Eclipse Committer Due Diligence Guidelines
Eclipse Committers play a very important role in the operation of the Eclipse Foundation open source projects. This document outlines the responsibilities and explains some of the basic concepts Eclipse Committers need to understand in their role as a committer. If you are an Eclipse Committer, should you have any questions after reading this document, your questions should be submitted to your Project Management Committee (PMC) or the Eclipse Management Organization (EMO).
Anyone who makes contributions to the Eclipse Foundation website and to Eclipse Foundation projects are considered to be Contributors. These Contributors submit contributions such as code, documentation, and other materials which must be received as Git commits using infrastructure provided by the Eclipse Foundation.Contributors that have made significant contributions to Eclipse Foundation projects may be promoted to Committer status. A Contributor may become a Committer once having been nominated and voted in by other Committers. The appointment of a new Committer is subject to confirmation by the relevant PMC. Committers have a responsibility to help ensure that all content redistributed on the Eclipse Foundation servers is appropriate. In the case of mailing list posts and issue reports, it is possible for Contributors to submit inappropriate content without the knowledge of Committers. If a Committer finds content on one of these systems that does not seem appropriate, based on the standards set out in this document or based on the Committer’s good judgement and experience, they should contact the EMO or a PMC member immediately.
Committers receive write-access to Eclipse Foundation resources and services that contributors do not have. This includes write-access to the source code repositories, the download servers, and the web site. Committed content in the source code repository becomes immediately available to Eclipse Foundation visitors and users. More importantly, this content is used to create daily builds that may be downloaded by thousands of people each day and may be incorporated into many free and commercially-available software products. Due to the potential for downstream redistribution, Committers are required to help ensure that inappropriate content is not placed in the source code repository. Content contributed to the webpages on the Eclipse Foundation website are less likely to be incorporated into software products. However, by their nature, they may be seen by visitors to the web site and their impact is generally more immediate.
Committers are usually contributors as well. In addition to incorporating and releasing content contributed by others, Committers may commit (often significant) contributions which they have developed themselves. Some Committers may never commit any content other than what they have authored themselves. Even though they may be more confident in the pedigree of their own contributions, they still need to ensure that their content is appropriate.
All content must be received as Git commits via infrastructure provided by the Eclipse Foundation. All content submitted through any channel other than the Eclipse Foundation infrastructure must be approved by the PMC, and submitted to the EMO, via a Contribution Questionnaire for due diligence approval, prior to being committed to the source code repository. It is highly recommended that each Committer review and understand Intellectual Property Management at the Eclipse Foundation and the Eclipse Foundation’s Due Diligence Process in particular.
Users and recipients of content distributed by the Eclipse Foundation are granted rights to the content by the declared project license(s). The project license(s) are described on the each project’s website, the license and notice files in the project’s software repositories, and in the copyright headers of individual source files..
Please see this Eclipse Legal process overview document which provides a pictorial representation of the due diligence process.
IMPORTANT NOTE: Committers should never accept a contribution received via a private communication such as email. It is important that all contributions are received through one of the channels described above to ensure that all necessary licenses are granted and that there is a public, timestamped, and archived record of the submission.
Before accepting every contribution, the Committer must check the following:
That the name and email address of the Contributors are accurately captured;
That the Contributors have signed the Eclipse Contributor Agreement (ECA); and .
That the Contributor has signed-off the Contribution, indicating that they are in compliance with the Developer Certificate of Origin as defined in the ECA.
It is the responsibility of the Committer to verify that there is a valid ECA on file for the author(s) of each contribution.
A Committer cannot always assume that contributed content can be freely used or redistributed. Committers are obligated to ensure the appropriate due diligence has been completed before incorporating and redistributing content received from others. The process for performing due diligence depends on whether the contribution is deemed to be a "significant" one. A "significant" contribution is a substantial amount of code or content that introduces major new functionality into the code base, or any code or module which will be distributed under any license other than the project license(s).
Any contribution greater than 1,000 lines of code is deemed to be "significant". If necessary, the EMO can assist in determining whether a contribution should be classified as "significant".
For "significant" contributions, the following three steps should be used in determining if the contributed content is suitable for committing to an Eclipse Foundation project,
The Committer, possibly with assistance from the Contributors, must complete the Eclipse Foundation Contribution Questionnaire ("CQ").
The PMC must approve of the content’s suitability for the Eclipse Foundation project, and indicate their approval on the CQ. The analysis performed by the PMC is usually one of a purely technical nature.
The EMO must approve the contribution. This decision will be based upon the EMO’s due diligence review of the contribution’s content and licensing.
If the contribution has any "legal" terms or conditions associated with it whatsoever (other than a simple statement saying the contribution is licensed under the project license(s)) the contribution must be approved by the appropriate PMC before being utilized. Possible "legal" terms or conditions include anything referring to "copyright", "patent", "trade secret", "confidential", "license" or "rights," or any other language purporting to grant or reserve any rights to use or distribute the contribution, or limit public distribution of the contribution. The PMC (with assistance from the EMO as necessary) will determine if the "legal" language is consistent with the project license(s) as applicable.
Given the amount of time required to complete the due diligence process on these packages, the Committer should allow sufficient time for the appropriate review process to complete.
If the contribution is known or is believed to contain any type of encryption or decryption software, the contribution must be approved by the appropriate PMC before being utilized.
Cryptographic content from the Eclipse Foundation has been given a classification as Export Commodity Control Number (ECCN) 5D002.C.1 by the U.S. Government Department of Commerce, Bureau of Export Administration, and is deemed eligible for export under 15 CFR §742.15(b), and deemed not subject to Export Administration Regulations as publicly available encryption source code classified ECCN 5D002.. However, under this license exception, the content may not contain cryptanalytic functionality, such as a cryptographic codebreaker. It is the Committer’s obligation to ensure that the content does not contain functionality that would require a change in export classification. If you have any questions regarding cryptography or export controls, please contact firstname.lastname@example.org.
Any modifications, additions or removal of cryptographic code, should be brought to the PMC’s attention.
Any Contributions containing Cryptography should have information regarding the Cryptography documented in notices for the source code repository and distribution forms that contain the Contribution. The Committer should work with the EMO to ensure the notices file has the appropriate documentation before the contribution is committed to the source code repository.
Each project may have its own standards for quality and style. However, any profanity found in the code or its comments are considered unacceptable and should be removed before the content is contributed. For more details on a specific project’s quality or style standards, please connect directly with the project team, or consult with the PMC.
It is very important that all content contains the correct legal documentation. Please read the Legal Documentation Requirements.
If you require assistance in preparing any of this documentation, contact your PMC or the EMO. All legal documentation should be approved by the EMO prior to committing the content.
There are cases where content redistributed at the Eclipse Foundation is not received as a contribution under the the project license(s). The most common case is a Committer who wishes to redistribute content maintained by another open source project, outside of the Eclipse Foundation. Some examples of such packages currently being redistributed by the Eclipse Foundation are projects maintained by The Apache Software Foundation, Mozilla, GTK+, JUnit, JCraft, and others.
Before any such package can be redistributed by the Eclipse Foundation, the Committer must create a Contribution Questionnaire, providing details of the package to the EMO and the PMC. The package will then be reviewed as follows:
The PMC will decide whether the package’s functionality is required, and approve it for use by the project,
The EMO will decide on the compatibility of the contribution’s license with the project license(s), and
The EMO will initiate the IP due diligence review.
Tracking of each contribution within a project is very important from a legal point of view. As well, it allows for the appropriate acknowledgement of each contributor. This information about each contribution is typically maintained within Git commit records, and the standard copyright headers contained within individual source files.
To help support downstream adoption of Eclipse Foundation projects, it is a necessity to exercise the appropriate due diligence. In addition to these specific standards, the community relies on Committers to exercise their own judgment with respect to other factors that may deem the contribution to be inappropriate for use. If a Committer has doubts about the appropriateness of the contribution for any reason, then that Committer should investigate and consult with the applicable PMC, who will call on or direct you to EMO resources if necessary.
Last updated: December 19/2017