Lightening the Release Review Burden

The Eclipse Architecture Council is in the process of making a change to how the Eclipse Development Process (EDP) defines the Reviews that Eclipse open source projects are required to engage in. Foremost on our minds is the nature of Release Reviews which the EDP current requires ahead of all major and minor releases (service releases are excused from the requirement).

The current thinking is that we will decouple Releases from Reviews and instead require a regular (probably annual) equivalent to the Release Review.

This is actually not as big a departure from the current process as you might think. The EDP describes the Release Review as an opportunity “to summarize the accomplishments of the release, to verify that the IP Policy has been followed and all approvals have been received, to highlight any remaining quality and/or architectural issues, and to verify that the project is continuing to operate according to the principles and purposes of Eclipse.” That is, it is far less about the current release than it is about ensuring that the process is being followed and that the project is doing the right sorts of things to attract and grow community.

Likewise, the purpose of an IP Log is not to accurately represent the contents of any particular release, but rather to provide a checkpoint to ensure that the project is correctly following the Eclipse IP Due Diligence Process (so project teams can continue to receive contributions or engage in other activities that might change the IP Log between the point in time when it is reviewed and approved, and the project makes a release).

Eclipse committers are required to observe the Eclipse IP Policy and IP Due Diligence Process at all times, and so our open source projects must always be in correct state with regard to intellectual property management.

For those of you who have made it this far, it would be great if you could weigh in on Bug 534828 which includes an effort to more precisely define “Release”. We’re tracking all of our plans to update the EDP via Bug 484593. Input is welcome.


Posted in Community, Eclipse 101, Project Management | Leave a comment

The Eclipse Committer Election Workflow

In the world of open source, Committers are ones who hold they keys. Committers decide what code goes into the code base, they decide how a project builds, and they ultimately decide what gets delivered to the adopter community. With awesome power, comes awesome responsibility, and so it’s no mistake that the Open Source Rules of Engagement described by the Eclipse Development Process, puts Meritocracy on equal footing with Transparency and Openness: becoming a committer isn’t necessarily hard, but it does require a demonstration of commitment (committer… commitment… see what I did there?)

There’s two ways to become an Eclipse Committer. The first way is to be listed as an initial committer on a new project proposal. When projects come to the Eclipse Foundation we need them to actually start with committers, and so we include this as part of the bootstrapping. As part of the process of community vetting a new project proposal, the committers listed are themselves vetted by the community. That’s why we include space for a merit statement for every committer listed on a proposal (in many cases, the merit statement is an implied “these are the people who worked on the code that is being contributed”). In effect, the project proposal process also acts as a committer election that’s open to the entire community.

The second way to become a committer is to get voted in via Committer Election. This starts with a nomination by an existing committer that includes a statement of merit that usually takes the form of a list various contributions that the individual has made to the project. What constitutes a sufficient demonstration of merit varies by project team and PMC. Generally, though, after an individual has made a small number of high quality contributions that demonstrate that they understand how the project works, it’s pretty natural for them to be invited to join the team.

There’s actually a third way. In cases where a project is dysfunctional, the project leadership has an option to add and remove committers and project leads. In the rare cases where this option is exercised, it is first discussed in the corresponding Project Management Committee‘s (PMC) mailing list.

Last week, we rolled out some new infrastructure to support Committer Elections.

Every project page in the Project Management Infrastructure (PMI) includes a block of Committer Tools on the right side of the page. From this block, project committers can perform various actions, including the new Nominate a Committer action.

Screenshot from 2018-02-06 10-34-43

Committer Tools

Clicking this will bring up the nomination form where the existing committer will provide the name and email address of the nominee along with the statement of merit.

Screenshot from 2018-02-06 10-35-15

What the committer sees when they nominate a new committer.

When you click the Nominate button, the Committer Election begins by sending a note to the project mailing list inviting existing project committers to vote. Committers visit the election page to cast their vote and—since this is a transparent process—everybody else can watch the election unfold.

According to our election rules, an election ends when either everybody votes in the affirmative or seven days has passed. If at the end of the election we have at least three affirmative votes and no negative votes, the vote is considered successful and it passed on to the PMC for approval (note that when a project has fewer than three committers, success is declared if everybody votes in the affirmative). The PMC will validate that the merit statement is sufficient and that the election was executed correctly, and either approve or veto it. PMC-approved elections get passed into the next piece of the workflow: Committer Paperwork.

Regardless of how a developer becomes a committer (by vote, by proposal, or by appointment), they are required to complete legal paperwork before we can grant them write access to project resources. The Eclipse Foundation needs to ensure that all committers with write access to the code, websites, and issue tracking systems understand their role in the intellectual property process; and that we have accurate records of the people who are acting as change agents on the projects. Committers must provide documentation asserting that they have read, understood, and will follow the committer guidelines; and must gain their employers consent to their participation in Eclipse Foundation open source projects.

Our Commmitter Paperwork process is initiated whenever a developer joins us as a new committer, or—since paperwork is tied to a specific employer—when a committer changes employers.

Screen Shot 2018-02-07 at 11.54.35 AM

The exact nature of the type of paperwork required varies based on the individual’s employment status and the Eclipse Foundation membership status of their employer. Again, a full discussion of this is out-of-scope for this post, but we need to have either an Individual Committer Agreement or a Member Committer Agreement on file for every committer. The workflow guides the new committer through the options.

Note that we’ve just gotten approval on an update to the Individual Committer Agreement that eliminates the need for the companion Eclipse Foundation Committer Employer Consent Form. This should make it easier for new committers to get started. We’re rolling the new version out now.

We owe this great new implementation of this workflow to the tireless efforts of the entire Eclipse IT Team, and especially Eric, Chris, and Matt. Big Thanks!

Posted in Eclipse 101, EDP, Intellectual Property, Project Management | Leave a comment

Decoding the Eclipse IP Policy: Third Party Dependencies

The term Intellectual Property (IP) refers to any sort of creative work, be it literature, art, or software. In the realm of open source software, artifacts like source code, documentation, and images are considered intellectual property. Unless otherwise stated, intellectual property is the property of its creator, who may grant permission for others to use that intellectual property by providing a license.

The ease with which software can be copied and combined makes it challenging to know with confidence if content can be used without running into legal issues. Any sort of serious software development effort must be accompanied by a well-defined IP Due Diligence process that can ferret out issues and mitigate the risk of leveraging the work of others. IP Due Diligence is a time consuming process that requires specialized skills and a keen eye for detail.

There are different kinds of content (source code, documentation, images, …) to consider. Project Code is content that is produced and maintained by the open source project committers and contributors. Third Party Content generally takes the form of libraries (modules, components, …), source files, images, or other forms of IP that are produced and maintained outside of the scope of the open source project. To mitigate the risk associated with adopting open source in products, the Project Code and Third Party Content that it leverages need to be vetted to ensure that the copyrights expressed are correct, licensing is valid and compatible, and other issues have been uncovered and properly investigated.

The Eclipse Foundation has a well-defined IP Policy, corresponding IP Due Diligence Process, and a dedicated team of professional IP specialists who perform the heavy lifting in the due diligence process. Committers, the software developers who decide what will become Project Code and how an Eclipse open source project will leverage Third Party Content, are responsible for bringing IP issues to the attention of the Eclipse IP Team.

Most of the Project Code produced by committers can just be pushed into a project repository without any sort of legal review. However, at least in some cases, the IP Team needs to be engaged to review Project Code that comes from contributors (who are not committers); and there are some cases where even the work of committers needs to be reviewed. I’ll discuss Project Code with more detail in a future post.

The sort of effort that the Eclipse IP Team brings to bear on Third Party Content varies depending on the type. The Guidelines for the Review of Third Party Dependencies defines three different types: Prerequisite, Exempt Prerequisite, and Works With Dependency.

The simplest form of Third Party Content is Prerequisite. Prerequisites are required by the Eclipse project content to provide core functionality. Prerequisite content is not generally stored in an Eclipse project’s source code repositories, but is likely included in build scripts and referenced as runtime dependencies. Since adopters of Eclipse project content are compelled to adopt the Prerequisite content, that content must also be vetted by the IP Team. The vetting requirement applies recursively: the entire transitive closure of a Prerequisite’s dependencies needs to reviewed (the dependencies of a Prerequisite are themselves Prerequisites).


The transitive closure requirement only applies when an Eclipse project makes a direct reference to Third Party Content (the Eclipse Project Handbook provides some examples of what constitutes a direct reference). In the case where an Eclipse project references code from a second Eclipse project that itself references Prerequisites, no further vetting of that chain of Prerequisite content is required (the IP Team will have already vetted it on behalf of the second project team). Eclipse project teams should take care to only reference release versions of other Eclipse projects in their own releases to ensure that the IP process has been completed.


When you follow this all the way to the bottom, the entire runtime environment including virtual machines and the operating system are included in the transitive closure of dependencies. Clearly, having the IP team vet virtual machines and operating systems is not a great use of time, and—in the case of closed source operating systems—just not be possible.

The Eclipse IP process guidelines provide for a notion of Exempt Prerequisite dependencies, which are not subject to review. According to the guide, content may be considered exempt if it “is pervasive in nature, expected to be already on the user’s machine, and/or an IP review would be either impossible, impractical, or inadvisable.” The Eclipse IP Team does not review the source code associated with an Exempt Prerequisite.

One of the key aspects of an Exempt Prerequisite is that the user or adopter is typically the one that actually installs the software and so is the one who must agree to the licensing terms. Content that is declared an Exempt Prerequisite should never be directly distributed by an Eclipse project or otherwise made available without some explicit action from the consumer. Exempt Prerequisites must be approved by the Eclipse Foundation’s Executive Director.

The Eclipse IP process guidelines also define the notion of a Works With Dependency (commonly referred to as a “works with”) that applies in two different cases. Third Party Content may be declared a Works With Dependency when:

  • the functionality of Eclipse project content is enhanced by the presence of the software, but is otherwise functional and useful without it; or
  • there are multiple choices and vetting all of them is impractical or impossible.

A Works With Dependency is, literally, a dependency that the Eclipse Project Code will work with when it is available. The fundamental requirement is the Eclipse Project Code must be useful and adoptable without the Works With Dependency. That is, either the Project Code provides useful functionality without the Works With Dependency or the Works With Dependency is a suitable alternative for a Prerequisite.

It’s enough to just register the use of Works With Dependency without seeking IP Team approval for its dependencies. The consumer is responsible for making that content available and otherwise agreeing to the terms for that content.


As with an Exempt Prerequisite, a Works With Dependency should never be directly distributed or otherwise made available without some explicit action from the consumer. Works With Dependencies must be approved by the Eclipse project’s Project Management Committee.

As an example, if Eclipse Project Code will make use of a specific database implementation when it is available, but otherwise provides useful functionality when that database is not present, that database may be a Works With Dependency. If, however, a specific database must be available for the Eclipse Project Code to provide any sort of core functionality, then that database is likely a Prerequisite which must be fully vetted. Or, if the Project Code must have access to some database, then the IP process requires that at least one specific database be fully vetted as a Prerequisite and other options can be declared as Works With Dependencies.

Eclipse committers engage the Eclipse IP Process is by filing a Contribution Questionnaire (which is commonly referred to as a CQ). Committers can find a link to create a CQ on their project page in the Eclipse Project Management Infrastructure (PMI).

As always, if you’re just not sure… ask. We’re here to help.

Posted in EDP, Intellectual Property, Project Management | Leave a comment

Running a Successful Open Source Project

This post is based on a talk that Gunnar Wagenknecht and I delivered at the Open Source Leadership Summit 2017 and Devoxx US 2017. This content was recently published in the All Eyes on Open Source issue of JAX Magazine.

Running a Succesful Open Source Project - Slides

Running an open source project is easy. All you have to do is make your source code available and you’re open source, right? Well, maybe. Ultimately, whether or not an open source project is successful depends on your definition of success. Regardless of your definition, creating an open source project can be a lot of work. If you have goals regarding adoption, for example, then you need to be prepared to invest. While open source software is “free as in beer”, it’s not really free: time and energy are valuable resources and these valuable resources need to be invested in the project.

So, how do you invest those resources?

Define success. Before you can consider running a successful open source project, you need to have a clear definition of success. There are many factors to consider. Is it enough to just get some code into a publicly accessible repository or do you want more for your project? Is collaboration and adoption important to you? Are you just trying to build your reputation as as software developer? Does your definition of success long include long term viability? Do you want to grow a community around the project? Do you care about commercial adoption? Your answer to these questions can help you decide how many of the rest of our recommendations you’ll need to adopt.

Be transparent. Transparency is pretty simple to understand: make it so that the community can watch and understand what you’re doing: use a publicly accessible source code repository that’s easy to find, use public facing issue tracking software, post your release plans where the community can find them, and capture meeting minutes in public forums (e.g. mailing lists with archives).

Be open. For a lot of open source projects, “transparency” and “openness” mean the same thing, but the terms really are quite different. Being open is more than just being “open book” (which is essentially the same thing as transparency). For many, the “open” in open source means open to new ideas, or open to participation. The rules for participating in an open source project should be the same for everybody (“level playing field”): it’s not enough to just accept a few patches, you have to be open to new ideas. In short, you have to let others in and give up absolute control of the project.

Keep the “Playing Field Level”.  This doesn’t necessarily mean that you have to let just anybody join the project, but rather that you ensure that the same set of rules apply to everybody (the playing field may be level, but you still have to earn your way onto the field). Meritocracy is about earning your way in.  Some projects implement meritocracy, for example, by requiring that developers make some number of contributions to demonstrate that they understand the code, rules, and culture of the project before inviting them to join the project team. Make sure that the process for adding new developers to your project are well known and that the process is operated transparently (e.g. a public vote).

Be vendor neutral. In order to be truly open, people need to feel welcome to contribute. This is easier if the project is vendor neutral. A vendor neutral project is not dominated by any organization or organizations; meritocracy should be based on the contributions of an individual, not the goals or hiring practices of any specific organization. Hosting at vendor neutral foundation is one way to achieve this.

Have well defined and documented standards. Be sure to document your project’s code formatting rules (make code formatter preferences easily accessible), expectations with regard to test coverage, development methodology, software and tools required, channels to connect with the project team, and other important information for potential contributors. Capture all of this information and make it as easy as possible to find. It’s a good practice to include a contribution guide in the root of your projects source code repositories (with DVCS, it’s entirely possible that potential contributors will find a copy of a copy of a copy of your repository; having the contribution guide in the repository will make it easy for potential contributors to find their way home).

Ensure that the project code is always buildable. Include build scripts and instructions with the project code. Make it as easy as possible to successfully build and test the project code.

Connect with your user community. The user community is that group of people who use the products of your open source project. The user community rarely contributes anything directly to the project code, but does tend to ask a lot of questions. Make sure that those questions get answered. A healthy user community feeds an adopter community.

Connect with your adopter community. An obvious sign of success for an open source project is that other groups start to use your open source project in their own products, or build extensions. This community is more willing to give back to the project and will be the project’s best source of contributions. Some number of those contributors will be great candidates to join your project’s team. Development of an eco-system of adopters and extenders is a great way to ensure the longevity of your project.

Connect with your development community. The development community is comprised of your project’s team members and contributors. Provide well-known channels for communication within this community. Having clear lines of communication will help developers collaborate.

Have a plan. It’s easy to lapse into a pattern of just letting software development happen, but like any process (especially a software development process), having  some method to the madness is critical. Make sure that your project employs a development methodology and make sure that somebody owns the process (e..g a project lead). Having a plan helps developers know where they can contribute the most value and makes it easier for adopters and extenders to implement their own plans (and thereby be successful). Treat your open source project like any other software development project.

Manage your brand. Your project will have a brand. The project’s name is its identity; as is the project logo, along with the names of any products (it’s typical that an the products of an open source project share the name of the project, but some projects produce more than one product). Claim the project’s brand as a trademark and consider registering that trademark. Establish trademark usage guidelines so that adopters know how to use your brand. This is an area where working with an open source software foundation can add value. A foundation can hold and defend the project’s trademarks on behalf of the community. This avoids letting any particular individual or organization hold the project’s name hostage (this happens).

Manage Intellectual property and copyright. The code, documentation, and other artifacts contributed to the project is intellectual property. Who owns that intellectual property? Do the authors retain their ownership, or do they assign it to another entity? Make sure that the rights and responsibilities of contributors are understood by all contributors. Consider having contributors sign a developer certificate of origin (DCO) or a contributor license agreement (CLA). Ensure that copyright notices are included with the source code and in notices.

Note that it is unlikely that the project itself is a legal entity that can hold copyrights. This is another way in which an open source foundation can provide a valuable service.

Pick an OSI-approved open source license. Don’t create your own custom license; that will just add legal hurdles for anybody who wants to use your code. Make sure that the license that you choose is compatible with the manner in which you intend for the code to be used. Further, ensure that the license is compatible with any third party content (e.g. libraries) that your project code needs. Include the SPDX code for your license in the headers for all source files.

Move your project to an open source foundation. We’ve mentioned foundations a few times already. A foundation can first and foremost help you to keep your project vendor neutral, which will help adoption: a bit part of the appeal of open source software is that adopters can avoid being beholden to a particular organization. A foundation can hold onto and defend the project’s trademarks, establish a governance model, help you manage your brand, provide intellectual property management services, and just generally provide assistance and advice for operating a successful open source project. Being a part of an open source foundation provides a value feedback loop. The foundation provides credibility for your open source project which in turn provides credibility to the foundation.

Running an open source project is a lot of work. But, as we’ve suggested, how much work it takes really depends on your definition of success. Fall back on the core principles of open source development: transparency, openness, and meritocracy. Everything else comes from that.

Posted in Community, Eclipse 101, Intellectual Property | Leave a comment

Automatic License Certification By The Numbers

In 2016, we introduced the notion of license certification intellectual property (IP) due diligence (“Type A”) into the Eclipse IP Policy with a goal in mind to automate the certification process. At that time, we started a process of evaluating tools that could be used for automatic validation and eventually discovered Scancode.

In our testing, we found that Scancode does a very good job of discovering licenses (and copyrights, which we may take better advantage of later), with the added bonus of having a very simple-to-use command-line interface (CLI) that produces reports in a handful of handy formats (including JSON and SPDX) that are easily machine readable.

The Eclipse Webmaster integrated Scancode into the Eclipse Genie process. Genie jumps into action when it notices a “Type A” third party content review request (“Contribution Questionnaire”) with attached source code, and PMC approval. If the licenses discovered in the attached content are compatible with the project license, Genie automatically license certifies the content.

After running for a few months, it looks like we’re getting about a 50% hit rate. That is, about half of all third party content license certification requests are being automatically approved without needing to engage the Eclipse IP Team.


Note that some of the older bumps in the graph come from requests that were retroactively designated as “Type A”, and that little bump in automatic approvals in March is from Webmaster testing.

I’ll admit that it’s a little suspect to me that the graphs line up so closely starting in July. I’m pretty confident in the query and have reviewed the data, so it’s accurate as far as I know.

It’ll be interesting to see how the pattern tracks over time.

Posted in Eclipse 101, EDP, Intellectual Property | Leave a comment

Legal Documentation Requirements for Eclipse Projects

Late last week, I pushed out an update to our documentation regarding the legal documentation requirements for Eclipse projects that Sharon Corbett and I have been working on over the past quarter. In the process, we moved the guidelines off of the main website and rolled them in to the Eclipse Project Handbook. Our primary goal in revising this documentation was to make it more generally applicable to all open source projects and bring us more in line with what the rest of the open source world does.

Update probably isn’t the right word. It’s more accurate to say that we’ve pushed out some general guidelines and that the old/existing documentation becomes instructions for how to apply those general guidelines in the case where your project builds Eclipse Platform Plug-ins and Features.  In this regard, the existing documentation was very much concerned with the technical aspects of how to provide legal documentation in a manner that they can be presented to the user via the “About Eclipse” dialog (there’s no particular value in changing how all that works).

That is, if you’re building Eclipse Platform Plug-ins and Features under the Eclipse Public License (EPL) 1.0, we’re not asking you to change anything. 

I’m going to repeat that. Don’t panic. If you’re building Eclipse Platform Plug-ins and Features, just keep doing what you’re doing. If you’re planning to update to the Eclipse Public License 2.0 (EPL-2.0), we’ll need to talk (more on this later).

The gist of it is that in the general case, project teams are required to include license and notices in both their project repositories and in the output form of their project code (generally the result of compiling/building, e.g. JAR files). For consistency across our own projects and the greater community, we’re recommending that these files be named LICENSE and NOTICE (with optional extensions). Variations based on technical limitations are acceptable. The license and notice files should be in plain text. The use of a favourite markup language is fine, but not required.

There’s a lot more information in the document, so I’ll avoid trying to repeat it here. One thing that you’ll notice is that we’ve tightened up the copyright header text a bit by removing the “All rights reserved”. There’s no need to change any headers that include this statement: it’s not necessarily wrong to include the statement, it just doesn’t really add any value.

You’ll notice that there’s an appendix in the document for projects that are building Eclipse Platform Plug-ins and Features under the EPL-2.0. There’s a few rough edges here that we still need to work out (there a link to an issue in Bugzilla if you want to contribute your thoughts). One thing that we discovered while working on these changes is that basically nobody in the open source community has anything like our Software User Agreement (SUA) which is effectively an End User License Agreement (EULA). Since a project that updates to the EPL-2.0 will have to update all of their legal documentation, we figured that we use the opportunity to drop the SUA and instead just use the license text in places that call for a license (AFAICT most third party plug-in providers do this).

To make getting the legal documentation right a little easier for project teams, I’ve started working on an experimental script that uses the information in the Eclipse Foundation database to generate at least some or all of the required documentation.

Take note that this script is experimental and may not be entirely correct (maybe consider using this as a template or a starting point; ultimately it’s up to the project teams to make sure that the notice file is correct). If you do notice something that seems wrong with the data (e.g. wrong license or trademark statement), send a quick note to; if it looks like the rendering is wrong or that there is some technical issue, please open a bug against Community/Process.

EclipseCon Europe 2017

Posted in Eclipse 101, EDP, Intellectual Property | Leave a comment

Running Eclipse IDE on Java 9

Update: Note that as of October 11/2017, Java 9 is 100% supported “out of the box” by Eclipse IDE, Oxygen Edition; Java 9 can be used to run your Eclipse IDE, Oxygen Edition, and can be used to build Java 9 applications without additional configuration. Download or update today.

Out of the box, Java 9 makes only a subset of the modules available to applications. If your application makes use of APIs from other modules, you need to configure the JVM to make those modules available. The Eclipse IDE its itself a Java application that uses APIs from modules outside of that default group, so a little extra configuration is needed to make it run on Java 9.

In your Eclipse IDE installation directory, you’ll find the eclipse.ini file that your Eclipse IDE uses for configuration information. Add --add-modules=ALL-SYSTEM after the -vmargs argument (basically anything that follows the -vmargs argument is passed to the VM at start up (note that most VMs will barf if you pass in arguments that they don’t know or expect; adding this option when running on a Java 8 JVM will result only in disappointment and frustration).


There’s more information in the Eclipse wiki.

Note that we’re pushing out some updates to make it so that the modification is not required. But that will only apply on future versions of Eclipse IDE (e.g. the Oxygen point releases, Photon, and later). For all older versions of Eclipse IDE, you’ll need to make this configuration change.

If you want to learn more about Java 9 support in the Eclipse IDE, including the Java development tools (JDT) and other great features like Eclipse Web Tools, Eclipse Code Recommenders and Eclipse Maven Integration, etc., consider attending EclipseCon Europe in Ludwigsburg, Germany from October 24 – 26, 2017.

There’s an entire Java and JDT track that includes the following:

There will also be BoFs, along with all sorts of opportunities to network and learn.

EclipseCon Europe 2017

If you want to learn more about the great features available in the Eclipse IDE, follow @EclipseJavaIDE on Twitter (follow me while you’re at it).

Posted in Community, Conferences, Eclipse 101, Java | 1 Comment