Linuxコンテナイメージをsaveしたtarファイルでベンダーから顧客に提供するときに、例えばベースイメージがUbuntuだったらGPL適用なので全体的にGPL適用になってしまう問題。今までは業界を挙げて目を瞑っていたのが2020年中頃から真面目に議論され始めている様で。RHEL UBIベースだとRed Hatの特殊理論と友達圧力で封殺できるかもしれない訳ではありますが。
これはCI/CDやToolchainの仕組みを考える上でちょっと重要かもしれず、つまりベンダー内でコンテナイメージのビルドまでして、そのdocker saveファイルを顧客に提供するのはGPL適用になる可能性が高いが、Dockerイメージのビルドを顧客環境内で行って都度pullして利用するだけならGPLの適用要件(ソースコードの要求者への開示義務)が不要になるんだろうと。だけというのはもちろん、開発コードそのものはGPLソースからのコピペが存在しない前提で。
あとは多分、Docker hub等公的レジストリに登録した開発イメージを顧客がpullするという形で引き渡すなら、こちらもソースコード開示義務が無い(GPL適用となるベースイメージ部分は別レイヤー・別バイナリとして個別にダウンロードされるため、ベンダーがベースイメージ部分を提供していない形になる)。というのが私の認識。
てな事を、ternというツールがあるのを知って思った次第。
ternは、コンテナイメージに存在するベースイメージを含めた全レイヤーで使用ライセンスを洗い出してくれるツールで、Linux Foundation肝入りなのか何なのか(?)
https://www.linuxfoundation.org/blog/tern-1-0-0-is-generally-available/
そういうツールがあるならプライベートレジストリにあるコンテナイメージのライセンス、全部洗いだして見たくなりますよね、と。
Dockerとプライベートレジストリのセットアップ
環境はUbuntu 18.04。Lightsailの$3.5のマシンでOK。
1.DockerとRegistryをセットアップする。
$ sudo -i
# apt-get update
# apt-get install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io
# docker run -d -p 5000:5000 --restart always --name registry registry:2
2.プライベートレジストリにubuntu、centos、busybox:1:23:2、ubi(8)をpushする。
# docker pull ubuntu
# docker tag ubuntu localhost:5000/ubuntu
# docker push localhost:5000/ubuntu
# docker rmi ubuntu localhost:5000/ubuntu
# docker pull centos
# docker tag centos localhost:5000/centos
# docker push localhost:5000/centos
# docker rmi centos localhost:5000/centos
# docker pull busybox:1.23.2
# docker tag busybox:1.23.2 localhost:5000/busybox:1.23.2
# docker push localhost:5000/busybox:1.23.2
# docker rmi busybox:1.23.2 localhost:5000/busybox:1.23.2
# docker login registry.redhat.io
→ Red Hatアカウントを入力
# docker pull registry.redhat.io/ubi8/ubi
# docker tag registry.redhat.io/ubi8/ubi localhost:5000/ubi
# docker push localhost:5000/ubi
# docker rmi registry.redhat.io/ubi8/ubi localhost:5000/ubi
(確認)
ubuntu@ip-172-26-2-169:~$ curl localhost:5000/v2/_catalog
{"repositories":["busybox","centos","ubuntu"]}
ubuntu@ip-172-26-2-169:~$ curl -s http://localhost:5000/v2/busybox/tags/list
{"name":"busybox","tags":["1.23.2"]}
ternのインストールとスクリプト作成
1.ternをインストールする。
# sudo apt-get install attr
# sudo apt-get install python3-pip
# pip3 install tern
2.レポート作成用のディレクトリを作り、移動する。
# mkdir reports
# cd reports
3.以下のpythonファイルを作る。
make-reports.py
import urllib.request
import json
import os
protocol = "http"
registry = "localhost:5000"
req = urllib.request.Request(protocol + "://" + registry + "/v2/_catalog")
with urllib.request.urlopen(req) as res:
repos = json.loads(res.read())
for repo in repos["repositories"]:
req2 = urllib.request.Request(protocol + "://" + registry + "/v2/" + repo + "/tags/list")
with urllib.request.urlopen(req2) as res2:
tags = json.loads(res2.read())
for tag in tags["tags"]:
os.system("tern report -i " + registry + "/" + repo + ":" + tag + " -o " + repo + ":" + tag + ".txt")
os.system("docker rmi " + registry + "/" + repo + ":" + tag)
レポート生成
1.レポートを生成する。
動作としては、レポジトリのイメージ毎に:
レポジトリをローカルイメージとしてpull
ternでスキャン
ローカルイメージを削除
としているので、ローカルイメージを削除してほしくない場合はpythonファイル最後の「os.system("docker rmi~」の行を削除すること。
レポートの作成は結構、数分時間が掛かる。
# python3 make-reports.py
2.レポートを確認する。
レポート生成したイメージについては、プログラムを実行したディレクトリに「イメージ:タグ.txt」のファイル名が生成される。
ubuntu、centosは成功したが、busybox、ubiはternが途中でエラーを吐いて終了する。まだあまり安定しているものでは無い。
(ファイルの確認)
root@ip-172-26-2-169:~/reports# ls -l
total 28
-rw-r--r-- 1 root root 5798 Jan 2 19:45 centos:latest.txt
-rw-r--r-- 1 root root 666 Jan 2 19:33 make-reports.py
-rw-r--r-- 1 root root 7095 Jan 2 19:47 tern.log
-rw-r--r-- 1 root root 7129 Jan 2 19:47 ubuntu:latest.txt
さて肝心のファイルの中身は。。
centos:latest.txt
This report was generated by the Tern Project
Version: 2.3.0
Docker image: localhost:5000/centos:latest:
Layer 1:
File licenses found in Layer: None
Packages found in Layer: crypto-policies-20200713, python3-pip-wheel-9.0.3, ncurses-base-6.1, dnf-data-4.2.23, dbus-common-1.12.8, centos-linux-release-8.3, setup-2.12.2, basesystem-11, libselinux-2.9, glibc-minimal-langpack-2.28, glibc-2.28, libsepol-2.9, xz-libs-5.2.4, libcap-2.26, info-6.5, libcom_err-1.45.6, libxml2-2.9.7, expat-2.2.5, libuuid-2.32.1, chkconfig-1.13, gmp-6.1.2, libattr-2.4.48, coreutils-single-8.30, sed-4.5, libcap-ng-0.7.9, libffi-3.1, libzstd-1.4.4, lz4-libs-1.8.3, libgcrypt-1.8.5, gzip-1.9, libunistring-0.9.9, libassuan-2.5.1, keyutils-libs-1.5.10, p11-kit-trust-0.23.14, pcre-8.42, systemd-libs-239, dbus-tools-1.12.8, libusbx-1.0.23, ca-certificates-2020.2.41, libdb-5.3.28, ima-evm-utils-1.1, libdb-utils-5.3.28, xz-5.2.4, gdbm-1.18, shadow-utils-4.6, libutempter-1.1.6, acl-2.2.53, nettle-3.4.1, glib2-2.56.4, libcomps-0.1.11, findutils-4.6.0, cpio-2.12, ipcalc-0.2.4, iproute-5.3.0, libpcap-1.9.1, libseccomp-2.4.3, gawk-4.2.1, krb5-libs-1.18.2, libnsl2-1.2.0, platform-python-3.6.8, libpwquality-1.4.0, util-linux-2.32.1, curl-7.61.1, rpm-libs-4.14.3, device-mapper-1.02.171, cryptsetup-libs-2.3.3, elfutils-libs-0.180, systemd-239, iputils-20180629, libkcapi-hmaccalc-1.2.0, dracut-049, python3-libcomps-0.1.11, dhcp-client-4.3.6, cyrus-sasl-lib-2.1.27, libyaml-0.1.7, npth-1.5, gpgme-1.13.1, libdnf-0.48.0, python3-hawkey-0.48.0, rpm-build-libs-4.14.3, python3-dnf-4.2.23, yum-4.2.23, binutils-2.30, vim-minimal-8.0.1763, less-530, rootfiles-8.1, libgcc-8.3.1, python3-setuptools-wheel-39.2.0, tzdata-2020d, libreport-filesystem-2.9.5, dhcp-common-4.3.6, centos-gpg-keys-8, centos-linux-repos-8, filesystem-3.8, pcre2-10.32, ncurses-libs-6.1, glibc-common-2.28, bash-4.4.19, zlib-1.2.11, bzip2-libs-1.0.6, libgpg-error-1.31, elfutils-libelf-0.180, libxcrypt-4.1.1, sqlite-libs-3.26.0, libstdc++-8.3.1, popt-1.16, readline-7.0, json-c-0.13.1, libacl-2.2.53, libblkid-2.32.1, libmount-2.32.1, audit-libs-3.0, libsmartcols-2.32.1, lua-libs-5.3.4, p11-kit-0.23.14, file-libs-5.33, cracklib-2.9.6, libidn2-2.2.0, gdbm-libs-1.18, libtasn1-4.13, lzo-2.08, grep-3.1, dbus-libs-1.12.8, dhcp-libs-4.3.6, procps-ng-3.3.15, openssl-libs-1.1.1g, kmod-libs-25, kmod-25, libarchive-3.3.2, squashfs-tools-4.3, libsemanage-2.9, dbus-daemon-1.12.8, libfdisk-2.32.1, mpfr-3.1.6, gnutls-3.6.14, snappy-1.1.8, libmetalink-0.1.3, libksba-1.3.5, ethtool-5.0, libmnl-1.0.4, libnghttp2-1.33.0, iptables-libs-1.8.4, libsigsegv-2.11, libverto-0.3.0, libtirpc-1.1.4, platform-python-setuptools-39.2.0, python3-libs-3.6.8, pam-1.3.1, libcurl-minimal-7.61.1, rpm-4.14.3, libsolv-0.7.11, device-mapper-libs-1.02.171, elfutils-default-yama-scope-0.180, systemd-pam-239, dbus-1.12.8, libkcapi-1.2.0, systemd-udev-239, dracut-squash-049, bind-export-libs-9.11.20, dracut-network-049, openldap-2.4.46, libmodulemd-2.9.4, gnupg2-2.2.20, librepo-1.12.0, python3-libdnf-0.48.0, python3-gpg-1.13.1, python3-rpm-4.14.3, dnf-4.2.23, kexec-tools-2.0.20, tar-1.30, hostname-3.20, langpacks-en-1.0
Licenses found in Layer: LGPLv2+, MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD), MIT, GPLv2+ and GPLv2 and GPL, (GPLv2+ or AFL) and GPLv2+, GPLv2, Public Domain, LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL, GPLv3+, BSD, LGPLv3+ or GPLv2+, BSD and GPLv2, GPLv2+ and BSD, GPLv3+ and GFDL, GPLv2+ or LGPLv3+, LGPLv2+ and GPLv3+, GPLv2+ and LGPLv2+, LGPLv2+ and MIT, BSD and LGPLv2 and Sleepycat, GPLv2+ and Public Domain, BSD and GPLv2+, GPLv2+, BSD with advertising, LGPLv2, GPLv3+ and GPLv2+ and LGPLv2+ and BSD, BSD and LGPLv2+, Python, BSD or GPLv2+, GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain, GPLv2+ and LGPLv2+ with exceptions, LGPLv2+ and MIT and GPLv2+, BSD or GPLv2, ISC, Vim and MIT, GPLv3+ or BSD, GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD, zlib and Boost, LGPLv2+ and BSD and Public Domain, (GPLv2+ or LGPLv3+) and GPLv3+, GPLv3+ and LGPLv2+, GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+, OpenSSL and ASL 2.0, LGPLv3+ and GPLv3+ and GFDL, (LGPLv3+ or GPLv2+) and GPLv3+, GPLv2 and Artistic 2.0 and ISC, SISSL and BSD, MPLv2.0, OpenLDAP
------------------------------------------------
###########################################
# Summary of licenses found in Container: #
###########################################
GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+, LGPLv3+ or GPLv2+, OpenLDAP, GPLv2+ and BSD, Python, MIT, (LGPLv3+ or GPLv2+) and GPLv3+, GPLv2, MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD), GPLv2+ and Public Domain, LGPLv2+ and BSD and Public Domain, GPLv3+ and GFDL, GPLv3+ and LGPLv2+, GPLv3+, BSD, BSD with advertising, GPLv2 and Artistic 2.0 and ISC, zlib and Boost, ISC, LGPLv2+ and GPLv3+, GPLv2+, BSD and GPLv2, GPLv2+ and LGPLv2+, LGPLv2+ and MIT, GPLv3+ and GPLv2+ and LGPLv2+ and BSD, GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD, LGPLv2+, LGPLv2+ and MIT and GPLv2+, LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL, LGPLv3+ and GPLv3+ and GFDL, SISSL and BSD, LGPLv2, GPLv2+ and GPLv2 and GPL, BSD or GPLv2, BSD and LGPLv2+, GPLv2+ or LGPLv3+, Vim and MIT, GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain, OpenSSL and ASL 2.0, (GPLv2+ or AFL) and GPLv2+, BSD and GPLv2+, BSD and LGPLv2 and Sleepycat, BSD or GPLv2+, GPLv2+ and LGPLv2+ with exceptions, (GPLv2+ or LGPLv3+) and GPLv3+, MPLv2.0, Public Domain, GPLv3+ or BSD
ubuntu:latest.txt
This report was generated by the Tern Project
Version: 2.3.0
Docker image: localhost:5000/ubuntu:latest:
Layer 1:
File licenses found in Layer: None
Packages found in Layer: adduser-3.118ubuntu2, apt-2.0.2ubuntu0.1, base-files-11ubuntu5.2, base-passwd-3.5.47, bash-5.0-6ubuntu1.1, bsdutils-1:2.34-0.1ubuntu9.1, bzip2-1.0.8-2, coreutils-8.30-3ubuntu2, dash-0.5.10.2-6, debconf-1.5.73, debianutils-4.9.1, diffutils-1:3.7-3, dpkg-1.19.7ubuntu3, e2fsprogs-1.45.5-2ubuntu1, fdisk-2.34-0.1ubuntu9.1, findutils-4.7.0-1ubuntu1, gcc-10-base-10.2.0-5ubuntu1~20.04, gpgv-2.2.19-3ubuntu2, grep-3.4-1, gzip-1.10-0ubuntu4, hostname-3.23, init-system-helpers-1.57, libacl1-2.2.53-6, libapt-pkg6.0-2.0.2ubuntu0.1, libattr1-1:2.4.48-5, libaudit-common-1:2.8.5-2ubuntu6, libaudit1-1:2.8.5-2ubuntu6, libblkid1-2.34-0.1ubuntu9.1, libbz2-1.0-1.0.8-2, libc-bin-2.31-0ubuntu9.1, libc6-2.31-0ubuntu9.1, libcap-ng0-0.7.9-2.1build1, libcom-err2-1.45.5-2ubuntu1, libcrypt1-1:4.4.10-10ubuntu4, libdb5.3-5.3.28+dfsg1-0.6ubuntu2, libdebconfclient0-0.251ubuntu1, libext2fs2-1.45.5-2ubuntu1, libfdisk1-2.34-0.1ubuntu9.1, libffi7-3.3-4, libgcc-s1-10.2.0-5ubuntu1~20.04, libgcrypt20-1.8.5-5ubuntu1, libgmp10-2:6.2.0+dfsg-4, libgnutls30-3.6.13-2ubuntu1.3, libgpg-error0-1.37-1, libhogweed5-3.5.1+really3.5.1-2, libidn2-0-2.2.0-2, liblz4-1-1.9.2-2, liblzma5-5.2.4-1ubuntu1, libmount1-2.34-0.1ubuntu9.1, libncurses6-6.2-0ubuntu2, libncursesw6-6.2-0ubuntu2, libnettle7-3.5.1+really3.5.1-2, libp11-kit0-0.23.20-1build1, libpam-modules-1.3.1-5ubuntu4.1, libpam-modules-bin-1.3.1-5ubuntu4.1, libpam-runtime-1.3.1-5ubuntu4.1, libpam0g-1.3.1-5ubuntu4.1, libpcre2-8-0-10.34-7, libpcre3-2:8.39-12build1, libprocps8-2:3.3.16-1ubuntu2, libseccomp2-2.4.3-1ubuntu3.20.04.3, libselinux1-3.0-1build2, libsemanage-common-3.0-1build2, libsemanage1-3.0-1build2, libsepol1-3.0-1, libsmartcols1-2.34-0.1ubuntu9.1, libss2-1.45.5-2ubuntu1, libstdc++6-10.2.0-5ubuntu1~20.04, libsystemd0-245.4-4ubuntu3.3, libtasn1-6-4.16.0-2, libtinfo6-6.2-0ubuntu2, libudev1-245.4-4ubuntu3.3, libunistring2-0.9.10-2, libuuid1-2.34-0.1ubuntu9.1, libzstd1-1.4.4+dfsg-3, login-1:4.8.1-1ubuntu5.20.04, logsave-1.45.5-2ubuntu1, lsb-base-11.1.0ubuntu2, mawk-1.3.4.20200120-2, mount-2.34-0.1ubuntu9.1, ncurses-base-6.2-0ubuntu2, ncurses-bin-6.2-0ubuntu2, passwd-1:4.8.1-1ubuntu5.20.04, perl-base-5.30.0-9ubuntu0.2, procps-2:3.3.16-1ubuntu2, sed-4.7-1, sensible-utils-0.0.12+nmu1, sysvinit-utils-2.96-2.1ubuntu1, tar-1.30+dfsg-7, ubuntu-keyring-2020.02.11.2, util-linux-2.34-0.1ubuntu9.1, zlib1g-1:1.2.11.dfsg-2ubuntu1.2
Licenses found in Layer: GPLv2+, PD, GPL-2, public-domain, LGPL-2.1+, BSD-2-clause, GPL-2+, LGPL, LGPL-2+, LGPL-3+, GPL-3+, BSD-4-clause, BSD-3-clause, MIT, BSD-variant, public-domain-s-s-d, public-domain-md5, GPL-3+ or BSD-3-clause, CC0-1.0, Expat, permissive, TinySCHEME, RFC-Reference, LGPL-2.1, LGPLv3+_or_GPLv2+, GPLv3+, Public domain., LGPLv2.1+, Apache-2.0, LGPL-2.1+ or BSD-3-clause, g10-permissive, GPL-2+ with Autoconf exception, GAP, other, LGPL-3+ or GPL-2+, Unicode, permissive-nowarranty, config-h, probably-PD, Autoconf, PD-debian, noderivs, none, permissive-fsf, permissive-like-automake-output, ISC, BSD-3-Clause, same-as-rest-of-p11kit, GPL-2.0+, LGPL-2.0+, GPL-2 with Linux-syscall-note exception, GPL-3+ or GFDL-1.2+, GPL-2+ with distribution exception, GFDL-1.2+, FreeSoftware, BSD-3-clause and GPL-2, zlib, REGCOMP, and GPL-1+ or Artistic, BSD-4-clause-POWERDOG, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, GPL-1+, Artistic or GPL-1+ or Artistic-dist, DONT-CHANGE-THE-GPL, GPL-1+ or Artistic, and Unicode, REGCOMP, GPL-3+-WITH-BISON-EXCEPTION, BSD-3-clause-GENERIC, HSIEH-DERIVATIVE, GPL-2+ or Artistic, GPL-1+ or Artistic, TEXT-TABS, GPL-1+ or Artistic or Artistic-dist, BSD-3-clause-with-weird-numbering, Expat or GPL-1+ or Artistic, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, ZLIB, SDBM-PUBLIC-DOMAIN, RRA-KEEP-THIS-NOTICE, BZIP, Artistic-2, Artistic, HSIEH-BSD, GPL-1+ or Artistic, and Expat, Artistic-dist, installsh, All-permissive, configure, Zlib
------------------------------------------------
Layer 2:
warning:
Unrecognized Commands:set -xe
echo #!/bin/sh > /usr/sbin/policy-rc.d
echo exit 101 >> /usr/sbin/policy-rc.d
chmod +x /usr/sbin/policy-rc.d
dpkg-divert --local --rename --add /sbin/initctl
cp -a /usr/sbin/policy-rc.d /sbin/initctl
sed -i s/^exit.*/exit 0/ /sbin/initctl
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
echo DPkg::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
> /etc/apt/apt.conf.d/docker-clean
echo APT::Update::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
>> /etc/apt/apt.conf.d/docker-clean
echo Dir::Cache::pkgcache
Dir::Cache::srcpkgcache
>> /etc/apt/apt.conf.d/docker-clean
echo Acquire::Languages none
> /etc/apt/apt.conf.d/docker-no-languages
echo Acquire::GzipIndexes true
Acquire::CompressionTypes::Order:: gz
> /etc/apt/apt.conf.d/docker-gzip-indexes
echo Apt::AutoRemove::SuggestsImportant false
> /etc/apt/apt.conf.d/docker-autoremove-suggests
File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
------------------------------------------------
Layer 3:
warning:
Unrecognized Commands:mkdir -p /run/systemd
echo docker > /run/systemd/container
File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
------------------------------------------------
###########################################
# Summary of licenses found in Container: #
###########################################
LGPL, GPL-3+ or GFDL-1.2+, none, LGPL-2+, RFC-Reference, GPL-1+ or Artistic, GPL-1+ or Artistic or Artistic-dist, permissive-nowarranty, permissive-like-automake-output, TinySCHEME, noderivs, Expat or GPL-1+ or Artistic, ZLIB, ISC, BZIP, Public domain., GPL-1+ or Artistic, and Expat, MIT, public-domain, BSD-3-clause and GPL-2, GPL-1+, LGPL-2.0+, GPL-2+ or Artistic, TEXT-TABS, Apache-2.0, LGPL-3+ or GPL-2+, LGPL-2.1+, CC0-1.0, g10-permissive, probably-PD, Artistic-2, LGPL-3+, BSD-4-clause-POWERDOG, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, PD, BSD-variant, GPL-2.0+, zlib, Artistic or GPL-1+ or Artistic-dist, BSD-3-clause-GENERIC, BSD-2-clause, LGPL-2.1+ or BSD-3-clause, same-as-rest-of-p11kit, config-h, permissive-fsf, configure, GPL-2+ with Autoconf exception, BSD-3-clause-with-weird-numbering, public-domain-s-s-d, GPL-2 with Linux-syscall-note exception, GPL-3+ or BSD-3-clause, GAP, SDBM-PUBLIC-DOMAIN, RRA-KEEP-THIS-NOTICE, Artistic, GPLv2+, REGCOMP, and GPL-1+ or Artistic, BSD-3-Clause, LGPLv3+_or_GPLv2+, GPL-2, All-permissive, DONT-CHANGE-THE-GPL, GPL-3+, BSD-4-clause, LGPL-2.1, GPL-1+ or Artistic, and Unicode, REGCOMP, GPL-3+-WITH-BISON-EXCEPTION, HSIEH-DERIVATIVE, GPL-2+, Autoconf, PD-debian, Expat, Unicode, public-domain-md5, BSD-3-clause, FreeSoftware, GPLv3+, other, GFDL-1.2+, Zlib, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, installsh, permissive, GPL-2+ with distribution exception, HSIEH-BSD, Artistic-dist, LGPLv2.1+
まじか。こんなにライセンスの種類あるのか。
これは。。会社の弁護士さんも気乗りしないわ。。
(追記)似たような仕組みで、イメージの脆弱性のチェック。
https://qiita.com/rk05231977/items/062410b319f4cc28c89b