Purpose and Intended Audience
Here we summarize the development process at the Apache Software Foundation (ASF), with a focus on the legal side of things. It is intended for those interested in what the ASF does to manage the ownership of its products.
Source code enters the foundation in one of the following ways:
- New project joining Apache
- A large one-off code contribution
- Repeated contributions applied directly to the source
- Patches applied to issue trackers
Each of these methods has its own process:
- New projects join through the Apache Incubator project. All copyright holders have to sign Contributor License Agreements or Software Grants, and names are checked for trademark issues. CLAs tend to be for individuals who will continue to develop the software, while grants are for those who will not commit or for companies. You can learn more about that process here.
- One-off code donations can come in through a software grant. You can see a list of such grants at the IP Clearance page.
- Individuals who will repeatedly commit to the codebase sign a Contributor License Agreement. Sometimes they and their employer will also want to sign a Corporate CLA; however, that is at the discretion of the employee and employer and is not something the ASF requires.
- Patch submissions to the JIRA issue trackers include a checkbox that users must check to 'Grant license to ASF for inclusion in ASF works'.
In addition to original code licensed to the Apache Software Foundation, Apache products may include third-party code. Whether to distribute or use that third-party code, and in particular whether its license is acceptable, is discussed on the legal-discuss@ mailing list. The very general philosophy is to avoid licenses that add terms beyond those of the ASF's AL 2.0 license, while also remaining pragmatic towards the needs of the user. Prior decisions may be viewed here.
Finally, Apache projects record their export classifications here.
All releases require a successful vote from the releasing project's Project Management Committee (PMC). If a project is in the Incubator, then the PMC is the overall Incubator PMC and not the incubating project's PPMC.
In addition to technical quality, releases are checked to confirm that source files contain source headers, and that LICENSE and NOTICE files are present and include any additional third-party requirements. The Incubator Project contains the Release Audit Tool (RAT) podling, a tool already in use across Apache to automate checking the quality of product releases.
Lastly, releases are checksummed with MD5/SHA1 so that downloads can be checked for quality, and securely signed with PGP to confirm that they are the originally released material.