From 17ddf44e37c7b6e88f5c28dd1ebc174b9b9c2205 Mon Sep 17 00:00:00 2001 From: ndr_brt Date: Fri, 22 Nov 2024 16:34:40 +0100 Subject: [PATCH 1/3] docs: update TRG 7-04 to permit to unbind DEPENDENCIES file from the main branch --- docs/release/trg-7/trg-7-01.md | 39 ++++++++++++++++++++++------------ docs/release/trg-7/trg-7-04.md | 4 ++-- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/docs/release/trg-7/trg-7-01.md b/docs/release/trg-7/trg-7-01.md index 1a92f280c59..2ba0b5d72c5 100644 --- a/docs/release/trg-7/trg-7-01.md +++ b/docs/release/trg-7/trg-7-01.md 
@@ -2,20 +2,23 @@ title: TRG 7.01 - Legal Documentation --- -| Status | Created | Post-History | -|--------|-------------|--------------------------------------| -| Active | 25-Apr-2024 | Updates for CC-BY-4.0 license | -| Active | 24-Aug-2023 | Updated SECURITY.md file | -| Active | 20-Jul-2023 | References to TRG 7.07, 7.08 updated | -| Active | 13-Apr-2023 | Moved from OSS Development | +| Status | Created | Post-History | +|--------|-------------|-------------------------------------------------| +| Active | 22-Nov-2024 | Add alternative way to handle DEPENDENCIES file | +| Active | 25-Apr-2024 | Updates for CC-BY-4.0 license | +| Active | 24-Aug-2023 | Updated SECURITY.md file | +| Active | 20-Jul-2023 | References to TRG 7.07, 7.08 updated | +| Active | 13-Apr-2023 | Moved from OSS Development | ## Why -Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation licensed under the Apache License 2.0 ([Apache-2.0](https://spdx.org/licenses/Apache-2.0)). For non-code the default license is the Creative Commons Attribution 4.0 International ([CC-BY-4.0](https://spdx.org/licenses/CC-BY-4.0.html)). +Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation licensed under the Apache License 2.0 +([Apache-2.0](https://spdx.org/licenses/Apache-2.0)). For non-code the default license is the Creative Commons Attribution 4.0 International ([CC-BY-4.0](https://spdx.org/licenses/CC-BY-4.0.html)). The legal obligations of the content must be observed in all forms of which the content is available. -This page contains information about legal documentation requirements in your repositories. The source of truth is always the [Eclipse Foundation Project Handbook](https://www.eclipse.org/projects/handbook/#legaldoc). +This page contains information about legal documentation requirements in your repositories. The source of truth is always +the [Eclipse Foundation Project Handbook](https://www.eclipse.org/projects/handbook/#legaldoc). :::info 
@@ -30,11 +33,14 @@ The following files must be part of your repository root folder: - LICENSE - LICENSE_non-code - NOTICE.md -- DEPENDENCIES - SECURITY.md - CONTRIBUTING.md - CODE_OF_CONDUCT.md +While the following can be omitted if appropriate actions are taken: + +- [DEPENDENCIES](#dependencies-file) + For examples look to the [Eclipse Tractus-X GitHub Organisation](https://github.com/eclipse-tractusx), e.g. the [sig-infra](https://github.com/eclipse-tractusx/sig-infra). ### LICENSE FILES 
@@ -75,22 +81,29 @@ Do the following changes: - Add both licenses to the "Declared Project Licenses" sections, see [example](https://github.com/eclipse-tractusx/sig-infra/blob/main/NOTICE.md) - Add the link to your repository -- Add the link(s) to your SBOM, e.g. the DEPENDENCY file (one or more) +- Add the link(s) to your SBOM, e.g. the DEPENDENCIES file (one or more) - Add information for third party content checks, if not covered by the Dash Tool (e.g. IP checks for icons, fonts, ...) [Further information](trg-7-04.md#checking-other-content-fonts-images-) and see the [Handbook#legaldoc-notice](https://www.eclipse.org/projects/handbook/#legaldoc-notice). -### DEPENDENCY FILE +### DEPENDENCIES FILE :::info -Third-party dependencies need to be checked regularly to reflect your code changes. The DEPENDENCY file must be updated accordingly. This is recommended for every contribution (e.g. PR) whenever possible. +Third-party dependencies need to be checked regularly to reflect your code changes. The DEPENDENCIES file must be updated +accordingly. This is recommended for every contribution (e.g. PR). ::: - Create it with the [Eclipse Dash License Tool](https://www.eclipse.org/projects/handbook/#ip-license-tool) -If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependency files. Use the naming convention DEPENDENCY_XYZ, e.g. DEPENDENCY_FRONTEND and DEPENDENCY_BACKEND. +If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependency files. +Use the naming convention `DEPENDENCIES_XYZ`, e.g. `DEPENDENCIES_FRONTEND` and `DEPENDENCIES_BACKEND`. + +These files can be kept either checked in the git repository or published to a static location (e.g. GitHub Pages) and +linked in the [NOTICE file](#notice-file) . 
+It is advisable to run the check after every commit or during the nightly, surely it is mandatory to run it before the +release, ensuring that no `rejected` or `restricted` dependencies are being part of delivered artifacts. [Further information](trg-7-04.md) diff --git a/docs/release/trg-7/trg-7-04.md b/docs/release/trg-7/trg-7-04.md index 286973bb54b..eee873080a1 100644 --- a/docs/release/trg-7/trg-7-04.md +++ b/docs/release/trg-7/trg-7-04.md @@ -30,7 +30,7 @@ All third-party content has to be checked and approved by the Eclipse Foundation - Creating an IP issue manually (e.g. fonts, images, ...) - Using the Eclipse Dash License Tool to creat IP issues in an automated way (libraries) -All third party content used has to be documented in the NOTICE file or in the DEPENDENCY file. [Further information](/docs/release/trg-7/trg-7-01.md) +All third party content used has to be documented in the NOTICE file or in the DEPENDENCIES file. [Further information](/docs/release/trg-7/trg-7-01.md) :::info @@ -56,7 +56,7 @@ You can request the status of your used libraries via the [Dash Licence Tool](ht - Create an issue in YOUR repository with the links to the IP Lab issues, [Example](https://github.com/eclipse-tractusx/daps-registration-service/issues/28) - Track your [issues](https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues?search=automotive.tractusx&sort=created_date&state=opened) - Provide support if an issue is labeled with "Help wanted" -- Add the summary as DEPENDENCY file to the according repository (root level) +- Add the summary as DEPENDENCIES file to the according repository (root level) **Example usage:** From a5d1438cfe7b17d12c7696e96ff9c880868f8b02 Mon Sep 17 00:00:00 2001 From: ndr_brt Date: Mon, 2 Dec 2024 14:51:46 +0100 Subject: [PATCH 2/3] pr remarks --- docs/release/trg-7/trg-7-01.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/docs/release/trg-7/trg-7-01.md b/docs/release/trg-7/trg-7-01.md index 2ba0b5d72c5..690995dec55 100644 --- a/docs/release/trg-7/trg-7-01.md +++ b/docs/release/trg-7/trg-7-01.md @@ -13,12 +13,12 @@ title: TRG 7.01 - Legal Documentation ## Why Eclipse Tractus-X is an open source project hosted by the Eclipse Foundation licensed under the Apache License 2.0 -([Apache-2.0](https://spdx.org/licenses/Apache-2.0)). For non-code the default license is the Creative Commons Attribution 4.0 International ([CC-BY-4.0](https://spdx.org/licenses/CC-BY-4.0.html)). +([Apache-2.0](https://spdx.org/licenses/Apache-2.0)). For non-code the default license is the Creative Commons Attribution +4.0 International ([CC-BY-4.0](https://spdx.org/licenses/CC-BY-4.0.html)). The legal obligations of the content must be observed in all forms of which the content is available. -This page contains information about legal documentation requirements in your repositories. The source of truth is always -the [Eclipse Foundation Project Handbook](https://www.eclipse.org/projects/handbook/#legaldoc). +This page contains information about legal documentation requirements in your repositories. The source of truth is always the [Eclipse Foundation Project Handbook](https://www.eclipse.org/projects/handbook/#legaldoc). :::info @@ -37,7 +37,8 @@ The following files must be part of your repository root folder: - CONTRIBUTING.md - CODE_OF_CONDUCT.md -While the following can be omitted if appropriate actions are taken: +The following file **must** be present on root level for every released version but can be omitted in the main branch +if appropriate actions are taken: - [DEPENDENCIES](#dependencies-file) 
@@ -97,7 +98,7 @@ accordingly. This is recommended for every contribution (e.g. PR). - Create it with the [Eclipse Dash License Tool](https://www.eclipse.org/projects/handbook/#ip-license-tool) -If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependency files. +If different technologies / package managers (e.g. npm and maven) are used you are free to have several dependencies files. Use the naming convention `DEPENDENCIES_XYZ`, e.g. `DEPENDENCIES_FRONTEND` and `DEPENDENCIES_BACKEND`. These files can be kept either checked in the git repository or published to a static location (e.g. GitHub Pages) and From fce427fa5b38221d5fdf54b9e33fbcbcb2961d51 Mon Sep 17 00:00:00 2001 From: ndr_brt Date: Mon, 2 Dec 2024 17:19:34 +0100 Subject: [PATCH 3/3] pr remark --- docs/release/trg-7/trg-7-01.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-7/trg-7-01.md b/docs/release/trg-7/trg-7-01.md index 690995dec55..4a9e1488503 100644 --- a/docs/release/trg-7/trg-7-01.md +++ b/docs/release/trg-7/trg-7-01.md @@ -102,7 +102,7 @@ If different technologies / package managers (e.g. npm and maven) are used you a Use the naming convention `DEPENDENCIES_XYZ`, e.g. `DEPENDENCIES_FRONTEND` and `DEPENDENCIES_BACKEND`. These files can be kept either checked in the git repository or published to a static location (e.g. GitHub Pages) and -linked in the [NOTICE file](#notice-file) . +linked in the [NOTICE file](#notice-file). It is advisable to run the check after every commit or during the nightly, surely it is mandatory to run it before the release, ensuring that no `rejected` or `restricted` dependencies are being part of delivered artifacts.
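Review bot: The re-wrapping of the "Why" paragraphs in PATCH 1/3 (trg-7-01.md, hunk `@@ -2,20`) is unrelated to the DEPENDENCIES change and is partly undone in PATCH 2/3 (hunk `@@ -13,12`), where the "source of truth is always the Eclipse Foundation Project Handbook" sentence goes back to a single line. Suggest dropping the reflow from the series, or squashing it, so the diff for this file shows only the Post-History row and the DEPENDENCIES wording.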
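Review bot: In the DEPENDENCIES FILE section of trg-7-01.md (PATCH 1/3, hunk `@@ -75,22`), the added sentence "It is advisable to run the check after every commit or during the nightly, surely it is mandatory to run it before the release" puts a recommendation and a requirement into one comma-spliced sentence and never says which check is meant. Suggest two sentences: one recommending a Dash License Tool run on every commit or nightly, and one stating that the run **must** happen before a release and that no `rejected` or `restricted` dependency may be part of the delivered artifacts. The paragraph above it ("published to a static location (e.g. GitHub Pages) and linked in the NOTICE file") also does not say whether the published file has to correspond to a specific commit or release; since the NOTICE link is what a consumer will follow, the text should state which revision the published file describes.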
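Review bot: The trg-7-04.md hunk `@@ -56,7` in PATCH 1/3 still reads "Add the summary as DEPENDENCIES file to the according repository (root level)", which contradicts the alternative this series introduces in trg-7-01.md (publishing the file to a static location and linking it from NOTICE). The subject line says TRG 7-04 is being updated to permit unbinding the file from the main branch, but both trg-7-04.md hunks only rename DEPENDENCY to DEPENDENCIES. Suggest rewording this bullet to allow either option and to point to the DEPENDENCIES FILE section of TRG 7.01.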
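Review bot: In PATCH 2/3 (trg-7-01.md, hunk `@@ -37,7`), "if appropriate actions are taken" leaves the condition for omitting DEPENDENCIES from the main branch undefined at the point where the exception is granted. Suggest naming the actions here, as the DEPENDENCIES FILE section describes them: the file is published to a static location, linked from NOTICE, and the license check is run before release. The rule that the file "**must** be present on root level for every released version" also appears only in this list; the DEPENDENCIES FILE section still says the files "can be kept either checked in the git repository or published to a static location" with no release exception, so a reader of that section alone could ship a release without the file. Repeating the release requirement there would close the gap.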