Skip to main content

TRG 7.01 - Legal Documentation

StatusCreatedPost-History
Active22-Nov-2024Add alternative way to handle DEPENDENCIES file
Active25-Apr-2024Updates for CC-BY-4.0 license
Active24-Aug-2023Updated SECURITY.md file
Active20-Jul-2023References to TRG 7.07, 7.08 updated
Active13-Apr-2023Moved from OSS Development

Why

Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation licensed under the Apache License 2.0 (Apache-2.0). For non-code the default license is the Creative Commons Attribution 4.0 International (CC-BY-4.0).

The legal obligations of the content must be observed in all forms of which the content is available.

This page contains information about legal documentation requirements in your repositories. The source of truth is always the Eclipse Foundation Project Handbook.

info

The requirements described here must be met for each contribution.

Description

The following files must be part of your repository root folder:

  • LICENSE
  • LICENSE_non-code
  • NOTICE.md
  • SECURITY.md
  • CONTRIBUTING.md
  • CODE_OF_CONDUCT.md

The following file must be present on root level for every released version but can be omitted in the main branch if appropriate actions are taken:

For examples look to the Eclipse Tractus-X GitHub Organisation, e.g. the sig-infra.

LICENSE FILES

The Tractus-X project uses the following licenses:

  • Apache-2.0 for code
  • CC-BY-4.0 for non-code

Both licenses have to be put on root level of each repository, exampel.

Exception: Repositories that use ONLY the CC-BY-4.0 license, e.g. sldt-semantic-models. In these repositories the CC-BY-4.0 license in the only license and the file is named LICENSE.

See the Handbook#legaldoc-license.

LICENSE FILE

In Eclipse Tractus-X the outbound license for code is Apache-2.0.

  • File name: LICENSE
  • SPDX-License-Identifier: Apache-2.0
  • License Text

LICENSE_non-code FILE

The default license for non-code is the CC-BY-4.0.

  • File name: LICENSE_non-code
  • SPDX-License-Identifier: CC-BY-4.0
  • License Text

For more information, see TRG 7.08.

NOTICE FILE

Do the following changes:

  • Add both licenses to the "Declared Project Licenses" sections, see example
  • Add the link to your repository
  • Add the link(s) to your SBOM, e.g. the DEPENDENCIES file (one or more)
  • Add information for third party content checks, if not covered by the Dash Tool (e.g. IP checks for icons, fonts, ...)

Further information and see the Handbook#legaldoc-notice.

DEPENDENCIES FILE

info

Third-party dependencies need to be checked regularly to reflect your code changes. The DEPENDENCIES file must be updated accordingly. This is recommended for every contribution (e.g. PR).

If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependencies files. Use the naming convention DEPENDENCIES_XYZ, e.g. DEPENDENCIES_FRONTEND and DEPENDENCIES_BACKEND.

These files can be kept either checked in the git repository or published to a static location (e.g. GitHub Pages) and linked in the NOTICE file. It is advisable to run the check after every commit or during the nightly, surely it is mandatory to run it before the release, ensuring that no rejected or restricted dependencies are being part of delivered artifacts.

Further information

SECURITY FILE

The security file contain the information, where/how to report a vulnerability issue. See the Handbook#vulnerability and this example.

Content:

## Reporting a Vulnerability

Please do **not** report security vulnerabilities through public GitHub issues.

Please report vulnerabilities to this repository via **GitHub security advisories** instead.

How? Inside affected repository --> security tab

for contributor:
--> Report a vulnerability

for committer:
--> advisories --> New draft security advisory

In severe cases, you can also report a found vulnerability via mail or eclipse issue here: https://www.eclipse.org/security/

See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)

CONTRIBUTING FILE

Due to changes in the Eclipse Project Handbook, make sure that you have included the section "Terms of Use", see the Legal Document Generator or the example.

See the Handbook#legaldoc-contributor

CODE OF CONDUCT

info

The Version 2.0 of the Eclipse Foundation Community Code of Conduct was released on Jan 01, 2023. Update the file in your repositories.

See the CODE OF CONDUCT and here in md format.

AUTHORS FILE (optional)

  • Add the authors and further contact information
  • Example