License Scan/Remediation Questions

[austinlparker]

Hello maintainers! We have received a report from the CNCF license audit that the following paths contain licenses that do not match the project license. You can find the full report here: https://lfscanning.org/reports/cncf-2/open-telemetry-2024-02-09-e8fcbc12-0a27-470a-9f2d-c5f680322e13.html

• okhttp-4.12.0

From what I can see, okhttp is covered under Apache2 but it contains a file that's covered by MPL? If this can't be removed, please document it in this issue. Thanks!

[trask]

did some research:

• okhttp uses the file from https://publicsuffix.org/list/public_suffix_list.dat at build time to generate a list of top-level domains that it uses in a few places
• the file from https://publicsuffix.org/list/public_suffix_list.dat is licensed under MPL
• okhttp includes this NOTICE file since they are deriving their list of TLDs from the MPL-licensed file
• we include the same NOTICE file since we are embedding okhttp inside of the Java agent

[trask]

I'm not sure what's best here.

Based on https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md, we may need to apply for an exception for this OkHttp dependency MPL licensed content for the core SDK anyways (cc @jack-berg).

Btw, there's an interesting active discussion in Apache HTTP Client about essentially the same problem: https://issues.apache.org/jira/browse/HTTPCLIENT-2317.