CORD : GPL Issue August 2018

This wiki page will be used to update the community about the GPL issue found in August 2018. Subscribe to this page to get updates.


Our objective has been to correct the issue, learn from it, put best practices in place and establish a solid foundation for building an operationally ready reference M-CORD baseline.


ONF has worked closely with Intel and Sprint on the remediation plan and actions.


Update Nov 23 2018

While we had hoped to release new versions of the EPC software by the end of November, it is clear that it will be delayed to January. Here is an update on the status. Intel, Sprint and a few other organizations have completed development and testing of the repos. The software will be a huge improvement in terms of ability to scale and readiness for production.

To make sure the software is of very high quality, we are taking it through a rigorous process to check for license incompatibilities, security vulnerabilities, and more. As a result of this situation, the ONF has purchased and installed the Black Duck tools. They will give us a new capability to run scans on a regular basis as the tools are tightly integrated with the development toolchains (of all ONF projects, not just M-CORD). This new process will help catch any license issues much earlier. Of course, contributors are still responsible for their contributions meeting the license agreement, but adding tooling provides a new service to the community and helps all of us find any issues that may have escaped efforts made by the contributors.

Because Intel and ONF are using different Black Duck tools, there are sometimes inconsistencies in the reports from the tools. The ONF is starting to run our tools on the new repos and work with Intel and others to understand/correct the issues prior to release. Our requirement is to have no issues on day 1 when Intel submits the new code. All of this takes time, and our best estimate for completion is mid-January.

We apologize for the delay.

Completed

Made an announcement on the cord-dev@, cord-discuss@ and mobile@ email lists about the effect on the vEPC, ngic and c3po repos

Sent messages to those on record who had downloaded source

Consulted with Linux Foundation on best practices to address issue

Removed all affected images in all M-CORD releases

Removed access, then deleted affected repos

Put in place a plan to rebuild all functionality without any of the affected files - dates of availability TBD, expect in October

New code will run through Intel's best practice toolchain before submitting

ONF purchased Black Duck license checking product and is integrating with all project toolchains (not just M-CORD) - will be complete once new repos are announced

ONF is recommending people take the Linux Foundation training https://training.linuxfoundation.org/training/compliance-basics-for-developers/