so it's only 11MB more once if you fetch each image in the set.

The result to end users is that it takes 11MB-worth of time (<1 second) more to install the controller components, and might take 11MB-worth of time to start the first Pod on each new node.

imjasonh added a commit to imjasonh/pipeline that referenced this pull request Sep 20, 2019
tektoncd#1338 added this logic to the
nightly release pipeline.
chmouel commented Sep 23, 2019

@imjasonh would you know which dependencies have a license that needs to have source shipped with the binary? (and not just available on a public URL)

@imjasonh

> @imjasonh would you know which dependencies have a license that needs to have source shipped with the binary? (and not just available on a public URL)

I believe the main one was our dependency on hashicorp/golang-lru, which, being licensed under the Mozilla Public License, requires the source be made available when distributing.

chmouel commented Sep 23, 2019

I see, thanks. It seems from this discussion here:

https://opensource.stackexchange.com/a/4783

only a link to the source code needs to be referenced?

Since IANAL, I wonder if I need to engage our legal department to clarify it properly 🤔

tekton-robot pushed a commit that referenced this pull request Oct 10, 2019
#1338 added this logic to the
nightly release pipeline.