Best Practices for code attribution
The CNCF policy on copyright notices is here (specifically the case where third party code is included): https://github.com/cncf/foundation/blob/main/copyright-notices.md#what-about-third-party-code
However there are some best practices in several projects including guidance like:
- Have a well-marked directory indicating third-party code
- Ensure LICENSES and NOTICES of the third-party code are retained as-is
- When possible, import history and not just a snapshot of the code
- Ideally notify the folks who you are picking up code from in a public fashion (and wait for their response if possible)
What else?
PS: guidance in k8s community for third_party code is here
I'm sure there have been discussions about DCO/CLA, but that seems pretty important for existing contributions.
This might also tie into tracking bill of materials for projects, too. It's a slippery slope into SBOMs.
Agreed @jzelinskie. I want to start in the shoes of someone who wants to get something done and realizes that there is something already they could use (and how they can go about it the right way).
also see https://github.com/cncf/foundation/issues/354
What might further complicate things is derivative works or non-clean room implementations of things.
I can use a fairly concrete, but outlier example: when folks were attempting to reimplement a free version of Flash in the 2000s. Because so many developers had agreed to the terms of service to install Flash player, they were actually incapable of legally contributing towards the implementations. They had to find developers that had literally never installed Flash.
IANAL, but I suspect this is where the DCO fills in. I'm not sure what happens once the well is poisoned, though, or what happens if a poisoned well has its ownership transferred to a foundation such as the CNCF.
@jzelinskie for sure there are plenty of things to game plan out.
For this issue, I want to gather some general guidelines that we can tell folks to reasonably follow (across projects), then projects can have their own higher bar for things. Oh, also, we need to tell people to ask for help with situations that may be "smelly".
Has the CNCF thought about hiring a firm that would perform due diligence for IP donated? This is pretty standard in M&A of software businesses, so I think it probably makes sense here, too.
We have lawyers on staff that do this type of thing, Jimmy.
We have someone that constantly scans CNCF project code bases on a quarterly basis too for licensing issues.
On Tue, Sep 13, 2022 at 9:45 PM Jimmy Zelinskie wrote:
Has the CNCF thought about hiring a firm that would perform due diligence for IP donated? This is pretty standard in M&A of software businesses, so I think it probably makes sense here, too.
(View it on GitHub: https://github.com/cncf/toc/issues/877#issuecomment-1245937107)
-- Cheers,
Chris Aniszczyk https://aniszczyk.org
TOC has an open request for the Legal Committee to prep content to be added to the Foundation repo or other appropriate place (contribute.cncf.io?). CC: @joannalee333 @jberkus @CathPag @geekygirldawn
Sounds like a valuable resource for maintainers, which makes it a good fit for contribute.cncf.io as far as I can see.
https://github.com/cncf/foundation/issues/650 is where this will be worked on!