Third-party license attribution missing from k0s binary

[kke]

Many k0s dependencies have licenses that require some kind attribution in binary distributions.

• Apache 2.0: Requires NOTICE file preservation (Section 4d)
• BSD/MIT: Require copyright notice preservation
• GPL family: Require source offer / license text

The current SBOM does not help:

It contains:

• Package names and versions (1,243 Go modules)
• PURLs like pkg:golang/cel.dev/expr@v0.24.0
• Dependency relationships

but..

• No actual license identifiers: all packages have "licenseConcluded": "NOASSERTION"
• No copyright text: all are "copyrightText": "NOASSERTION"
• Empty extracted licensing section
• It can't be displayed from the binary

Others have done this by adding a licenses subcommand or something like xyz version --licenses.

[kke]

Not many other tools are doing it either so it's probably not a huge issue.

Github's "gh" is one that does:

$ gh licenses
GitHub CLI third-party dependencies
====================================

The following open source dependencies are used to build the GitHub CLI.

charm.land/bubbles/v2 (v2.0.0) - MIT - https://github.com/charmbracelet/bubbles/blob/v2.0.0/LICENSE
charm.land/bubbletea/v2 (v2.0.2) - MIT - https://github.com/charmbracelet/bubbletea/blob/v2.0.2/LICENSE
charm.land/huh/v2 (v2.0.3) - MIT - https://github.com/charmbracelet/huh/blob/v2.0.3/LICENSE
...
...

I think this is more of an exception than common practice. At minimum the 3rd party licenses should be included alongside the released binaries. We do ship the SBOM but it's missing the licenses.

Also, it's possible I have misinterpreted the requirement.

[github-actions]

The issue is marked as stale since no activity has been recorded in 30 days