| Full title | Manage sideground Intellectual Property (externally created libraries, components, used source code or other dependencies) |
|---|
| Objective | Achieve IPR compliance with the GÉANT IPR Policy and the project's software licence |
|---|
| Applicability | This practice concerns the design and development phase of the project. |
|---|
| Context | The practice applies to projects that use external libraries or components provided by third-party vendors (including OSS projects). |
|---|
| Addressed elements in SMM | 2.4. Management of IPR and dependencies |
|---|
| Actions | - Learn about your licences of the libraries and other software incorporated in your product
- Establish basic understanding and awareness of IPR and GÉANT IPR Policy within the team (learn/ask GLAD and the GÉANT IPR Coordinator (iprcoordinator@geant.org) for support)
- Identify, analyze and document the used libraries (e.g., using a dedicated tool)
- Verify if the licences conform to constraints imposed by GÉANT and licence compatibility requirements
- Determine the overall IPR orientation (e.g, permissive or copyleft), then the specific tentative licence (e.g., MIT or GPL3+) for the project/product
- Authoritatively verify and document present licences (with an SCA tool or at licensors' websites and correct or refine the information in the tool or document) and check their requirements and compatibility
- Make sure that requirements set in applicable licenses and rules and recommendations from the GÉANT IPR Policy are met, including documenting the licence, including a copyright notice and publishing code changes in the source repository and on the project website
- Establish tracking of present licences, adjustments and compliance
- Trigger re-evaluation of the license compliance in the event of changes in the used libraries, licences and rules (in policy or knowledge base)
- Detect, document and communicate changes
|
|---|
| Risks | - License requirements and rights are misinterpreted
- The GÉANT IPR Policy is revised to clarify ambiguities or improve the interpretation
- The used tools or recorded rules need to be updated and the assessors informed about the change
- An inadequate licence has been chosen or it is not complied with
- The licence should be changed in consultation with the IPR Coordinator
- The licence compliance is achieved by IPR remediating actions (i.e., by replacing or removing some libraries)
|
|---|
| Related practices | BP-B.1: Assess available technologies |
|---|
