Context
Following an exchange with the CNCF legal team regarding the distribution of PostgreSQL extension OCI images under the CloudNativePG project umbrella, several compliance requirements have been clarified that are not currently reflected in the project documentation.
The key outcomes of that review are as follows:
Licence compliance gate. CNCF policy requires a formal licence exception for any component distributed via a CNCF project that is not covered by the CNCF Allowlist Licence Policy. As project maintainers, we have decided not to pursue the exceptions process — only Allowlisted components will be accepted for distribution through this project. This is a governance decision; contributors whose extension cannot meet this requirement are free to adopt the same build tooling and distribute images independently.
Debian packages are mandatory. Building extension images from DFSG-compliant Debian packages sourced from a trusted, auditable repository is a hard requirement, not a preference. The PGDG repository is the recommended source, but other Debian repositories meeting the same standards are acceptable. The requirement exists for two reasons: (a) Debian DEP-5 machine-readable copyright files satisfy attribution obligations — they are copied into /licenses/<pkg>/ in the final FROM scratch image at build time; (b) DFSG compliance guarantees that non-free components have been removed by the package maintainers.
Attribution mechanism confirmed adequate. The CNCF legal team has confirmed that copying Debian DEP-5 copyright files into /licenses/ inside the final image is sufficient to satisfy attribution obligations for vendored components.
Base image GPL libs: no exception needed. GPL system libraries originating from the upstream Debian Slim base image and not actively re-installed by this project do not require a licence exception.
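The licence gate and the DEP-5 attribution mechanism described above can be enforced mechanically at build time. The following is an added example (not code from the CloudNativePG project) that parses the DEP-5 copyright files a build copies into /licenses/<pkg>/ and reports any licence short name outside an allowlist; the allowlist contents and the sample copyright file are constructed for illustration, not the official CNCF list.

```python
"""Gate DEP-5 copyright files (as copied into /licenses/<pkg>/) against a licence allowlist."""
import re

# Illustrative allowlist (assumption: a subset of permissive identifiers, not the full CNCF list).
ALLOWLIST = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "PostgreSQL"}

# Debian short names that differ from the SPDX identifier (DEP-5 uses "Expat" for MIT).
ALIASES = {"Expat": "MIT"}

# Constructed DEP-5 file: a package that is mostly PostgreSQL-licensed but vendors one GPL file.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example-ext

Files: *
Copyright: 2020 Example Authors
License: PostgreSQL

Files: contrib/helper.c
Copyright: 2019 Someone Else
License: GPL-2.0+
 This program is free software; you can redistribute it and/or modify it.
"""


def parse_licenses(text: str) -> set[str]:
    """Return every short name declared in a DEP-5 'License:' field.
    Continuation lines start with a space, so only field lines match; a field may
    combine names with 'and' / 'or' (e.g. 'MIT or GPL-2.0'), which are split apart."""
    names: set[str] = set()
    for line in text.splitlines():
        m = re.match(r"^License:\s*(.+?)\s*$", line)
        if m:
            for name in re.split(r"\s+(?:and|or)\s+", m.group(1)):
                names.add(name)
    return names


def normalise(name: str) -> str:
    """Map a DEP-5 short name onto the identifier used by the allowlist.
    A trailing '+' ("or later") is dropped: the base licence decides admissibility."""
    return ALIASES.get(name, name.rstrip("+"))


def disallowed(text: str, allowlist: set[str] = ALLOWLIST) -> list[str]:
    """Sorted list of normalised licence names in the file that are not allowlisted."""
    return sorted({normalise(n) for n in parse_licenses(text)} - allowlist)


def audit(copyright_files: dict[str, str]) -> dict[str, list[str]]:
    """Given {package: DEP-5 text} (what /licenses/<pkg>/copyright would hold),
    return only the packages that would fail the gate and why."""
    result = {pkg: disallowed(text) for pkg, text in copyright_files.items()}
    return {pkg: bad for pkg, bad in result.items() if bad}
```

A build step would call audit() over every /licenses/<pkg>/copyright file and fail when the returned dict is non-empty.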
Changes required
The following files need to be updated to reflect the above:
README.md — tighten the licensing and Debian packages bullets in the Extension Requirements section; add a note against PostGIS acknowledging its GPL-2.0 licence and the pending exception request
CONTRIBUTING_NEW_EXTENSION.md — replace the "case-by-case" licence language with the Allowlist-only policy; update the NOTE about proceeding before maintainer approval
.github/ISSUE_TEMPLATE/extension.yaml — add a required Debian package name field; replace the generic licence compliance checkbox with an SPDX licence dropdown and a separate attestation checkbox; tighten the dependent extensions description
Follow-up
PostGIS is licensed under GPL-2.0, which is not on the CNCF Allowlist. A separate CNCF licence exception request must be filed by a project maintainer for PostGIS to remain in the project. This will be tracked in a dedicated issue.