Skip to content

Registering CQs

Marc Dumais edited this page Apr 8, 2019 · 43 revisions

This is an effort to have a central place to guide committers who need to register CQs for the project, instead of having these instructions in some PR. There are many cases to cover, and the goal is not to re-write the Eclipse Foundation documentation on this subject. Consult the .pdf below to confirm in which scenario a specific case falls under.

Eclipse Foundation Legal Process Poster(.pdf)

Note in many (probably most) cases it's not necessary to register a CQ for a contribution/PR; e.g. completely original content written by a committer or someone from the same company, containing no cryptography, the whole thing being under the project's license and introducing no new dependencies (prereq or workswith).

Outside of a few simple cases like the one above, many contributions will end-up falling under the "Everything else" blue box on page 1 of the above .pdf.

Case: 3rd party project code copied/forked from another project, into Eclipse Theia (maintained by us)

Assuming the upstream project is not hosted at the Eclipse Foundation, etc. (see .pdf for details about when it's not necessary to register a CQ) and that the license is an approved one:

This case corresponds to this, from the PDF:

  • Page 2 -> Everything else -> project is not Eclipse Foundation one -> license is approved (EPL1, Apache2, ...).

image

  1. navigate to our project page and log-in
  2. On the right side of the page, under "Intellectual Property", chose "Create a Contribution Questionnaire"
  3. type of contribution: "Contribution of code to be maintained by an Eclipse Foundation project"
  4. Fill-in first page:
  • name: 'code copied from project <project> <version/release>'
  • descr: e.g.: "we want to copy content from project <project>, version: <version> for Theia to use. This code will be modified.
  • reason: select "New Feature but not initial contribution"
  • contribution record: URL of the upstream repo we copied from
  • Authors: original authors if known. e.g. paste one copyright notice
  1. Click continue and submit CQ
  2. We then need to attach the copied code (from original project) to the CQ, as a zip or tar archive. It should contain only the copied file(s) as well as file(s) containing potentially relevant license info. e.g. if we copied file foo.ts from directory src/node and there is not relevant license-related file in src, we could create the following archive to attach to the PR:
LICENSE.txt
src/node/foo.ts

Case: new or updated NPM production dependency

[WIP] - New "ECD Theia Intellectual Property Clearance, Approach (Experimental)"

The foundation has proposed a new, less rigid process, where we will be able, in some/most cases, to self-check, for license compatibility of 3rd party dependencies, without the need for a CQ.

If we are not able to complete the license check on our own or have doubts, we can register a CQ to ask the Foundation's IP Team for help. Worst case, we can follow the old process - see Fallback: old process section below.

See below for the ECD Theia Intellectual Property Clearance Approach (Experimental), to see the text provided by the Foundation. This can be referred-to for the principles. Here we'll try to apply this, in a practical way.

Tools needed

ClearlyDefined web tool

Eclipse Foundation approved "Third Party Content Licenses" list.

HOWTO

At a minimum the new or updated dependency should be checked on its own (vs checking the whole recursive set of production dependencies that also includes the new one).

Using the ClearlyDefined workspace link above, enter the name of your dependency; if recognized there should be an auto-complete, that suggests potentially different versions of that dependency. Chose the one we want to add or update.

In the "Workspace", the chosen dependency will be listed. On the right side, there are buttons. Click on the magnifier glass (tooltip: "dig into this definition"). In the "Licensed" section, look at fields Declared and Discovered.

Verify that all licenses in the fields above are part of Foundation's the approved "Third Party Content Licenses" list.

If all licenses are approved: Assuming we have no reason to think that this information is incorrect or incomplete, we're done. else: open a CQ and ask for help, about what to do with the non-approved license(s) or other issue(es) noticed.

Example

In a recent example, we switched from vscode/nsfw v1.0.17 to Axosoft/nsfw v1.22.

In ClearlyDefined, check for the new version of the dependency: type "nsfw" in the text field. Many versions of this package will be suggested, as completions. In this case, select "npm/npmjs/-/nsfw/1.2.2". Then click on the magnifier glass button to see details. In the "Licensed" section:

  • Declared: MIT
  • Discovered: MIT

ClearlyDefined detailed results for nsfw v1.22

Conclusion: Looks good!

Fallback: old process

e.g. a PR adds a new production (i.e. non-"dev-dependency") npm dependency in one of Eclipse Theia's package.json, or updates the version of such a dependency.

Current Way: for production/runtime dependencies, it's necessary to analyse license compatibility of the dependencies themselves (as defined in our various package.json files) and as well as their own recursive runtime dependencies.

  1. navigate to our project page and log-in
  2. On the right side of the page, under "Intellectual Property", chose "Create a Contribution Questionnaire"
  3. type of contribution: Third-Party Code Request
  4. Fill-in first page:
  • Name and Version of the Library: Theia npm node click "Continue"
  • Due Diligence Type: Type A
  • description: This is a request for all of the production node.js/NPM dependencies for Eclipse Theia
  • cryptography: A few of the npm dependencies look like they might be cryptography-related: bcrypt-pbkdf,crypt, cryptiles,crypto-browserify,crypto-random-string,https-browserify
  • License: --- Other Licenses ---
  • Other Licenses: MIT AND BSD-3-Clause AND ISC AND Apache-2.0 AND BSD-2-Clause AND Zlib AND X11 AND (BSD-3-Clause OR AFL-2.1) AND CC-By-4.0 AND CC
  • Distribution: Both Source and Binary
  • Modified: Unmodified (Usual Case)
  1. Click continue and submit CQ
  2. We then need to add an attachment to the CQ. See instructions below to generate this archive

Here are some rough instructions on how to generate the archive/zip to be attached to the CQ:

git clone https://github.com/theia-ide/theia.git && cd theia
yarn install --production

# find node_modules folders other than the main one in the root
npmlist=`find . -name node_modules | grep -v "^./node_modules"`

# Find the extensions where a Debug Adapter is Downloaded/used (defined in an "adapters" section in package.json)
grep "\"adapters" `find packages -name package.json`
# if there are changes, update list below

# list of the path where the Adapters are saved:
# note: this assumes each DA is in "unzipped" form. It it's not the case, we need to unzip it/them manually so it/they will be analysed correctly when submitted as part of the CQ.
DAlist="./packages/debug-nodejs/download ./packages/java-debug/download"

# Find the extensions where a Language Server is Downloaded/used under that extension (vs through the normal yarn install,
# that installs under the root node_modules) Such LS can be defined under the "ls" section in package.json
grep "\"ls" `find packages -name package.json`
# if there are changes, update list below
# note: only npm modules are of interest here. If the LS is not a npm module, it should be registered in its own, different CQ. e.g. jdt.ls
# note: "typescript-language-server" is already taken into account since it's in the root node_modules

# list of the path where the Language Servers are saved:
LSlist=""

# result: root npm_modules folder as well as any other we find elsewhere in the repo. Also we include the 
# Debug Adapters that are used as plugins:
tar czvf theia-npm-prod-dependencies.tar.gz ./node_modules $npmlist $DAlist $LSlist


TBD, clarifying this topic with the Eclipse Foundation. We may have a simplified way to do this in the near future.

Case: new or updated test/build dependency (e.g. devDependencies)

These are dependencies that are not distributed, but used only to build and test our project. They map to the "devDependencies" field in our various package.json files.

For these, the effort should be lower, since "These are processed as Workswith; and as a result, no IP review is involved."

More info here

  1. navigate to our project page and log-in
  2. On the right side of the page, under "Intellectual Property", chose "Create a Contribution Questionnaire"
  3. type of contribution: "Third-Party Code Request"
  4. Fill-in first page:
  • name: 'Build- and test-only NPM dependencies for Eclipse Theia'
  1. go to next page
  • Due Diligence: "Type A"
  • Description: This is an umbrella CQ for build and test dependencies

Then for each dev-dependency we seek approval-for, add an entry like this:

name: <dev-dependency name>
url: <repo URL>
license: <license>
version: <version> and later versions
  • Cryptography: answer depending on case
  • License: dependencies license(s). if more than 1, chose "Other Licenses" and list them in the next field.
  • Distribution: "both source and binary"?
  • Modified: Unmodified
  1. Click continue and submit CQ
  2. For 'build/test' CQ, no source code needs be attached. If the tool still asks for an attachment, you can attach something to it will be satisfied. It can be an empty archive or an Eclipse logo, for example

Such CQs registered so far:

References

ECD Theia Intellectual Property Clearance Approach (Experimental)

Project Licensed Content

CQs required based on Due Diligence Process (contributions >1K LOCS, Content to move to Eclipse, Initial Contributions, etc.)

Third Party Content (Modified)

Modifications are performed under the third party license; CQ required.

Third Party Dependencies (Non-Modified)

The Project will use tooling to run and analyze the applicable license(s) of third party content required for project releases. The applicable license(s) must conform to the White List as per [1].

Should the project be unclear of applicable licensing and/or the license is not contained in the White List, the project will raise an IP Request (CQ) seeking assistance from the IP Team.

Please note “No Assertion” and/or “Unknown” license information is not sufficient license terms. Further, WTFPL will be distributed subject to the MIT.

The project must perform this exercise each time a new dependency is introduced and/or when the dependency version rev is greater than a service revision. The project may use the output of Yarn Lock, package-lock.json, npm-shrinkwarp.json to confirm applicable licensing of javascript third party content. Package-lock.json and npm-shrinkwrap.json may be used in conjunction with ClearyDefined [2]. For non javascript content, the project may use scan code [3].

PRIOR TO RELEASE:

The project will enter necessary CQs to receive final IP clearance prior to a project release. This clearance will be a gate to releases.

[1] https://www.eclipse.org/legal/licenses.php#approved

[2] https://clearlydefined.io/workspace

[3] https://github.com/nexB/scancode-toolkit