Hosted Project Tools Review Policy
Effective Date: February 21, 2023
Background and Scope
The core purpose of LF Projects, LLC (“LF”) is to foster an ecosystem that supports the collaborative and public development of free and open source software and other open technology projects (each, a “Project”). The Project software developed by Project contributors and supported by LF is always available for anyone to download, use, modify and redistribute under the Project’s applicable open source license(s).
From time to time, a Project’s participants, maintainers and contributors (collectively, the “Project Community”) may additionally desire to operate, and provide general public access to, a hosted instance of the Project’s open source software. A Project Community-hosted instance of the Project software may be provided for convenience and easier access to the software, or may be hosted in order to provide a central reference instance to which the ecosystem as a whole can submit and process data.
As used herein, a “Hosted Project Tool” refers to this type of hosted instance of the Project software, where the core functionality of the Project software is made available over the Internet for access and use by the broader ecosystem.
For clarity, “Hosted Project Tool” does not refer to (and this policy does not apply to):
- download and use of the Project software by anyone in any other capacity, which remains subject solely to the Project’s applicable open source license;
- instances of the Project software that are operated by the Project for solely technical testing purposes, such as in a Project’s CI/CD system;
- mechanisms used solely for the collection of “telemetry data,” i.e. data collected through any “phone home” mechanism that may be utilized by Project software;
- hosted tools made available to Projects and Project Communities by LF or other third parties that do not consist of Project software.
Hosted Project Tools raise particular considerations for Project Communities, for a variety of reasons, such as the following:
- Provider of the instance: When a Hosted Project Tool is operated by and on behalf of the Project, it is seen by the ecosystem as being operated under the LF’s aegis. This perception may exist even where Project Community members operate the tool on their own and without LF oversight or awareness.
- Data privacy: Some Hosted Project Tools may function in a manner which encourages or requires users to submit personal data. In light of applicable data privacy and protection laws around the world, such personal data should be minimized and should take into account compliance with regulatory requirements.
- Publication and access to data: Depending on the nature of the Hosted Project Tool, content submitted by users might be made available to Project Community members and/or to the public at large. Users should be made clearly aware of the extent to which their submitted content will be made available to others, especially where personal data is involved.
- Acceptable use: While the Project software itself may be used under the applicable open source license(s) for any purpose (including in connection with content that the Project Community finds offensive), access to and use of the particular instance of the Hosted Project Tool may take into account Project Community standards and codes of conduct.
- Immutability: Finally, some Hosted Project Tools are designed to make it effectively impossible to alter or delete previously-submitted content. This immutable nature is an essential characteristic of establishment of contractual commitments, public attestations, and ultimately, ensuring security of the system. Where applicable, Hosted Project Tools that record data in an immutable manner (“Immutable Records”) should make their immutability extremely clear to users, and should take special care with regards to the receipt and hosting of personal data.
In light of the above considerations, the following policy describes LF’s current policy towards the operation of Hosted Project Tools by and for its project communities.
Current Policy
Prior to operating a Hosted Project Tool, Project maintainers must coordinate with members of the LF’s legal team to undergo a detailed review of the proposed Hosted Project Tool, its mechanism of operation and its handling of user-submitted content, including personal data.
While LF cannot provide legal advice to its Project Community members, the purpose of the review is to enable the LF legal team to identify potential concerns, focused on aligning the Hosted Project Tool’s operation with appropriate practices and improving compliance with applicable requirements.
The review of the Hosted Project Tool will include, among other matters, an analysis of the following:
- the specific types of content that users of the Hosted Project Tool are anticipated to submit;
- identifying in particular any submitted content that could arguably be considered data about an individual (such as personal data, personally identifiable information, or similar concepts under applicable laws); or that could be sensitive or confidential to users;
- transparency as to which members of the Project Community or the broader public will have visibility to any submitted content;
- mechanisms in the Hosted Project Tool to obtain user acceptance of the LF Hosted Project Tool Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/;
- where applicable, the nature of any Immutable Records maintained by the Hosted Project Tool, and minimization of any data about an individual included in the Immutable Record;
- where feasible, policies and processes for regular removal of submitted content where no longer necessary; and
- any notices and documentation made available to users regarding the above matters, the LF Privacy Policy at https://lfprojects.org/policies/privacy-policy/ and other related information.
Projects that desire to operate Hosted Project Tools should work with their LF project manager or other LF contacts to arrange for a review under this policy. Projects that are operating Hosted Project Tools prior to the effective date of this policy should similarly arrange for a review, but are not required to cease making their Hosted Project Tool available while the review is pending or in process.
Any Hosted Project Tool that is approved by LF: (1) must make publicly available full documentation as to the above matters; and (2) must operate in conformance with the details contained in the approved review and with the LF Privacy Policy at https://lfprojects.org/policies/privacy-policy/.
If a Project Community desires to modify an approved Hosted Project Tool in a manner that would alter the details contained in the approved review, the Project maintainers should contact LF for an updated review prior to implementing the changes.
Comments
This policy may be amended from time to time. Comments and feedback on this policy should be sent to manager@lfprojects.org.