Committer Due Diligence Guidelines

Last updated: September 29, 2014

Introduction

Eclipse Committers play a very important role in the operation of the Eclipse Foundation open source projects. This document outlines the responsibilities and explains some of the basic concepts Eclipse Committers need to understand in their role as a committer. If you are an Eclipse Committer and have any questions after reading this document, submit them to your Project Management Committee (PMC) or the Eclipse Management Organization (EMO).

Contributors and Committers

Anyone who makes contributions to the Eclipse Foundation website and to Eclipse Foundation projects is considered to be a Contributor. Contributors submit contributions such as code, documentation, and other materials through a number of channels, including the forums, mailing lists, Gerrit code review system, and Bugzilla bug reporting system. In general, anyone may have access to these systems, although passwords may be used for spam control purposes. Contributions made through the forums and mailing lists are generally made when users chat and exchange ideas. Contribution of code is very rarely made through these channels. Code contributions would more likely be found attached to a Bugzilla report.

Contributors that have made significant contributions to Eclipse Foundation projects may be promoted to Committer status. A Contributor may become a Committer once having been nominated and voted in by other Committers. However, the appointment of a new Committer is subject to confirmation by the relevant PMC. Committers have a responsibility to help ensure that all content redistributed on the Eclipse Foundation servers is appropriate. In the case of forum and mailing list posts and Bugzilla reports, it is possible for Contributors to submit inappropriate content without the knowledge of Committers. If a Committer finds content on one of these systems that does not seem appropriate, based on the standards set out in this document or based on the Committer’s good judgement and experience, they should contact the EMO or a PMC member immediately.

Committers receive write-access to Eclipse Foundation systems that Contributors do not have. Depending on the nature of their participation, this may include write-access to the source code repositories, the download servers, and the web site. Committed content in the source code repository becomes immediately available to Eclipse Foundation visitors and users. More importantly, this content is used to create daily builds that may be downloaded by thousands of people each day and may be incorporated into many free and commercially-available software products. Due to the potential for downstream redistribution, Committers are required to help ensure that inappropriate content is not placed in the source code repository. Content contributed to the webpages on the Eclipse Foundation web site is less likely to be incorporated into software products. However, by its nature, it may be seen by visitors to the web site, and its impact is generally more immediate.

Committers are usually Contributors as well. In addition to incorporating and releasing content contributed by others, Committers may commit contributions, often significant ones, which they have developed themselves. Some Committers may never commit any content other than what they have authored themselves. Even though they may be more confident in the pedigree of their own contributions, they still need to ensure that their content is appropriate.

How Content is Received

All content submitted through any of the channels existing on the Eclipse Foundation website, such as the forums, mailing lists, Gerrit code review system, and Bugzilla bug reporting system, or any of the other services, is licensed to others under the terms and conditions of the Eclipse.org Terms of Use (or one or more of the agreements or licenses it refers to). All content submitted through any channel other than the Eclipse Foundation website must be approved by the PMC, and submitted to the EMO, via the Contribution Questionnaire, for due diligence approval, prior to being committed to the source code repository. It is highly recommended that each Committer review and understand the Eclipse Due Diligence Process.

How Content is Distributed

Users and recipients of content distributed by the Eclipse Foundation are granted rights to the content by the various licenses used by the Eclipse Foundation, primarily the EPL. The Eclipse Foundation Software User Agreement is the primary document used for distributing content. It is an umbrella agreement that defers to various notices and licenses including the EPL.

Due Diligence Procedures

Also please see this Eclipse Legal process overview document which provides a pictorial representation of the due diligence process.

Receiving contributions

IMPORTANT NOTE: Committers should never accept a contribution received via a private communication such as e-mail. It is important that all contributions are received through one of the channels described above to ensure that all necessary licenses are granted and that there is a public, timestamped, and archived record of the submission.

Before accepting each contribution, the Committer must check the following:

  1. The Contributor(s) must have an Eclipse Foundation Contributor License Agreement (CLA) on file. It is the responsibility of the Committer to verify that there is a valid CLA on file for the author(s) of each contribution.
  2. The Contributor must have signed-off the Contribution, indicating that they are in compliance with the Eclipse Foundation Contributor’s Certificate of Origin.

Appropriateness of Contributions

A Committer cannot always assume that contributed content can be freely used or redistributed. Committers are obligated to ensure the appropriate due diligence has been completed before incorporating and redistributing content received from others. The process for performing due diligence depends on whether the contribution is deemed to be a “significant” one. A "significant" contribution is a substantial amount of code or content that introduces major new functionality into the code base, or any code or module which will be distributed under any license other than the EPL. Any contribution greater than 1000 lines of code is deemed to be "significant". If necessary, the EMO can assist in determining whether a contribution should be classified as “significant”.

For “significant” contributions, the following three steps should be used in determining if the contributed content is suitable for committing to an Eclipse Foundation project:

  1. The Committer, possibly with assistance from the Contributors, must complete the Eclipse Foundation Contribution Questionnaire ("CQ").
  2. The PMC must approve of the content’s suitability for the Eclipse Foundation project, and indicate their approval on the CQ. The analysis performed by the PMC is usually one of a purely technical nature.
  3. The EMO must approve or not approve the contribution. This decision will be based upon the EMO’s due diligence review of the contribution’s content and licensing.

For simple bug fixes and minor enhancements contributed under the Eclipse Foundation Terms of Use, PMC and EMO approval is not required. However, the Committer is expected to ensure the appropriateness of the contribution and its availability for redistribution and modification by the Eclipse Foundation. There are many factors in making these determinations, including license compatibility, confidentiality, copyright rights, patents, export control laws, the absence of profanity, acceptable standards of code quality and coding style, etc. If a Committer has any concerns on these topics, they should seek assistance from the EMO.

If the contribution has any “legal” terms or conditions associated with it whatsoever (other than a simple statement saying the contribution is licensed under the EPL) the contribution must be approved by the appropriate PMC before being utilized. Possible “legal” terms or conditions include anything referring to “copyright”, “patent”, “trade secret”, “confidential”, “license” or “rights,” or any other language purporting to grant or reserve any rights to use or distribute the contribution, or limit public distribution of the contribution. The PMC (with assistance from the EMO as necessary) will determine if the “legal” language is consistent with the EPL as applicable.

Given the amount of time required to complete the due diligence process on these packages, the Committer should allow sufficient time for the appropriate review process to complete.

Cryptography

If the contribution is known or is believed to contain any type of encryption or decryption software, the contribution must be approved by the appropriate PMC before being utilized.

Cryptographic content from the Eclipse Foundation has been given a classification as Export Commodity Control Number (ECCN) 5D002.C.1 by the U.S. Government Department of Commerce, Bureau of Export Administration, and is deemed eligible for export under License Exception ENC Technology Software Unrestricted (TSU) for object code and (cryptographic) source code. However, under this license exception, the content may not contain cryptanalytic functionality, such as a cryptographic codebreaker. It is the Committer’s obligation to ensure that the content does not contain functionality that would require a change in export classification.

Any modification, addition or removal of cryptographic code should be brought to the PMC’s attention.

Any Contributions containing Cryptography should have information regarding the Cryptography documented in the “About” file for the plug-in that will contain the Contribution (example About file). The Committer should work with the EMO to ensure the About file has the appropriate documentation before the contribution is committed to the source code repository.

Code Quality and Style

Each project may have its own standards for quality and style. However, any profanity found in the code or its comments is considered unacceptable and should be removed before the content is contributed. For more details on the project’s standards, please consult with the PMC.

Legal Documentation

It is very important that all content contains the correct legal documentation. Please read the Guide to legal documentation for Eclipse-based content.

If you require assistance in preparing any of this documentation, contact your PMC or the EMO. All legal documentation should be approved by the EMO prior to committing the content.

Third-Party Content

There are cases where content redistributed at the Eclipse Foundation is not received as a contribution under the default license(s) of the project (which is typically the EPL). Rather, the content was obtained from another source and is redistributed under another license. The most common case is a Committer who wishes to redistribute content maintained by another open source project, outside of the Eclipse Foundation. Some examples of such packages currently being redistributed by the Eclipse Foundation are projects maintained by The Apache Software Foundation, Mozilla, GTK+, JUnit, JCraft, and others.

Before any such package can be redistributed by the Eclipse Foundation, the Committer must create a Contribution Questionnaire, providing details of the package to the EMO and the PMC. The package will then be reviewed as follows:

  • The PMC will decide whether the package’s functionality is required, and approve it for use by the project,
  • The EMO will decide on the compatibility of the contribution’s license with the EPL (or other default license(s) for the project), and
  • The EMO will initiate the IP due diligence review.

Tracking Contributions

Tracking of each contribution within a project is very important from a legal point of view. As well, it allows for the appropriate acknowledgement of each Contributor. Currently at the Eclipse Foundation, this information about each contribution is typically maintained within the standard copyright and license notice contained within the source files. However, it is advisable that each project maintain a Project IP Log file to track the summary information about each contribution and links to related Bugzilla reports within a project. A well maintained Project IP Log will be a valuable piece of information in anticipation of a major release. See Using the IPLog+ Flag in Bugzilla for helpful hints on maintaining your Project IP Log. To find out about the Project IP Log file related to your project, contact your PMC.

Summary

To avoid downstream problems, it is necessary to exercise the appropriate due diligence. In addition to these specific standards, the community relies on Committers to exercise their own judgment with respect to other factors that may make the contribution inappropriate for use. If a Committer has doubts about the appropriateness of the contribution for any reason, then that Committer should investigate and consult with the applicable PMC, who will call on or direct the Committer to EMO resources if necessary.