
This certificate confirms that your project was developed following good development practice.

It requires your team to internally evaluate key points about dependencies, licences, and security, and to provide verification material to the Licence Management Team.

You may use this document as a checklist template for your project's certification process.

Initial Steps

Requirements

Aligned with Self-Assessed Dependencies Certificate

  • Confirm that all direct dependencies are under valid open source or proprietary licences
  • Ensure that all these licences are mutually compatible for use in your software
  • Review each direct dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services)
  • Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file)
  • Register the project in the GÉANT Software Catalogue

Additional Requirements

  • Document all external libraries and code used in the project, including transitive ones (having an internal list is mandatory, and it may be made public)
  • Document licences of all external libraries and code used in the project (in the same list) 

Certification Process

  • Send a request to the Licence Management Team, including:
    • SCA results or a reference to the GÉANT SCA service performed
    • Third-party IP details, if any
    • Any supporting documentation
  • Provide clarifications or perform remediation if requested by the Licence Management Team
  • Reference the certificate in your documentation, metadata, project page, or communications

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

  • Internal list of all dependencies and licences (including transitive ones)

Consider drafting public artefacts based on available templates. Having them is good practice – a README is a starting point for documented and licensed software.

  • README – Optional, but it is good to capture basic information about the software early
  • NOTICE – Also optional, but legal notices and attributions for third-party components may be required

Governance

Upon approval, your project will receive the Verified Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data up to date.

The certificate is valid for five years and covers all versions released within that period, provided that issues are promptly addressed.

Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes (e.g., component replacement under a different licence, or inclusion of new components).

Additional Information

Further details are available in the Detailed Guide: Verified Dependencies Certificate.
