Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 695212

Summary: app-metrics/{alertmanager,prometheus,{bind,blackbox,burrow,elasticsearch,mongodb,node,openvpn,postgres,postfix,snmp,vault}_exporter,nginx-vts-exporter}: incomplete LICENSE
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED FIXED    
Severity: normal CC: andreasoehler, licenses, robbat2, treecleaner, whissi
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/13835
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 694792    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-20 21:17:43 UTC
app-metrics/alertmanager
app-metrics/blackbox_exporter
app-metrics/node_exporter
app-metrics/prometheus
app-metrics/snmp_exporter

The listed packages seem to be bundling (vendoring) multiple dependencies, however the LICENSE variable does not seem to reflect that.  Please verify the licenses for all vendored dependencies, and include them in the LICENSE variable.  While at it, please be watchful for license conflicts.

See tracker bug for tips on how to do that.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-03 19:59:03 UTC
Ping.
Comment 2 Holger Hoffstätte 2019-12-02 01:40:59 UTC
I don't think it's our job to verify upstream dependencies, but seeing these packages getting lost would be a shame so I decided to do my part.

At least the following are OK, verified with Google's go-licenses check
tool (linked in the blocker bug):

app-metrics/alertmanager
app-metrics/bind_exporter
app-metrics/blackbox_exporter
app-metrics/burrow_exporter
app-metrics/elasticsearch_exporter
app-metrics/nginx-vts-exporter
app-metrics/node_exporter
app-metrics/openvpn_exporter
app-metrics/postfix_exporter
app-metrics/postgres_exporter
app-metrics/prometheus
app-metrics/snmp_exporter

The app-metrics/vault_exporter repo has disappeared but was rescued at:
https://github.com/Talend/vault_exporter and checks OK with hiccups (thanks to the !"§$% Hashicorp SDK) but those dependencies are all MPL/BSD as well, so it's good.

app-metrics/mongodb_exporter on the other hand is indeed sloppy:
$go-licenses check github.com/percona/mongodb_exporter
Forbidden license type AGPL-3.0 for library github.com/percona/mongodb_exporter/vendor/github.com/percona/pmm/version

The project does not have an open issue tracker on Github - one is supposed to sign up at the Percona JIRA instance. It's also not clear to me how this is supposed to be solved since the "ppm" dependency is Percona's own library.

I may continue checking as I find the time, but for now the above ebuilds (except for mongodb_exporter) can & should be unmasked again, despite being maintainer-needed.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-12-02 08:05:05 UTC
It's not enough to say they're OK.  The ebuild needs to contain licenses of all bundled dependencies that are used in static linking or installed.
Comment 4 Holger Hoffstätte 2019-12-02 11:42:53 UTC
(In reply to Michał Górny from comment #3)
> It's not enough to say they're OK.  The ebuild needs to contain licenses of
> all bundled dependencies that are used in static linking or installed.

Understood, I'll create a Github PR for the above which I checked so far.
Comment 5 Holger Hoffstätte 2019-12-02 13:36:59 UTC
A bit more than promised since the go-licenses tool makes this quite easy:
https://github.com/gentoo/gentoo/pull/13835
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-02 15:07:12 UTC
Thank you Holger for your work and please continue.

However, I am going to revert the current mask in the meanwhile: All Prometheus code and all listed exporters are licensed under Apache 2.0 license and things like BSD or MIT license are _authorized_ 3rd party licenses of Apache 2.0 license and therefore there isn't any license problem justifying the current mask.
Comment 7 Larry the Git Cow gentoo-dev 2019-12-02 15:18:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a954357256aff48090c26c13ae59003c174d208

commit 9a954357256aff48090c26c13ae59003c174d208
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-02 15:09:15 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-02 15:18:24 +0000

    profiles: Unmask app-metrics/{alertmanager,prometheus,*_exporter}
    
    Mask was applied because of "incorrect license information" in commit
    431fad963f6677e8f58276b1433f9b9f56e75ca9. While you could list _more_
    licenses, and people started to work on this now, these packages are all
    licensed under Apache 2.0 which explicitly lists BSD, MIT.. as authorized
    3rd party licenses. Therefore a mask due to incorrect licenses isn't
    justified.
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 15 ---------------
 1 file changed, 15 deletions(-)
Comment 8 Holger Hoffstätte 2019-12-02 15:41:19 UTC
Thanks. I'd still argue that mongodb_exporter should be masked since
its license salad is really wrong and not easily fixed. But.. ¯\_(ツ)_/¯
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-02 15:58:59 UTC
Sure, please add app-metrics/mongodb to your PR and add AGPL..

But once done, why mask? AGPL is valid. License checker is complaining because it's not a general tool, it's a tool for Googlers and Google doesn't allow AGPL.
Comment 10 Holger Hoffstätte 2019-12-02 16:13:11 UTC
(In reply to Thomas Deutschmann from comment #9)
> Sure, please add app-metrics/mongodb to your PR and add AGPL..
> 
> But once done, why mask? AGPL is valid. License checker is complaining
> because it's not a general tool, it's a tool for Googlers and Google doesn't
> allow AGPL.

Understood, will do - but out of curiosity, how can a main executable be Apache while linking to an AGPL library? Is the AGPL not stronger ('viral') and therefore takes precedence, in addition to the SaaS aspect?
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-12-03 07:41:26 UTC
(In reply to Holger Hoffstätte from comment #10)
> Understood, will do - but out of curiosity, how can a main executable be
> Apache while linking to an AGPL library? Is the AGPL not stronger ('viral')
> and therefore takes precedence, in addition to the SaaS aspect?

You are correct, it can't.  It makes the package in question effectively AGPL.  Now, given dangerous AGPL terms, it can actually put users (understood as people using this in their own solutions) in peril of violating the license terms.

This is certainly a problem that needs to be reported and fixed upstream.  I suppose adding AGPL on our end somewhat works it around by making users aware that there's AGPL involved but IANAL.

Last time this was discussed, the conclusion was that upstream needs to fix license problems, not us.  CC-ing licenses@.
Comment 12 Ulrich Müller gentoo-dev 2019-12-03 08:26:44 UTC
(In reply to Michał Górny from comment #11)
> (In reply to Holger Hoffstätte from comment #10)
> > Understood, will do - but out of curiosity, how can a main executable be
> > Apache while linking to an AGPL library? Is the AGPL not stronger ('viral')
> > and therefore takes precedence, in addition to the SaaS aspect?
> 
> You are correct, it can't.  It makes the package in question effectively
> AGPL.  Now, given dangerous AGPL terms, it can actually put users
> (understood as people using this in their own solutions) in peril of
> violating the license terms.

Disclaimer: IANAL, TINLA.

By section 13 of the AGPL-3, if they modify the program, they must provide a link to the modified source code. I believe that there is no problem if they are running the unmodified version (or a patched Gentoo version), because the AGPL explicitly says "if *you* modify the Program".

> This is certainly a problem that needs to be reported and fixed upstream.  I
> suppose adding AGPL on our end somewhat works it around by making users
> aware that there's AGPL involved but IANAL.
> 
> Last time this was discussed, the conclusion was that upstream needs to fix
> license problems, not us.  CC-ing licenses@.

Right, it is mainly an upstream problem that we cannot solve at the distro level. We keep the AGPL in the FREE license group because it is approved as a FOSS license by both the FSF and the OSI. Users who don't want it can add "-AGPL-3 -AGPL-3+" to their ACCEPT_LICENSE setting.
Comment 13 Ulrich Müller gentoo-dev 2019-12-03 09:09:45 UTC
(In reply to Ulrich Müller from comment #12)
> By section 13 of the AGPL-3, if they modify the program, they must provide a
> link to the modified source code. I believe that there is no problem if they
> are running the unmodified version (or a patched Gentoo version), because
> the AGPL explicitly says "if *you* modify the Program".

To clarify: If they just run the unmodified program, then they don't even have to accept the AGPL, and they're not bound by its terms. Copyright law is only about modification and distribution, but not about usage.

The AGPL itself says this: "You are not required to accept this License in order to receive or run a copy of the Program."
Comment 14 Larry the Git Cow gentoo-dev 2019-12-03 09:48:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b17490f0beccc2e3a61d7faa3d1180c047bb0650

commit b17490f0beccc2e3a61d7faa3d1180c047bb0650
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:39:32 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:48:00 +0000

    app-metrics/vault_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Closes: https://github.com/gentoo/gentoo/pull/13835
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/vault_exporter/vault_exporter-0.1.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3b99ec034b0d929f95a525cc51e43daffc31fb4

commit d3b99ec034b0d929f95a525cc51e43daffc31fb4
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:39:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:58 +0000

    app-metrics/snmp_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/snmp_exporter/snmp_exporter-0.15.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=930b6f6f192408828239dcebee85e9ecfab95353

commit 930b6f6f192408828239dcebee85e9ecfab95353
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:38:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:57 +0000

    app-metrics/rabbitmq_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/rabbitmq_exporter/rabbitmq_exporter-0.29.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8edaf0ebd2de8a41f994a6613683af535f39d698

commit 8edaf0ebd2de8a41f994a6613683af535f39d698
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:38:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:55 +0000

    app-metrics/prometheus: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/prometheus/prometheus-2.13.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e0356b5c7b9ac6705ef1d6526c7fb3e92ea3a0f

commit 2e0356b5c7b9ac6705ef1d6526c7fb3e92ea3a0f
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:38:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:53 +0000

    app-metrics/postgres_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/postgres_exporter/postgres_exporter-0.4.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36988ac0da8384d68c0f3f7cde2a02e9161ba1db

commit 36988ac0da8384d68c0f3f7cde2a02e9161ba1db
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:37:25 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:51 +0000

    app-metrics/postfix_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/postfix_exporter/postfix_exporter-0.1.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3cc9214af0d55aa004c69eb4c4da84264273025d

commit 3cc9214af0d55aa004c69eb4c4da84264273025d
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:37:03 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:50 +0000

    app-metrics/openvpn_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/openvpn_exporter/openvpn_exporter-0.2.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=656a3aa96fff8b0358e6df06acc6e27106480e01

commit 656a3aa96fff8b0358e6df06acc6e27106480e01
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:36:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:48 +0000

    app-metrics/node_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/node_exporter/node_exporter-0.18.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5bd5e5ed1fbe070da0aa70aabefa4aa96d81685

commit c5bd5e5ed1fbe070da0aa70aabefa4aa96d81685
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:36:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:46 +0000

    app-metrics/nginx-vts-exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/nginx-vts-exporter/nginx-vts-exporter-0.10.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=032c19f1a1a64af6867d6b5291a07ccf1a736a3c

commit 032c19f1a1a64af6867d6b5291a07ccf1a736a3c
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:35:31 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:44 +0000

    app-metrics/mysql_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/mysqld_exporter/mysqld_exporter-0.10.0-r1.ebuild | 2 +-
 app-metrics/mysqld_exporter/mysqld_exporter-0.11.0.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=286a453adcad2787bd5d8f57993d355d6b88e3e3

commit 286a453adcad2787bd5d8f57993d355d6b88e3e3
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:33:53 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:43 +0000

    app-metrics/mongodb_exporter: add licenses for transitive go dependencies
    
    Also revbump since some users may reject AGPL.
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../{mongodb_exporter-0.6.2.ebuild => mongodb_exporter-0.6.2-r1.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8153edfea31cfef3179fed479d7d61136565d28

commit b8153edfea31cfef3179fed479d7d61136565d28
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:33:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:41 +0000

    app-metrics/memcached_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/memcached_exporter/memcached_exporter-0.5.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e552adb58247a7aa6da68e591ec353a2b4809918

commit e552adb58247a7aa6da68e591ec353a2b4809918
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:33:00 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:39 +0000

    app-metrics/grok_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/grok_exporter/grok_exporter-0.2.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3068646094006b1d9c80bcb671ae42ef171b9eff

commit 3068646094006b1d9c80bcb671ae42ef171b9eff
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:32:34 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:37 +0000

    app-metrics/github-exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/github-exporter/github-exporter-04-r1.ebuild | 2 +-
 app-metrics/github-exporter/github-exporter-04.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea768ee1b6467fd2678974fac62eb7e63c570a61

commit ea768ee1b6467fd2678974fac62eb7e63c570a61
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:31:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:36 +0000

    app-metrics/elasticsearch_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/elasticsearch_exporter/elasticsearch_exporter-1.0.2.ebuild  | 2 +-
 .../elasticsearch_exporter/elasticsearch_exporter-1.0.4_rc1.ebuild      | 2 +-
 app-metrics/elasticsearch_exporter/elasticsearch_exporter-1.1.0.ebuild  | 2 +-
 .../elasticsearch_exporter/elasticsearch_exporter-1.1.0_rc1.ebuild      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cfc626f41b85cde22b253bfbde3484e9edf8a47

commit 4cfc626f41b85cde22b253bfbde3484e9edf8a47
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:31:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:34 +0000

    app-metrics/consul_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/consul_exporter/consul_exporter-0.4.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=936e17f5649ceb53c7317366fe70e64a3b4c8db9

commit 936e17f5649ceb53c7317366fe70e64a3b4c8db9
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:31:06 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:32 +0000

    app-metrics/burrow_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/burrow_exporter/burrow_exporter-0.0.6-r1.ebuild | 2 +-
 app-metrics/burrow_exporter/burrow_exporter-0.0.6.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=128eb3722ef2bab36bb176225fac1b07346e0c31

commit 128eb3722ef2bab36bb176225fac1b07346e0c31
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:30:28 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:30 +0000

    app-metrics/bind_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/bind_exporter/bind_exporter-0.2.0_p20190226.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0223cb8c4b5202a3405f4a0cbabda97c87530d31

commit 0223cb8c4b5202a3405f4a0cbabda97c87530d31
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:29:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:28 +0000

    app-metrics/blackbox_exporter: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/blackbox_exporter/blackbox_exporter-0.15.1.ebuild | 2 +-
 app-metrics/blackbox_exporter/blackbox_exporter-0.16.0.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fdc21244f352851749395e9897d361bf326b603

commit 9fdc21244f352851749395e9897d361bf326b603
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:28:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:27 +0000

    app-metrics/alertmanager: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-metrics/alertmanager/alertmanager-0.18.0.ebuild | 2 +-
 app-metrics/alertmanager/alertmanager-0.19.0.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fc7fdcc8e1ffe958988cf2067c565b89ada38d6

commit 8fc7fdcc8e1ffe958988cf2067c565b89ada38d6
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2019-12-02 22:26:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:47:25 +0000

    app-emulation/cadvisor: add licenses for transitive go dependencies
    
    Bug: https://bugs.gentoo.org/695212
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-emulation/cadvisor/cadvisor-0.34.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-04 07:08:16 UTC
mgorny:
Can you please clarify which of these packages still need further fixes?

It looks like every package you listed in the initial report has been fixed