feat(opentelemetry-instrumentation): replace semver package with internal semantic versioning check implementation #5305
/* | ||
* Copyright The OpenTelemetry Authors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ |
Is this the correct Licence notice? The original one from semver says you have to mention theirs as well.
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Same for the other copied and modified files.
Hmm, I am not very familiar with this license stuff. Should I just append the semver license header to the OTEL header? Is there anything I should do?
Unfortunately I don't know either. And a google search didn't give me an answer.
I just wanted to highlight that there is maybe something to do, to mitigate the risk of a license issue.
If you make substantial changes to the third-party code, prepend the contributed third party file with OpenTelemetry's copyright notice.
Here is an example:
https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/plugins/node/opentelemetry-instrumentation-aws-sdk/src/propwrap.ts
However, the same community repo link above also says:
Any contributed third-party code must originally be Apache 2.0-Licensed or must carry a permissive software license that is compatible when combining with Apache 2.0 License. At this moment, BSD and MIT are the only OSI-approved licenses known to be compatible.
Unfortunately this is neither BSD nor MIT.
ISC is an OSI approved license (https://opensource.org/license/isc-license-txt) and https://en.wikipedia.org/wiki/ISC_license suggests "It is functionally equivalent to the simplified BSD and MIT licenses, but without language deemed unnecessary following the Berne Convention."
Options I see:
- Ask the OTel TC and/or GC for advice here on whether the ISC license could reasonably be added to that list of licenses "known to be compatible". @mx-psi Do you have any experience here with this kind of license question?
- Publish this separate simple semver-satisfies as a separate package to npm and add a dependency on it. I don't know if you'd be willing to do that.
Hey, thanks for the ping. I'll preface this by saying that I am just stating my personal opinion and I am not giving legal advice nor representing the GC here.
AIUI this is not contributed code, but rather code you are using as a dependency of some sort. For that case, you can look into the CNCF third party license guidelines. ISC is listed there: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy as an "Approved [License] for Allowlist". If you are able to fulfill the rest of the criteria mentioned in that document (e.g. by "storing [the code] unmodified in a designated third-party folder") and checking that (3) is satisfied, then I think you should be good.
There's also some dependencies that are specifically approved (see here), I don't think this is one of them, but feel free to check it as well.
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5305   +/-   ##
=======================================
  Coverage   94.54%   94.54%
=======================================
  Files         318      318
  Lines        8052     8052
  Branches     1694     1694
=======================================
  Hits         7613     7613
  Misses        439      439
I'm supportive of this.
- There is the license/copyright Q to sort out.
- I'd love to have some details on the semver.ts implementation to know if I should more closely review it.
Other comments are nits.
@@ -59,13 +59,11 @@ | |||
"@protobuf-ts/runtime-rpc": "2.9.4", | |||
"@types/mocha": "10.0.10", | |||
"@types/node": "18.6.5", | |||
"@types/semver": "7.5.8", |
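Review bot: with `"@types/semver": "7.5.8"` gone from this block (last line of the hunk), check that no source or test file in the package still imports `semver`. A leftover import can keep resolving through a copy installed for another package and only break later for consumers. Search the package for `semver` imports and update the lockfile in the same commit so the removal is visible in the dependency diff.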
Ah, you were doing this too. I noticed that some other packages had now-unused deps on semver and opened #5306
I should have read your patch first. :)
Yep, there were some unused semver deps and some of them are only used by tests and can easily be replaced.
… in CNCF repos This came up in open-telemetry/opentelemetry-js#5305 Refs: open-telemetry#2504
Hi all, any update on this PR? Are we OK with the licensing question?
… in CNCF repos (#2506) * Refer to CNCF allowlist for 3rd-party licenses approved for inclusion in CNCF repos This came up in open-telemetry/opentelemetry-js#5305 Refs: #2504 * mention and refer to the CNCF conditions for including third-party code
@serkan-ozal I made a number of suggestions for the license/copyright questions. Let me know if they seem reasonable to you.
CHANGELOG.md
@@ -60,6 +60,7 @@ For semantic convention package changes, see the [semconv CHANGELOG](packages/se | |||
* refactor(sdk-trace-base): remove `BasicTracerProvider._registeredSpanProcessors` private property. [#5134](https://github.com/open-telemetry/opentelemetry-js/pull/5134) @david-luna | |||
* refactor(sdk-trace-base): rename `BasicTracerProvider.activeSpanProcessor` private property. [#5211](https://github.com/open-telemetry/opentelemetry-js/pull/5211) @david-luna | |||
* chore(selenium-tests): remove internal selenium-tests/ package, it wasn't being used @trentm | |||
* feat(opentelemetry-instrumentation): replace `semver` package with internal semantic versioning check implementation |
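Review bot: the new entry on the last line has neither the PR link nor the author handle that the entries above it carry (for example `[#5134](https://github.com/open-telemetry/opentelemetry-js/pull/5134) @david-luna`). Add the link for #5305 and the handle, and say in the same sentence that a runtime dependency is being dropped and why, since people auditing their dependency tree read this file to find exactly that kind of change.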
nit: could add the link to the PR here. Could also give the reason for the removal in that sentence.
@trentm done
For licensing of these two fixture files, how about the following?
- Move them to a "test/common/third-party/node-semver/range-{exclude,include}.js" to satisfy the "stored unmodified in a designated third-party folder" from https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
- Revert them to be an unmodified copy from node-semver.git. Then change the "semver.test.ts" driver to skip a fixture case if its third entry is `true` or `{loose: true}` -- rather than the changes you have now to skip those cases.
- Add the https://github.com/npm/node-semver/blob/main/LICENSE file to that test/common/third-party/node-semver dir.
@trentm done
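The fixture-driver approach suggested in the comment above (keep the node-semver fixtures unmodified and skip loose cases in the driver), as an added example that is not code from this PR or from node-semver. `satisfies`, `runFixtures`, `isLoose` and the fixture rows are hypothetical, and the matcher is a deliberately small stand-in that handles only plain `x.y.z` versions.

```javascript
// Added example (not the PR's semver.ts). Stand-in matcher: plain x.y.z versions
// and the operators >= <= > < = ^ ~, joined by spaces (AND) and "||" (OR).
const COMPARATOR = /^(>=|<=|>|<|=|\^|~)?v?(\d+)\.(\d+)\.(\d+)$/;
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Exclusive upper bound of a caret range: bump the left-most non-zero part.
const caretUpper = ([major, minor, patch]) =>
  major > 0 ? [major + 1, 0, 0] : minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];
function testComparator(token, v) {
  const m = COMPARATOR.exec(token);
  if (!m) return false; // unsupported syntax never matches
  const bound = m.slice(2).map(Number);
  const c = cmp(v, bound);
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    case '^': return c >= 0 && cmp(v, caretUpper(bound)) < 0;
    case '~': return c >= 0 && cmp(v, [bound[0], bound[1] + 1, 0]) < 0;
    default: return c === 0;
  }
}

function satisfies(version, range) {
  const m = COMPARATOR.exec(version.trim());
  if (!m || m[1]) return false; // not a plain x.y.z version
  const v = m.slice(2).map(Number);
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(token => testComparator(token, v)));
}

// Fixture rows are [range, version, options]; loose rows are skipped, not edited out.
const isLoose = o => o === true || (o !== null && typeof o === 'object' && o.loose === true);
function runFixtures(rows, expected) {
  const out = { passed: 0, skipped: 0, failed: [] };
  for (const [range, version, options] of rows) {
    if (isLoose(options)) out.skipped++;
    else if (satisfies(version, range) === expected) out.passed++;
    else out.failed.push([range, version]);
  }
  return out;
}

// Constructed rows in the upstream fixture shape (not copied from node-semver).
const INCLUDE = [['^1.2.3', '1.4.0'], ['~1.2.3', '1.2.9'], ['^0.2.3', '0.2.5'],
  ['<1.0.0 || >=2.3.1', '2.4.5'], ['>=0.1.97', 'v0.1.97', true],
  ['=0.7.x', '0.7.2', { loose: true }]];
const EXCLUDE = [['^1.2.3', '2.0.0'], ['~1.2.3', '1.3.0'], ['^0.2.3', '0.3.0'],
  ['>=1.0.0 <2.0.0', '2.0.0'], ['>=0.1.97', '0.1.93', true]];
```

A row the matcher gets wrong lands in `failed` with its range and version, so an unsupported upstream case shows up in the test run instead of being silently dropped.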
@trentm I have applied your suggestions and updated PR according to your comments. Could you please check?
I am happy with the licensing/copyright handling (after the couple suggestions I have here). With those changes, this PR LGTM.
The added semver.ts is a fair chunk of code to add, but hopefully there isn't any maintenance. The node-semver test fixture files that are being used for testing haven't changed in node-semver.git in over a year, so that seems somewhat stable.
@serkan-ozal Did you happen to have an idea of how much this change saves on an AWS Lambda coldstart? Or some data around how the semver init was contributing to cold start time? That data might be interesting for future maintenance.
/* | ||
* Copyright The OpenTelemetry Authors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
// Imported from https://github.com/npm/node-semver/blob/868d4bbe3d318c52544f38d5f9977a1103e924c2/test/fixtures/range-include.js | ||
|
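Review bot: the `// Imported from` line pins the exact upstream commit, which is worth keeping, but placing it and the Apache header inside the fixture means the file no longer matches upstream byte for byte. Move the provenance URL to a README (or similar) next to the fixtures and leave the file itself untouched, so the copy can be diffed or hashed against node-semver at that commit.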
Actually I think this block should be removed. My read of the intent of the "stored unmodified in a designated third-party folder" is that they should be completely unchanged from the source repo, if possible. Then we don't need to apply the OTel copyright and license to these files.
Ah, OK. It is just left over. Just removed.
I have calculated these module require timings (
As you can see,
@trentm Could you please check the PR one more time. Hopefully, it is OK to merge finally.
# Conflicts: # CHANGELOG.md
Thanks for the Note to self: The 13ms to
# Sum the top-level "NN ms" timings
% cat data.txt | rg '^\|' | gsed -e 's/^.*took \([0-9]\+\) ms$/\1/' | paste -sd+ - | bc
402
% node
> 13 / 402
0.03233830845771144
@@ -74,7 +74,6 @@ | |||
"@types/shimmer": "^1.2.0", | |||
"import-in-the-middle": "^1.8.1", | |||
"require-in-the-middle": "^7.1.1", | |||
"semver": "^7.5.2", |
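Review bot: removing `"semver": "^7.5.2"` on the last line leaves the internal implementation as the only range matcher this package has at runtime, so its behaviour on range syntax it does not support should be defined and covered by a test. Such input should come back as a non-match (ideally with a diagnostic) rather than throw, and a short doc comment listing the supported range syntax would tell callers what they can pass.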
I wonder if we should include semver as a development dependency to be used in tests. We could assert that our semver replacement functions output matches the semver package.
We already have imported tests from the semver package and the test fixtures also include expected results (results of the actual semver package). That is the reason why I had removed the semver package dependency even from dev dependencies.
Which problem is this PR solving?
I am one of the OTEL FAAS SIG members and working on reducing coldstart overhead of the OTEL Lambda Node.js layer.
During my analysis, I have noticed that the semver package has some initialization overhead (~15 ms) and most of it is caused by the semver internal initialization here (You can see that there are many RegExp compiles there).
So I have been looking for a way to reduce it and I believe that getting rid of the semver dependency and providing an internal and simpler semantic versioning check implementation makes more sense.
Short description of the changes
This PR removes the semver package dependency and replaces its usages with an internal semantic versioning implementation.
Some parts of the internal semver implementation are borrowed from the actual semver package code base.
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
experimental/packages/opentelemetry-instrumentation/test/common/semver.test.ts
Checklist: