Guidance on use of a third party library maintained by a Sanctioned Entity

[RichardoC]

Originally raised via kubernetes/kubernetes#117553 and was correctly advised that this is a broader issue.

With the war in Ukraine, it's possible that multiple C.N.C.F. projects are using libraries that are maintained by sanctioned entities. I would like to request that there is clear guidance on what these projects should do. Should they fork the libraries, remove them, vendorise them etc etc?

Sorry for the poor style of request, if someone can link me to an issue guide, I'll happily rewrite this!

[caniszczyk]

In short, the CNCF/LF consider open source a global endeavor so there isn't necessarily a critical issue here: https://www.linuxfoundation.org/blog/blog/open-source-collaboration-is-a-global-endeavor

However, this doesn't mean you as a project can view this situation as risky... just like any other 3rd party dependency that may have little to no maintainers. I'm not sure if the kubernetes has guidance on 3rd party dependencies that they may find risky in that regard, but I'd follow that (cc: @dims)

[BenTheElder]

I'm not sure if the kubernetes has guidance on 3rd party dependencies that they may find risky in that regard, but I'd follow that

We don't wish to diverge from the rest of the CNCF in that regard, as we inevitably have dependencies in our dependency graph by way of other CNCF projects we depend on.

If there isn't CNCF-wide-applicable guidance to avoid a dependency (e.g. due to unacceptable license) then it's probably not worth the effort to try to excise from our dependency set which is a superset of other projects. We have asked projects to work with us to remove dependencies before, but within reason ...

---

We do have guidance for dependencies:

Kubernetes avoids unmaintained libraries where possible and we have guidance for dependencies / vendor at:
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/vendor.md

Which is applied by a small approval team for vendor changes 👋

The code-organization group also attempts to pro-actively improve dependency management.

However, we don't currently have any guidance with respect to sanctions and we've asked for CNCF-wide guidance on this topic (kubernetes/kubernetes#117553 (comment) => this issue).

It sounds like the response is "no, sanctions need not be considered".

[caniszczyk]

I'll consider this closed given the k8s guidance + CNCF response that this isn't an issue for us.

[bodnarbm]

Apologies if this is not the appropriate place for this and let me know if I should open a separate issue.

But should this be reopened and reanalyzed given the updated information published by the LF earlier this year that different analysis is needed for trade sanctions versus export controls. [1] The above question re: the larger ecosystem and the specific underlaying issue in k8s relate to the impact of OFAC sanctions. I believe this requires a different analysis on how the impacted CNCF projects should mitigate the sanctions risk given the updated information that sanctions do need to be considered.

[1] https://www.linuxfoundation.org/blog/navigating-global-regulations-and-open-source-us-ofac-sanctions