To be clear, the requirement is that we have license information from a trusted source for intellectual property. IPZilla is one of those sources and ClearlyDefined is the other. We may potentially add other sources (when such sources present themselves).
We no longer require piggyback CQs. From the perspective of the IP Policy and EMO Intellectual property team, there is no longer any need to treat Orbit as special. That is, we'd like to see ATO eliminated. If a library is "license certified" or "approved" by any project, then it can just be used by any other project.
For ClearlyDefined, we consider the license information for content to be acceptable if the effective score is at least 50.
I've developed a prototype tool that can be used to vet the license of content based on identifiers (e.g. Maven GAV). I'm moving this to Eclipse Dash. One of the things that the tool does now is cite the source of the vetted license information ("CQ999", "clearlydefined", or "projectcode"). I've been thinking of extending this to include a URL pointer to the source.
For this new regime to work, we depend on regular IP Log checks. We do IP Log checks when projects engage in release reviews. Per the EDP, a project needs to engage in a release review only once every year.
Since I believe that Eclipse Orbit engages in what could be considered releases, I believe that it is reasonable to require that the project engage in an annual review like every other open source project at the Eclipse Foundation. Feel free to argue with me.
Wayne