Project Governance Documents #15
Comments
Thank you for putting this together! I'm taking a quick look before
hopping on a flight and had a few questions.
First, in 7 b (i), it says that "All new inbound code contributions to the
Project must be made using Community Specification License 1.0 (the
“Project License”)." Code contributions (i.e., implementations of parts of
SBOMit) would usually be under a license like Apache 2.0, whereas
specification edits, etc. would be under CSL 1.0.
Also, I wanted to note that as far as I know, we have not registered a
trademark. I'm not sure who (if anyone) would sign those documents.
…On Thu, Sep 28, 2023 at 8:52 AM Amanda L Martin ***@***.***> wrote:
Hello SBOMit!
The Linux Foundation has an initial set of documents for you to review
that we think are useful for SBOMit:
1. Technical Charter Draft
<https://docs.google.com/open?id=1hcSlXbVFQLAsGG8XJzEUS5ayRtH2GttlIsQqs8-V7Jc>
2. Contribution Agreement Draft
<https://docs.google.com/open?id=18WfW76fFFQ_W80tDRlLMLpSnU9oxaT-ip_V3dHfA7KI>
3. Series Agreement Draft
<https://docs.google.com/open?id=1IheIFiRb3FYZY0fhNcP-ltsYe5eSODxvZEP088CHYto>
Please review these materials and let us know if you have any questions.
To give you some background on these materials:
*Technical Project Charter Template*
A technical charter is created for all new projects to define both the
project operations and the IP policy. This document is used to set up an
LLC entity, and this becomes the core governance of that LLC. We have
proposed technical oversight for the project falls to a “Technical Steering
Committee” made up of the project’s committers. At a later date the TSC is
free to evolve how membership on the TSC is determined to accommodate
project growth and the evolution of its governance.
If you like this doc as is let me know and we can adopt it, if you have
changes then come to an agreement together and then we can look at it
too.
*Project Contribution Agreement*
In order to enable collaboration across organizations, the Linux
Foundation and its project hosting entities hold project names, logos and
key accounts (e.g., domain names, GitHub accounts, etc.) for the benefit of
the project community. The way we do this is through the execution of the
Project Contribution Agreement with the project’s founding organization or,
in some cases, individual. While companies transferring project names and
logos to us can continue to use those names and logos in accordance with our
trademark usage guidelines (please see
https://lfprojects.org/policies/trademark-policy/), project names should
not be used as part of a commercial product name. If you are currently
using the name of the project as part of a product name, please let us know.
While the Project Contribution Agreement will ask about any trademark
registrations, please note your organization may have common law trademark
rights in a project name even if a registration has not been filed.
Therefore, unless the project name has never been used publicly, we have
Project Contribution Agreements signed even if there are no trademark
registrations.
*Series Agreement*
You will note that the Technical Charter refers to the project as being
organized as a “series” of LF Projects, LLC. LF Projects, LLC is one of our
project hosting entities, and is a Delaware series limited liability
company. Using LF Projects, LLC allows us to give a form of legal identity
to projects. The document that gives existence to the project as a series
of LF Projects, LLC, is the ‘Series Agreement’. The Series Agreement is a
document signed by LF personnel, and no action is required on your part in
creation of the series. We are including a copy of the Series Agreement in
this packet because the Technical Charter will include references to the
Series Agreement and the Series Manager (an LF employee who can act on
behalf of the series).
*Next Steps:*
In terms of moving forward, the next steps are as follows:
- Come to agreement on the finalized language for the Technical
Charter.
- We (OpenSSF) are in the process of upgrading and transitioning our
GitHub to an Enterprise Account to https://github.com/openssf, so we
want to wait on this to avoid duplicate efforts but eventually we can host
your project there. In the meantime, add ‘thelinuxfoundation’ as an owner
of the GitHub org
- Send .svg of existing logo to ***@***.***
- We should prepare an announcement concerning the project launching
with the OpenSSF ***@***.***
- Add the following as a website footer in tandem with announcement:
Copyright © SBOMit a Series of LF Projects, LLC
For web site terms of use, trademark policy and other project policies
please see https://lfprojects.org/.
Should you have any questions, please do not hesitate to contact us. If
you’d like to set up time to discuss these documents in further detail,
please let us know a few suitable times.
*Contacts*
Your OpenSSF contact is Amanda Martin @hythloda
<https://github.com/hythloda> on GitHub or ***@***.***
with any questions. You can book a time in my Calendar
<https://www.linuxfoundation.org/meetings/amartin56> or invite me to any
of your meetings to discuss the documents and I will generally rearrange my
calendar to attend.
Project Formation
If you have any questions about the process of bringing your project to
the LF, please reach out to Scott Nicholas, VP of Project Formation, and
Todd Benzies, Senior Director of Project Formation, at
***@***.***
It's good to review the FAQ on Project formation
<https://docs.google.com/document/d/1TDshar1MIh43s7ehDskh8PbpEhd7eurrpxo7gM9WWco/edit>
.
Thank you!
Thanks! @JustinCappos I am working with the LF legal team now on the licensing issue. They originally wanted the spec license but now they are thinking Apache 2.0 for is best. I will have to get back to you. On another note, are you all ready for the meetings to be hosted by the LF? We normally start a committee in LFX and that also creates a mailing list, the meetings get sent to all people on that list/committee and then it also goes onto the public calendar. We can also just put your NYU zoom link on the public calendar to start. Let us know how we can help!
@hythloda we have a meeting tomorrow and can approach some of these items. We should get back to you pretty quick!
Mostly out of curiosity, the only spot in these documents that reference the OpenSSF is the section referring to a designated TSC member as the point of contact for the OpenSSF. Is the OpenSSF governance over the project defined in any formal way?
The above are the templates we got from OpenSSF staff ( @hythloda ), which I assume we shouldn't modify except as needed. We're super happy to add things like this on our website and everywhere else.
The Technical Charter Draft is yours to modify and come to a consensus. Some groups like changing it more than others. LF likes it when it is all the same of course :) but it is how your group operates. You can see that other projects at OpenSSF like SigStore's are similar. As a project, you will report to the OpenSSF TAC and the expectation is that roughly every quarter, you will do a project update that has what you need, what you have been doing and so forth. Here is an example of done by a working group. We should probably get you on the rotation in the notes, when do you think you would like to start?
I don't think we have a strong preference on the start date for this. Maybe after we sort out the other issues makes sense though, so that we've formally joined? Speaking of that, any final determination on if it is fine for our code contributions to come in under Apache 2.0 instead of CSL 1.0?
…to be released at the same time as the openssf sandbox announcement. Signed-off-by: Ian Dunbar-Hall <[email protected]>
SBOMit/website#10 is in draft state waiting to update the copyright in tandem with the OpenSSF announcement.
Not a legal expert, but LGTM
We talked with LF legal and @JustinCappos talked with NYU legal and we do not need any signatures!!! Just a vote in the next meeting to approve the charter.
This looks good to me!
Looks good. I approve
This LGTM. I approve.
Agree/approve with adopting the project governance documents. @trishankatdatadog I think you are the remaining vote.
IANAL but LGTM ✅