COPYRIGHT (C) 2020, ECLIPSE FOUNDATION, INC. | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)
Open Source Software Governance
Gaël Blondelle, Vice President, Ecosystem Development
Sharon Corbett, Manager, Intellectual Property
Eclipse Intellectual Property Management
> Goal: Consume with Confidence for Commercial Adoption
> Due Diligence Review Process
• Full review of project code (license, provenance, scanning for anomalies)
• License compliance model review for leveraged third party libraries
> Board Approved IP Policy
https://www.eclipse.org/org/documents/Eclipse_IP_Policy.pdf
> Legal Agreements for committers, contributors and working group participants
> Formal Contribution Mechanism
Enhanced Approach 2019/2020
> Streamlined review of third party content to a license compliance model to support:
  • Agile development
  • New technologies
  • Project success:
    • Lightweight and automated
    • Software development activity
    • Faster service / increased project velocity
    • Greater flexibility and predictability for projects
    • Reduced administrivia
While remaining risk focused!
License Compliance Model - Third Party Content
> License compatibility and licensing compliance focus for third party dependency libraries
> Driven by a Board approved license whitelist
https://www.eclipse.org/legal/licenses.php
> Eclipse Projects enabled to self validate during development (trust but verify)
> Full IP clearance required prior to formal releases
> Leverage and trust other sources of license information
Trusted Sources of License Data
> Eclipse Database (IPzilla)
• Painstakingly built database over the lifespan of the EF
• Deeply vetted
• Vast amount of data (>20,000 records)
> ClearlyDefined (OSI Initiative)
• License data including source location and attribution
• Harvested and curated data
• Crowd Sourced
> Eclipse works closely with ClearlyDefined
• Curation (Spirit of Contributing Back)
• Participation
Automated Tooling
License Extraction Tool (Prototype at https://github.com/eclipse/dash-licenses)
> Eclipse created an open source command-line tool that generates a dependency file and resolves each dependency's license information against two sources of truth:
  • IPzilla (Eclipse's own database)
  • ClearlyDefined's service (score of 75 or higher and approved license(s))
  • If dependencies are resolved as approved, no further action is required by the project
  • Only unresolved license information or "restricted" content requires closer scrutiny by the Eclipse IP Team
> ScanCode Toolkit, FOSSology and ClearlyDefined are also used directly by the IP Team
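How the two-source lookup described above can be wired up, as an added example in Python that is not the dash-licenses code: the IPzilla and ClearlyDefined data are constructed in-line stand-ins, the approved-license set is a short illustrative excerpt rather than the Board-approved list, and the "approved only if score is 75 or higher and the declared license is approved" rule follows the slide's description rather than the tool's actual implementation. The SPDX expression evaluator is included because real declared licenses are often expressions ("MIT OR GPL-2.0-only"), and a whitelist check that does plain string matching would either reject dual-licensed packages or, worse, approve "MIT AND LGPL-2.1-only" on seeing "MIT".

```python
# Added illustration of the two-source license resolution the slide describes; not
# dash-licenses code.  IPZILLA, CLEARLY_DEFINED and APPROVED_LICENSES are constructed.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

APPROVED_LICENSES: Set[str] = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0", "EPL-2.0"}
SCORE_THRESHOLD = 75  # the slide's "score of 75 or higher"

# Stand-in for IPzilla: ClearlyDefined-style coordinates -> prior Eclipse decision.
IPZILLA: Dict[str, str] = {
    "maven/mavencentral/org.slf4j/slf4j-api/1.7.30": "approved",
    "npm/npmjs/-/left-pad/1.3.0": "restricted",
}
# Stand-in for a ClearlyDefined definition lookup: declared expression plus score.
CLEARLY_DEFINED: Dict[str, dict] = {
    "maven/mavencentral/com.google.guava/guava/29.0-jre": {"declared": "Apache-2.0", "score": 87},
    "maven/mavencentral/org.example/lowconf/1.0": {"declared": "MIT", "score": 42},
    "npm/npmjs/@scope/dual/2.0.0": {"declared": "MIT OR GPL-2.0-only", "score": 90},
    "npm/npmjs/-/mixed/1.0.0": {"declared": "MIT AND LGPL-2.1-only", "score": 95},
}


def approved_under(expr: str, approved: Set[str]) -> bool:
    """Evaluate an SPDX expression: AND binds tighter than OR, parentheses group,
    OR needs one approved alternative, AND needs every part approved.  "X WITH Y"
    must be listed verbatim; NOASSERTION, unknown ids and "" are never approved."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        pos += 1
        return tokens[pos - 1]

    def parse_or() -> bool:
        result = parse_and()
        while peek().upper() == "OR":
            take()
            rhs = parse_and()  # parse unconditionally so the tokens are consumed
            result = result or rhs
        return result

    def parse_and() -> bool:
        result = parse_primary()
        while peek().upper() == "AND":
            take()
            rhs = parse_primary()
            result = result and rhs
        return result

    def parse_primary() -> bool:
        tok = take()
        if tok == "(":
            result = parse_or()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return result
        license_id = tok
        if peek().upper() == "WITH":
            take()
            license_id = f"{license_id} WITH {take()}"
        return license_id in approved

    if not tokens:
        return False
    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


@dataclass
class Resolution:
    coordinates: str
    status: str  # "approved" | "restricted" | "review"
    source: str  # "ipzilla" | "clearlydefined" | "none"
    license: Optional[str] = None
    score: Optional[int] = None


def resolve(coordinates: str) -> Resolution:
    """An IPzilla decision wins; ClearlyDefined is trusted only above the threshold."""
    if coordinates in IPZILLA:
        return Resolution(coordinates, IPZILLA[coordinates], "ipzilla")
    entry = CLEARLY_DEFINED.get(coordinates)
    if entry is None:
        return Resolution(coordinates, "review", "none")
    ok = entry["score"] >= SCORE_THRESHOLD and approved_under(entry["declared"], APPROVED_LICENSES)
    return Resolution(coordinates, "approved" if ok else "review", "clearlydefined",
                      entry["declared"], entry["score"])


def needs_ip_team(dependencies) -> list:
    """Everything not cleanly approved goes to the IP Team's review queue."""
    return sorted(c for c in dependencies if resolve(c).status != "approved")
```

Two design points worth noting: a low-confidence ClearlyDefined record is routed to review even when the declared license is on the list, because the score is the only signal that the harvested license text actually matches the declaration; and a dependency absent from both sources is never silently approved, it lands in the same queue.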
Best Practices
> License compliance as part of the open source software development process
> Bill of Materials Creation
> Document license information
• SPDX Identifiers usage
• Copyright and License headers in source files
• Readme, Notice and License File(s) included in repositories
> Crowd Source with the greater open source community
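A CI-style check for the documentation practices listed above (SPDX identifiers, copyright and license headers, README/NOTICE/LICENSE files), as an added example rather than Eclipse project tooling. The repository contents, the file-name conventions, the ten-line header window and the allowed-license set are all constructed for illustration; a real project would feed it a checkout and its own policy.

```python
# Added example of a repository license-hygiene check for the practices listed on
# the slide; not Eclipse project tooling.  The repository below, the file-name
# conventions and the allowed-license set are constructed for illustration.
import re
from typing import Dict, List, Set, Tuple

SOURCE_SUFFIXES = (".java", ".py", ".js", ".ts", ".go", ".rs", ".c", ".h", ".sh")
REQUIRED_FILES = {
    "README": ("README", "README.md"),
    "LICENSE": ("LICENSE", "LICENSE.md", "LICENSE.txt"),
    "NOTICE": ("NOTICE", "NOTICE.md"),
}
HEADER_WINDOW = 10  # header lines must appear within the first lines of a file

# Group 1 is the SPDX expression; a trailing comment terminator is dropped.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->)?\s*$")
COPYRIGHT_RE = re.compile(r"copyright\s+(?:\(c\)\s*|©\s*)?\d{4}", re.IGNORECASE)

Finding = Tuple[str, str]  # (path or "<repo>", issue code)


def first_match(pattern, lines):
    for line in lines:
        found = pattern.search(line)
        if found:
            return found
    return None


def audit(files: Dict[str, str], allowed: Set[str]) -> List[Finding]:
    """Return one finding per problem; an empty list means the repo passes.

    files maps repository-relative path -> content, so the same check runs on a
    checkout, a tarball or constructed test data."""
    findings: List[Finding] = []
    for label, candidates in REQUIRED_FILES.items():
        if not any(name in files for name in candidates):
            findings.append(("<repo>", f"missing-file:{label}"))
    for path, text in sorted(files.items()):
        if not path.endswith(SOURCE_SUFFIXES):
            continue
        head = text.splitlines()[:HEADER_WINDOW]
        spdx = first_match(SPDX_RE, head)
        if spdx is None:
            findings.append((path, "missing-spdx-header"))
        elif spdx.group(1) not in allowed:
            findings.append((path, f"license-not-allowed:{spdx.group(1)}"))
        if first_match(COPYRIGHT_RE, head) is None:
            findings.append((path, "missing-copyright"))
    return findings


# Constructed repository: one compliant file and three kinds of violation.
REPO: Dict[str, str] = {
    "README.md": "# demo\nLicensed under the EPL-2.0; see LICENSE and NOTICE.\n",
    "LICENSE": "Eclipse Public License - v 2.0\n(license text would go here)\n",
    "NOTICE": "Copyright (c) 2020 Demo Contributors\nDeclared project license: EPL-2.0\n",
    "src/org/demo/Good.java": (
        "/*\n * Copyright (c) 2020 Demo Contributors\n *\n"
        " * SPDX-License-Identifier: EPL-2.0\n */\npackage org.demo;\npublic class Good {}\n"
    ),
    "src/org/demo/NoHeader.java": "package org.demo;\npublic class NoHeader {}\n",
    "scripts/build.sh": (
        "#!/bin/sh\n# Copyright (c) 2020 Demo Contributors\n"
        "# SPDX-License-Identifier: GPL-3.0-only\necho build\n"
    ),
    # Header present but buried past HEADER_WINDOW lines: treated as missing.
    "src/org/demo/Late.java": "package org.demo;\n" + "// filler\n" * 12
                              + "// SPDX-License-Identifier: EPL-2.0\n",
}

if __name__ == "__main__":
    for path, issue in audit(REPO, {"EPL-2.0"}):
        print(f"{path}: {issue}")
```

The check deliberately compares the captured SPDX expression against the allowed set as a whole string; if a project needs to accept dual-licensed headers it should evaluate the expression rather than loosen the match, otherwise "MIT AND GPL-3.0-only" passes on the strength of "MIT".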
Eclipse Projects - Open Source Compliance
Eclipse Steady
Secure use of open source components during application development. Discover, assess and mitigate known vulnerabilities with Eclipse Steady.

Eclipse SW360
Software catalogue application providing a central place to share information on software components in the following areas: component, license, project, vulnerability.

Eclipse SW360 Antenna
Antenna scans the artifacts of a project, downloads sources for dependencies, validates sources and licenses, and creates dependencies with licenses as artifacts.
Thank You
Questions - license@eclipse.org
More Information can be read here

Open Source governance and the Eclipse Foundation, OW2online, June 2020
