Presentation by Gaël Blondelle, Managing Director at Eclipse Foundation.
Abstract:
In this talk, we will cover two complementary topics. The first is the set of Eclipse projects related to Open Source governance, such as Eclipse SW360, SW360 Antenna and Eclipse Steady, together with the opportunity to leverage SW360 as the core of a larger Open Source governance initiative.
The second is the Eclipse IP Process, which has been applied to hundreds of Eclipse projects for more than 15 years and is going through a modernization that involves both simplification from the developer's point of view and openness to new sources of trusted data like ClearlyDefined.
Open Source governance and the Eclipse Foundation, OW2online, June 2020
COPYRIGHT (C) 2020, ECLIPSE FOUNDATION, INC. | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)
Open Source Software Governance
Gaël Blondelle, Vice President, Ecosystem Development
Sharon Corbett, Manager, Intellectual Property
Eclipse Intellectual Property Management
> Goal: Consume with Confidence for Commercial Adoption
> Due Diligence Review Process
• Full review of project code (license, provenance, scanning for anomalies)
• License compliance model review for leveraged third party libraries
> Board Approved IP Policy
https://www.eclipse.org/org/documents/Eclipse_IP_Policy.pdf
> Legal Agreements for committers, contributors and working group participants
> Formal Contribution Mechanism
Enhanced Approach 2019/2020
> Streamlined review of third party content to a license compliance model to support:
• Agile development
• New technologies
• Project success:
  • Lightweight and automated
  • Software development activity
  • Faster service / increased project velocity
  • Greater flexibility and predictability for projects
  • Reduced administrivia
While remaining Risk Focused!
License Compliance Model - Third Party Content
> License compatibility and licensing compliance focus for third party dependency libraries
> Driven by a Board-approved license whitelist
https://www.eclipse.org/legal/licenses.php
> Eclipse Projects enabled to self-validate during development (trust but verify)
> Full IP clearance required prior to formal releases
> Leverage and trust other sources of license information
Trusted Sources of License Data
> Eclipse Database (IPzilla)
• Painstakingly built database over the lifespan of the EF
• Deeply vetted
• Vast amount of data (>20,000 records)
> ClearlyDefined (OSI Initiative)
• License data including source location and attribution
• Harvested and curated data
• Crowd Sourced
> Eclipse works closely with ClearlyDefined
• Curation (Spirit of Contributing Back)
• Participation
Automated Tooling
License Extraction Tool (prototype at https://github.com/eclipse/dash-licenses)
> Eclipse created an open source command-line tool that generates a dependency file and maps it against two sources of truth to resolve license information:
• IPzilla (Eclipse's own database)
• ClearlyDefined's service (score of 75 or higher and approved license(s))
• If dependencies are resolved as approved, no further action is required by the project
• Only unresolved license information or "restricted" content requires closer scrutiny by the Eclipse IP Team
> ScanCode Toolkit, Fossology and ClearlyDefined are also utilized directly by the IP Team
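The two-source resolution described on this slide, as an added illustration (not the dash-licenses project's own code): IPzilla and ClearlyDefined are represented by constructed in-memory lookups, the approved-license set is a constructed subset of the Eclipse list, and the order of consultation (IPzilla first, then ClearlyDefined) is an assumption.

```python
"""Two-source license resolution in the spirit of the dash-licenses
prototype. Added illustration, not the project's own code: IPzilla and
ClearlyDefined are stand-in dictionaries holding constructed sample data."""
from dataclasses import dataclass
from typing import Optional

CLEARLYDEFINED_MIN_SCORE = 75  # threshold named on the slide

# Constructed subset standing in for the board-approved license list
# (https://www.eclipse.org/legal/licenses.php); the real list is longer.
APPROVED_LICENSES = {"EPL-2.0", "Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed records: IPzilla holds vetted decisions; ClearlyDefined
# holds a harvested license plus a confidence score (0-100).
IPZILLA = {"pkg:maven/example/core@1.0": "EPL-2.0",
           "pkg:maven/example/copyleft@2.1": "GPL-2.0-only"}
CLEARLYDEFINED = {"pkg:maven/example/util@3.2": ("Apache-2.0", 88),
                  "pkg:maven/example/fuzzy@0.9": ("MIT", 60),
                  "pkg:maven/example/lgpl@1.4": ("LGPL-2.1-only", 92)}

@dataclass
class Resolution:
    dependency: str
    license: Optional[str]
    source: Optional[str]   # "ipzilla", "clearlydefined" or None
    status: str             # "approved" or "review"

def resolve(dep: str) -> Resolution:
    """Assumed order: a vetted IPzilla record wins; otherwise accept a
    ClearlyDefined record only when its score meets the threshold.
    Anything unresolved or not on the approved list goes to IP Team review."""
    if dep in IPZILLA:
        lic, src = IPZILLA[dep], "ipzilla"
    elif dep in CLEARLYDEFINED and CLEARLYDEFINED[dep][1] >= CLEARLYDEFINED_MIN_SCORE:
        lic, src = CLEARLYDEFINED[dep][0], "clearlydefined"
    else:
        return Resolution(dep, None, None, "review")
    status = "approved" if lic in APPROVED_LICENSES else "review"
    return Resolution(dep, lic, src, status)

def review_queue(deps):
    """Return only the dependencies the IP Team must look at, in input order."""
    return [r for r in map(resolve, deps) if r.status == "review"]

if __name__ == "__main__":
    deps = list(IPZILLA) + list(CLEARLYDEFINED) + ["pkg:maven/example/unknown@0.1"]
    for r in map(resolve, deps):
        print(f"{r.status:9} {r.dependency:36} {r.license or '-':14} {r.source or '-'}")
```

A low-score ClearlyDefined record is treated as unresolved rather than trusted, so it lands in the review queue even when the harvested license would otherwise be approved.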
Best Practices
> License compliance as part of the open source software development process
> Bill of Materials Creation
> Document license information
• SPDX Identifiers usage
• Copyright and License headers in source files
• Readme, Notice and License File(s) included in repositories
> Crowd Source with the greater open source community
Eclipse Projects - Open Source Compliance
> Eclipse Steady
Secure use of open source components during application development. Discover, assess and mitigate known vulnerabilities with Eclipse Steady.
> Eclipse SW360
Software catalogue application to provide a central place to share information on software components in the following areas: Component, License, Project, Vulnerability.
> Eclipse SW360 Antenna
Antenna scans artifacts of a project, downloads sources for dependencies, validates sources and licenses and creates dependencies with licenses as artifacts.
Thank You
Questions - license@eclipse.org
More Information can be read here