Contribution proposal: Scorecard Monitor and Scorecard API Visualizer #238
Comments
|
Hi, |
The maintainers (@KoolTheba and myself) plan to continue maintaining the project and further involvement after the contribution/donation 👍 |
|
Spoke with @SecurityCRob and he'll take a look at this request soon! |
|
Hi Stephen - Thanks for flagging this for me. We'll want to follow the process documented in the TAC github for sandbox entry: 1.) Projects must have a minimum of two maintainers with different organization affiliations. Monitor Visualizer
Have you talked about these two projects with the Scorecard team and they were cool with the idea? CC'ing @laurentsimon (my point of contact for the Scorecard project to the BEST WG). On the whole, I am very positive about this and once I hear back from the project team, we can create the PR start the IP review stage in the TAC repo. Cool ideas, nice extensions of the existing Scorecard work! |
|
First of all, welcome! We're always glad to see people trying to improve security! To me, these look like new projects being proposed by @UlisesGascon and @KoolTheba - which is awesome! We'll need to do a quick legal review. I think these projects are all code projects, yes? All use Apache-2.0 or MIT licenses, correct? Those two are always fine for code (per OpenSSF charter). Please email me at dwheeler @ linuxfoundation.org, I'll forward you on to others for legal review. I don't expect any problems, but we always have to do a basic legal review. |
|
Thanks for flagging this @david-a-wheeler operations had missed this as we have only expected this IP Policy and License Review to come through TAC issued. We have moved this through the system, and legal will get back to us on the timeline for when they can finish the request. @justaugustus you should know to always ping [email protected] by now! :) We apologies for the delay. |
|
@hythloda - as always, thank you!! If it's just Apache-2.0 and MIT licenses there's usually no issues. Please let us know if you have trademarks, domain names, patents, etc. As I mentioned earlier, I expect no issues. |
|
Legal says they will get to it next week. |
|
@hythloda - nothing to apologize for. I figured we could get the legal review started sooner, so we can complete it sooner. |
lehors
changed the title
|
I took the liberty to change the title because the original one really conveyed the wrong idea. |
|
How did the legal review go? Are we good to merge and adopt some new friends? |
Still waiting on legal, they normally do Friday updates but haven't heard back yet :( |
|
Just to provide an update... Legal (and LF staff in general) were busy with LF Member Summit this week. Hoping for an update next week! |
|
Should get the update tomorrow |
|
`### LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: openssf-scorecard-monitor
CODE SCANNED: [pulled 01–Dec-2023] PROJECT LICENSE: MIT
SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.
PERMISSIVE LICENSES: MIT, Apache-2.0, BSD-3-Clause COPYLEFT LICENSES: None found PROPRIETARY LICENSES: None found LICENSE CONFLICTS: None found BINARY / PACKAGE FILES: None found THIRD PARTY CODE / DEPENDENCIES: Dependecies were found in package.json files. These dependencies were not scanned, and any potential license conflicts from them are not identified here.
THIRD PARTY NOTICE FILE: None found SUMMARY FINDINGS: The code is licensed under the MIT license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found. LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: openssf-scorecard-api-visualizer
CODE SCANNED: [pulled 01–Dec-2023] PROJECT LICENSE: Apache-2.0
SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.
PERMISSIVE LICENSES: Apache-2.0 COPYLEFT LICENSES: None found PROPRIETARY LICENSES: None found LICENSE CONFLICTS: None found BINARY / PACKAGE FILES: None found THIRD PARTY CODE / DEPENDENCIES: Dependecies were found in package.json files. These dependencies were not scanned, and any potential license conflicts from them are not identified here.
THIRD PARTY NOTICE FILE: None found SUMMARY FINDINGS: The code is licensed under the Apache-2.0 license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found. ` |
|
@jeffcshapiro - thanks for the scan! Adding license info to each source file is a good practice, but that won't prevent initial acceptance. License of the main code looks fine to me (let me know if I missed something). I presume there aren't other legal "IP" things to deal with beyond copyright, correct? I'm thinking trademarks, trade secrets, patents, domain name registrations, or government seals. I doubt any of that's an issue, but if it is please let us know. The goal is to make sure there are no legal "gotchas". |
Agreed - a good idea but no reason to cause any delay.
The project under MIT (which is a fine license) you may want to re-license under Apache-2.0 as I think that is what your charter specifies, or your board can approve a simple exception if needed.
I don't think there is anything else, but I will double-check with @mkdolan |
Actually the OpenSSF charter provides for code to be licensed under either the Apache 2.0 license or the MIT license so the code can stay with the MIT license. |
|
@lehors is correct, the charter specifically states that MIT or Apache-2.0 is fine. Other licenses are possible but require governing board approval. So the code can stay with the MIT license, there's no problem. |
|
@justaugustus : Are there any other legal "IP" things to deal with beyond copyright? E.g., trademarks, trade secrets, patents, domain name registrations, or government seals? I doubt any of that's an issue, but if there is something please let us know. The reviews above don't show any copyright-related issues. Really, this looks like all is smooth sailing, but we just need to confirm that there aren't any other potential issues (if there are issues, we want to quickly get them resolved). |
|
As far I know there are no other "IP" thing in any of the projects ( trademarks, trade secrets, patents, domain name registrations, or government seals). 👍 |
|
Is there anything that I can do to help with this? 🙂 |
|
@david-a-wheeler - since you were helping on the staff-side, could you check and see what we need to do to close this out? It looks like things are good, but just want official LF-word so we can let these folks keep rolling. |
|
@hythloda - as noted above, no legal issues have been identified. MIT license is fine, license scan saw no issues, no other legal issues have been identified (patent, trademark, domain name, etc.). I presume this is fine by today's end unless I hear otherwise...! |
|
My understanding is we are waiting on the Scorecard charter to be approved @justaugustus might know more. |
|
Do we know if the Scorecard charter was approved? (cc: @justaugustus ) |
|
any news? Just a friendly ping 😊 |
|
@hythloda or @justaugustus may know more. Any news? |
|
We've just completed review of the Scorecard project charter with LF Legal and it's over to them to establish the project officially. @afmarcum or I will provide an update on this issue weekly! |
|
Closing this, as any remaining items for the project donation are constrained within the scope of the OpenSSF Scorecard, which is now chartered, with donation requirements in draft. Thanks for the help here everyone! |
As suggested in the [updated] process for project donation, interested parties should submit a request to the relevant WG for consideration.
We've been having discussions with the maintainers of Scorecard Monitor and openssf-scorecard-api-visualizer and they are interested in donating these projects to OpenSSF as part of the Scorecard ecosystem.
Our ecosystem today:
Given Scorecard is already an OpenSSF project and its maintainers are interested in absorbing these new projects, what is the best way to move forward?
WG maintainers: @SecurityCRob @david-a-wheeler @drusso-rh
Scorecard maintainers: @ossf/scorecard-maintainers
xref: ossf/scorecard#3204, https://lists.openssf.org/g/openssf-tac/message/686
The text was updated successfully, but these errors were encountered: