[cip core] license compliance for CIP core image releases


Daniel Sangorrin <daniel.sangorrin@...>

Hello,

During the last CIP Core meeting we discussed license compliance for CIP core image releases.
In particular, we talked about how to make sure that users can get exactly the same source code version used to build the Debian binary packages included in each image.

We concluded that we should not rely on Debian repositories, but rather create our own apt mirror with snapshots for each release.

However, today I asked myself: when people upload a Docker image to Dockerhub, what do they do to comply with the licenses of all of the packages inside?

I thought that Microsoft would be one of the most cautious and checked their Docker images.

https://hub.docker.com/_/microsoft-dotnet-core (click "Discover licensing for Linux image contents")

If you read their document, it looks like they rely on the Debian source code packages always being available either in the Debian repo or the Snapshots repository.

[Note] Additionally, they rely on the license and copyright information provided by Debian being correct (they do not verify it manually).

I would like to know your opinions about this. Do you think it is worth the effort to build, pay for and maintain a repository mirror with snapshots? Or can we rely on Debian snapshot repositories (for users to retrieve source code, not for building the image)?

Thanks,
Daniel