Google Git
Sign in
eclipse / dash / org.eclipse.dash.handbook / 6e1dc32bb25d188b9069d8ded7edf3a21c532464 / . / source / chapters / ip.adoc
blob: e41d2d53e00f5a6e1444108d0f11fa8ed87f4bed [file] [log] [blame]
////
* Copyright (C) 2015 Eclipse Foundation, Inc. and others.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* SPDX-License-Identifier: EPL-2.0
////
////
We regard the following to be proper names:
IP Due Diligence Process (when referring to the Eclipse IP DD process)
IP Team
Contribution Questionnaire
Piggyback CQ
Prerequisite
Exempt Prerequisite
Works With Dependency
The terms "intellectual property", "project code" and "third party content" are not considered proper nouns.
////
[[ip]]
== Intellectual Property
The term intellectual property (IP) refers to any sort of creative work, be it literature, art, or software. In the realm of open source software, artifacts like source code, documentation, and images are considered intellectual property. Unless otherwise stated, intellectual property is the property of its creator, who may grant permission for others to use that intellectual property by providing a license.
The ease with which software can be copied and combined makes it challenging to know with confidence if content can be used without running into legal issues. Any sort of serious software development effort must be accompanied by a well-defined IP due diligence process that can ferret out issues and mitigate the risk of leveraging the work of others. IP due diligence is a time consuming process that requires specialized skills and a keen eye for detail.
There are different kinds of content (e.g., source code, documentation, and images) to consider. <<ip-project-code,_Project code_>> (or _project content_) is content that is produced and maintained by the open source project committers and contributors. <<ip-third-party,_Third party content_>> generally takes the form of libraries (e.g. modules, or components), source files, images, or other forms of IP that are produced and maintained outside of the scope of the open source project. To mitigate the risk associated with adopting open source in products, the _project code_ and the _third party content_ that it leverages need to be reviewed to ensure that the copyrights expressed are correct, licensing is valid and compatible, and that other issues have been uncovered and properly investigated.
The Eclipse Foundation has a well-defined {ipPolicyUrl}[IP Policy], corresponding IP Due Diligence Process, and an _IP Team_ of dedicated professional IP specialists who perform the heavy lifting in the due diligence process. Committers, the software developers who decide what will become _project code_ and how {aForgeName} open source project will leverage _third party content_, are responsible for bringing IP issues to the attention of the Eclipse IP Team.
Most of the _project code_ produced by committers can just be pushed into a project repository without any sort of legal review. However, at least in some cases, the IP Team needs to be engaged to review project code that comes from contributors (who are not committers); and there are some cases where even the work of committers needs to be reviewed. These cases are highlighted in the IP Due Diligence Process.
The IP Due Diligence Process focuses on source content. For the purposes of the IP Due Diligence Process, the term _source code_ (or _source content_) refers to the pre-compiled content, including programming language source, configuration and property files, as well as binary things that don't have a pre-compiled form like icons. The IP Due Diligence Process is concerned with reviewing the IP that is either consumed (third party content) or produced (project code) by the Eclipse open source project. The process doesn't generally focus on compiled content (e.g. the IP Team looks at source code, not JAR files).
The IP Due Diligence Process does not dictate how source code repositories are structured. When the IP Team signals that content can be used, the project team can put content into their repositories in whatever structure makes the most sense. Similarly, the IP Due Diligence Process is not concerned with how third party content is represented (e.g. how it is integrated into builds) or how it is disseminated.
[NOTE]
====
The {edpUrl}[Eclipse Development Process] does restrict how content can be disseminated based on the state of the IP review. A Project team can create and distribute milestone builds of any content that has been granted _check-in_ from the IP Team. All content must be approved by the IP Team before the project can engage in a formal <<release, release>>.
====
The entry point into the IP Due Diligence Process is the <<ip-cq,Contribution Questionnaire>>, or _CQ_. Project teams should create a single CQ for the <<ip-initial-contribution,initial contribution>> of project code. The initial contribution is a special type of project code contribution in the sense that it is the first thing that the IP Team will review on behalf of the project team.
[[ip-ipzilla]]
=== IPZilla
{ipzillaUrl}[IPZilla] is a modified instance of Bugzilla that tracks the progress of the IP due diligence review and approval process. It is the main interaction point between committers and the IP Team. IPZilla is accessible only by committers, Eclipse Foundation member company representatives, and other specifically-designated individuals. Authorized users can review both completed and ongoing reviews via IPZilla.
[[ip-cq]]
=== Contribution Questionnaires
A Contribution Questionnaire (CQ) is the main interface between {forgeName} committers and the IP Team.
A CQ is started when a committer completes a _questionnaire_ regarding a project code contribution or third party content. In literal terms, a CQ is a record in IPZilla that tracks the progress of the approval process. The CQ record is the primary communication channel between the submitting committer and the IP Team. CQ records persist indefinitely.
[TIP]
====
Use the <<pmi-commands-cq, Create a Contribution Questionnaire>> tool on a specific <<pmi-project-page, project page>> in the <<pmi,Project Management Interface (PMI)>> to create a CQ.
====
All significant contributions of code to be maintained by {aForgeName} project, as defined by the Eclipse IP Due Diligence Process require a CQ. Projects further require a CQ for every piece of third party content that project code makes direct use of (regardless of whether or not the content is directly distributed by the project.
CQs are not generally required for ongoing work done by project committers. Consult the IP Due Diligence Process document for more information.
[[ip-initial-contribution]]
=== Initial Contribution
Code provenance tracking is critical (the source of all code that ends up in Eclipse Foundation repositories must be well known). To that end, all new projects are required to make an _initial contribution_ before *any* code is committed to a project's source code repository.
[graphviz, images/ip_ic_overview, svg, width=800px]
.How The Initial Contribution Fits into the Project Creation Process
----
digraph {
bgcolor=transparent;
rank=same;rankdir=LR
node [shape=box;style=filled;fillcolor=white;fontsize=12];
{
rankdir=TB;
creation[label="EMO declares\nsuccessful\nCreation Review"];
provision[label="Eclipse\nWebmaster\nProvisions"];
}
initial[label="Committer submits\nInitial\nContribution"];
checkin[label="IP Team\ngrants\n\"check-in\""];
{
rankdir=TB;
push[label="Committer\npushes to\nProject Git"];
develop[label="Work\nbegins!"]
}
creation -> provision;
provision -> initial;
initial -> checkin;
checkin -> push;
push -> develop;
}
----
Following a successful Creation Review, the EMO will initiate the provisioning process (Committers provide required paperwork and the Webmaster creates project resources (Git, downloads, website, etc.);
The initial contribution, like any other <<ip-project-code,project code>> contribution, should contain *only* project code/content. Any <<ip-third-party,third party content>> that might be included in the existing source tree should be excluded from the initial contribution and submitted as separate <<ip-cq,CQs>>.
The IP Team will review the initial contribution to ensure that it hasn't been copied inappropriately, that licenses are being used correctly, and so forth. As part of this process, the IP Team will research the source of all code; depending on the size of the contribution, this can be a time-consuming process.
Because a full review can be time-consuming, the IP Team will in most cases start with a cursory review of the content, and--assuming that no significant issues are uncovered by that cursory review--will grant _check-in_ indicating that the project team can push/merge the initial contribution into their Git repository (or initiate the transfer of their existing repository) and start working with the code while the IP team continues their review in _parallel_ (they will add completing the review to their work queue and address it in turn).
After _check-in_ has been granted for the initial contribution, the project team should start the process of engaging the IP Team with their <<ip-third-party,third party content>> review requests.
Any project committer can initiate the review process by <<pmi-commands-cq, creating>> a <<ip-cq,CQ>>.
[TIP]
====
Eclipse Foundation systems use email to inform and remind interested parties of the various steps in this process. Only the committer who creates a CQ is notified by default, but other committers can be added to a CQ's _CC list_ to be included in the communication.
The email address that is associated with your Eclipse Foundation account is used; be sure to check spam filters to ensure that these messages are not missed. Send a note to mailto:{emoEmail}[EMO] if you are concerned that you are not receiving these notification.
====
A project cannot make a <<release, release>> until the due diligence on the IP contained in that release--including project code contributions and third party content--is complete.
The IP Team is not able to review the history of project code being moved to {aForgeName} project. The IP Team will review a snapshot of the project code as the initial contribution.
[[ip-project-code]]
=== Project Code Contributions
In general, contributions made by project committers do not require review and can be pushed directly into a project repository (though, some project teams may impose additional review restrictions).
Some contributions of code to maintained by the project (i.e. committed to a project source code repository and maintained by the project team) must be reviewed by the IP Team. The {ipDueDiligenceUrl}[IP Due Diligence Process] provides help to determine whether or not the contribution needs to be reviewed by the IP Team (when uncertain, Project teams should connect with their project mentors or PMC for assistance).
All contributions of project code must be tracked in the project's <<ip-iplog,IP Log>>. This is done automatically when the author information is correctly specified in <<resources-commit,Git commit records>>.
Any project committer can <<pmi-commands-cq, create>> a <<ip-cq,CQ>> to submit a project code contribution for review by the IP Team. The project code must be attached to the CQ in source form.
[[ip-ownership]]
==== Ownership
The author of a contribution (or their employer) retains ownership of the intellectual property contained in the contribution. As part of the contribution process, the contributor licenses their contribution under the project license.
[[ip-third-party]]
=== Third Party Content
The sort of effort that the Eclipse IP Team brings to bear on third party content varies depending on the type. The {ipThirdParty}[Guidelines for the Review of Third Party Dependencies] defines three different types: _Prerequisite_, _Exempt Prerequisite_, and _Works With Dependency_.
[NOTE]
====
The term contribution questionnaire is a bit misleading when it comes to third party content. Third party content is not a really a contribution to the project, but since the requirements for tracking project code and third party content is very similar, the same mechanism is used for both.
====
[[ip-third-party-prereq]]
==== Prerequisites
The simplest form of third party content is the _Prerequisite_ (or _prereq_). Prerequisites are required by the Eclipse project content to provide core functionality. Prerequisite content is not generally stored in an Eclipse project's source code repositories, but is likely included in build scripts and referenced as runtime dependencies. Since adopters of Eclipse project content are compelled to adopt the Prerequisite content, that content must also be reviewed by the IP Team. The review requirement applies recursively: the entire transitive closure of a Prerequisite's dependencies needs to reviewed (the dependencies of a Prerequisite are themselves Prerequisites).
[graphviz, images/prereq_dependencies, svg]
.Eclipse Project Dependencies
----
digraph {
graph [ranksep="0.25"; nodesep="0.25"; fontsize=12];
bgcolor=transparent
rankdir=LR;
node [shape=box;style=filled;fillcolor=white;fontsize=12;label="Content"]
edge [fontsize=12]
root[label="Eclipse Project\nContent"];
subgraph cluster_prereq {
node [fontsize=10;label="Third Party\nContent"]
prereq1; prereq2;
ref1; ref2; ref3; ref4;
label="\"Prerequisite\" Dependencies\n(licenses must be verified)";
graph[style=dotted];
}
root -> prereq1;
root -> prereq2;
prereq1 -> ref1;
prereq2 -> ref2 -> ref3
ref2 -> ref4;
}
----
Examples of Prerequisite dependencies:
* the Java/OSGi manifest for one of the project bundles makes a direct reference to third party content (either a bundle or package);
* project code includes an import statement for a package from third party content;
* project code imports a third party library's header file;
* project code uses reflection or other means to reference APIs and implementation;
* project code uses OSGi Services to make a reference to a specific implementation of a service; or
* project code invokes a _command line interface_.
This list is not intended to be exhaustive, but rather to provide common examples. Fundamentally, when project code makes some kind of use of third party content, then that content is likely a Prerequisite. Under certain conditions, the content may also be classified as an <<ip-third-party-exempt,Exempt Prerequisite>> or a <<ip-third-party-workswith,Works With Dependency>> (see below).
In the case where {aForgeName} project references code from <<ip-other-projects,another {forgeName} project>> that itself references Prerequisites, no further review of that chain of Prerequisites is required (the IP Team will have already reviewed it on behalf of the second project team). Eclipse project teams should take care to only reference release versions of other Eclipse projects in their own releases to ensure that the IP Due Diligence Process has been completed.
[graphviz, images/eclipse_dependencies, svg]
.Eclipse Project Dependencies
----
digraph {
graph [ranksep="0.25"; nodesep="0.25"; fontsize=12];
bgcolor=transparent
rankdir=LR;
node [shape=box;style=filled;fillcolor=white;fontsize=12;label="Content"]
edge [fontsize=12]
root[label="Eclipse Project\nContent"];
subgraph cluster_eclipse {
graph[style=dotted];
label="No further review required";
node [fontsize=10;label="Content from\na different\nEclipse Project"]
prereq1;
node [fontsize=10;label="Third Party\nContent"]
ref1;
}
subgraph cluster_thirdparty {
graph[style=dotted];
label="\"Prerequisite\" Dependencies\n(licenses must be verified)";
node [fontsize=10;label="Third Party\nContent"]
prereq2;
ref2;
}
root -> prereq1;
root -> prereq2;
prereq1 -> ref1;
prereq2 -> ref2;
}
----
Any project committer can <<pmi-commands-cq, create>> a <<ip-cq,CQ>> to submit a Prerequisite for review by the IP Team. The source code that was used to build the content must be attached to the CQ.
Project teams must create a separate CQ for each source (e.g. open source project) of third party content. Source code must be provided for all Prerequisite CQs. CQs for Prerequisite content are <<ip-third-party-versions,version specific>>, so separate CQs are required for each different version.
[NOTE]
====
The project team can provide the IP Team with finer-grained requests if that's easier. That is, a project team can ask the IP Team to review the source for specific subsets of content (e.g. individual JAR files or modules), or an entire source tree that's used to build several components. The IP Team's focus is on _source content_; they do not generally review built content or focus on how the source code is assembled (i.e. they don't generally review JAR files).
====
Many third party libraries have already been approved by the IP Team. The first stage of the CQ creation process involves a search of existing content; if the content has already been approved, the project team can piggyback on the already-approved content (via a <<ip-piggyback,_Piggyback CQ_>>). _Piggyback CQs_ are approved automatically and immediately.
[[ip-third-party-versions]]
===== Versions of Prerequisites
Reviews of Prerequisites are version specific. That is, project teams are required to engage the IP Team with each separate version of Prerequisite content they require. When the project team adopts a new version of some third party content, a new CQ with a new source attachment must be created and taken through the process.
This applies specifically to major and minor versions of Prerequisites.
Project teams are not required to engage with the IP Team to review service releases for third party content, provided that the service release is based on a release that has either been _license certified_ or approved by the IP Team. A service release is defined as a release that is backwards compatible and contains only bug fixes. If a project team isn't sure whether or not a particular release is a service release, they should submit the content for review and let the IP Team decide.
[[ip-third-party-prereq-types]]
===== Due Diligence for Prerequisites
The {ipPolicyUrl}[Eclipse IP Policy] defines two types of due diligence review for Prerequisites. These types are used to refer to the third party content itself, the type of the CQ, and to the overall process.
_Type A_ Prerequisites are reviewed to ensure that the licenses contained in the content align with the project license. Successful application of the _Type A Due Diligence Process_ results in a CQ that is _license certified_. _Type B_ content undergoes a far more thorough due diligence process that validates license certification, confirms the provenance of the content, and scans for various anomalies; successful application of the _Type B Due Diligence Process_ results in a CQ that is _approved_.
The notion of due diligence types extends to projects and releases. A project team may specify a default <<pmi-due-diligence,due diligence type>> for the project, which both indicates intent to the community, and specifies the default value (which may be overridden) when creating new CQs for the project. When a <<release,release>> makes reference to any _Type A Prerequisite_ software, then the release must also be designated _Type A_. If all of the Prerequisites referenced by a release are _Type B_, then than release may be designated as _Type B_. A project team can decide what level of due diligence is required for each separate release. Hypothetically, a project team could opt to make several _Type A_ releases followed by a _Type B_ release, and then switch back (project teams that need to engage in short release cycles may adopt this sort of cycle).
_Type A_ CQs are processed automatically by the Eclipse Genie process. When a single license is identified for all files in the source content attached to a Type A CQ, and that license is on the Eclipse Foundation's {licenseWhitelistUrl}[Third Party Content Licenses White List], then the CQ is automatically marked _license_certified_, indicating the project team is free to use that content. When multiple licenses, blacklisted licenses, or otherwise problematic licenses are detected (i.e. anything other a single white listed license), then the CQ is sent to the Eclipse IP Team for further investigation.
[TIP]
====
The Eclipse IP Team encourages new project teams to start with one or two Prerequisites and then work with the IP Team to ensure that the process is well understood, so that the process can be engaged in as efficiently as possible (for all parties).
====
[[ip-third-party-exempt]]
==== Exempt Prerequisites
When one follows a dependency graph all the way to the bottom, the entire runtime environment including virtual machines and the operating system are included in the transitive closure of dependencies. Clearly, having the IP team review virtual machines and operating systems is not a great use of time, and--in the case of closed source operating systems--just not be possible.
The Eclipse IP Due Diligence Process guidelines provide for a notion of _Exempt Prerequisite_ dependencies, which are not subject to review. According to the guide, content may be considered exempt if it "is pervasive in nature, expected to be already on the user's machine, and/or an IP review would be either impossible, impractical, or inadvisable." The Eclipse IP Team does not review the source code associated with an Exempt Prerequisite.
One of the key aspects of an Exempt Prerequisite is that the user or adopter is typically the one that actually installs the software and so is the one who must agree to the licensing terms. Content that is declared an Exempt Prerequisite should never be directly distributed by an Eclipse project or otherwise made available without some explicit action from the consumer.
Any project committer an create a <<ip-cq,CQ>> to submit an Exempt Prerequisite for review by the IP Team. Exempt Prerequisites must be approved by the Eclipse Foundation's Executive Director.
[[ip-third-party-workswith]]
==== Works With Dependencies
The Eclipse IP Due Diligence Process guidelines also define the notion of a _Works With Dependency_ (commonly referred to simply as a Works With) that applies in two different cases. Third party content may be declared a Works With Dependency when:
* the functionality of Eclipse <<ip-project-code,project code>> is enhanced by the presence of the software, but is otherwise functional and useful without it; or
* there are multiple choices and reviewing all of them is impractical or impossible.
A Works With Dependency is, literally, a dependency that the Eclipse project code will work with when it is available. The fundamental requirement is the Eclipse project code must be useful and adoptable without the Works With Dependency. That is, either the project code provides useful functionality without the Works With Dependency or the Works With Dependency is a suitable alternative for a <<ip-third-party-prereq,Prerequisite>>.
[graphviz, images/prereq_and_workswith, svg]
.Prerequisite and "Works with" Dependencies
----
digraph {
graph [ranksep="0.25"; nodesep="0.25"; fontsize=12];
bgcolor=transparent
rankdir=LR;
node [shape=box;style=filled;fillcolor=white;fontsize=12;label="Content"]
edge [fontsize=12]
adopter[label="Consumer"];
root[label="Eclipse Project\nContent"];
subgraph cluster_prereq {
label="\"Prereq\" Dependencies\n(licenses must be verified)";
graph[style=dotted];
node [fontsize=10;label="Third Party\nContent"]
prereq1; prereq2;
ref1; ref2; ref3; ref4;
}
subgraph cluster_workswith {
graph[style=dotted];
node [fontsize=10;label="Third Party\n\"Works With\" Content\n(must be reviewed by IP Team)"]
workswith;
subgraph cluster_workswith_transitive {
label="\"Works With\" Dependencies\n(No review required)";
graph[style=dotted];
node [fontsize=10;label="Third Party\nContent"]
workswith1; workswith2; workswith3;
}
}
adopter -> root;
adopter -> workswith [xlabel="requires"];
root -> prereq1 [label="requires"];
root -> prereq2 [label="requires"];
prereq1 -> ref1;
prereq2 -> ref2 -> ref3
ref2 -> ref4;
root -> workswith[style="dotted";label="optional"];
workswith -> workswith1;
workswith -> workswith2 -> workswith3;
}
----
As with an <<ip-third-party-exempt,Exempt Prerequisite>>, a Works With Dependency should never be directly distributed or otherwise made available without some explicit action from the consumer. The consumer is responsible for making the Works With Dependency content available and otherwise agreeing to the terms for that content.
It's enough to just create a <<ip-cq,CQ>> to register the use of Works With Dependency without seeking IP Team approval for its dependencies. Works With Dependencies must be approved by the Eclipse project's PMC.
[[ip-piggyback]]
==== Piggyback CQs
Many third party libraries have already been approved for use in {forgeName} projects. While these libraries have already been cleared for use by all projects, their use must be tracked so that--in the event that a issue is uncovered following the due diligence process--we can mitigate the impact of that issue.
A _Piggyback CQ_ can be created on top of an existing resolved CQ. Piggyback CQs share the due <<ip-third-party-prereq-types,diligence type>> of the CQ that they reference (when a CQ's due diligence type changes, Piggyback CQs are also changed).
Piggyback CQs are generally approved very quickly as the due diligence work has already been completed.
[[ip-other-projects]]
==== Content from Other Eclipse Projects
IP Team review or approval is *not* required for {aForgeName} open source project to use _released_ content from another {forgeName} open source project as part of a release (a project may use unreleased content from another project in milestone builds). A release of one project should *never* include unreleased content from another project.
A CQ is not required for third party content that is indirectly used by virtue of consuming content from another {forgeName} open source project. If {aForgeName} projects makes direct use of third party content inherited by consuming another {forgeName} open source project, then a <<ip-piggyback,Piggyback CQ>> is required
[[ip-cq-workflow]]
=== CQ Workflow
The workflow for creating a CQ for third party content starts with a search of existing CQs. If an existing CQ can be found that is concerned with the same content and version, then a <<ip-piggyback,Piggyback CQ>> is created. Piggyback CQs are automatically and immediately approved.
If an existing CQ cannot be found, a new one must be created. Once created, the source code for the third party content must be attached to the record by the committer. The PMC must then approve the record. If the project is eligible to leverage the <<ip-parallel-ip,Parallel IP Process>>, the IP Team performs a cursory review of the record and--if the CQ meets with the requirements--tentatively approves the use of the content while the full review is undertaken in _parallel_.
The Eclipse IP team may require assistance from the project team it performs a deep analysis of the content. Once that analysis is complete and the Eclipse IP Team has made a decision, they will outline the next steps. These next steps may--in the event that the content is rejected--require that the content be removed from the project's source code repository, or that some part be removed. Most often, the content is _approved_ and the CQ is marked as such.
Be advised that this process may take a while. The actual amount of time that it takes to process a CQ depends on numerous factors including the size of the queue, and the nature and size of the contribution.
[[ip-parallel-ip]]
==== Parallel IP Process
The _Parallel IP Process_ allows {forgeName} projects to make use of project code contributions and third party content before they are fully approved by the IP Team. In practical terms, the Parallel IP Process permits--with preliminary approval from the IP Team--a project to check-in code contributions into their source code repository and run builds against third party content without having to wait for the full IP Due Diligence Process to compete.
[NOTE]
====
There is some risk associated with the Parallel IP Process. The IP Team will grant preliminary approval based on a cursory review of the contribution; but during their full review, they may uncover issues that require mitigation. This may require, for example, that some parts of a contribution be removed completely (history and all) from a source code repository.
====
To leverage the Parallel IP Process, projects still submit a CQ. The difference is that once a CQ has been reviewed for license compatibility, the project will be authorized via <<ip-ipzilla,IPZilla>> to _check-in_ the code and start working on it.
All IP must be fully resolved before it is included in a release.
[[ip-iplog]]
=== IP Logs
An IP Log is a record of the intellectual property contributions to a project. This includes such as a list of all committers, past and present, that have worked on the code and (especially) those who have made contributions to the current code base.
[NOTE]
====
An IP Log is a record of intellectual property for an entire project. The purpose of the IP Log review is to confirm that the project team understands the {ipPolicyUrl}[Eclipse IP Policy] and is implementing the supporting processes. An IP Log is not intended to reflect the intellectual property included with any particular release.
====
The IP Log is a big part of the official <<release, release cycle>>. You are required to submit your project's IP Log prior to scheduling a release, or restructuring review. We encourage you to keep your IP log current rather than rushing at the end. The IP Log includes important information about your project that lets adopters know where all the code comes from, who owns the copyrights, and so forth.
Specifically, the log tracks:
* Licenses;
* Past and present committers;
* Third party content; and
* Contributions from outside the project (i.e. non-committers)
[[ip-iplog-generator]]
==== IP Log Generator
The Automated IP Log Tool automatically generates an IP Log using information that is available to the Eclipse Foundation. The list of contributors, for example is automatically generated using information extracted out of the project's source code repositories.
The IP Log generator pulls information from multiple location to assemble the log:
[graphviz, images/ip-log-generator, svg]
.Sources for the IP Log generator
----
digraph {
// Graph properties
bgcolor=transparent
graph [ranksep="0.25", nodesep="0.25"];
// Nodes that define the key points in the process
node [shape=box;style=filled;fillcolor=white;fontsize=12]
git [label="Git", group="g1"]
committer [label="Committer Activity", group="g2"]
pmi [label="Repositories\n(PMI)", group="g1"]
contributions [label="Git Contributions"]
licenses [label="Licenses\n(Foundation DB)", group="g2"]
generator [label="IP Log Generator", group="g1"]
contributions_bugzilla [label="Contributions\n(Bugzilla)"]
iplog [label="IP Log", group="g1"]
git -> committer
git -> contributions
pmi -> generator
pmi -> committer
pmi -> contributions
committer -> generator
contributions -> generator
licenses -> generator
contributions_bugzilla ->generator
generator -> iplog
}
----
* The list of third party content used by the project comes from _IPZilla_;
* The project source code repositories are scanned to identify non-committer authors of contributions;
* The committer list, which includes everybody who has ever held committer status the project (regardless of whether or not they have ever made any contributions of intellectual property) comes from the _Foundation_ database; and
* License information is obtained from the _Foundation_ database
To fully leverage the value of the Automated IP Log Tool, the project team needs to:
* Keep project <<pmi-metadata,metadata>> up-to-date;
* Follow the guidelines for handling <<resources-commit,Git contributions>>; and
* Create <<ip-cq,CQ>> (CQs) where appropriate
The Automated IP Log tool populates the _Contributors_ section with information gathered from the project's source code repositories (source code repository paths specified in the the _Source Repositories_ section in the project metadata). This section lists contributions from non-committers (this is time-sensitive, so contributions made by current committers before they became committers will also be included). Only non-committer contributions are recorded in the generated log.
<<resources-commit,Git commits>> contributed by non-committers are identified by the author credentials on the commit record; the _Author_ field must be set to the identity of the actual author of the commit.
The Third Party Software section of the log is populated from IPZilla. The IP Team will mark your contributions in such a way that they will appear in the log. If third party software is not appearing properly, contact the mailto:{ipTeamEmail}[EMO IP Team] to make corrections.
[TIP]
====
Use the <<pmi-commands-iplog, Generate IP Log>> tool on a specific <<pmi-project-page, project page>> in the <<pmi,Project Management Interface (PMI)>> to generate and submit the IP Log for review.
====
[[ip-faq]]
=== Frequently Asked Questions
[qanda]
Can <<ip-third-party,third party content>> be included in an Eclipse project's source code repository? ::
Yes. Third party content can be included in binary form (e.g. source and binary JAR files) in a project's source code repository if that makes technical sense for the project.
+
Third party content that is stored in the project repository is effectively a _fork_ of that third party content. This is a bit of a grey area in that it is _third party content_ that will be ultimately treated as <<ip-project-code,_project code_>> (i.e. contributors may potentially modify it).
+
Third party _source code_ must be reviewed by the EMO IP Team (i.e., open a <<ip-cq,CQ>>) before it may be include in a project repository.
The IP Due Diligence Process says that I need to create a CQ for project code contributions that exceed 1,000 lines of code; how do I calculate lines of code? ::
The short version is that the Eclipse Foundation trusts the judgement of Eclipse committers regarding how lines of code should be calculated. What we're interested in is net new intellectual property. With this in mind, it's not generally correct to just add the number of lines added to the lines removed; it's also not generally correct to use the difference of these numbers to determine the true number of lines in a contribution. Again, as a committer we trust your judgement.
+
If a contribution contains significant new functionality, or if you are not certain of the provenance or are otherwise concerned that there may be intellectual property issues with a contribution (of any size), then the IP Team needs to be engaged.
+
If you're not sure, create the <<ip-cq,CQ>>.
Can my release use unreleased content from another Eclipse open source project? ::
No. A release may only use released content from other projects. A project may disseminate milestone builds that include unreleased content, but the upstream content must be released before a downstream project can include the content in their own release.
Are project websites subject to the IP Due Diligence Process? ::
Website content is separate from project code. Project teams are expected to respect licenses for all web site content, but are not required to submit website content (including third party libraries) for review by the IP Team.
Can project code be license certified by the _Type A_ due diligence process? ::
No. Only third party <<ip-third-party-prereq,Prerequisites>> can be _license certified_. Project code is reviewed using a process that is similar to that employed for _Type B Prerequisite_ content.
Is my project eligible to choose _Type A_ level IP Review? ::
Yes, all Eclipse projects are eligible to choose <<ip-third-party-prereq-types,Type A or Type B>> for its Prerequisites by choosing the preferred option when creating a CQ.
How does a Project Lead document their project as _Type A_? ::
The Project Lead and all committers have the ability to designate their project as Type A via the <<pmi-due-diligence, project metadata>>.
Can a project use a combination of _Type A_ and _Type B_ CQs? ::
Yes. A project that has at least one _Type A_ CQ must be designated _Type A_.
Can a release use a combination of _Type A_ and _Type B_ CQs? ::
Yes. A release that has at least one _Type A_ CQ must be designated _Type A_.
Can a _Type A_ project have _Type B_ releases? ::
Yes. It is possible for a _Type A_ project to have some subset of its CQs be _Type B_. When a particular release contains only _Type B_ CQs, that release is _Type B_.
If my project requests _Type A_ review for a CQ, can we later change the request to _Type B_? ::
Yes.
How do I change a CQ from _Type A_ to _Type B_? ::
Add a comment to the CQ asking the IP Team to change the due diligence type. If you want to change multiple CQs from _Type A_ to _Type B_, the Project Lead should contact the mailto:{ipTeamEmail}[IP Team] to coordinate and discuss scheduling and timelines.
Can a project join a simultaneous release if it has chosen _Type A_ due diligence? ::
From the point of view of the Eclipse Foundation and the Eclipse Development Process, it is completely acceptable for a project to join a simultaneous release while leveraging _Type A_ content. The parties that manage the simultaneous release, however, may impose additional restrictions.
Can a project release and/or graduate if it has chosen Type A CQs? ::
Yes. There is no barrier to releasing and/or graduating based on the IP due diligence type chosen.
My project is new to the Eclipse Foundation, am I eligible for _Type A_ or _Type B_? ::
That is entirely up to the project. However, during the bootstrapping process, new projects will automatically be configured to employ _Type A_ due diligence for all Prerequisite content in order to get the project up and running.
Can a _Type B_ only project consume other projects/releases that are _Type A_ or combination _Type A/B_? ::
This is an individual project choice. If a project decides this does not work for them, it is up to the projects work together to resolve any issue.
Do I need to create a CQ for a service release of third party content? ::
A CQ is not required for a service release that is based on an resolved version of third party content. That is, if one version of third party content is resolved as either license certified (_Type A_) or approved (_Type B_), then service releases that include only bug fixes that extend that release may be used without creating a CQ.
Is an IP Log _Type A_ or _Type B_? ::
IP Logs are not themselves intellectual property and so are neither Type A nor B.
The IP Log references _Type A_ content, but my release is _Type B_. What should I do? ::
The purpose of the IP Log review is to checkpoint the IP Due Diligence Process; an IP Log is not intended to be an accurate reflection of exactly what is in any particular release. If your project engages in a combination of Type A and Type B releases, then it is natural for the IP Log to include both. It is the project team's responsibility to ensure that the content specifically associated with a a _Type B Release_ includes only _Type B Prerequisites_.
What do you do with the IP Log? ::
IP Log reviews occur in two stages. In the first stage, the EMO performs a technical assessment to make sure that the artifacts produced by the project are properly accounted for in the IP log. You may be asked to assist with the resolution of any discrepancies found during this assessment. In the second stage, the IP Team reviews the log to ensure that it matches their records. The IP log review concludes with approval by the IP Team.
When should I submit the IP Log for review? ::
The IP Log should be submitted for review by the IP Team two weeks before the planned end date for a <<release-review, review>> or (if code moves are involved) a restructuring review. Note that the date of your review may be different from the date of the actual release.
How precise must the "required by" date for the IP Log be? ::
The "required by" date is intended to give the IP Team help to prioritize the processing of the IP Log against other requirements. The date selected should be at least one week in advance of the conclusion date any corresponding <<release-review, review>>.
We submitted an IP Log for our release, but we've made some changes since then that will end up in the release, should we resubmit the IP Log? ::
The purpose of the IP Log review is to checkpoint the IP Due Diligence Process and ensure that nothing is slipping through the cracks; an IP Log is not intended to be an accurate reflection of exactly what is in any particular release.
Are there other reasons to submit the IP Log for review? ::
Generally no. If the IP Team requires an IP Log review outside of the context of a release or restructuring review, they'll ask for it. It is not generally necessary to submit an IP Log for review outside of the context of a review. It is, however, good practice to do your own review of the generated IP Log periodically to make sure that it accurately reflects the state of the project.
How do I fix problems with the generated IP Log? ::
The IP Log is generated based on data from Eclipse Foundation servers. If the log is being generated incorrectly, then the underlying data needs to be fixed. If you spot a problem, send a note to mailto:{emoEmail}[EMO].