This certificate confirms that your project’s licensing has been reviewed and validated. It indicates that the software licence has been selected, verified for compatibility with all components, and appropriately and transparently declared. It also confirms readiness for compliant distribution.

The certificate remains valid for future software versions indefinitely, provided they meet certification requirements. It does not cover patents or legal liability, although patent concerns may be addressed during the Software Licence Analysis (SLA) review.

You may use this document as a checklist template for your project's certification process.

Initial Steps

Requirements

Aligned with Verified Dependencies Certificate

  • Document all external libraries and code used in the project (having an internal list is mandatory, and it may be made public)
  • Document licences of all external libraries and code used in the project (in the list)
  • Confirm that all direct and transitive dependencies are under valid open source or proprietary licences
  • Ensure that all these licences are mutually compatible for use in your software
  • Review each dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services)
  • Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file)
  • Register the project in the GÉANT Software Catalogue

Additional Requirements

  • Complete the SLA Service review, confirming licensing compliance and artefacts
  • Obtain GÉANT approval of the licence, in line with the software’s context and intended distribution

Certification Process

  • Perform a software licence review using the SLA Service or an equivalent internal process.

  • Ensure that all direct and transitive dependencies are compatible with the selected project licence (or all output licences in case of multi-licensing)
  • Ensure that all dependency vulnerabilities are addressed
  • Create necessary project files. This can be guided by the Software Artefacts Checklist and related artefact templates.

  • Declare licence in repository metadata and in software UI if needed
  • Optionally integrate SCA scanning into the CI/CD pipeline
  • Send a request to the Licence Management Team
  • Provide clarifications or perform remediation if requested by the Licence Management Team

  • Reference the certificate in your documentation, metadata, project page, or communications. Otherwise, what would be the point of the effort?

Artefacts

  • Up-to-date list of all dependencies with licences and security status

Create necessary project artefacts based on available templates. These files will be reviewed and amended as part of the SLA Service.

  • README – Mandatory, with basic information about the software, licence, and copyright
  • LICENSE – Mandatory
  • COPYRIGHT – Mandatory
  • NOTICE – Optional; legal notices and attributions for third-party components may be required by the licence
  • CHANGELOG – Optional, but may be required by the licence or dependencies
  • CONTRIBUTING – Optional

Governance

Upon approval, your project will receive the Verified Software Licence Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Maintain ongoing licensing compliance and artefacts.

The Licence Management Team validates issuance, and may occasionally review the certificate status.

Revalidation may be required if there are fundamental changes to the software architecture or licensing model.

The certificate is valid indefinitely, unless revoked.

Additional Information

Further details are available in the Detailed Guide: Verified Software Licence Certificate.
