TRG 7.01 - Legal Documentation
| Status | Created | Post-History |
|---|---|---|
| Active | 25-Apr-2024 | Updates for CC-BY-4.0 license |
| Active | 24-Aug-2023 | Updated SECURITY.md file |
| Active | 20-Jul-2023 | References to TRG 7.07, 7.08 updated |
| Active | 13-Apr-2023 | Moved from OSS Development |
Why
Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation licensed under the Apache License 2.0 (Apache-2.0). For non-code the default license is the Creative Commons Attribution 4.0 International (CC-BY-4.0).
The legal obligations of the content must be observed in all forms of which the content is available.
This page contains information about legal documentation requirements in your repositories. The source of truth is always the Eclipse Foundation Project Handbook.
The requirements described here must be met for each contribution.
Description
The following files must be part of your repository root folder:
- LICENSE
- LICENSE_non-code
- NOTICE.md
- DEPENDENCIES
- SECURITY.md
- CONTRIBUTING.md
- CODE_OF_CONDUCT.md
For examples look to the Eclipse Tractus-X GitHub Organisation, e.g. the sig-infra.
LICENSE FILES
The Tractus-X project uses the following licenses:
- Apache-2.0 for code
- CC-BY-4.0 for non-code
Both licenses have to be put on root level of each repository, exampel.
Exception: Repositories that use ONLY the CC-BY-4.0 license, e.g. sldt-semantic-models. In these repositories the CC-BY-4.0 license in the only license and the file is named LICENSE.
See the Handbook#legaldoc-license.
LICENSE FILE
In Eclipse Tractus-X the outbound license for code is Apache-2.0.
- File name: LICENSE
- SPDX-License-Identifier: Apache-2.0
- License Text
LICENSE_non-code FILE
The default license for non-code is the CC-BY-4.0.
- File name: LICENSE_non-code
- SPDX-License-Identifier: CC-BY-4.0
- License Text
For more information, see TRG 7.08.
NOTICE FILE
Do the following changes:
- Add both licenses to the "Declared Project Licenses" sections, see example
- Add the link to your repository
- Add the link(s) to your SBOM, e.g. the DEPENDENCY file (one or more)
- Add information for third party content checks, if not covered by the Dash Tool (e.g. IP checks for icons, fonts, ...)
Further information and see the Handbook#legaldoc-notice.
DEPENDENCY FILE
Third-party dependencies need to be checked regularly to reflect your code changes. The DEPENDENCY file must be updated accordingly. This is recommended for every contribution (e.g. PR) whenever possible.
- Create it with the Eclipse Dash License Tool
If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependency files. Use the naming convention DEPENDENCY_XYZ, e.g. DEPENDENCY_FRONTEND and DEPENDENCY_BACKEND.
SECURITY FILE
The security file contain the information, where/how to report a vulnerability issue. See the Handbook#vulnerability and this example.
Content:
## Reporting a Vulnerability
Please do **not** report security vulnerabilities through public GitHub issues.
Please report vulnerabilities to this repository via **GitHub security advisories** instead.
How? Inside affected repository --> security tab
for contributor:
--> Report a vulnerability
for committer:
--> advisories --> New draft security advisory
In severe cases, you can also report a found vulnerability via mail or eclipse issue here: https://www.eclipse.org/security/
See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)
CONTRIBUTING FILE
Due to changes in the Eclipse Project Handbook, make sure that you have included the section "Terms of Use", see the Legal Document Generator or the example.
See the Handbook#legaldoc-contributor
CODE OF CONDUCT
The Version 2.0 of the Eclipse Foundation Community Code of Conduct was released on Jan 01, 2023. Update the file in your repositories.
See the CODE OF CONDUCT and here in md format.
AUTHORS FILE (optional)
- Add the authors and further contact information
- Example