Committer Due Diligence Guidelines

Introduction

Eclipse Committers play a very important role in the operation of the Eclipse Foundation open source projects. This document outlines the responsibilities and explains some of the basic concepts Eclipse Committers need to understand in their role as a committer. If you are an Eclipse Committer and have any questions after reading this document, submit them to your Project Management Committee (PMC) or the Eclipse Management Organization (EMO).

Contributors and Committers

Anyone who makes contributions to the Eclipse Foundation website and to Eclipse Foundation projects is considered to be a Contributor. Contributors submit contributions such as code, documentation, and other materials, which must be received as Git commits (e.g., merge or pull requests) using infrastructure provided by the Eclipse Foundation.

Contributors that have made significant contributions to Eclipse Foundation projects may be promoted to Committer status. A Contributor may become a Committer once having been nominated and voted in by other Committers. The appointment of a new Committer is subject to confirmation by the relevant PMC.

Committers have a responsibility to help ensure that all content redistributed on the Eclipse Foundation servers is appropriate. In the case of mailing list posts and issue reports, it is possible for Contributors to submit inappropriate content without the knowledge of Committers. If a Committer finds content on one of these systems that does not seem appropriate, based on the standards set out in this document or based on the Committer’s good judgement and experience, they should contact the EMO or a PMC member immediately.

Committers receive write-access to Eclipse Foundation resources and services that contributors do not have. This includes write-access to the source code repositories, the download servers, and the web site. Committed content in the source code repository becomes immediately available to Eclipse Foundation visitors and users. More importantly, this content is used to create daily builds that may be downloaded by thousands of people each day and may be incorporated into many free and commercially-available software products. Due to the potential for downstream redistribution, Committers are required to help ensure that inappropriate content is not placed in the source code repository. Content contributed to the webpages on the Eclipse Foundation website is less likely to be incorporated into products. However, by its nature, it may be seen by visitors to the web site and its impact is generally more immediate.

Committers are usually contributors as well. In addition to incorporating and releasing content contributed by others, Committers may commit (often significant) contributions which they have developed themselves. Some Committers may never commit any content other than what they have authored themselves. Even though they may be more confident in the pedigree of their own contributions, they still need to ensure that their content is appropriate.

How Content is Received

All content must be received as Git commits via infrastructure provided by the Eclipse Foundation. All content submitted through any channel other than the Eclipse Foundation infrastructure must be approved by the PMC, and submitted to the EMO for IP due diligence review prior to being committed to the source code repository. It is highly recommended that each Committer review and understand Intellectual Property Management at the Eclipse Foundation and the Eclipse Foundation’s IP Due Diligence Process in particular.

How Content is Distributed

Users and recipients of content distributed by the Eclipse Foundation are granted rights to the content by the declared project licence(s). The project licence(s) are described on each project’s website, in the licence and notice files in the project’s software repositories, and in the copyright headers of individual source files.

Due Diligence Procedures

The Eclipse Foundation Project Handbook describes the IP Due Diligence Process.

Receiving contributions

IMPORTANT NOTE: Committers should never accept a contribution received via a private communication such as email. It is important that all contributions are received through one of the channels described above to ensure that all necessary licences are granted and that there is a public, timestamped, and archived record of the submission.

Before accepting every contribution, the Committer must check the following:

  1. That the name and email address of the Contributors are accurately captured in the Git commit header; and
  2. That the Contributors are covered by an Eclipse Foundation contributor agreement (one of the ECA, ICA, or MCCA).

NOTE: Eclipse project Git repositories (e.g., on GitHub) are configured to check whether or not a contributor is covered by a contributor agreement.

It is the responsibility of the Committer to verify that there is a valid ECA on file for the author(s) of each contribution.

Appropriateness of Contributions

A Committer cannot always assume that contributed content can be freely used or redistributed. Committers are obligated to ensure the appropriate due diligence has been completed before incorporating and redistributing content received from others. The process for performing due diligence depends on whether the contribution is deemed to be a “significant” one. A “significant” contribution is a substantial amount of code or content that introduces major new functionality, or any code, module, or content which will be distributed under any licence other than the project licence(s).

Any contribution greater than 1,000 lines of content is deemed to be “significant”. If necessary, the EMO can assist in determining whether a contribution should be classified as “significant”.

For “significant” contributions, the Committer, possibly with assistance from the Contributors, must engage in the IP Due Diligence Process for Project Content.

For simple bug fixes and minor enhancements contributed under the Eclipse Foundation Terms of Use, PMC and EMO approval is not required. However, the Committer is expected to ensure the appropriateness of the contribution and its availability for redistribution and modification by the Eclipse Foundation. There are many factors in making these determinations, including licence compatibility, confidentiality, copyright rights, patents, export control laws, absence of profanity, acceptable standards of code quality and coding style, etc. If a Committer has any concerns on these topics, they should seek assistance from the EMO.

If the contribution has any “legal” terms or conditions associated with it whatsoever (other than a simple statement saying the contribution is licensed under the project licence(s)) the contribution must be approved by the appropriate PMC before being utilised. Possible “legal” terms or conditions include anything referring to “copyright”, “patent”, “trade secret”, “confidential”, “licence” or “rights,” or any other language purporting to grant or reserve any rights to use or distribute the contribution, or limit public distribution of the contribution. The PMC (with assistance from the EMO as necessary) will determine if the “legal” language is consistent with the project licence(s) as applicable.

Given the amount of time required to complete the due diligence process, the Committer should allow sufficient time for the appropriate review process to complete.

Cryptography

If the contribution is known or is believed to contain any type of encryption or decryption software, the contribution must be approved by the appropriate PMC before being utilised.

Cryptographic content from the Eclipse Foundation has been given a classification as Export Commodity Control Number (ECCN) 5D002.C.1 by the U.S. Government Department of Commerce, Bureau of Export Administration, and is deemed eligible for export under 15 CFR §742.15(b), and deemed not subject to Export Administration Regulations as publicly available encryption source code classified ECCN 5D002. However, under this licence exception, the content may not contain cryptanalytic functionality, such as a cryptographic codebreaker. It is the Committer’s obligation to ensure that the content does not contain functionality that would require a change in export classification. If you have any questions regarding cryptography or export controls, please contact license@eclipse-foundation.org.

Any modification, addition, or removal of cryptographic code should be brought to the PMC’s attention.

Any Contributions containing Cryptography should have information regarding the Cryptography documented in notices for the source code repository and distribution forms that contain the Contribution. The Committer should work with the EMO to ensure the notices file has the appropriate documentation before the contribution is committed to the source code repository.

Code Quality and Style

Each project may have its own standards for quality and style. However, any profanity found in the code or its comments is considered unacceptable and should be removed before the content is contributed. For more details on a specific project’s quality or style standards, please connect directly with the project team, or consult with the PMC.

Legal Documentation

It is very important that all content contains the correct legal documentation. Please read the Legal Documentation Requirements.

If you require assistance in preparing any of this documentation, contact your PMC or the EMO. All legal documentation should be approved by the EMO prior to committing the content.

Third-Party Content

There are cases where content redistributed at the Eclipse Foundation is not received as a contribution under the project licence(s). The most common case is a Committer who wishes to redistribute content maintained by another open source project, outside of the Eclipse Foundation. Some examples of such packages currently being redistributed by the Eclipse Foundation are projects maintained by The Apache Software Foundation, Mozilla, GTK+, JUnit, JCraft, and others.

Before any such package can be redistributed by the Eclipse Foundation, the Committer must engage in the IP Due Diligence Process for Third Party Content.

Tracking Contributions

Tracking of each contribution within a project is very important from a legal point of view. As well, it allows for the appropriate acknowledgement of each contributor. This information about each contribution is typically maintained within Git commit records, and the standard copyright headers contained within individual source files.

Each project team must take steps to ensure that intellectual property is properly received, so that it can be tracked.

Summary

To help support downstream adoption of Eclipse Foundation projects, it is necessary to exercise the appropriate due diligence. In addition to these specific standards, the community relies on Committers to exercise their own judgment with respect to other factors that may render the contribution inappropriate for use. If a Committer has doubts about the appropriateness of the contribution for any reason, then that Committer should investigate and consult with the applicable PMC, who will call on or direct the Committer to EMO resources if necessary.