truecharts/containers

Don't overwrite container labels in order to hide the true authors.

monoxane opened this issue · 10 comments

Is your feature request related to a problem?

In many mirrored dockerfiles you're intentionally overwriting the metadata labels for the images with references to yourselves, hiding the true authors of the packaged applications. This is especially troubling as you are simply copying directly from the upstream, replacing all their information with yours, and shoving it into a different repository, often without the consent or knowledge of the authors.

Describe the solution you'd like

Remove these overwrites from the dockerfiles to ensure the actual code and container authors are referenced instead of yourselves.

LABEL org.opencontainers.image.source=https://github.com/truecharts/containers
ARG CONTAINER_NAME
ARG CONTAINER_VER
LABEL org.opencontainers.image.licenses="BSD-3-Clause"
LABEL org.opencontainers.image.title="${CONTAINER_NAME}"
LABEL org.opencontainers.image.url="https://truecharts.org/docs/charts/${CONTAINER_NAME}"
LABEL org.opencontainers.image.version="${CONTAINER_VER}"
LABEL org.opencontainers.image.description="Container for ${CONTAINER_NAME} by TrueCharts"
LABEL org.opencontainers.image.authors="TrueCharts"
LABEL org.opencontainers.image.documentation="https://truecharts.org/docs/charts/${CONTAINER_NAME}"

Describe alternatives you've considered

Do not unnecessarily rebuild the images with the FROM layer and instead copy the OCI artefact directly from the upstream repository.

Additional context

No response

I've read and agree with the following

  • I've checked all open and closed issues and my request is not there.
  • I've checked all open and closed pull requests and my request is not there.

bo0tzz commented

In particular, labeling everything with a BSD-3-Clause license without any regard for the upstream license is questionable at best.

As @bo0tzz has stated, and I did not realise, your re-licensing of every single application as BSD-3-Clause is not only a gross mishandling of open source applications but is in many cases a direct license violation of the upstream applications.

just want to note that @monoxane is trying to farm outrage and drive people to this issue. From libera irc #kubernetes

12:19:19      monoxane | im aware linking my own issue to draw attention to something is pretty shitty but wow, truenas/truecharts guys are actively stealing and relabeling peoples projects, and directly violating
                       | licenses with zero care in the world https://github.com/truecharts/containers/issues/30783

He should at least have stronger evidence for the claims he made, repackaging FOSS software is allowed by most licenses.

repackaging FOSS software is allowed by most licenses

Changing the assigned license and removing attribution from said software is copyright infringement, though.

Bro... Wtf

https://github.com/opencontainers/image-spec/blob/main/annotations.md The OCI specification states that the license is the one under which the contained software is distributed, not the image, so setting the label to a different license is in most cases a violation of the license of the original application.

tyzbit commented

just want to note that @monoxane is trying to farm outrage and drive people to this issue. From libera irc #kubernetes

I came across this issue whilst scrying my crystal ball (IRC gives me hives) and I had my emotions surgically removed as a young child after watching Beetlejuice so I am unable to become outraged. With these facts in consideration, I also agree that specifying a license carte blanche for all software as well as adding labels that misleadingly imply ownership is a problem that should be addressed, as well as exposes truecharts to legal liability.

He should at least have stronger evidence for the claims he made, repackaging FOSS software is allowed by most licenses.

GPL does not allow repackaging as BSD because, among other reasons, it includes the ability to incorporate it into proprietary software without releasing the source code which is not allowed by GPL. In fact, going through an informal list of the most common OSS licenses, these do not allow repackaging as BSD:

  • GPL
  • Apache
  • CDDL

Possible, but needs careful consideration:

  • Ms-PL
  • EPL
  • MIT

In any case though, the fact that it is not safe to re-license software in all situations should compel truecharts to halt this practice and rethink it.

In short, in accordance with the OCI specification as linked by @monoxane :

  • We will remove the overwrite on the License label, this should indeed not be done like this, in accordance with the specs.
  • The readme will be adapted to reflect that the dockerfiles are bsd-3 or BSL licensed, regardless of OCI label, and explain what the OCI label means (= contained software license) instead of using the OCI label for that.
  • We will keep the rest, as they reference the author and maintenance contact for this build of the image, according to specs.
  • We've plans, yet again, to more cleanly display original container sources on the docs, but these, sadly enough, take time.

Besides this:
I'm going to take moderative action towards @monoxane
We all do this in our free time and we don't need or want to have all sorts of purposefully created internet outrage.

@stavros-k @xstar97 or @StevenMcElligott

Feel free to remove the license row from every dockerfile in the mirror folder.

CI will eventually keep up and update the images.
Closing this as completed
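
A check for the outcome agreed above, as an added example that is not part of the original thread or the truecharts repository: it parses a Dockerfile's LABEL instructions and reports any that set the OCI license label, listing the other provenance labels separately. The sample Dockerfile and its FROM image name are constructed; the function and report key names are hypothetical.

```python
import re
import shlex

PREFIX = "org.opencontainers.image."  # label keys as quoted in the issue
LICENSE_LABEL = PREFIX + "licenses"
PROVENANCE_LABELS = {PREFIX + s for s in ("authors", "source", "url", "documentation")}

# Constructed sample: placeholder upstream image, labels as quoted in the issue.
SAMPLE = r"""FROM registry.example/upstream/app:1.0
LABEL org.opencontainers.image.source=https://github.com/truecharts/containers
ARG CONTAINER_NAME
LABEL org.opencontainers.image.licenses="BSD-3-Clause"
LABEL org.opencontainers.image.title="${CONTAINER_NAME}" \
      org.opencontainers.image.authors="TrueCharts"
"""

def parse_labels(text):
    """Return (line_no, key, value) for every pair set by a LABEL instruction."""
    found, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank and comment lines carry no labels
        if not buf:
            start = no                    # first line of a new instruction
        if line.endswith("\\"):
            buf += line[:-1] + " "        # backslash continuation: keep collecting
            continue
        instr, buf = buf + line, ""
        m = re.match(r"LABEL\s+(.*)", instr, re.IGNORECASE)
        if not m:
            continue
        tokens = shlex.split(m.group(1))  # honours quoted values with spaces
        if tokens and "=" not in tokens[0]:
            tokens = [tokens[0] + "=" + " ".join(tokens[1:])]  # legacy "LABEL k v"
        for tok in tokens:
            key, _, value = tok.partition("=")
            found.append((start, key, value))
    return found

def audit(text):
    """Separate license overrides from the other provenance labels."""
    report = {"license_overrides": [], "other_provenance": []}
    for no, key, value in parse_labels(text):
        if key == LICENSE_LABEL:
            report["license_overrides"].append((no, key, value))
        elif key in PROVENANCE_LABELS:
            report["other_provenance"].append((no, key, value))
    return report
```

Run over each Dockerfile in the mirror folder, a non-empty `license_overrides` list marks a file that still carries the license row.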