Hi, my team would use Loggregator-release V102 and to approve that I've to verify all its licenses and those of its dependencies chain, analyzing their source code.

Now Loggregator-release V102 has Arch (at https://github.com/golang/arch) as dependency; Arch include a file at "arch/x86/x86avxgen/testdata/xedpath/all-dec-instructions.txt", that contains some pieces of code Intel Confidential, here below the Legal text of that code:

#BEGIN_LEGAL
#INTEL CONFIDENTIAL

#Copyright (c) 2017, Intel Corporation. All rights reserved.

#The source code contained or described herein and all documents
#related to the source code ("Material") are owned by Intel Corporation
#or its suppliers or licensors. Title to the Material remains with
#Intel Corporation or its suppliers and licensors. The Material
#contains trade secrets and proprietary and confidential information of
#Intel or its suppliers and licensors. The Material is protected by
#worldwide copyright and trade secret laws and treaty provisions. No
#part of the Material may be used, copied, reproduced, modified,
#published, uploaded, posted, transmitted, distributed, or disclosed in
#any way without Intel's prior express written permission.

#No license under any patent, copyright, trade secret or other
#intellectual property right is granted to or conferred upon you by
#disclosure or delivery of the Materials, either expressly, by
#implication, inducement, estoppel or otherwise. Any license under such
#intellectual property rights must be express and approved by Intel in
#writing.
#END_LEGAL

Based on that, to use Arch (that contain that Intel code) an Intel's prior express written permission it's needed, and if you have already obtained I can allow the use of Arch.

So, my question is: do you have obtained the permission to use that code coming from Arch?

Or do you know that it could not be needed for any reason that I don't imagine?

Thanks a lot for your support.

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/166062614

The labels on this github issue will be updated when the story is started.

Hi there,

Thanks for the heads up on this. Looking through the source code, I don't see any reference go golang/arch. It's not in our src directory and grep isn't turning up anything either.

Would you mind linking to the dependency? Thanks!

Let me explain shortly how we get to that .

The all-dec-instructions.txt which contains the INTEL CONFIDENTIAL label comes from this chain:

1. loggregator references golang/go1.9.4.linux-amd64.tar.gz in blobs.yml

2. running the following commands you get the blob:
   git clone https://github.com/cloudfoundry/loggregator-release
   git checkout tags/v102.0
   git submodule update --recursive --init
   bosh sync-blobs

3. un-tarring the go1.9.4.linux-amd64.tar.gz you get ./loggregator-release-v102.0/loggregator-release/blobs/golang/go1.9.4.linux-amd64/go/src/cmd/internal/objfile/disasm.go

4. in disasm.go there is the import "golang.org/x/arch/x86/x86asm"

5. cloning it with
   git clone ssh://git@github.com/golang/arch
   you obtain the sources that include ./x86/x86avxgen/testdata/xedpath/all-dec-instructions.txt

So the issue seems with arch package that is an external dependency of go1.9.4.linux-amd64 rather than loggregator code itself

Hello @mlicursi @luisapace

We've looked into this and discovered a couple of things. The library you found is only linked and distributed when built against ARM architecture. We're shipping source rather than binaries and we don't compile against ARM. As a result, we're not distributing any proprietary code.

@luisapace @mlicursi +1 to the statement from @MasslessParticle above.
We're not distributing any proprietary code, as we don't compile against ARM architecture either.