Last week, Wayne Beaton, director of open source projects at the Eclipse Foundation, took to his blog to disclose impending changes to the way third party content is managed.
Up until now, project teams wanting to include libraries and similar helpers that weren’t built or managed within the foundation had to check with the intellectual property team first. This was meant to make sure the licenses of the new dependencies were compatible with the project license and avoid legal disputes later.
The new approach however will give teams more leeway when looking into tooling or testing other external project additions. Once the new workflow is approved, they will be allowed to commit things like scripts, and code references to third party content without having to create a contribution questionnaire to request approval. Conformance validation will only be necessary at a later stage, namely, when a formal release is around the corner.
To make the whole process easier, and offer project teams a way of checking licenses themselves, the foundation has come up with a prototype tool for license evaluation. It is meant to create a so called “bill of materials”, a list of all third party libraries used.
They are described by a number of identifiers developed by the ClearlyDefined project, which include a tool’s name, namespace, version, type of content, and repository source. While this looks similar to how Maven would describe software, the choice fell on ClearlyDefined, since not every Eclipse project is strictly Java.
But back to the new tool: it determines the license of each item, and lets developers know whether its use is approved or restricted. Everything marked as restricted needs to be reviewed by the team responsible for intellectual property.
If all goes well, the tool will be used in the IP team and be available to projects as well, the hope being they will start integrating it into their builds. Like that, third party content that needs to be looked at by experts can be singled out automatically and be taken care off before the inrush of pre-release requests starts. However, at least in the short term, contribution questionnaires will still need to be filled in for that. But Beaton mentions plenty of opportunities for further automation, so there’s hope this is on the agenda as well.
Apparently, the presented changes are part of a general revamp of the foundation’s Intellectual Property Policy, with more details to be announced at a later time. The new approach could facilitate experimentation and help during transitional periods of third party libraries, since projects wouldn’t have to cease development until hearing from IP anymore if a dependency changed license. And with that happening more often lately, automated checks seem only sensible, given that Eclipse projects are still used quite a bit in enterprise environments.