[IP Policy and License Review] gittuf Sandbox Entry #199

Closed
adityasaky opened this issue Sep 1, 2023 · 7 comments
@adityasaky
Contributor

gittuf is seeking admission to the OpenSSF as a sandbox project (#198) under the Supply Chain Integrity WG. As part of the sandbox application process, we are seeking the one-time IP policy and license review from the OpenSSF.

Repository License
https://github.com/gittuf/gittuf Apache-2.0
https://github.com/gittuf/demo Apache-2.0
https://github.com/gittuf/gittuf.github.io Apache-2.0
@adityasaky changed the title from "[IP Policy and License Review]" to "[IP Policy and License Review] gittuf Sandbox Entry" on Sep 1, 2023
@hythloda
Member

Just wanted to let you know that this is still in the works with the Legal team.

@adityasaky
Contributor Author

Thanks for the update!

@hythloda
Member

hythloda commented Sep 25, 2023

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: gittuf

  • This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX, you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED: https://github.com/gittuf [pulled 22-Sept-2023]
3 repos scanned

PROJECT LICENSE: Apache-2.0

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.

  • We recommend that SPDX license identifiers be added to ALL source file headers. [see https://spdx.dev/ids for examples]

PERMISSIVE LICENSES: Apache-2.0

COPYLEFT LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: None found

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: The code is licensed under the Apache-2.0 license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found.

@hythloda
Member

@adityasaky let me know if you have any follow-up questions on this. If you need some help with the SPDX license identifiers, also let us know and we can spend some PMO cycles on it. If you ever need to chat live, you can schedule something on my calendar to discuss.

@adityasaky
Contributor Author

@hythloda I've opened a ticket over on the gittuf repo: gittuf/gittuf#124

Is the SPDX license identifier a necessary step at this point or can we close this issue given the report says "no license conflicts found"? Happy to add the identifiers right away if so!

@hythloda
Member

The SPDX identifiers are "recommended", not required. This can be closed as you suggested and the process can proceed. It would be ideal to have the identifiers in the long term.

@adityasaky
Contributor Author

Thanks!
