Hosted Project Tools and Immutable Records

All open source software projects make available the project’s source code for downstream recipients to use and modify themselves under the applicable open source license.

Some projects additionally host and operate a community-managed instance of that software. These “hosted project tools” include cases where the technical goals of the project call for a single canonical, Internet-accessible instance used in a production capacity, such as a community-wide ledger or database. Other examples include projects that offer a web-based demonstration version of the software for convenience and testing purposes.

In either case, hosted project tools may require the project’s maintainers and contributors to account for additional data privacy considerations. A project that only makes its source code available for others to obtain and run themselves might not collect any meaningful personal data (other than, e.g., details about the project contributions under the DCO’s “personal information” notice). But a hosted project tool may collect and process a variety of data from its users, ranging from login credentials to personal data embedded in submissions to the tool.

Projects that operate hosted project tools should evaluate the types of data, including personal data, that they are collecting. They should be transparent with their community of end users about how that data is collected, processed, and shared, just as with any other hosted software service.

Additionally, some hosted project tools are designed to make it effectively impossible to alter or delete previously submitted content. This immutable nature can be an essential characteristic of some tools, for purposes such as establishing contractual commitments, making public attestations, and ensuring the security of the system. Hosted project tools that record data in an immutable manner should make their immutability extremely clear to users, and should take special care with regard to the receipt and hosting of personal data.

LF Projects, LLC has implemented a policy and procedure for projects that want to operate hosted project tools. This provides a legal framework (via terms of use, acceptable use policies, and a data transfer addendum) that is intended to facilitate projects making available hosted instances of their tools, while also ensuring that the underlying software itself remains fully available under open source licenses. Additionally, where a hosted project tool will collect immutable records, the policy puts in place a short set of requirements intended to align such usage with data subjects’ reasonable expectations and the project’s legitimate interests.

Under the policy, the project maintainers answer questions about the nature of the hosted service, including details about what types of data are collected and their purposes and uses. The LF’s legal counsel then works with those maintainers to review the answers and adjust practices as appropriate.

Please see the “Hosted Project Tools” documents linked from the LF Projects, LLC Policies page for more details, as well as to access the review form and full policies.