This wiki page will be used to update the community about the GPL issue found in August 2018. Subscribe to this page to get updates.
Our objective has been to correct the issue, learn, put best practices in place, and establish a solid foundation for building an operationally ready reference M-CORD baseline.
ONF has worked closely with Intel and Sprint on the remediation plan and actions.
Update Nov 23 2018
While we had hoped to release new versions of the EPC software by the end of November, it is clear that the release will be delayed to January. Here is an update on the status. Intel, Sprint and a few other organizations have completed development and testing of the repos. The software will be a huge improvement in terms of ability to scale and readiness for production. To make sure the software is of very high quality, we are taking it through a rigorous process to check for license incompatibilities, security vulnerabilities, and more.
As a result of this situation, the ONF has purchased and installed the Black Duck tools. They will give us a new capability to run scans on a regular basis, as the tools are tightly integrated with the development toolchains (of all ONF projects, not just M-CORD). This new process will help catch any license issues much earlier. Of course, contributors are still responsible for their contributions meeting the license agreement, but adding tooling provides a new service to the community and helps all of us find any issues that may have escaped efforts made by the contributors.
Because Intel and ONF are using different Black Duck tools, there are sometimes inconsistencies in the reports from the tools. The ONF is starting to run our tools on the new repos and work with Intel and others to understand/correct the issues prior to release. Our requirement is to have no issues on day 1 when Intel submits the new code. All of this takes time, and our best estimate for completion is mid-January.
We apologize for the delay.
Completed
Made an announcement on the cord-dev@, cord-discuss@, and mobile@ email lists of the effect on the vEPC, ngic, and c3po repos
Sent messages to those on record who had downloaded source
Consulted with Linux Foundation on best practices to address the issue
Removed all affected images in all M-CORD releases
Removed access, then deleted affected repos
Put in place a plan to rebuild all functionality without any of the affected files - dates of availability TBD, expect in October
New code will run through Intel's best practice toolchain before submitting
ONF purchased Black Duck license checking product and is integrating with all project toolchains (not just M-CORD) - will be complete once new repos are announced
ONF is recommending people take the Linux Foundation training: https://training.linuxfoundation.org/training/compliance-basics-for-developers/