
Governance and Licensing for Add-on Builder developed apps

SplunkTrust

I'm building an app with a modular input using the Add-on Builder. For now, let's call it TA-parfait. (Because EVERYBODY likes parfait.) I have concerns.

First of all, I notice that there's a bunch of opaque, minified JavaScript in SPLUNK_HOME/etc/apps/TA-parfait/appserver. I didn't write this, but I have no idea what the license is on it, nor what all is even contained in it. I assume that some or all of the 3rd party software listed here - http://docs.splunk.com/Documentation/AddonBuilder/2.1.2/UserGuide/Thirdpartysoftwarecredits - is there, but I also assume that Splunk has their own code in there as well.

Also there's a bunch of Splunk-developed and non-Splunk-developed code inside of SPLUNK_HOME/etc/apps/TA-parfait/bin. It's at least not minified so there's that.

My first concern is around licensing. How many of the 3rd party components listed in the AOB's credits are part of AOB itself versus being part of AOB's output? What all components do I need to account for in my own open source attributions? Some of the code added to my app by Add-on Builder is Splunk's own code - how is it licensed, and how do I need to attribute it? How does it affect my distribution of my app if I want to (say) sell my app commercially?

My second concern is around updates and security vulnerabilities. I trust (hope?) that the team supporting AOB at Splunk is tracking security advisories for the components they use within the product. But I don't know for sure at this point what all is even in my own app in order to track it. If - for instance - there is a security patch against Jinja2 (which is included in my TA by AOB) ... I don't know for sure which version of Jinja2 AOB included within my app. Do I wait for Splunk to patch AOB, and then will AOB automatically update the copy of Jinja2 within my TA? Or am I on my own to just "know" to update all the 3rd party code in my AOB-built add-on?

Are my concerns founded? Or am I being silly?


Splunk Employee

Hi dwaddle, great questions!

To address the first part of your question: I've added a section in the doc for the recently released 2.2.0 version that I hope will cover what you need. Each credit also specifies which version of the library is included.
See http://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Validate#Credit_third-party_librar...

Please upgrade to 2.2.0 and repackage any existing TA projects with this new version to bring your libraries up to date.

Your points above and in comments below about the Splunk license agreement make sense, so we've updated the license that applies to Add-on Builder with this new one: https://www.splunk.com/en_us/legal/splunk-app-end-user-license-agreement.html
Note that the license in the 2.2.0 package currently is out of date, and there's a known issue filed to fix that in the next release.

For the second part of your question, I've asked an engineer whether AOB would auto-update the library packaged in your TA if you edit it with a later version of AOB (assuming that later version of AOB includes a later version of the library.) The answer is yes. If any dependency changes in the new version of AOB, it will be updated in the TA when you repackage it with the new version of AOB.



Splunk Employee

Watchers, I've updated the Answer above with the latest information. Thanks for raising these issues!

SplunkTrust

This is about the best I could have asked for in this situation. From what I can tell, the new AOB license is almost straightforward enough for a layperson to understand it, and it enables me to do what I think I need to with my derivative works. And all of the 3rd party code is (seemingly) clearly laid out there. I really appreciate the efforts and the clarity brought here.


SplunkTrust

I agree. Reading the new license, it looks like a great improvement. Nice work! I hope it's the shape of some things to come - there are some other Splunk-owned things that would be much happier if they were licensed under this as well.


SplunkTrust

[Edited this comment, now that the answer above has actually been pretty significantly changed]

Formerly the answer above was that the code inserted by Add-on Builder was licensed under Splunk's standard license agreement, which was a terrible answer in many ways.
-- the license granted was nontransferable and nonsublicensable. So as soon as the third party distributed their app to anyone, they violated the Splunk master SLA.
-- the third party was left with no right to modify, adapt, or create derivative works. So they were stuck with this software, but as soon as they edited it to fix anything they violated the Splunk master SLA.

Also note - the credit third parties link did not actually specify under what license any of this third party content is distributed.

Great to see positive change happening here. In review, basically anything that Splunk ships under Master Software SLA, no developer should ever be copying any of that into any app that they wish to develop and distribute. And to the extent that Splunk is putting other third party code into developer's apps, you need to specify explicitly what licenses the app developer has to accept and pass on. This stuff does matter - out in the ecosystem app developers have to certify to third party content licensing and IP infringement issues and they need this information.

SplunkTrust

The updates to the docs are a really great start. However, I think "more is needed" because I did a quick scan of the minified common.js hairball that AOB ships and I see jQuery and a bunch of other things inside the hairball.

Similar to @sideview's concerns, I'm not sure that I feel comfortable with Splunk's standard software license terms being attached to something I'm building. That puts me in a potential pickle if I either open-source my app or try to commercially license it. Granted, I would hope that Splunk would not have an incentive to litigate an ecosystem partner that is releasing apps built on Add-on Builder. However, it would be an expensive thing on my part to deal with.

Finally, are there plans to ensure that when AOB-integrated 3rd party code does get updated due to a security issue that there is a public advisory within the Splunk Security Portal so that we know to come repackage our TAs to pick up the updates?

Honestly, truly, not trying to kill AOB in a pile of oversight, but I'm deeply concerned about using it for shipping product.

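The recurring practical problem in this thread (in the original question, in the answer about repackaging, and in the comment about the minified common.js bundle) is that the add-on author cannot easily tell which third-party components, at which versions, Add-on Builder has placed inside the app. The following script is an added example, not code from the thread or from Add-on Builder: it walks an app directory, records each Python package under bin/ together with the version it declares, records library banner comments found in JavaScript under appserver/, and diffs two such inventories so you can see what changed after repackaging with a newer AOB. The TA-parfait directory layout it builds, and every version string in it, are constructed for the demo; the banner-comment and `__version__` conventions are general ones, not something the page documents for AOB's output.

```python
"""Inventory third-party code bundled inside a Splunk add-on directory.

Added example; not from the Splunk Answers thread or from Add-on Builder.
The demo app layout and all version strings below are constructed.
"""
import os
import re
import tempfile

# Minified bundles usually keep "/*!" banner comments, e.g. "/*! jQuery v3.6.0 ..."
JS_BANNER_RE = re.compile(r"/\*!\s*([A-Za-z][\w.\- ]*?)\s+v?(\d+\.\d+(?:\.\d+)?)")
# Many Python libraries declare __version__ = "x.y.z" in their __init__.py
PY_VERSION_RE = re.compile(r"^__version__\s*=\s*['\"]([^'\"]+)['\"]", re.M)


def python_packages(bin_dir):
    """Map package name -> declared version for each package directory under bin/.
    Packages without a __version__ string are reported as 'unknown' so they
    still show up in the inventory rather than silently disappearing."""
    found = {}
    if not os.path.isdir(bin_dir):
        return found
    for name in sorted(os.listdir(bin_dir)):
        init = os.path.join(bin_dir, name, "__init__.py")
        if not os.path.isfile(init):
            continue
        with open(init, encoding="utf-8", errors="replace") as fh:
            match = PY_VERSION_RE.search(fh.read())
        found[name] = match.group(1) if match else "unknown"
    return found


def js_libraries(appserver_dir):
    """Map library name -> version for every banner comment in .js files under appserver/."""
    found = {}
    for root, _dirs, files in os.walk(appserver_dir):
        for fn in files:
            if not fn.endswith(".js"):
                continue
            with open(os.path.join(root, fn), encoding="utf-8", errors="replace") as fh:
                for match in JS_BANNER_RE.finditer(fh.read()):
                    found[match.group(1).strip()] = match.group(2)
    return found


def inventory(app_dir):
    """Full inventory of one app directory (e.g. SPLUNK_HOME/etc/apps/TA-parfait)."""
    return {
        "python": python_packages(os.path.join(app_dir, "bin")),
        "javascript": js_libraries(os.path.join(app_dir, "appserver")),
    }


def diff_inventories(old, new):
    """List (kind, name, old_version, new_version) for every component that was
    added, removed, or changed version between two inventories."""
    changes = []
    for kind in ("python", "javascript"):
        names = set(old.get(kind, {})) | set(new.get(kind, {}))
        for name in sorted(names):
            before = old.get(kind, {}).get(name)
            after = new.get(kind, {}).get(name)
            if before != after:
                changes.append((kind, name, before, after))
    return changes


def build_demo_app(root, jinja_version):
    """Construct a tiny TA-parfait layout with clearly fake version strings."""
    app = os.path.join(root, "TA-parfait")
    os.makedirs(os.path.join(app, "bin", "jinja2"))
    os.makedirs(os.path.join(app, "bin", "parfait_input"))
    os.makedirs(os.path.join(app, "appserver", "static", "js"))
    with open(os.path.join(app, "bin", "jinja2", "__init__.py"), "w") as fh:
        fh.write('__version__ = "%s"\n' % jinja_version)  # constructed version
    with open(os.path.join(app, "bin", "parfait_input", "__init__.py"), "w") as fh:
        fh.write("# the add-on's own modular input code, no version string\n")
    with open(os.path.join(app, "appserver", "static", "js", "common.js"), "w") as fh:
        fh.write("/*! jQuery v9.9.9 | (c) constructed */\n!function(){}();\n"
                 "/*! lodash v8.8.8 */\n")  # constructed banners
    return app


def demo():
    """Build an 'old' and a 'repackaged' demo app and return both inventories plus the diff."""
    with tempfile.TemporaryDirectory() as old_root, tempfile.TemporaryDirectory() as new_root:
        old = inventory(build_demo_app(old_root, "1.0.0"))
        new = inventory(build_demo_app(new_root, "1.0.1"))
        return old, new, diff_inventories(old, new)


if __name__ == "__main__":
    old_inv, new_inv, delta = demo()
    print("before:", old_inv)
    print("after: ", new_inv)
    print("changed:", delta)
```

Run it against a real app directory with `inventory("/opt/splunk/etc/apps/TA-parfait")`; components reported as `unknown`, and JavaScript files with no banner at all, are exactly the ones to cross-check by hand against the third-party credits page, since the script can only report versions the bundled files declare about themselves.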

Splunk Employee

Thanks, dwaddle and sideview both. I'm working with the product team on all these excellent questions and will update with answers when I have them.


Splunk Employee

I've updated my answer with some further info about the second part of the question, and will update it again with better information about the licensing for the Splunk code. Thanks!
