
TRG 7.01 - Legal Documentation

| Status | Created | Post-History |
|--------|---------|--------------|
| Active | 24-Aug-2023 | Updated SECURITY.md file |
| Active | 20-Jul-2023 | References to TRG 7.07, 7.08 updated |
| Active | 13-Apr-2023 | Moved from OSS Development |

Why

Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation and licensed under the Apache License 2.0. The legal obligations attached to the content must be observed in every form in which the content is made available.

This page contains information about legal documentation requirements in your repositories. The source of truth is always the Eclipse Foundation Project Handbook.

Info: The requirements described here must be met for each contribution.

Description

The following files must be part of your repository root folder:

  • LICENSE
  • NOTICE.md
  • DEPENDENCIES
  • SECURITY.md
  • CONTRIBUTING.md
  • CODE_OF_CONDUCT.md

For examples, look at the repositories of the Eclipse Tractus-X GitHub Organisation, e.g. the APP Dashboard.

LICENSE FILE

In Eclipse Tractus-X the primary outbound license is Apache-2.0.

See the Handbook#legaldoc-license.

For specifically defined documentation files the Creative Commons Attribution 4.0 International (CC BY 4.0) is required, see TRG 7.08.

NOTICE FILE

  • Add the link to your repository
  • Add the link(s) to your SBOM, e.g. the DEPENDENCY file (one or more)
  • Add information for third party content checks, if not covered by the Dash Tool (e.g. IP checks for icons, fonts, ...)

For further information, see the Handbook#legaldoc-notice.

DEPENDENCY FILE

Info: Third-party dependencies need to be checked regularly to reflect your code changes. The DEPENDENCY file must be updated accordingly. This is recommended for every contribution (e.g. PR) whenever possible.

If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependency files. Use the naming convention DEPENDENCY_XYZ, e.g. DEPENDENCY_FRONTEND and DEPENDENCY_BACKEND.

Further information

SECURITY FILE

The security file contains the information on where and how to report a vulnerability. See the Handbook#vulnerability and this example.

Content:

```markdown
## Reporting a Vulnerability

Please do **not** report security vulnerabilities through public GitHub issues.

Please report vulnerabilities to this repository via **GitHub security advisories** instead.

How? Inside the affected repository --> Security tab

for contributors:
--> Report a vulnerability

for committers:
--> Advisories --> New draft security advisory

In severe cases, you can also report a found vulnerability via email or an Eclipse issue here: https://www.eclipse.org/security/

See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)
```

CONTRIBUTOR GUIDE

See the Handbook#legaldoc-contributor.

CODE OF CONDUCT

Info: Version 2.0 of the Eclipse Foundation Community Code of Conduct was released on Jan 01, 2023. Update the file in your repositories.

See the CODE OF CONDUCT (also available here in Markdown format).

AUTHORS FILE (optional)

  • Add the authors and further contact information
  • Example