Software Licensing Certificates Series
This certificate confirms that your software project’s licensing has been reviewed and validated. It indicates that the selected licence has been verified for compatibility with all components and is appropriately and transparently declared, and that the software is ready for compliant release with respect to licensing and reasonable dependency checks.
The certificate builds upon the Verified Dependencies Certificate, extending its scope to include licence selection, Software Licence Analysis (SLA) review, and approval of required artefacts. The certificate remains valid indefinitely for future software versions, provided certification requirements continue to be met. It does not cover patents or legal liability, although patent concerns may be addressed during the SLA review.
A full specification of software licensing certificates is also available for GÉANT participants.
Prerequisites
Ensure your software project:
- Is intended for distribution
- Has all direct and transitive dependencies identified and verified
- Uses a clear software licence compatible with all dependencies, confirmed by the GÉANT IPR Manager
- Has internally assessed licensing compliance and produced the required artefacts
- Is registered in the GÉANT Software Catalogue
Also ensure that:
- Project artefacts include the required licence and copyright
- Compliance requirements of all dependencies are fulfilled
Step-by-Step Process
Review Dependencies
- Identify all direct and transitive dependencies. You may use the GÉANT Software Composition Analysis (SCA) service, or obtain a Verified Dependencies Certificate.
- Document all external libraries, code, and other third-party intellectual property used in the project.
- Record the licences of all external components.
- Manually review all third-party intellectual property (source code, content, designs, models, etc.), which may be recorded in the NOTICE file.
- Address all critical vulnerabilities, typically by upgrading dependencies.
Select and Verify Licence
- Initiate the GÉANT Software Licence Analysis (SLA) service, conduct an internal review, or rely on an equivalent process.
- Select a candidate licence or licences appropriate for the project’s context and intended distribution.
- Confirm that all dependency licences are compatible with the selected licence.
- Confirm the selected licence with the Licence Management Team, and obtain approval from the GÉANT IPR Manager.
- Document any conflicts, resolutions, and rationales.
Prepare Required Artefacts
Use the GÉANT SLA service, or the Software Artefacts Checklist and templates for GÉANT participants.
Mandatory artefacts:
- LICENSE – full text of the selected licence
- COPYRIGHT – copyright notices and attributions
- README – includes basic information, licence declaration, and copyright
If applicable or required by the licence:
- NOTICE – third-party notices and attributions
- CHANGELOG – version history, including licence-related changes
- CONTRIBUTING – contribution policy or guidelines
Ensure that the artefacts clearly and explicitly declare the selected licence and copyright ownership, and that they comply with the terms of all dependencies.
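A pre-submission check for the artefacts listed above, as an added example that is not GÉANT tooling or part of the original guide. The artefact names come from this page; the accepted file extensions and the README keyword patterns are assumptions made for illustration.

```python
"""Check a repository for the licensing artefacts named in this guide (added example)."""
import re
import sys
from pathlib import Path
from typing import Optional

MANDATORY = ("LICENSE", "COPYRIGHT", "README")          # names from the guide
CONDITIONAL = ("NOTICE", "CHANGELOG", "CONTRIBUTING")   # if applicable or required
SUFFIXES = ("", ".md", ".txt", ".rst")                  # assumption: accepted extensions
# Assumption: the README declares licence and copyright using these words.
README_CHECKS = (("licence declaration", r"\blicen[cs]e"),
                 ("copyright", r"\bcopyright|©"))


def find_artefact(repo: Path, name: str) -> Optional[Path]:
    """Return the top-level file called `name` (case-insensitive, any accepted suffix)."""
    wanted = {(name + suffix).upper() for suffix in SUFFIXES}
    for entry in sorted(repo.iterdir()):
        if entry.is_file() and entry.name.upper() in wanted:
            return entry
    return None


def check_repo(repo: Path) -> dict:
    """Report missing, empty, or incomplete artefacts; 'ok' is True when none block."""
    report = {"missing": [], "empty": [], "absent_conditional": [], "readme_gaps": []}
    for name in MANDATORY + CONDITIONAL:
        path = find_artefact(repo, name)
        if path is None:
            key = "missing" if name in MANDATORY else "absent_conditional"
            report[key].append(name)
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not text.strip():
            report["empty"].append(path.name)   # a placeholder file declares nothing
        elif name == "README":
            for label, pattern in README_CHECKS:
                if not re.search(pattern, text, re.IGNORECASE):
                    report["readme_gaps"].append(label)
    # Absent conditional artefacts are listed for manual review, not treated as failures.
    report["ok"] = not (report["missing"] or report["empty"] or report["readme_gaps"])
    return report


if __name__ == "__main__":
    result = check_repo(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

The check only confirms that the artefacts exist and that the README mentions a licence and copyright; whether the declared licence is the approved one still has to be reviewed by a person.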
Declare Licence in Metadata and User Interface
Declare the licence in:
- Repository metadata or settings
- Software user interface (if required by the licence)
- Documentation, help files, and release notes
Submit Request
Send a request to the Licence Management Team, including:
- Results of the SLA or equivalent review
- Access to the repository with all relevant artefacts
- Supporting documentation or clarifications, such as descriptions of third-party components or internal reports on dependencies, licences, and vulnerabilities
Refer to Contact Us for instructions on communicating with the team.
Respond to Review Feedback
Cooperate with the Licence Management Team to:
- Provide requested clarifications
- Remediate licence conflicts or vulnerabilities
- Update artefacts and documentation as needed
Use Certificate
Upon approval, your project will receive the Verified Software Licence Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.
After Certification
Maintain Compliance
To keep the certificate valid:
- Keep dependency, licence, and vulnerability data accurate and up to date.
- Monitor for new vulnerabilities or licence conflicts, which may be newly discovered or introduced by dependency or licence changes.
- Address identified issues promptly.
- Clearly mark which software versions are actively maintained.
- Maintain up-to-date licensing artefacts and compliance documentation.
- Avoid changing the project’s licence without prior review and re-approval.
- Inform the Licence Management Team of any major project changes that may affect licensing and IPR.
- Respond to compliance-related queries from users or third parties.
Substantial changes to the software’s architecture, licensing model, or component replacements under a different licence may require revalidation.
Certificate Validity
The certificate is valid indefinitely, provided issues are promptly addressed and certification requirements continue to be met.
The Licence Management Team may periodically check the software and request revalidation if necessary.
Optional: Continuous Dependency and Licence Scanning
Integrate SCA scanning into the CI/CD pipeline to detect licence or vulnerability issues early, and maintain long-term compliance.