As with everything we do, we are fully transparent. As it becomes obvious that
a simple resolution in this matter is not possible, we follow open source best
practices and choose a public forum for the sake of transparency.
It was brought to our attention that some of the new eBPF
code committed to the
Calico repository is violating the
license of source code in the Cilium repository.
The original report called out suspiciously similar code in both repositories.
This by itself is of course not a problem if the open source licenses involved
are respected. This includes, among other things, attribution and restrictions
regarding the rights to re-license.
Upon closer inspection, it was identified that source code has been copied from
modified to create derivative work, and then committed (commit)
to the Calico repository with the license changed in a non-compatible manner.
As part of this, the attribution required by the license was also omitted. The
details of this can be found further down in this post.
Like the majority of the Linux kernel source code, the datapath portion of
Cilium that runs as part of the Linux kernel is released under the GPL 2.0
license. The GPL license does not permit a license change to the Apache
License without consent of the original authors.
This prompted us to contact the authors of the derivative work. As a result,
an initial attempt was made
to rewrite some sections of the code. After inspection, we concluded that the
work is still a derivative of our original source code.
However, in order to resolve the situation as simply as possible, we offered to
dual-license the respective code under the Apache license with the condition
that attribution to the original authors is added. This resulted in the
following pull request
being proposed to the Calico repository to add the attribution. The pull
request is currently waiting to be merged.
From our perspective, this would resolve all of our concerns. We obviously also
accept any other resolution as long as it conforms to the respective open
We are waiting for a reaction by the maintainers of the Calico project.
Update 2019-06-25: Some of the eBPF related code has now been removed from
the Calico repository via this