Proposal to Move Hedera Core Network Software to LFDT

[hendrikebbers]

Proposal for Hedera added.

[swcurran]

I tweaked the title to make it clear in emails what the PR is about. Also — a previous commit requires DCO signoff — DCO - Developer Certificate of Origin - https://github.com/apps/dco. Details about how to fix are in the “Details” link beside the failed check.

[tkuhrt]

Thanks for the proposal. I made a few minor suggested edits and added some questions.

[tkuhrt]

Seeing a few dependencies that are non-permissive (e.g., GPL) in the list. Is there an intention to replace these dependencies with a permissive license dependency?

[hendrikebbers]

Can you provide a list of all licences in hedera-licenses.csv that are problematic? By doing so we can identify the dependencies and define actions for each of them.

[tkuhrt]

This is a list of licenses from hedera-licenses-sdk.csv:

• ""
• "Apache-2.0, MIT"
• "BSD-2-Clause, MIT, Apache-2.0"
• "BSD-3-Clause, GPL-2.0"
• "BSD-3-Clause, MIT"
• "BSD-3-Clause, Unlicense, Unknown"
• "CDDL-1.1, GPL-2.0-with-classpath-exception"
• "GPL-3.0, LGPL-3.0"
• "MIT, CC0-1.0"
• "WTFPL, MIT"
• 0BSD
• Apache-2.0
• BSD-2-Clause
• BSD-3-Clause
• CC-BY-3.0
• CC-BY-4.0
• CC0-1.0
• EDL-1.0
• GPL-2.0
• ISC
• LGPL-2.1
• LGPL-3.0
• MIT
• MPL-2.0
• Public-Domain
• Python-2.0
• Unknown
• Unlicense

The dependencies with "" or Unknown licenses are something that should be researched to determine what the actual license is.

The lines that have "GPL-2.0" and "CDDL-1.1" are also of concern as these are non-permissive licenses. There may be others, as I am not familiar with all of these licenses.

Also, are those lines that contain multiple licenses "one-of" or something else?

[tkuhrt]

This is a list of licenses from hedera-licenses.csv:

• "0BSD, BSD-2-Clause"
• "AFL-2.1, BSD-2-Clause"
• "AFL-2.1, BSD-3-Clause"
• "Apache-2.0, BSD-2-Clause"
• "Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, CC0-1.0, MIT"
• "Apache-2.0, BSD-2-Clause, BSD-3-Clause, EDL-1.0, EPL-2.0, GPL-2.0-with-classpath-exception, MIT, Public-Domain, W3C"
• "Apache-2.0, BSD-2-Clause, MIT, Protobuf"
• "Apache-2.0, BSD-3-Clause"
• "Apache-2.0, BSD-3-Clause, MIT"
• "Apache-2.0, EPL-1.0"
• "Apache-2.0, EPL-2.0, GPL-3.0"
• "Apache-2.0, GPL-2.0, MPL-1.1"
• "Apache-2.0, LGPL-2.1"
• "Apache-2.0, LGPL-2.1, MPL-1.1"
• "Apache-2.0, LGPL-3.0"
• "Apache-2.0, LGPL-3.0-or-later"
• "Apache-2.0, LGPL-3.0-or-later, MIT"
• "Apache-2.0, MIT"
• "Apache-2.0, MPL-1.1"
• "BSD-1-Clause, BSD-2-Clause"
• "BSD-1-Clause, BSD-2-Clause-Views"
• "BSD-2-Clause, BSD-3-Clause"
• "BSD-2-Clause, BSD-3-Clause, BSD-3-Clause-No-Military-License"
• "BSD-2-Clause, BSD-3-Clause, HPND"
• "BSD-2-Clause, GPL-2.0-only"
• "BSD-2-Clause, GPL-3.0"
• "BSD-2-Clause, MIT, Apache-2.0"
• "BSD-3-Clause, Apache-2.0"
• "BSD-3-Clause, GPL-2.0"
• "BSD-3-Clause, LGPL-2.1"
• "BSD-3-Clause, MIT"
• "CC-BY-4.0, MIT"
• "CC0-1.0, GPL-2.0-with-classpath-exception"
• "CDDL-1.1, GPL-2.0-with-classpath-exception"
• "CPL-1.0, EPL-1.0, IPL-1.0"
• "EDL-1.0, EPL-1.0"
• "EDL-1.0, EPL-2.0"
• "EPL-1.0, EDL-1.0"
• "EPL-1.0, GPL-2.0, LGPL-2.1"
• "EPL-1.0, LGPL-2.1"
• "EPL-2.0, GPL-2.0-with-classpath-exception"
• "FTL, GPL-2.0"
• "GPL-2.0, MIT"
• "GPL-2.0-with-classpath-exception, CDDL-1.1"
• "GPL-2.0-with-classpath-exception, MIT"
• "GPL-3.0, LGPL-3.0"
• "GPL-3.0, MIT"
• "MIT, Apache-2.0"
• "MIT, BSD-2-Clause"
• "MIT, BSD-3-Clause"
• "MIT, CC0-1.0"
• "MIT, GPL-2.0"
• "MIT, GPL-3.0-or-later"
• "MIT, Unlicense"
• "MIT, WTFPL"
• "MIT, X11"
• "MIT, Zlib"
• "MPL-2.0, EPL-1.0"
• "Ruby, BSD-2-Clause"
• "Ruby, GPL-2.0"
• "Unlicense, Apache-2.0"
• "WTFPL, MIT"
• AGPL-3.0
• ANTLR-PD
• Apache-2.0
• BSD 0.00
• BSD-2-Clause
• BSD-3-Clause
• BSL-1.0
• BlueOak-1.0.0
• CC-BY-3.0
• CC-BY-3.0-US
• CC-BY-4.0
• CC0-1.0
• CDDL-1.0
• CDDL-1.1
• CPL-1.0
• EDL-1.0
• EPL-1.0
• EPL-2.0
• EUPL-1.1
• GPL-2.0
• GPL-2.0-with-classpath-exception
• GPL-3.0
• ISC
• LGPL-2.1
• LGPL-3.0
• MIT
• MIT-0
• MPL-2.0
• ODC-By-1.0
• OpenSSL
• Public-Domain
• Python-2.0
• Unicode-DFS-2016
• Unknown
• Unlicense
• WTFPL
• ZPL-2.1
• Zlib

[tkuhrt]

We should check with LF Legal team on these licenses. cc: @hartm

[awaiken]

if this conversation goes off GH, please keep me cc'd, I have a bit of background on this topic

[awaiken]

Tracy, the licenses you reference have modifiers that may be ok with your lawyers, the one I think might be an issue is the CDDL:GPL-2.0-with-classpath-exception, CDDL-1.1, but as it is dual licensed the exception may make it ok.

[hendrikebbers]

@tkuhrt thank you for the input.

[arsulegai]

Question:
How is the Snyk generated report analyzed or assessed? Is the tool also configured to flag (potentially as part of the CI process) the new dependency introduction that do not follow expected license?

[hendrikebbers]

I will check and come back with more details.

[arsulegai]

Question:
Are these supplementary repositories currently part of the open-source hashgraph GitHub org? If yes, is there a plan to bring them as well to the LFDT?

[hendrikebbers]

The hashgraph org currently contains way more repositories as we mentioned in this proposal. The mentioned repos here are the ones that we want to migrate "at the start". So yes, we plan to bring them to the LFDT. We will add more detail regarding the mentioned repos.

[arsulegai]

• additional questions:

1. What about the infrastructure for these runners, where will those be installed and run?
2. Does any developer making contributions to the project have access to run these?

[arsulegai]

Thank you, please also work towards a process for maintainer's journey within the project.

[hendrikebbers]

@arsulegai I already updated the text regarding the action runners. Can you please check if the new version fits you?

[hendrikebbers]

a process for maintainer's journey

What do you mean with that comment?

[arsulegai]

@hendrikebbers , I was referring to setting up a document for new contributors. They will use this document to learn how can they become one the maintainers someday with their persistent contribution efforts.

[arsulegai]

@arsulegai I already updated the text regarding the action runners. Can you please check if the new version fits you?

Thank you for clarifying that Hedera will continue to provide these runners on Google Cloud. It would be helpful to state the reason for this requirement either in a project's improvement plan or as an issue within the project's repositories. Future developers or contributors can reference the document to understand and eventually remove these runners' dependency.

[jimthematrix]

would be good to clarify what core network software means, in particular whether this will provide a complete set of components to stand up a Hedera network?

[hendrikebbers]

All projects that are necessary to deploy and run a full network and interact with that network.

[tkuhrt]

@hendrikebbers : It looks like DCO needs to be fixed. You can follow the instructions on the checks tab for details on how to fix.

[tkuhrt]

APPROVED at the August 22, 2024 TOC meeting

[ryjones]

@hendrikebbers if you could do a rebase and make this one or two commits that would be awesome; good time to fix the DCO, too. :)

[ryjones]

@hendrikebbers @tkuhrt @jimthematrix please check this - I did some cherry-picks to fix up DCO issues

[ryjones]

@hendrikebbers @tkuhrt @jimthematrix is this in a state where it can be merged, given the name is public now?

[tkuhrt]

@hendrikebbers @tkuhrt @jimthematrix is this in a state where it can be merged, given the name is public now?

It would be good if we changed the names of the files from hedera* to hiero*. Then we can merge it.

[petermetz]

@hendrikebbers @tkuhrt @jimthematrix is this in a state where it can be merged, given the name is public now?

It would be good if we changed the names of the files from hedera* to hiero*. Then we can merge it.

+1 - Later on it will only get more difficult to change the name.

[ryjones]

@tkuhrt @petermetz I updated them. The repo names themselves I did not update.

[ryjones]

@hendrikebbers please review the change I made.

[ryjones]

@jimthematrix please re-review so it can be merged