
Due diligence

See the introduction to due diligence.

Due diligence analysis is required when open-sourcing a project. It is the responsibility of the group leader to ensure that appropriate due diligence has taken place. Such due diligence will generally be performed by the project developers, drawing where necessary on the support of the OSPO, the Knowledge Transfer group, and other experts at CERN.

Determining the authors of a project

It is essential to correctly determine the authors of a project such that the copyright holder(s) can be correctly identified.

For projects which have been developed over many years, this can be a daunting task. For software and gateware the first place to look is the version control system (VCS). Using git as an example, a case-insensitive list of all author email addresses across all branches can be obtained with:

$ git log --all --format='%ae' | sort -f | uniq -i

sort -f folds case before uniq -i de-duplicates, so Alice@example.org and alice@example.org are counted once; people who have committed under several addresses are best reconciled with a .mailmap file, which git shortlog -sne and the %aE placeholder honour. Bear in mind that the author field is free text set by whoever made the commit: it yields a list of people to contact, not evidence of who holds the copyright, and it says nothing about code that was committed by one person but written by another.

Additionally, the code itself should be reviewed for copyright or attribution notices that the VCS history does not reveal. These could come for example from snippets copied from sites such as StackOverflow (whose content is published under a CC BY-SA licence with its own attribution requirements), or from files copied into the project together with their licence headers.
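The two checks above, enumerating identities from the VCS and sweeping the code for attribution notices, as an added example in Python (not a CERN OSPO tool): identities_from_log() normalises the author and committer emails from a git log --all --format='%ae%x09%ce' listing, applying an alias table that plays the role of .mailmap; scan_attributions() flags lines that carry copyright notices, SPDX tags, links to code-sharing sites, or remarks such as "adapted from". The log lines, the alias table, the hash.c snippet and the StackOverflow URL in it are constructed sample data, and the pattern list is a starting point for a reviewer rather than an exhaustive detector.

```python
"""Provenance sweep for a repository being open-sourced.

Added example, not a CERN OSPO tool. Assumed input for identities_from_log():
the output of  git log --all --format='%ae%x09%ce'  (author e-mail, TAB,
committer e-mail, one commit per line)."""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

LOG_FORMAT = "%ae%x09%ce"


def normalise_email(addr: str, mailmap: Dict[str, str]) -> str:
    """Trim, lower-case and apply an alias table (old -> canonical address),
    the same job a .mailmap file does for git itself. Keys are lower case."""
    addr = addr.strip().lower()
    return mailmap.get(addr, addr)


def identities_from_log(log_text: str, mailmap: Optional[Dict[str, str]] = None) -> List[str]:
    """Distinct author and committer e-mails, sorted. Committers are included
    because both fields are free text typed by whoever ran `git commit`:
    the result is a list of people to ask, not proof of who holds copyright."""
    mailmap = mailmap or {}
    seen = set()
    for line in log_text.splitlines():
        for field in line.split("\t"):
            if field.strip():
                seen.add(normalise_email(field, mailmap))
    return sorted(seen)


# Each pattern is a lead for a human reviewer, not a verdict; extend as needed.
ATTRIBUTION_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("spdx", re.compile(r"SPDX-License-Identifier:\s*\S+")),
    ("copyright", re.compile(r"copyright|\(c\)\s*\d{4}|©", re.IGNORECASE)),
    ("external-url", re.compile(
        r"https?://\S*(?:stackoverflow|stackexchange|github|gitlab|gist)\.\S*",
        re.IGNORECASE)),
    ("provenance-remark", re.compile(
        r"\b(?:copied|adapted|taken|borrowed|ported)\s+from\b|\bbased\s+on\b",
        re.IGNORECASE)),
]


def scan_attributions(text: str, path: str = "<input>") -> List[Tuple[str, int, str, str]]:
    """(path, line number, kind, line) for every line that carries a copyright
    notice, SPDX tag, link to a code-sharing site, or a remark that the code
    came from somewhere else. One line can yield several findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in ATTRIBUTION_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, kind, line.strip()))
    return findings


# Constructed sample data: not a real repository, author or URL.
SAMPLE_LOG = (
    "Alice@Example.org\talice@example.org\n"
    "alice@example.org\talice@example.org\n"
    "bob@example.com\tbob@example.com\n"
    "bob@old-host.example\tbob@example.com\n"
    "ci-bot@example.org\tci-bot@example.org\n"
)
SAMPLE_MAILMAP = {"bob@old-host.example": "bob@example.com"}
SAMPLE_SOURCE = """\
// SPDX-License-Identifier: MIT
// Copyright (C) 2015 Someone Else <someone@elsewhere.example>
// Hash helper adapted from https://stackoverflow.com/a/12345
static unsigned djb2(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: sweep the repository in the current directory and the
        # files named on the command line.
        log = subprocess.run(["git", "log", "--all", "--format=" + LOG_FORMAT],
                             capture_output=True, text=True, check=True).stdout
        for identity in identities_from_log(log):
            print("identity:", identity)
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in scan_attributions(fh.read(), path):
                    print("%s:%d [%s] %s" % finding)
    else:
        for identity in identities_from_log(SAMPLE_LOG, SAMPLE_MAILMAP):
            print("identity:", identity)
        for finding in scan_attributions(SAMPLE_SOURCE, "hash.c"):
            print("%s:%d [%s] %s" % finding)
```

Run without arguments it works on the constructed sample and reports three identities (the two spellings of Alice collapse, Bob's old address maps to his current one) and four findings in hash.c; run as python sweep.py src/*.c inside a repository it queries git itself. The findings still need a human to decide whether the copied snippet's licence is compatible and whether the notice has been preserved.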

Continuous due diligence

Due diligence performed as part of open-sourcing a project should be seen as the bootstrapping step, not as the finish line: as the open-source project evolves, due diligence needs to continue. It can be embedded for instance in regular code review:

  • requiring a Developer Certificate of Origin from contributors;
  • ensuring code follows best practices (tests, documentation, etc);
  • review of wording, such as use of offensive language in comments or complaints about someone else's code.
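The Developer Certificate of Origin item in the list above, as an added example in Python (not CERN's CI configuration): dco_violations() checks every commit in a range for a Signed-off-by: trailer whose email matches the commit author, which is the mechanical part of "requiring a DCO". The four commits in SAMPLE_LOG are constructed; git log --format='%H%x1f%ae%x1f%B%x1e' is the real invocation that produces the assumed input format.

```python
"""DCO sign-off check for a commit range.

Added example, not CERN's CI configuration. Assumed input: the output of
  git log --format='%H%x1f%ae%x1f%B%x1e' <base>..<head>
i.e. records separated by 0x1e, with the fields hash, author e-mail and full
message separated by 0x1f."""
import re
import subprocess
import sys
from typing import List, Tuple

LOG_FORMAT = "%H%x1f%ae%x1f%B%x1e"
SIGNOFF = re.compile(r"^Signed-off-by:\s*.*<([^>]+)>\s*$", re.MULTILINE)


def dco_violations(log_text: str) -> List[Tuple[str, str]]:
    """(abbreviated hash, reason) for each commit whose message has no
    Signed-off-by trailer carrying the author's own e-mail (compared
    case-insensitively). The trailer is a self-assertion that the author
    accepts the DCO; it does not prove identity, so combine it with signed
    commits (git log --show-signature) where that matters."""
    problems = []
    for record in log_text.split("\x1e"):
        if not record.strip():
            continue
        sha, author, message = record.split("\x1f", 2)
        sha, author = sha.strip(), author.strip().lower()
        signers = {m.strip().lower() for m in SIGNOFF.findall(message)}
        if not signers:
            problems.append((sha[:12], "no Signed-off-by trailer"))
        elif author not in signers:
            problems.append((sha[:12], "sign-off does not match author " + author))
    return problems


# Constructed sample: four commits, two of which should fail the check.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x1fcarol@example.org\x1f"
    "Add CRC table\n\nSigned-off-by: Carol <carol@example.org>\n\x1e\n"
    "2222222222222222222222222222222222222222\x1fdave@example.org\x1f"
    "Fix typo\n\x1e\n"
    "3333333333333333333333333333333333333333\x1fErin@Example.org\x1f"
    "Import vendored parser\n\nSigned-off-by: Erin <erin@example.org>\n\x1e\n"
    "4444444444444444444444444444444444444444\x1ffrank@example.org\x1f"
    "Rebase of contributor work\n\nSigned-off-by: Grace <grace@example.org>\n\x1e\n"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # e.g. python dco_check.py origin/main..HEAD
        text = subprocess.run(["git", "log", "--format=" + LOG_FORMAT, sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_LOG
    violations = dco_violations(text)
    for sha, reason in violations:
        print(f"{sha}: {reason}")
    sys.exit(1 if violations else 0)
```

On the sample the second commit fails for lacking a trailer and the fourth because the sign-off names someone other than the author; the third passes because the comparison ignores case. A non-zero exit status is what a merge-request pipeline needs to block the merge.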