You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

This certificate confirms that your project was developed following good development practice.

It requires your team to self-evaluate key points about dependencies, licences, and security.

You may use this document as a checklist template for your project's certification process.

Initial Steps

Requirements

  • Document all directly used external libraries and code (having an internal list is mandatory, and it may be made public)
  • Document licences of these libraries and code (in the same list)
  • Confirm that all direct dependencies are under valid open source or proprietary licences
  • Ensure that all these licences are mutually compatible for use in your software
  • Review each direct dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services)
  • Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file)
  • Information on direct dependencies and third-party IP (name, version, licence) recorded in a README, NOTICE, or internal document, available on request with vulnerability details.
  • Register the project in the GÉANT Software Catalogue

Certification Process

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

  • Internal list of direct dependencies and licences

Consider drafting public artefacts based on available templates. Having them is good practice – a README is a starting point for documented and licensed software.

  • README – Optional, but it is good to capture basic information about software early
  • NOTICE – Also optional, but legal notices and attributions for third-party components may be required

Governance

Upon approval, your project will receive the Self-Assessed Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data up to date.

The certificate is valid for five years, covering all released versions within that period, if issues are promptly addressed.

Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes (e.g., component replacement under a different licence, or inclusion of new components).

Additional Information

Further details are available in the Detailed Guide: Self-Assessed Dependencies Certificate.

  • No labels