This certificate confirms that your software project’s licensing has been reviewed and validated. It indicates that the selected licence is appropriate, has been verified for compatibility with all components, is appropriately and transparently declared, and that the software is ready for compliant release when it comes to licensing and reasonable dependency checks.
The certificate builds upon the Verified Dependencies Certificate, extending its scope to include licence selection, Software Licence Analysis (SLA) review, and approval of required artefacts. The certificate remains valid indefinitely for future software versions, provided certification requirements continue to be met. It does not cover patents or legal liability, although patent concerns may be addressed during the SLA review.
A full specification of software licensing certificates is also available (the document is available for GÉANT participants).
Prerequisites
Ensure that your software project:
- Is intended for distribution
- Has all direct and transitive dependencies identified and verified
- Uses a clear software licence, compatible with all dependencies, and confirmed by the GÉANT IPR Manager
- Has internally assessed licensing compliance and produced the required artefacts
- Is registered in the GÉANT Software Catalogue
Ensure that:
- Project artefacts include the required licence and copyright
- Compliance requirements of all dependencies are fulfilled
Step-by-Step Process
Review Dependencies
- Identify all direct and transitive dependencies. You may use the GÉANT Software Composition Analysis (SCA) service, or obtain a Verified Dependencies Certificate.
- Document all external libraries, code, and other third-party intellectual property used in the project.
- Record the licences of all external components.
- Manually review all third-party intellectual property (source code, content, designs, models, etc.), which may be recorded in the NOTICE file.
- Address all critical vulnerabilities, typically by upgrading dependencies.
Select and Verify Licence
- Initiate the GÉANT Software Licence Analysis (SLA) service, conduct an internal review, or rely on an equivalent process.
- Select a candidate licence or licences appropriate for the project’s context and intended distribution.
- Confirm that all dependency licences are compatible with the selected licence.
- Confirm the selected licence with the Licence Management Team, and obtain approval from the GÉANT IPR Manager.
- Document any conflicts, resolutions, and rationales.
Prepare Required Artefacts
Use the GÉANT SLA service, or the Software Artefacts Checklist and templates (for GÉANT participants).
Mandatory artefacts:
- LICENSE – full text of the selected licence
- COPYRIGHT – copyright notices and attributions
- README – includes basic information, licence declaration, and copyright
If applicable or required by the licence:
- NOTICE – third-party notices and attributions
- CHANGELOG – version history, including licence-related changes
- CONTRIBUTING – contribution policy or guidelines
Ensure that artefacts clearly and explicitly declare the selected licence and copyright ownership, and are in compliance with the terms of all dependencies.
Declare Licence in Metadata and User Interface
Declare the licence in:
- Repository metadata or settings, or project metadata
- Software user interface (if required by the licence)
- Documentation, help files, and release notes
Submit Request
Send a request to the Licence Management Team, including:
- Results of the SLA or equivalent review
- Access to the repository with all relevant artefacts
- Supporting documentation or clarifications, if needed, such as descriptions of third-party components or internal reports on dependencies, licences, and vulnerabilities
See Contact Us for instructions on communicating with the team.
...
Cooperate with the Licence Management Team to:
- Provide requested clarifications
- Remediate licence conflicts or vulnerabilities
- Update artefacts and documentation as needed
Use Certificate
Upon approval, your project will receive the Verified Software Licence Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Reference the certificate in your documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.
...
To keep the certificate valid:
- Keep dependency, licence, and vulnerability data accurate and up to date.
- Review new dependencies for licence compatibility.
- Monitor for new vulnerabilities or licence conflicts, which may be newly discovered or introduced by dependency or licence changes.
- Address identified issues promptly.
- Clearly mark which software versions are actively maintained.
- Maintain up-to-date licensing artefacts and compliance documentation.
- Avoid changing the project’s licence without prior review and re-approval.
- Inform the Licence Management Team of any major project changes that may affect licensing and IPR.
- Respond to compliance-related queries from users or third parties.
Substantial changes to the software’s architecture, licensing model, or component replacements under a different licence may require revalidation.
Certificate Validity
The certificate is valid indefinitely, provided issues are promptly addressed and certification requirements continue to be met.
The Licence Management Team may periodically check the software and request revalidation if necessary.
Optional:
...
Continuous Dependency and Licence Scanning
Integrate SCA scanning into the CI/CD pipeline to detect licence or vulnerability issues early and maintain long-term compliance.