feat: allow per-extension license metadata#111

Merged
mnencia merged 5 commits intomainfrom
dev/110
Feb 21, 2026
Conversation

@gbartolini
Contributor

@gbartolini gbartolini commented Feb 15, 2026

Introduce a licenses field in the metadata schema as a list of SPDX identifiers, allowing each extension to declare its own licensing. These are joined with " AND " at build time to populate the OCI org.opencontainers.image.licenses label and annotation, replacing the previously hardcoded "Apache-2.0".

The existing extensions have been updated: pgaudit and pgvector use the PostgreSQL license, while PostGIS includes the full set of licenses from its dependency tree, as reported by trivy.

Closes #110

This change introduces a `licenses` field to the metadata schema, allowing each
extension to define its own SPDX license identifier. The `docker-bake.hcl` has
been updated to use this metadata for OCI labels and annotations instead of a
hardcoded "Apache-2.0" string.

This enables proper legal transparency for extensions with different, yet
compatible, licensing requirements, such as PostGIS (`GPL-2.0-only`).

Changes:

- Added `licenses` field to metadata.hcl template
- Updated docker-bake.hcl to reference `${metadata.licenses}`
- Updated `metadata.hcl` for the existing extensions

Closes #110

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
I have used trivy to provide that list

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
@gbartolini
Contributor Author

I have been able to get the full list of licenses included in the postgis image with:

```shell
trivy image ghcr.io/cloudnative-pg/postgis-extension:3.6.2-18-trixie \
  --scanners vuln,secret,license --format sarif --license-full --output report.sarif
```

@gbartolini
Contributor Author

That's a good idea. However, I tried to work on that and thought to use "join" and concatenate multiple licenses with "AND".

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
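As an added example (not code from this PR or the cloudnative-pg repository), a Python check that mirrors the `" AND "` join described above, validates each `licenses` entry as an SPDX short identifier, and compares the resulting expression with the `org.opencontainers.image.licenses` label of a built image. The identifier regex, the allowlist, and the `docker inspect`-style sample JSON are assumptions made for the example.

```python
"""Added example: validate a per-extension `licenses` list, build the SPDX
expression that docker-bake.hcl produces by joining with " AND ", and check
it against the org.opencontainers.image.licenses label of an image, read
from a constructed `docker inspect`-style JSON document."""
import json
import re

OCI_LICENSES_LABEL = "org.opencontainers.image.licenses"

# Assumption: SPDX short identifiers consist of letters, digits, '.', '-', '+'.
_SPDX_ID = re.compile(r"^[A-Za-z0-9.+-]+$")

# Assumption: an allowlist a reviewer maintains; only ids this PR mentions.
KNOWN_SPDX_IDS = {"Apache-2.0", "PostgreSQL", "GPL-2.0-only"}


def build_license_expression(licenses):
    """Mirror the bake-time join(" AND ", metadata.licenses), rejecting
    entries that would produce a malformed or unreviewed SPDX expression."""
    if not licenses:
        raise ValueError("licenses list must not be empty")
    for lic in licenses:
        if not _SPDX_ID.match(lic):
            raise ValueError(f"not an SPDX short identifier: {lic!r}")
        if lic not in KNOWN_SPDX_IDS:
            raise ValueError(f"license id not in allowlist: {lic!r}")
    return " AND ".join(licenses)


def verify_image_licenses(inspect_json, licenses):
    """Compare the label in `docker inspect` output (a JSON array of image
    objects with Config.Labels) against the expression expected from the
    metadata. Returns (matches, actual_label)."""
    expected = build_license_expression(licenses)
    image = json.loads(inspect_json)[0]
    labels = image.get("Config", {}).get("Labels") or {}
    actual = labels.get(OCI_LICENSES_LABEL)
    return actual == expected, actual


# Constructed sample: an image still carrying the old hardcoded value,
# checked against metadata that declares the PostgreSQL license.
SAMPLE_INSPECT = json.dumps(
    [{"Config": {"Labels": {OCI_LICENSES_LABEL: "Apache-2.0"}}}]
)

if __name__ == "__main__":
    ok, actual = verify_image_licenses(SAMPLE_INSPECT, ["PostgreSQL"])
    print(f"label={actual!r} matches metadata: {ok}")
```

Run as a post-build step, a `False` result flags an image whose label drifted from its `metadata.hcl`.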
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@mnencia mnencia merged commit be6fe69 into main Feb 21, 2026
52 of 54 checks passed
@mnencia mnencia deleted the dev/110 branch February 21, 2026 11:32

Successfully merging this pull request may close these issues.

Enable customisation of the licenses annotation and label