This change introduces a `licenses` field to the metadata schema, allowing each
extension to define its own SPDX license identifier. The `docker-bake.hcl` has
been updated to use this metadata for OCI labels and annotations instead of a
hardcoded "Apache-2.0" string.
This enables proper legal transparency for extensions with different, yet
compatible, licensing requirements, such as PostGIS (`GPL-2.0-only`).
Changes:
- Added `licenses` field to metadata.hcl template
- Updated docker-bake.hcl to reference `${metadata.licenses}`
- Updated `metadata.hcl` for the existing extensions
Closes #110
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
I have used trivy to provide that list
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
I have been able to get the full list of licenses included in the postgis image with:
That's a good idea. However, I tried to work on that and thought to use "join" and concatenate multiple licenses with "AND".
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Introduce a `licenses` field in the metadata schema as a list of SPDX identifiers, allowing each extension to declare its own licensing. These are joined with " AND " at build time to populate the OCI `org.opencontainers.image.licenses` label and annotation, replacing the previously hardcoded "Apache-2.0".
The existing extensions have been updated: pgaudit and pgvector use the PostgreSQL license, while PostGIS includes the full set of licenses from its dependency tree, as reported by trivy.
Closes #110
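
An added example, not code from this pull request or the project: a Python sketch of the " AND " join described above, extended to the case where a list entry is itself an SPDX expression. In SPDX, AND binds tighter than OR, so a bare `A OR B` entry must be parenthesised before joining or the label changes meaning. The names `spdx_and` and `oci_license_label` are hypothetical, and the inputs in the comments are constructed, not the PostGIS list.

```python
import re

OPS = {"AND", "OR", "WITH"}
# Simplified syntax check (assumption): no lookup against the SPDX license
# list and no validation of parenthesis balance.
ID_RE = re.compile(r"^[A-Za-z0-9.-]+\+?$")

def _fully_wrapped(expr):
    """True if the opening "(" at position 0 closes only at the last character."""
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return ch == ")" and i == len(expr) - 1
    return False

def spdx_and(licenses):
    """Join SPDX entries with AND: deduplicated, OR entries parenthesised."""
    if not licenses:
        raise ValueError("licenses must not be empty")
    parts = []
    for raw in licenses:
        entry = " ".join(raw.split())  # normalise whitespace
        tokens = entry.replace("(", " ").replace(")", " ").split()
        is_op = [t in OPS for t in tokens]
        # Identifiers and operators must alternate, starting and ending
        # on an identifier ("Apache 2.0" is rejected here).
        ok = len(tokens) % 2 == 1 and not any(is_op[::2]) and all(is_op[1::2])
        ok = ok and all(ID_RE.match(t) for t in tokens[::2])
        if not ok:
            raise ValueError(f"not a valid SPDX entry: {raw!r}")
        # "X AND A OR B" parses as "(X AND A) OR B", so wrap OR entries.
        if "OR" in tokens and not _fully_wrapped(entry):
            entry = f"({entry})"
        if entry not in parts:
            parts.append(entry)
    return " AND ".join(parts)

def oci_license_label(licenses):
    """Build the OCI label mapping for a (constructed) licenses list."""
    return {"org.opencontainers.image.licenses": spdx_and(licenses)}

# Constructed inputs:
#   ["PostgreSQL"]
#   ["GPL-2.0-only", "MIT OR Apache-2.0", "GPL-2.0-only"]
```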