Resolve differences with CNCF allow-list for dependency licenses #2107

@john-h-kastner-aws

Describe the improvement you'd like to request

We now intend to follow the allow-list of dependency licenses prescribed by the CNCF here https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md#approved-licenses-for-allowlist

#2106 added additional entries to our deny.toml where the CNCF list allows more licenses, but there was one existing entry for Unicode-3.0, used by our (transitive) dependency unicode-ident, that the CNCF doesn't include.

We need to either submit an issue to get an exception or remove our dependency on unicode-ident (not likely since it's transitively used by many dependencies).

We also depend on some crates under Apache-2.0 WITH LLVM-exception. This also isn't explicitly allowed, but it might be implicitly allowed as a simple variant of Apache-2.0. We'll need to check up on this regardless. This covers a few dependencies: ar_archive_writer, linux-raw-sys, rustix, and wasi.

To get an up-to-date list of dependencies we use under these licenses, run cargo deny --list.

Describe alternatives you've considered

No response

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this internal improvement
  • ⚠️ This feature might incur a breaking change
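
How crate-scoped exceptions in cargo-deny could express the two cases raised in this issue, as an added example that is not part of the issue and not Cedar's actual deny.toml. The two-entry `allow` list is a constructed placeholder for the CNCF allowlist, and whether either exception is acceptable to the CNCF remains the open question above.

```toml
# Illustrative deny.toml fragment (constructed; not the project's real file).

[licenses]
# Global allow-list: only licenses that appear on the CNCF allowlist.
# These two entries are placeholders standing in for that list.
allow = [
    "Apache-2.0",
    "MIT",
]

# Licenses outside the global list are granted per crate instead of globally.
# A new dependency that arrives under Unicode-3.0 or the LLVM exception then
# still fails `cargo deny check licenses` until it has been reviewed.
# Recent cargo-deny releases use the `crate` key; older releases use `name`.
exceptions = [
    # Not on the CNCF allowlist; needs a CNCF exception to stay.
    { allow = ["Unicode-3.0"], crate = "unicode-ident" },

    # Not explicitly on the CNCF allowlist; status to be confirmed.
    { allow = ["Apache-2.0 WITH LLVM-exception"], crate = "ar_archive_writer" },
    { allow = ["Apache-2.0 WITH LLVM-exception"], crate = "linux-raw-sys" },
    { allow = ["Apache-2.0 WITH LLVM-exception"], crate = "rustix" },
    { allow = ["Apache-2.0 WITH LLVM-exception"], crate = "wasi" },
]
```

Keeping the non-CNCF licenses in `exceptions` rather than in `allow` also makes the set of crates that need a foundation-level exception readable directly from the file.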

Labels: CNCF, internal-improvement (Refactoring, minor performance improvement, or other changes that Cedar users may never notice)
