Support to be provided by: Jeff Shapiro <jshapiro@linuxfoundation.org>
For the projects described below, the following actions will be performed:
Run recurring scans, on the schedule described below, of the project’s codebases using Fossology
Analyze and clear licenses, notices, and copyright statements contained in the project codebases
Publish SPDX documents with the license conclusions and copyright statements at https://github.com/lfscanning/spdx-lfenergy (or a similar public location), for broader community use in their own compliance processes
Produce summary reports for project leads / maintainers, with limited public visibility (or optionally public at the project’s discretion), with the following:
catalog and summary of licenses detected, categorized, and identifying corresponding files
description of key findings, particularly relating to incompatibility with project licenses and project IP policies
recommendations for remediation where necessary
guidance for best practices to improve project licensing notices and add statements to files without existing notices
Correspond with developers to address questions about findings, where possible without providing legal advice (see “Notes” section below)
Upon request from the project, up to approximately two times per year (such as prior to significant releases), assist with formal IP policy approvals under the project’s charter:
document the license scan findings as “license exceptions” for approval by the Governing Board or technical leadership committee, as applicable
prepare summary slide deck describing the requested exceptions
present to project Legal Committee or similar leadership body to describe the requested exceptions and facilitate approvals under the charter
Stretch goals: will perform where feasible, subject to available resources and time:
Run “red flag” pre-intake scans, for net new projects:
Run Fossology scan of the incoming codebase, prior to importing into a project-controlled repository
Identify any “red flag” or “high priority” issues that would be likely to present a significant problem for license compatibility
Correspond with developers regarding these issues where remediation is recommended
Parallel to Fossology scans, also run dependency scans using WhiteSource:
review and clear scanning results, researching potentially concerning findings as appropriate;
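The summary report items above (a license catalog with the files behind each conclusion, and key findings about files whose license conflicts with project policy or that carry no copyright notice) can be derived mechanically from the published SPDX documents. The following is an added example, not part of the support program or of the lfscanning tooling: it parses a small SPDX 2.2 tag-value document constructed here for illustration (file names are hypothetical) and checks each file against a hypothetical project allow-list standing in for the project's IP policy.

```python
"""Summarize a tag-value SPDX document into a per-license file catalog and
flag files outside a project's license allow-list or lacking a notice.

Added illustration: SAMPLE_SPDX is constructed, not real scan output, and
the allow-list passed to key_findings() is a hypothetical project policy.
"""
import re
from collections import defaultdict

# Constructed sample in SPDX 2.2 tag-value syntax (hypothetical file names).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-project
FileName: ./src/main.c
SPDXID: SPDXRef-File1
LicenseConcluded: Apache-2.0
LicenseInfoInFile: Apache-2.0
FileCopyrightText: <text>Copyright 2020 Example Contributors</text>
FileName: ./src/vendor/hash.c
SPDXID: SPDXRef-File2
LicenseConcluded: GPL-3.0-only
LicenseInfoInFile: GPL-3.0-only
FileCopyrightText: <text>Copyright 2015 Someone Else
All rights reserved.</text>
FileName: ./src/util.c
SPDXID: SPDXRef-File3
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NONE
FileCopyrightText: NONE
FileName: ./docs/README.md
SPDXID: SPDXRef-File4
LicenseConcluded: MIT
LicenseInfoInFile: MIT
FileCopyrightText: NOASSERTION
"""

TEXT_RE = re.compile(r"<text>(.*?)</text>", re.DOTALL)
FILE_TAGS = ("LicenseConcluded", "LicenseInfoInFile", "FileCopyrightText")


def parse_files(spdx_text):
    """Return one dict per FileName record with its file-level tags.
    <text>...</text> values may span several lines and are re-joined."""
    records, current, pending_tag, buffer = [], None, None, []
    for line in spdx_text.splitlines():
        if pending_tag is not None:            # inside a multi-line <text> value
            buffer.append(line)
            if "</text>" in line:
                current[pending_tag] = TEXT_RE.search("\n".join(buffer)).group(1)
                pending_tag, buffer = None, []
            continue
        if ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "FileName":                  # starts a new file record
            current = {"FileName": value}
            records.append(current)
        elif current is not None and tag in FILE_TAGS:
            if value.startswith("<text>") and "</text>" not in value:
                pending_tag, buffer = tag, [value]
            else:
                m = TEXT_RE.search(value)
                current[tag] = m.group(1) if m else value
    return records


def license_catalog(records):
    """Map each concluded license to the sorted list of files carrying it."""
    catalog = defaultdict(list)
    for rec in records:
        catalog[rec.get("LicenseConcluded", "NOASSERTION")].append(rec["FileName"])
    return {lic: sorted(files) for lic, files in catalog.items()}


def key_findings(records, allowed_licenses):
    """Flag files whose concluded license is outside the allow-list (the
    hypothetical IP-policy check) and files without a copyright notice."""
    findings = []
    for rec in records:
        lic = rec.get("LicenseConcluded", "NOASSERTION")
        if lic == "NOASSERTION":
            findings.append((rec["FileName"], "license not concluded; manual review needed"))
        elif lic not in allowed_licenses:
            findings.append((rec["FileName"], f"{lic} is not in the project allow-list"))
        if rec.get("FileCopyrightText", "NOASSERTION") in ("NONE", "NOASSERTION"):
            findings.append((rec["FileName"], "no copyright notice; add a statement"))
    return findings


if __name__ == "__main__":
    recs = parse_files(SAMPLE_SPDX)
    for lic, files in sorted(license_catalog(recs).items()):
        print(f"{lic}: {', '.join(files)}")
    for path, issue in key_findings(recs, {"Apache-2.0", "MIT"}):
        print(f"FINDING {path}: {issue}")
```

The allow-list is deliberately an input rather than a constant: which licenses are acceptable is the project's policy decision, and the script only surfaces what needs a human (or a Legal Committee) to decide. A NOASSERTION conclusion is reported separately from a disallowed license, since it means the scanner could not conclude anything and the file still needs review.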
flag key issues to the project leads / maintainers;
work towards providing standardized reports of all dependencies; and
work towards providing vulnerability findings as part of results.
Note that WhiteSource has recently been incorporated into the license scanning workflow, so some of this functionality will be subject to the continued development of the scanning workflow automation.
Notes:
The Linux Foundation is not able to provide legal advice to project community members. The support program is focused on providing transparency about identified project licenses, and where possible describing general community understandings of license requirements. However, questions about e.g. whether a license is legally okay to use must be directed to the contributor’s own legal counsel and/or a project’s Legal Committee.
The support program utilizes various automated tools supplemented by manual reviews. However, like any other scanning tool or process, the LF cannot guarantee the completeness or accuracy of the license scanning results and does not guarantee that all possible license issues in a scanned codebase will be identified.
Will periodically need assistance from the project manager or similar project staff support, to coordinate on preferred methods for communications with appropriate project community members.
May periodically need LF IT assistance for configuring certain types of scans, for those that are dependent on CI/CD processes that are managed by LF IT (none presently anticipated for current projects/scan types).
NOTE: during the TAC meeting on Dec. 8, 2020, it was stated that not all projects’ source code is currently available. It is possible that the schedule below may be adjusted to accommodate sizing or changes in timing for when the full code base is available.
All Projects
Screenshots from example SPDX document
Screenshots from example scan report for developers:
Key findings and recommended actions:
Summary of findings:
Spreadsheet with detailed findings:
Screenshots from example board decks