Date: Thu, 28 Mar 2024 10:00:49 +0000 (UTC)
Subject: Exported From Confluence
All projects hosted at the LF AI and Data Foundation will have quarterly license scans completed to assist with license compliance and project IP policies. This is done as a project support program from the Linux Foundation.
Support to be provided by: Steve Winslow <swinslow@linuxfoundation.org>
For the projects described below, the following actions will be performed:
or technical leadership committee, as applicable
prepare a summary slide deck describing the requested exceptions
present to project Legal Committee or similar leadership body to describe the requested
Stretch goals: will perform where feasible, subject to available resources and time:
Run “red flag” pre-intake scans, for net new projects:
Run Fossology scan of the incoming codebase, prior to importing into a project-controlled repository
Identify any “red flag” or “high priority” issues that would be likely to present a significant problem for license compatibility
Correspond with developers regarding these issues where remediation is recommended
Parallel to Fossology scans, also run dependency scans using WhiteSource:
review and clear scanning results, researching potentially concerning findings as appropriate;
flag key issues to the project leads / maintainers;
work towards providing standardized reports of all dependencies; and
work towards providing vulnerability findings as part of results.
Note that WhiteSource has recently been incorporated into the license scanning workflow, so some of this functionality will be subject to continued development of the scanning workflow automation.
Notes:
The Linux Foundation is not able to provide legal advice to project community members. The support program is focused on providing transparency about identified project licenses, and where possible describing general community understandings of license requirements. However, questions about e.g. whether a license is legally okay to use must be directed to the contributor’s own legal counsel and/or a project’s Legal Committee.
The support program utilizes various automated tools supplemented by manual reviews. However, like any other scanning tool or process, the LF cannot guarantee the completeness or accuracy of the license scanning results and does not guarantee that all possible license issues in a scanned codebase will be identified.
Dependencies on other LF and project teams:
Will periodically need assistance from the project manager or similar project staff support, to coordinate on preferred methods for communications with appropriate project community members.
May periodically need LF IT assistance for configuring certain types of scans, for those that are dependent on CI/CD processes that are managed by LF IT.
Acumos: LF IT manages configuration for Sonatype NexusIQ tooling
Full details of the program are also outlined in this PDF.
Cycle 1: January, April, July, October
Cycle 2: February, May, August, November
Cycle 3: March, June, September, December
Anticipate up to approximately 10 new small-to-medium projects to come in during 2021. Will perform pre-intake scans and allocate to cycles based on project sizing.