diff --git a/.github/ISSUE_TEMPLATE/extension.yaml b/.github/ISSUE_TEMPLATE/extension.yaml index cea772f..93b241c 100644 --- a/.github/ISSUE_TEMPLATE/extension.yaml +++ b/.github/ISSUE_TEMPLATE/extension.yaml @@ -38,6 +38,21 @@ body: validations: required: true + - type: input + id: debian-package-name + attributes: + label: Debian Package Name + description: | + The name of the [DFSG](https://www.debian.org/social_contract#guidelines)-compliant Debian package. The PGDG (PostgreSQL Global + Development Group) repository is the recommended source, but other trusted, + auditable Debian repositories are acceptable. Verify availability by running + `apt search ` inside a + `ghcr.io/cloudnative-pg/postgresql:-minimal-` container, + and provide the repository URL if not PGDG. + placeholder: ex. postgresql-$PGMAJOR-pgvector + validations: + required: true + - type: input id: website-url attributes: 
@@ -65,20 +80,48 @@ body: validations: required: true + - type: dropdown + id: license-spdx + attributes: + label: Extension License (SPDX identifier) + description: | + Select the SPDX license identifier for the extension. Only licenses on the + [CNCF Allowlist License Policy](https://github.com/cncf/allowed-third-party-license-policy/blob/main/Exceptions.md) + are accepted for distribution through this project. If your extension is + licensed under something not listed here, select "Other" and verify it against + the Allowlist before submitting — unlisted licenses will not be accepted. + options: + - PostgreSQL + - MIT + - Apache-2.0 + - BSD-2-Clause + - BSD-3-Clause + - Other — verify against the CNCF Allowlist before submitting + validations: + required: true + - type: checkboxes id: license-check attributes: label: License Compliance - description: Please confirm the license of the extension complies with the **allowed licenses** for this project. + description: | + All components distributed in this extension image (including the extension itself + and any transitive dependencies) must be covered by a license on the + [CNCF Allowlist License Policy](https://github.com/cncf/allowed-third-party-license-policy/blob/main/Exceptions.md). + Extensions that include components under any other license will not be accepted. options: - - label: The extension's license (linked above) complies with the list of allowed licenses. + - label: I confirm that all components distributed in this extension image are covered by a license on the CNCF Allowlist. required: true - type: textarea id: dependent-extensions attributes: label: Known Dependent Extensions - description: List any other PostgreSQL extensions that MUST be installed before or alongside this extension (e.g., if this extension requires 'plpgsql' or 'postgis' to be present). If none, please state "None". 
+ description: | + List any other PostgreSQL extensions that must be present for this extension to + function (i.e. extensions that must be created via `CREATE EXTENSION` before this + one). This covers PostgreSQL-level dependencies only — OS-level system library + dependencies are handled separately by the build system. If none, state "None". placeholder: ex. postgis validations: required: true diff --git a/CONTRIBUTING_NEW_EXTENSION.md b/CONTRIBUTING_NEW_EXTENSION.md index d3568f2..0d6c3e4 100644 --- a/CONTRIBUTING_NEW_EXTENSION.md +++ b/CONTRIBUTING_NEW_EXTENSION.md @@ -1,4 +1,4 @@ -# Contributing: Adding a New PostgreSQL Extension + This guide walks you through the lifecycle of adding a new extension, from setting up your environment to submitting a Pull Request. @@ -13,7 +13,8 @@ setting up your environment to submitting a Pull Request. Before proposing a change, ensure your local machine is compatible with the [build stack](BUILD.md). -1. **Fork** the [cloudnative-pg/postgres-extensions-containers](https://github.com/cloudnative-pg/postgres-extensions-containers) repository. +1. **Fork** the [cloudnative-pg/postgres-extensions-containers](https://github.com/cloudnative-pg/postgres-extensions-containers) + repository. 2. **Clone** your fork and enter the directory: ```sh git clone https://github.com//postgres-extensions-containers.git 
@@ -33,9 +34,12 @@ Before proposing a change, ensure your local machine is compatible with the To maintain high standards and avoid duplicated effort or architectural conflicts, every new extension begins with a formal proposal. -During this phase, you must verify that the extension is available in the PGDG -(PostgreSQL Global Development Group) repositories and identify its versioning -logic. +During this phase, you must verify that the extension is available as a +[DFSG](https://www.debian.org/social_contract#guidelines)-compliant Debian +package from a trusted, auditable repository, and identify its versioning +logic. The PGDG (PostgreSQL Global Development Group) repository is the +recommended source; other Debian repositories are acceptable provided they meet +the same standards. ### Identifying the Package & Version 
@@ -111,18 +115,23 @@ submit your proposal: 1. Point your browser to ["New Extension Proposal"](https://github.com/cloudnative-pg/postgres-extensions-containers/issues/new/choose). 2. Provide the package name, versioning info, and a link to the upstream source. -3. State the license clearly: - - CNCF-Allowed: licenses on the [CNCF Allowlist](https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md) (e.g., Apache-2.0, MIT, or PostgreSQL) are generally pre-approved. - - Other Open Source: licenses like FSF-approved (GNU GPL) will be evaluated on a case-by-case basis. - - Redistribution: since we redistribute unmodified software, ensure you - identify where the upstream source code can be found (required for GNU - GPL compliance). +3. State the license clearly. Every component in the extension image must be + covered by a license on the + [CNCF Allowlist](https://github.com/cncf/allowed-third-party-license-policy/blob/main/Exceptions.md) + (e.g., Apache-2.0, MIT, PostgreSQL License). CNCF policy requires a formal + exception for any component not covered by the Allowlist; as project + maintainers we have decided not to pursue exceptions. Only Allowlisted + components will be accepted for distribution through this project. This is a + governance decision, not a legal limitation — contributors whose extension + cannot meet this requirement are welcome to adopt the same build tooling and + distribute images independently. > [!NOTE] -> You do not need to wait for maintainer approval to begin development or -> submit your PR. You are encouraged to proceed immediately; however, please be -> aware that if a fundamental issue (e.g., licensing) is discovered during the -> proposal review, you may need to modify or discard your work. +> You may begin development before receiving maintainer approval on most +> issues. 
However, please be aware that if a fundamental issue (e.g., a +> non-Allowlisted license) is discovered during the proposal review, your work +> will not be mergeable. Verify license compliance before investing significant +> development effort. --- diff --git a/README.md b/README.md index 0b9b4ed..358a681 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,9 @@ they are maintained by their respective authors, and PostgreSQL Debian Group | **[pgvector](pgvector)** | Vector similarity search for PostgreSQL | [github.com/pgvector/pgvector](https://github.com/pgvector/pgvector) | | **[PostGIS](postgis)** | Geospatial database extension for PostgreSQL | [postgis.net/](https://postgis.net/) | +> [!NOTE] +> PostGIS is licensed under GPL-2.0, which is not on the CNCF Allowlist. Its +> inclusion in this project is subject to a formal CNCF license exception request. Extensions are provided only for the OS versions already built by the [`cloudnative-pg/postgres-containers`](https://github.com/cloudnative-pg/postgres-containers) project, 
@@ -64,18 +67,28 @@ The project adheres to the following frameworks: When proposing a new extension, the following criteria must be met: - **Licensing and IP ownership:** We redistribute unmodified third-party - software as container images. We prioritize licenses explicitly allowed by the - [CNCF License Policy](https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md), - which includes the PostgreSQL License (relevant to this project). Other - open-source licenses, such as FSF-approved licenses (e.g., GNU GPL), will be - considered on a case-by-case basis to ensure compliance with redistribution - requirements. + software as container images. Every component in an extension image must be + covered by a license on the + [CNCF Allowlist License Policy](https://github.com/cncf/allowed-third-party-license-policy/blob/main/Exceptions.md), + which includes Apache-2.0, MIT, and the PostgreSQL License. CNCF policy + requires a formal exception for any component not covered by the Allowlist; + as project maintainers we have decided not to pursue exceptions, so only + Allowlisted components will be accepted for distribution through this project. + This is a governance decision, not a legal limitation — contributors whose + extension cannot meet this requirement are welcome to adopt the same build + tooling and distribute images independently. - **Structure:** only one extension can be included within an extension folder. -- **Debian Packages:** Extension images must be built using a Debian package - provided by a trusted source like the - [PostgreSQL Global Development Group (PGDG)](https://wiki.postgresql.org/wiki/Apt). - This ensures compatibility with the base images and standard package - management procedures. +- **Debian Packages:** Extension images must be built **exclusively** from + [DFSG](https://www.debian.org/social_contract#guidelines)-compliant Debian packages sourced from a trusted, auditable repository. 
+ The [PostgreSQL Global Development Group (PGDG)](https://wiki.postgresql.org/wiki/Apt) + is the recommended source, but other Debian repositories are acceptable + provided they meet the same standards. This is a hard requirement for two + reasons: (a) Debian DEP-5 machine-readable copyright files are the mechanism + used to satisfy attribution obligations — they are copied into + `/licenses//` in the final `FROM scratch` image at build time; (b) + [DFSG](https://www.debian.org/social_contract#guidelines) compliance + guarantees that non-free components have been removed by the package + maintainers, ensuring licence hygiene. - **License inclusion:** all necessary license agreements for the extension and its dependencies must be included within the extension folder (refer to the examples in the `pgvector` and `postgis` folders).
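
Review bot: In `.github/ISSUE_TEMPLATE/extension.yaml`, the new `debian-package-name` field asks the contributor to "provide the repository URL if not PGDG", but it is a single-line `input` labelled "Debian Package Name", so there is nowhere to record that URL. Add a separate optional `input` for the repository URL so the package origin is captured in a structured field and can be reviewed before it is wired into a build. Also check the rendered description: as shown, `apt search ` has no argument and the image reference `ghcr.io/cloudnative-pg/postgresql:-minimal-` has empty tag components, which suggests the placeholders did not survive.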
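
Review bot: In the `license-spdx` dropdown of `extension.yaml`, choosing "Other — verify against the CNCF Allowlist before submitting" records no license at all, because no field captures the actual SPDX identifier, and the `license-check` checkbox that follows is a self-attestation. Add a text `input` for the identifier so maintainers can verify the claim rather than rely on it. The description is also ambiguous: it tells the contributor to select "Other" for a license "not listed here" and then states "unlisted licenses will not be accepted", so say explicitly that "unlisted" means absent from the Allowlist, not absent from this dropdown. Finally, the link labelled "CNCF Allowlist License Policy" targets a file named `Exceptions.md`; confirm that this is the document that lists the allowed licenses.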
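
Review bot: In the `@@ -1,4 +1,4 @@` hunk of `CONTRIBUTING_NEW_EXTENSION.md`, the top-level heading `# Contributing: Adding a New PostgreSQL Extension` is removed and the replacement line is empty as shown, which leaves the guide without a title. If the heading was meant to be reworded rather than dropped, restore it; if the removal is intentional, say why in the commit message.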
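
Review bot: In step 3 of the `@@ -111,18 +115,23 @@` hunk of `CONTRIBUTING_NEW_EXTENSION.md`, the removed "Redistribution" bullet was the only place that asked contributors to identify where the upstream source code can be found, and the new text does not replace it. The README in this same patch still lists PostGIS under GPL-2.0, so that requirement remains relevant for at least one shipped image; keep a sentence asking for the upstream source location. In the `[!NOTE]` block, "before receiving maintainer approval on most issues" is vague: state which issues do require approval first, or drop "on most issues".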
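
Review bot: The `[!NOTE]` added after the extension table in `README.md` contradicts the licensing criterion changed later in the same file. The note says PostGIS inclusion "is subject to a formal CNCF license exception request", while the criterion says "as project maintainers we have decided not to pursue exceptions, so only Allowlisted components will be accepted". Reconcile the two, for example by stating that PostGIS is a pre-existing case handled separately and that no new exceptions will be requested, and say what happens to the PostGIS image if the request is not granted.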
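
Review bot: In the "Debian Packages" bullet of the `@@ -64,18 +67,28 @@` hunk of `README.md`, reason (b) states that DFSG compliance "guarantees that non-free components have been removed by the package maintainers", yet the same bullet accepts "other Debian repositories" that "meet the same standards" without saying who verifies this or how. Define what "trusted, auditable" means in checkable terms (for example a signed repository with publicly available packaging sources) and soften "guarantees" unless a review step backs it; the same undefined phrase appears in the `@@ -33,9 +34,12 @@` hunk of `CONTRIBUTING_NEW_EXTENSION.md`. Two smaller points: the path `/licenses//` has an empty component as shown, and "licence hygiene" is spelled differently from "license" everywhere else in the file.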