Engage in the Eclipse IP Due Diligence Process

Open waynebeaton opened this issue 2 months ago • 2 comments

Describe the release item

AFAICT, the Eclipse Zenoh project committers have made some changes to the dependencies since the last time you've engaged in the IP Due Diligence Process. Please review the intellectual property periodically (at least in advance of creating new releases).

I cloned this repository and used the Eclipse Dash License Tool to vet the dependencies based on the Cargo configuration.

It identified a number of this project's dependencies that require vetting via the Eclipse IP Due Diligence Process.

$ cargo tree -e normal --prefix none --no-dedupe | sort -u \
| grep -v '^[[:space:]]*$' | grep -v zenoh | sed -E 's|([^ ]+) v([^ ]+).*|crate/cratesio/-/\1/\2|' > dependencies.txt
$ java -jar org.eclipse.dash.licenses-1.1.1-SNAPSHOT.jar dependencies.txt -summary DEPENDENCIES
[main] INFO Querying Eclipse Foundation for license data for 418 items.
[main] INFO Found 138 items.
[main] INFO Querying ClearlyDefined for license data for 280 items.
[main] INFO Found 280 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO 
[main] INFO crate/cratesio/-/async-std/1.13.2
[main] INFO crate/cratesio/-/bit-vec/0.7.0
[main] INFO crate/cratesio/-/bloomfilter/1.0.14
[main] INFO crate/cratesio/-/buddy_system_allocator/0.10.0
[main] INFO crate/cratesio/-/bzip2-sys/0.1.13+1.0.8
[main] INFO crate/cratesio/-/const_fn/0.4.10
[main] INFO crate/cratesio/-/erased-serde/0.4.5
[main] INFO crate/cratesio/-/http-types/2.12.0
[main] INFO crate/cratesio/-/librocksdb-sys/0.17.1+9.9.3
[main] INFO crate/cratesio/-/lz4-sys/1.11.1+lz4-1.10.0
[main] INFO crate/cratesio/-/petgraph/0.8.2
[main] INFO crate/cratesio/-/ron/0.11.0
[main] INFO crate/cratesio/-/serialport/4.5.0
[main] INFO crate/cratesio/-/tide/0.16.0
[main] INFO crate/cratesio/-/tokio-vsock/0.5.0
[main] INFO crate/cratesio/-/typeid/1.0.2
[main] INFO crate/cratesio/-/unescaper/0.1.5
[main] INFO crate/cratesio/-/vsock/0.4.0
[main] INFO crate/cratesio/-/zstd-sys/2.0.14+zstd.1.5.7
[main] INFO 
[main] INFO This content is either not correctly mapped by the system, or requires review.

AFAICT, the outstanding dependencies are likely all compatibly licensed and vetting them should be relatively straightforward.

The Eclipse Dash License Tool has a feature that creates issues to engage with the IP Team.

There's more information about the Eclipse Foundation's IP Due Diligence Process in the handbook.

Please initiate the IP Due Diligence process on this repository (and on all of the project repositories).

FYI @fuzzypixelz

waynebeaton, Oct 22 '25 18:10

Thanks for the heads-up. I have created a series of issues on the IP Due Diligence repo using dash-licenses on eclipse-zenoh/zenoh. I will track them until this is resolved. Then we'll move on to other repositories as eclipse-zenoh/zenoh is the linchpin of the project and contains most if not all of the dependencies.

@diogomatsubara We might want to include the checks above in a nightly workflow.

fuzzypixelz, Oct 24 '25 14:10

Nightly checks are not required. In fact, in order to conserve resources, it would be best if you can configure your workflows to only run the checks when actual changes have occurred.

waynebeaton, Oct 24 '25 15:10
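
The last comment's suggestion, running the check only when the dependencies actually changed, could be scripted along these lines. This is an added example, not part of the thread or the project's workflows; the baseline file, the function names and the sample `cargo tree` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: run the license check only when the dependency set changed.
# The baseline file and all function names are assumptions, not project code.

# Constructed sample of `cargo tree -e normal --prefix none --no-dedupe` output.
sample_tree() {
  cat <<'EOF'
zenoh v1.0.0 (/work/zenoh)
tide v0.16.0
bzip2-sys v0.1.13+1.0.8
tide v0.16.0

serde_derive v1.0.0 (proc-macro)
EOF
}

# stdin: cargo tree lines; stdout: ClearlyDefined IDs, using the thread's
# grep/sed mapping. Sorting happens after sed (byte order) so comm can be used.
to_clearlydefined() {
  grep -v '^[[:space:]]*$' | grep -v zenoh \
    | sed -E 's|([^ ]+) v([^ ]+).*|crate/cratesio/-/\1/\2|' | LC_ALL=C sort -u
}

# Print IDs in list $1 that are absent from baseline $2. A version bump
# yields a new ID, so it counts; a missing baseline makes every ID new.
added_since() {
  [ -f "$2" ] || { cat "$1"; return 0; }
  LC_ALL=C comm -23 "$1" "$2"
}

# Exit 0 when list $1 contains at least one ID that baseline $2 lacks.
needs_vetting() { [ -n "$(added_since "$1" "$2")" ]; }

# $1 = dash-licenses jar, $2 = baseline list kept from the last clean run.
vet_if_changed() {
  cargo tree -e normal --prefix none --no-dedupe | to_clearlydefined > dependencies.txt
  if needs_vetting dependencies.txt "$2"; then
    # The baseline advances only when the tool exits 0.
    java -jar "$1" dependencies.txt -summary DEPENDENCIES && cp dependencies.txt "$2"
  else
    echo "no new dependency IDs; skipping license check"
  fi
}
```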