!16009 开源合规文档补充

Merge pull request !16009 from 高亮（Kubi）/master

zh-cn/contribute/OpenHarmony社区开源合规规范及指导.md

+# OpenHarmony社区开源合规规范及指导
+
+## 目的
+
+本文档定义的规范确保OpenHarmony社区遵守开源软件许可条款和价值，并遵从第三方知识产权，从开源软件的使用中受益。本文档提供了OpenHarmony社区遵守开源软件合规的共同框架确保许可证合规性，并基于业界最佳实践提升OpenHarmony社区开源合规治理能力，方便社区成员了解如何使用开源软件以及为开源社区进行贡献。
+
+## 范围
+
+本指导适用于所有参与OpenHarmony社区的贡献者，项目适用范围包含：[OpenHarmony主线](https://gitee.com/openharmony)下代码仓和[OpenHarmony-SIG](https://gitee.com/openharmony-sig)下的代码仓所涉及的项目。
+
+## 本文的改进和修订说明
+
+1. 本文档由合规SIG主导起草和维护。最新版本可以在 [这里](OpenHarmony社区开源合规规范及指导.md)找到。
+2. 任何对于本文中涉及的规则的增加，修改，删除都必须可追溯 。
+3. 最终规则经过社区充分的讨论后，由PMC评审定稿。
+
+
+## 术语和缩略语
+
+  [开源合规术语与缩略语参考]()
+
+## 各阶段合规规范及指导
+
+### 引入阶段
+
+#### 开源软件许可证使用及评审规范
+
+1. [OpenHarmony项目代码许可证规则与特殊许可证评审指导](许可证与特殊许可证评审指导.md)
+
+2. [OpenHarmony社区项目已使用代码许可协议说明](https://gitee.com/openharmony#%E8%AE%B8%E5%8F%AF%E5%8D%8F%E8%AE%AE)
+ 
+#### 第三方开源软件开源引入及退出
+
+[第三方开源软件引入及退出指导](第三方开源软件引入指导.md)
+
+
+### 开发阶段
+
+#### 开源开发许可证、版权、元数据合规规范
+
+1. [代码仓许可证与版权声明规范](许可证与版权规范.md)
+
+2. [SPDX信息声明规范]()
+
+3. 第三方开源软件中补充[上游开源软件元数据声明文件README.OpenSource规范](第三方开源软件上游软件元数据READMEOpenSource文件规范.md)
+
+#### 开源开发合规门禁规范
+
+1. [开源合规开发门禁要求](https://gitee.com/openharmony/community/blob/master/sig/sig_qa/%E4%BB%A3%E7%A0%81%E9%97%A8%E7%A6%81%E8%A6%81%E6%B1%82.md#codecheck%E6%A3%80%E6%9F%A5)
+
+2. [开源门禁工具OAT功能及问题确认说明](https://gitee.com/openharmony-sig/tools_oat#oat%E5%BC%80%E6%BA%90%E5%AE%A1%E6%9F%A5%E5%B7%A5%E5%85%B7)
+
+#### 参与上游社区贡献规范
+
+[OpenHarmony社区上游开源项目贡献最佳实践及建议](上游开源项目贡献最佳实践及建议.md)
+                                                                                                                                                              
+
+### 发布阶段
+
+#### 开源义务履行
+
+[开源合规交付制品管理规范及指导](开源义务履行合规交付制品管理规范及指导.md)
+
+#### 软件物料清单（SBOM）规范
+
+1. [OpenHarmony SBOM 生成及交付说明]()
+
+2. [OpenHarmony SBOM 审视及问题处理规则]()
+
+#### 社区版本发布及SIG孵化毕业开源合规要求
+
+1. [SIG 孵化项目毕业开源合规标准](https://gitee.com/openharmony/community/blob/master/sig/sig_qa/guidance_for_incubation_project_graduation_cn.md#sig%E5%AD%B5%E5%8C%96%E9%A1%B9%E7%9B%AE%E6%AF%95%E4%B8%9A%E8%AF%84%E5%AE%A1%E6%A3%80%E6%9F%A5%E9%A1%B9)
+
+2. [版本发布开源合规标准](https://gitee.com/openharmony/community/blob/master/sig/sig_qa/%E7%89%88%E6%9C%AC%E8%B4%A8%E9%87%8F%E8%A6%81%E6%B1%82.md)
+
+
+## 二进制合规规范
+
+[二进制合规规范]()
+
+## 开源合规类issue管理流程
+
+[OpenHarmony社区开源合规issue管理流程指导](开源合规类问题管理.md)
+
+## 开源合规角色和责任
+
+[《开源合规角色职责及能力要求》](https://gitee.com/openharmony/community/blob/master/sig/sig_compliance/docs/%E5%BC%80%E6%BA%90%E5%90%88%E8%A7%84%E8%A7%92%E8%89%B2%E8%81%8C%E8%B4%A3%E5%8F%8A%E8%83%BD%E5%8A%9B%E8%A6%81%E6%B1%82.md)
+
+## 开源合规培训资源及要求
+
+[《开源合规培训计划》](https://gitee.com/openharmony/community/blob/master/sig/sig_compliance/docs/%E5%BC%80%E6%BA%90%E5%90%88%E8%A7%84%E5%9F%B9%E8%AE%AD%E8%AE%A1%E5%88%92.md)
+
+## 未能遵守的后果
+
+必须遵守此规范，这一点很重要。不这样做可能会导致： 
+- 使用的代码中的版权或其他知识产权持有人提出法律索赔； 
+- 代码的接收者提出的索赔； 
+- 无意中发布了不允许发布的代码； 
+- 违反监管义务可能导致罚款； 
+- 名誉损失； 
+- 资金损失； 
+- 违反合约。
+
+因此，我们会严肃对待违反本规范的行为，任何违反本政策的个人都可能会受到纪律处分。
+
+## 开源合规负面事件响应策略
+《社区开源合规负面事件响应策略》，请参照法务与合规组策略。
+
+## 参考文档
+
+本文档参考LinuxFoundation compliance generic policy FOSS policy template 

zh-cn/contribute/上游开源项目贡献最佳实践及建议.md

+# 上游开源项目贡献最佳实践及建议
+
+## Upstream First 原则
+OpenHarmony 社区软件版本在特性开发过程中遵照业界最佳实践，会引入第三方开源软件做为OpenHarmony 软件版本的一部分（参见[第三方开源软件引入指导](第三方开源软件引入指导.md)）。
+
+在OpenHarmony社区中我们建议社区开发者优先采用业界最佳实践 “**Upstream First**”，即上游优先的方式来对引入的第三方开源软件进行维护。
+
+## 第三方开源软件贡献及维护
+
+对于OpenHarmony社区引入的第三方开源软件， bugfix、新特性等优先合入上游社区，减少未来与上游软件分叉的可能性，降低增量内容成为技术债务的风险。当bugfix合入上游社区后，再升级OpenHarmony社区中所引入的三方开源软件版本，保持更新。
+
+若因版本节奏，交付计划等原因，需要优先在OpenHarmony社区代码仓内合入的内容，应由合入人制定合理的向上游回合的计划，以保障修改内容尽可能合入上游项目（若经评估，无法被上游接纳的除外）。
+
+社区开发者向上游社区贡献时，可能被要求签署DCO（原创证明）、CLA（贡献者许可协议）或其他文件，由于相关代码版权归属于贡献者本人或贡献者所在公司或单位，涉及法务问题建议咨询对应组织法务；若仍有疑问，您也可以向OpenHarmony[法务与合规组](https://www.openharmony.cn/GLA)咨询。
+
+## 第三方开源项目安全漏洞处理要求
+针对涉及第三方开源软件漏洞修复等安全相关活动，请遵照[OpenHarmony社区安全漏洞处理流程](https://www.openharmony.cn/security/vulnerability-process)。
+
+

zh-cn/contribute/开源义务履行合规交付制品管理规范及指导.md

+# 开源义务履行合规交付制品管理规范及指导
+
+## 概述
+社区开发者在引入和使用和再次分发第三方开源软件时，需要依据开源软件所包含的开源许可证中的条款要求，履行相应的开源义务，以满足开源合规要求。常见的开源义务分为：开源使用声明义务，代码对外开源义务，修改声明义务。 开源义务履行时所需的交付件，统称为开源合规交付制品。 本规范重点说明社区开源合规交付制品的规则和要求。 
+
+## 开源软件使用声明义务履行合规制品管理规范
+履行开源软件使用声明，业界常见方式为在版本发布时随版本发布NOTICE文档，在该文档中写明其中所使用的开源软件名、版权信息和许可证信息，并附上免责声明。
+
+### 开源软件NOTICE使用场景
+
+分发的二进制文件中包含有第三方开源软件，则需要提供以“NOTICE”命名的文件，进行开源软件使用声明。
+
+### 开源软件NOTICE包含内容要求
+
+开源软件NOTICE文件以纯文本格式描述包含的所有第三方开源软件名称、软件版本、权利人声明、License信息。
+
+### 开源软件NOTICE生成规则及要求
+
+[OpenHarmony开源软件Notice自动生成及收集策略说明](https://gitee.com/openharmony/build/blob/master/docs/%E5%BC%80%E6%BA%90%E8%BD%AF%E4%BB%B6Notice%E6%94%B6%E9%9B%86%E7%AD%96%E7%95%A5%E8%AF%B4%E6%98%8E.md)
+
+### 开源软件NOTICE存放位置
+
+#### OS设备镜像存放位置要求
+
+1. 标准设备OS镜像tar包中system.img -> system/etc/NOTICE.txt。
+
+2. 系统中存放在/system/etc/NOTICE.txt。
+
+#### 应用软件存放位置要求
+NOTICE文件通常放置在发布文件夹或压缩包的顶层目录，对于".jar"格式的文件，许可证可位于META-INF目录。
+
+### 开源软件NOTICE的生命周期
+NOTICE文件的生命周期，跟随发布二进制的生命周期，按照[OpenHarmony生命周期规则](https://gitee.com/openharmony/release-management/blob/master/OpenHarmony%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E5%8F%91%E5%B8%83%E5%85%AC%E5%91%8A.md)，支撑LTS、Release等版本。
+
+### 开源软件NOTICE模板
+
+完整的开源软件NOTICE 应包含以下内容。
+
+```
+OPEN SOURCE SOFTWARE NOTICE
+
+Please note we provide an open source software notice for the third party open source software along with this software and/or this software component (in the following just “this SOFTWARE”). The open source software licenses are granted by the respective right holders.
+
+Warranty Disclaimer
+THE OPEN SOURCE SOFTWARE IN THIS PRODUCT IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY, WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SEE THE APPLICABLE LICENSES FOR MORE DETAILS.
+
+Copyright Notice and License Texts
+----------------------------------------------------------------------
+
+Software: XXXX vXX
+
+Copyright notice:
+Copyright 2023 XXXX Co. LTD  
+Copyright 2022 XXXX Co. LTD  
+License: Apache License 2.0
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+```
+
+
+## 代码对外开源义务履行合规制品管理规范
+
+1. 由于OpenHarmony版本是由OpenHarmony开源社区发布，代码本身已在OpenHarmony社区开源，因此无需额外提供开源软件包；[开源软件包生成](https://gitee.com/openharmony/build/blob/master/docs/%E7%94%9F%E6%88%90%E5%BC%80%E6%BA%90%E8%BD%AF%E4%BB%B6%E5%8C%85.md)
+主要提供一种下游集成时需要自动生成的OpenHarmony所涉及的开源软件包的辅助工具和参考实现，OpenHarmony社区不对最终下游产品开源义务履行负责。
+2. 针对开源许可证中条款，应满足对应许可证规则的义务要求，如：开源代码必须能够编译通过，且编译结果与分发软件制品中开源部分一致；在开源软件包中应附上编译指导，说明编译所需要的环境、工具及操作步骤，确保用户可以根据指导完成编译操作等。
+
+
+## 修改声明履行合规制品管理规范
+
+修改声明义务是按照部分开源许可证条款要求开发者对开源软件进行修改后，需对修改时间，修改的代码及修改过的文件做出声明的要求。
+
+1. 若对开源软件的已有文件进行了修改，在被修改的文件头上附上修改声明，可参考以下模板。
+
+```
+*  20XX.XX.XX -  XXXXX（修改内容，简要说明修改）
+                 Copyright(c)20XX. XXXXXXX （修改人版权声明，年份为代码修改年份）
+```
+
+2. 若对开源软件中新增了文件，需在文件头附上对应贡献者的版权和开源软件允许许可证及免责声明。

zh-cn/contribute/第三方开源软件上游软件元数据READMEOpenSource文件规范.md

+# README.OpenSource 文件规范
+
+## 目的
+
+为更好追溯第三方开源软件的原始上游信息，特在[《第三方开源软件引入指导》](第三方开源软件引入指导.md)中对相关信息进行了要求 “新引入的开源软件必须在其根目录提供README.OpenSource文件，在该文件中准确描述其软件名、许可证、许可文件位置、版本、对应版本的上游社区地址、软件的维护Owner、功能描述以及引入的原因。” 但社区开发者常见问题是对于README.OpenSource 写作要求和规范并不清晰，对于其中多License情况，多开源软件情况等场景如何规范填写并不清晰，因此，本文旨在规范化README.OpenSource文件的写作要求，并将相关要求基线化，在工程能力成熟后，README.OpenSource文件可按照本规范，在选型引入时，自动基于引入的信息由IT系统生成此文件。
+
+## 范围
+
+本指导适用于所有参与OpenHarmony社区的贡献者、特别是当引入第三方开源软件到OpenHarmony项目中。
+
+## 本文的改进和修订说明
+
+1. 本文档由OpenHarmony合规SIG主导起草和维护。本文档的最新版本总可以在 [这里](第三方开源软件上游软件元数据READMEOpenSource文件规范.md)找到。
+2. 任何对于本文中涉及的规则的增加，修改，删除都必须被追踪，请进入该追踪系统。
+3. 最终规则经过社区充分的讨论后，由PMC评审定稿。
+
+
+
+## README.OpenSource 字段规则说明
+README.OpenSource 样例
+
+```
+[
+    {
+        "Name": "linux",                   # 上游开源软件名全称
+        "License": "GPL-2.0+",             # 上游开源软件中包含的许可证信息
+        "License File": "COPYING",         # 许可证所在文件路径
+        "Version Number": "5.10.93",       # 该软件的版本
+        "Owner": "xxx@xxx.com",            # 开源软件在OpenHarmony组织下对应的维护人及邮箱
+        "Upstream URL": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/snapshot/linux-5.10.93.tar.gz",   # 上游软件包发布地址
+        "Description": "XXXXXXX"           # 开源软件功能描述
+    },
+    {
+        ...
+    }
+]
+```
+
+1. **Name** : 在本代码仓中**包含源码**的上游开源软件全称。若有多个软件，则写个{}进行描述。
+
+注意：
+
+假设A软件依赖B软件，若通过将B软件源码放置在本仓库中，来满足A对B的依赖关系，即A*包含依赖*B， **则A、B软件均需要声明**； 若B软件已在OpenHarmony组织下建立其专属代码仓，仅在编译构建时通过GN指定其他代码仓目录进行依赖，不是以**源码形式**存放在本代码仓库的，即A开源软件*编译依赖*B软件，则不用在此处声明。
+
+2. **License** : 上游开源软件中包含的许可证信息此处不可随意填写，需使用SPDX Identitifer简写，每次只能写一个许可证信息； 若存在许可证二选一的情况，在此明确具体选择了哪个许可证； 若代码仓存在多许可证共存的情况，则需要在本文件的最外层数组[]中，再增加一组开源软件元数据的{}描述，对其他许可证及其对应的文件路径进行描述。
+
+3. **License File** : 许可证文件和本代码仓根目录的相对路径，包含最终的文件名。 多个许可证文件的处理方式，参考**License**字段的处理规则，配合完成。
+
+4. **Version Number** : 上游软件正式发布的版本号，应与上游版本号的文本内容保持完全一致。
+
+5. **Owner** : 该开源软件在本代码对应组织下的维护者，注：此Owner仅表示在本仓的软件维护者，不同于软件的实际作者。
+
+6. **Upstream URL** ： 源码引入时上游软件对应版本的源码包的发布地址。
+
+7. **Description** : 开源软件功能的简要描述。
+