Guidelines and Procedures
Indiana University encourages and supports the establishment and publishing of open source code repositories under the following conditions and guidelines:
- Everyone who is involved in the creation, management, maintenance, or approval of an IU open source repository must read and understand these conditions and guidelines.
- Before deciding to create an open source repository, consider the repository’s open source value. Does it have utility outside of Indiana University? Does it represent something novel or innovative? In releasing code as open source, IU is sharing its intellectual property with the world and this work should ideally represent the best of what we have to offer.
- Creating an open source repository is a business decision made by the responsible unit. All requests to create an open source repository must be approved in advance by an appropriately authorized individual of at least director level or above within the associated unit. Each unit may have their own process for how this approval is obtained or who will have authority to provide that approval. The unit may also contact the Innovation and Commercialization Office (ICO) with any commercialization questions regarding the contemplated open source repository.
- Open source repositories should be hosted on GitHub.com . Two-factor authentication will be required for all interactions with GitHub.
- All repositories must be licensed BSD 3-Clause. If a different license is desired, please contact the IU Open Source Administrators at email@example.com to discuss.
- All repositories must have an appropriate LICENSE file containing the BSD 3 copyright notice and license text in the root of the repository. The copyright year should be the year of first publication.
- Adding a license header to source files within the repository is recommended but is not required. For details why you may want to include them and instructions on how to do so may be found on the Source File Licensing page.
- No non-public IU data may be stored in a repository. Please ensure you are familiar with the institutional data classifications.
- Take extra care to ensure no secrets (passwords, keys, etc.) are stored within a repository!
- If secrets or non-public information makes its way into a repository, notify firstname.lastname@example.org and email@example.com immediately and without delay so that appropriate action may be taken. Remember, simply deleting an offending file from a git repository will not delete its history! It can still be retrieved.
- Only IU employees should have write and/or admin access to the repository.
- Contributions from external collaborators may be accepted via Pull Request pursuant to the GitHub Terms of Service, so long as the repository contains proper notice of license by having a LICENSE file in the root of the repository, as noted previously.
- Remember that you are representing Indiana University to the outside world by participating in a published open source project. Ensure that any discussion on issues or pull requests are civil.
- Each unit or team will manage its interaction with any communities that are established as a result of its open source products as it sees fit. This includes notifications about releases, security fixes, and other types of communication.
Procedures for Publishing Open Source
- Obtain approval from the appropriate level within your unit to publish the target intellectual property as open source.
- Have all IU employees who should have admin and/or write access to the GitHub repository read the above Conditions and Guidelines and then create accounts on github.com, or identify their existing accounts.
- By default, all approved open source repositories will be created within the official indiana-university organization on GitHub.com which is maintained by the IU Open Source Administrators.
- Units may alternatively create and manage their own organizations in GitHub.com provided they have obtained director level or higher approval to do so. If a different organization is needed, contact the administrators at firstname.lastname@example.org, including the approval for the creation of the organization. There are additional guidelines that will be provided and which must be followed for the proper creation and administration of one of these organizations.
- Email email@example.com with the following information:
- Requested repository name
- Description of the open source project
- Approval details from authorized individual within the unit
- Name of GitHub team to create (including list of GitHub accounts to include as members) or name of existing team within the organization to grant “Admin” permission to the new repository
- The administrators will review your request and, if approved, will do the following:
- Add any GitHub accounts to the organization who aren’t already members.
- Send a copy of the Conditions and Guidelines to each new person added to the organization.
- Create your repository and team (if applicable) within the target organization
- Grant your team “Admin” permissions to the repository
Archiving an Open Source Repository
It is expected that some projects which are published as open source will eventually become abandoned or no longer relevant. In these cases, it is in the best interest of Indiana University to remove these from the public GitHub. Requests for archival should go through firstname.lastname@example.org and can proceed in one of two ways:
- Request that the repository be archived in GitHub.
- Request that the repository be deleted in GitHub. This is destructive and cannot be undone!
Responding to Security or Data Breach
While it is the responsibility of everyone participating in an open source project to ensure no secretes or non-public information makes its way into a repository by accident, accidents do happen. If you suspect or know of the existence of sensitive data in a public open source repository, notify email@example.com and firstname.lastname@example.org immediately and without delay so that appropriate action may be taken. The open source administrators will immediately transfer your repository to a private repository so that it can be quarantined for further analysis without risking additional exposure. They will then contact you for further details on how to proceed.
Remember, simply deleting an offending file from a git repository will not delete its history!
Please follow these same procedures if you suspect that someone has gained unauthorized commit access to your repository.
Proper administration of organizations in GitHub.com that contain open source repositories is critical to ensuring security of the code contained therein and controlling the university’s risk. This document is intended for the IU Open Source Administrators who are responsible for maintaining the indiana-university organization as well as those who have a need to administer their own GitHub.com organization that contains open source repositories.
Organization Administration Guidelines
The administrators of a GitHub.com organization used for publishing open source repositories are responsible for the following:
- When creating an organization, the “This account is owned by a business” option must be selected and “Indiana University” must be entered into the text box.
- The “Require two-factor authentication for everyone” option must be enabled for the organization.
- Only IU employees should be included as members of the organization, and only those that need to be on teams that have write/admin access to the repositories within.
- Anyone added as a member to the organization must first be provided a copy of the “Guidelines and Procedures” document for the Indiana University Open Source Program and instructed to adhere to those in the publishing of their open source project.
- Accounts representing a “system” or “bot” may be added as a member of the organization for the purpose of integration with continuous integration and other tools. Access to these accounts should be managed appropriately by the administrators.
- Ensure that approval has been obtained for the creation of the open source repository and maintain a record of that approval.
- Membership in the organization must be updated over time and as soon as possible after people leave the university or teams within the organization.
- There must be a mechanism in place to allow for repositories to easily and quickly be made private in the case of a suspected or actual sensitive data disclosure. This will mean either paying for the GitHub organization where the repository is hosted or having the ability to transfer it to another paid organization where it can be made private.
IU Open Source Administrators
A small cross-UITS group will be established with the following responsibilities:
- Administration of the “indiana-university” GitHub.com organization pursuant to the “Organization Administration Guidelines” previously established.
- Administration of a separate paid organization that can be used for transferring repositories for purposes of making them private in case of a sensitive data disclosure. This will have the fewest members possible in order to reduce cost (GitHub bills per organization member).
- Review and approval of requests for new open source repositories within the Indiana-university organization
- Review and approval of requests for new organizations that wish to host open source repositories.
- Creation and monitoring of a shared request queue that can be reached at email@example.com. This should be tied to Jira or Footprints for recordkeeping.
- Each member will be well-versed in the conditions and guidelines around approval and creation of open source repositories and may act unilaterally when a request is received, provided that appropriate approval is supplied.
- Will engage with the Innovation and Commercialization Office when questions or requests about open source licensing come up which are not covered by the existing guidelines.
- Will do their best to serve as open source advocates and experts within the university community.
The indiana-university organization in GitHub will be configured as follows:
- All of the IU Open Source Administrators will have the “Owner” role
- Repository Creation – disabled
- Repository Deletion – disabled
- Repository Visibility Change – disabled
- Default Repository Permissions – none
- Two-Factor Authentication – required
- Verified Domains – verify iu.edu
- Projects (organization and repository) – enabled
- Team Discussions - enabled