Oleg Kopysov edited this page Feb 5, 2024 · 3 revisions

License Pre-Validation Service (LPVS)

Introduction

Open-source code refers to software that is freely available for use, study, modification, and distribution, subject to meeting the conditions of the corresponding license. Failure to comply with the license conditions can lead to legal disputes, financial liabilities, the requirement to disclose intellectual property, and reputational damage.

In projects with numerous external dependencies, it can be challenging to track license obligations accurately. Additionally, when multiple collaborators are involved, the risk of unintentional license violations, such as through copy-pasting code snippets, increases. Furthermore, there are nuanced situations like dependencies with dual licensing or licenses that may change due to ownership, purpose, or legislative alterations. These factors can potentially turn previously safe dependencies into unsafe ones over time.

To address these license-related risks for open-source code, we have developed the License Pre-Validation Service (LPVS). This tool provides a solution to mitigate potential license issues. By analyzing the project, LPVS identifies its components and their respective licenses at every commit. It then generates a list of potential issue cases, which are communicated as comments on GitHub. LPVS offers a comprehensive description of possible license violations, including details on the location of risky code and an overview of the specific license-related issues.

With LPVS, we aim to assist developers and project teams in ensuring license compliance for their open-source code. By providing insights into potential license violations and their implications, LPVS enables proactive management of license-related risks throughout the development process.

We believe that LPVS will be an invaluable tool for maintaining the integrity of open-source projects and safeguarding against license infringements.

Features

  • License Scanners: LPVS integrates with the SCANOSS license scanner, allowing for comprehensive license analysis of the project's components. SCANOSS helps identify the licenses associated with the codebase, ensuring compliance with open-source license requirements. By leveraging SCANOSS, LPVS provides accurate and up-to-date information on the licenses used in the project.

  • GitHub Review System Integration: LPVS seamlessly integrates with the GitHub review system, enhancing the collaboration and code review process. LPVS automatically generates comments on GitHub, highlighting potential license violations or issues within the codebase. This integration streamlines the review process, making it easier for developers and collaborators to identify and address license-related concerns directly within the GitHub environment.

  • Comprehensive Issue Description: LPVS provides a detailed and comprehensive description of possible license violations within the project. This includes specific information on the location of potentially risky code and an overview of the license-related issues at hand. By offering this comprehensive insight, LPVS enables developers to have a clear understanding of the license-related risks within their codebase and take appropriate action to mitigate them.

  • Continuous Monitoring: LPVS facilitates continuous monitoring of license-related risks throughout the development process. By analyzing each commit, LPVS ensures that any changes or additions to the codebase are assessed for potential license violations. This ongoing monitoring allows developers to proactively manage license compliance and address any issues that arise in a timely manner.

  • Risk Mitigation: LPVS aims to mitigate license-related risks by providing early detection and identification of potential violations. By alerting developers to potential issues and providing the necessary information to understand and address them, LPVS empowers teams to take proactive steps to ensure compliance with open-source licenses. This helps mitigate the risk of legal disputes, financial liabilities, and reputational damage associated with license violations.

With these features, LPVS assists developers in effectively managing license compliance for their open-source projects. By integrating with license scanning tools, supporting the GitHub review system, and providing comprehensive issue descriptions, LPVS offers a robust solution for identifying and addressing license-related risks in the software development lifecycle.

LPVS Architecture

[Figure: LPVS architecture diagram]

Members

The Technical Steering Committee (TSC) is a committee composed of technical leaders from the open source project responsible for oversight of the technical codebase, the technical community and release process.

The TSC is responsible for:

  • coordinating the technical direction of the LPVS Project;
  • appointing representatives to work with other open source or open standards communities;
  • establishing community norms and workflows, issuing releases, and setting security issue reporting policies;
  • approving and implementing policies and processes for contributing (to be published in the CONTRIBUTING file);
  • discussing, seeking consensus on, and where necessary voting on technical matters relating to the code base.

Roles and Responsibilities:

Name                E-mail                       Role
Peter Moonki Hong   moonki1.hong@samsung.com     Maintainer
Taewan Kim          t25.kim@samsung.com          Maintainer
Oleg Kopysov        o.kopysov@samsung.com        Maintainer
Mykola Rudyk        m.rudyk@samsung.com          Developer
Oleg Konoval        o.konoval@samsung.com        Developer
Tetiana Naumenko    t.naumenko@samsung.com       Developer
Taras Drozdovskyi   t.drozdovsky@samsung.com     Developer

Voting/Approving

In various situations the LPVS Project TSC shall hold a vote. These votes can take place by phone, e-mail, or other means. TSC members can respond "agree, yes, +1", "disagree, no, -1", or "abstain". Decisions by vote at a meeting require a majority vote, provided quorum is met.

To accept code (a Pull Request) into the main branch, 2 or more approvals are required.

Roadmap 2023-2024

  • Command Line Interface (CLI)
  • Microservice architecture
  • Integration with GitLab
  • Implementation of LPVS as a GitHub Actions workflow