All projects hosted at the LF AI and Data Foundation will have quarterly license scans completed to assist with license compliance and project IP policies. This is done as a project support program from the Linux Foundation.
Support to be provided by: Steve Winslow <swinslow@linuxfoundation.org>
For the projects described below, the following actions will be performed:
or technical leadership committee, as applicable
prepare a summary slide deck describing the requested exceptions
present to project Legal Committee or similar leadership body to describe the requested exceptions and facilitate approvals under the charter
Stretch goals: will perform where feasible, subject to available resources and time:
Run “red flag” pre-intake scans, for net new projects:
Run Fossology scan of the incoming codebase, prior to importing into a project-controlled repository
Identify any “red flag” or “high priority” issues that would be likely to present a significant problem for license compatibility
Correspond with developers regarding these issues where remediation is recommended
Parallel to Fossology scans, also run dependency scans using WhiteSource:
review and clear scanning results, researching potentially concerning findings as appropriate;
flag key issues to the project leads / maintainers;
work towards providing standardized reports of all dependencies; and
work towards providing vulnerability findings as part of results.
Note that WhiteSource has recently been incorporated into the license scanning workflow, so some of this functionality will be subject to continued development of the scanning workflow automation.
Notes:
The Linux Foundation is not able to provide legal advice to project community members. The support program is focused on providing transparency about identified project licenses, and where possible describing general community understandings of license requirements. However, questions about e.g. whether a license is legally okay to use must be directed to the contributor’s own legal counsel and/or a project’s Legal Committee.
The support program utilizes various automated tools supplemented by manual reviews. However, like any other scanning tool or process, the LF cannot guarantee the completeness or accuracy of the license scanning results and does not guarantee that all possible license issues in a scanned codebase will be identified.
Dependencies on other LF and project teams:
Will periodically need assistance from the project manager or similar project staff support to coordinate on preferred methods for communications with appropriate project community members.
May periodically need LF IT assistance for configuring certain types of scans, for those that are dependent on CI/CD processes that are managed by LF IT.
Acumos: LF IT manages configuration for Sonatype NexusIQ tooling
Full details of the program are also outlined in this PDF.
Cycle 1: January, April, July, October
Cycle 2: February, May, August, November
Cycle 3: March, June, September, December
Anticipate up to approximately 10 new small-to-medium projects to come in during 2021. Will perform pre-intake scans and allocate to cycles based on project sizing.