
Third-party license policy for container base images (e.g., is Red Hat UBI allowed?) #362

Open
leogr opened this issue Jun 16, 2022 · 1 comment

Comments

@leogr (Contributor) commented Jun 16, 2022

Hi

I'm a Falco core maintainer and have some doubts about the container images' license policy.

AFAIK, CNCF project dependencies under a non-Apache 2.0 license are allowed only if they satisfy the "Allowlist License Policy" criteria:
https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy

Questions:

  1. I guess the container base image used by a CNCF project must follow the same policy. Is this assumption correct?
  2. In particular, is a CNCF project allowed to use the Red Hat UBI (as the base image for its main container image)? Does the UBI (EULA) satisfy the CNCF requirements?
  3. Should we request a license exception for that?

See:

After some community members had proposed switching Falco's base image from Debian to UBI, those questions came up.
The main Falco image is still using Debian as a base image, but we also have an alternative Docker image based on UBI:
👉 https://github.com/falcosecurity/falco/blob/master/docker/ubi/Dockerfile

I want to ensure there are no licensing issues.

Thank you,
Leo

@leogr leogr changed the title Third-party license policy for container base images (e.g., is Red Had UBI allowed?) Third-party license policy for container base images (e.g., is Red Hat UBI allowed?) Aug 24, 2022
@amye amye added the licensing label Feb 14, 2023
@richardfontana commented:

With respect to software licensing, the UBI EULA just passes through all component open source licenses in a fairly uninteresting way. Thus I'd think the main issue would be the various package licenses represented in the UBI (or I guess any other conventional container base images) that are not allowed by default by CNCF (e.g. GPLv2, GPLv3, LGPLvx).
