• This repository has been archived on 01/Aug/2018
  • License
    Creative Commons ...

Open Source guidance from Zalando, Europe's largest online fashion platform

OPEN SOURCE RULES AND STRATEGY

Deprecated document: this document has been replaced by the documentation on opensource.zalando.com and will not receive further updates. Source files for the docs are available in the public opensource.zalando.com GitHub repository.


If you are a Zalando employee, please use the internal version, because internal links and contact persons are excluded from this public version.

  1. Purpose
  2. Contact
  3. Project Publication Process
  4. Rules
  5. Appendix 1: Philosophy/principles
  6. Appendix 2: Potential risks to Zalando’s competitive advantage
  7. Appendix 3: How Zalando organizes open source
  8. Appendix 4: Zalando’s public GitHub organizations
  9. Appendix 5: How to deprecate a project
  10. Appendix 6: MIT license
  11. Appendix 7: How to honor non-Zalando third-party OSS components
  12. Appendix 8: Why you must create a new repo

Purpose

These open source rules aim to make your OSS efforts more sustainable and successful by reinforcing development habits that improve our software, coding literacy, and craftsmanship. The rules offer guidance and clarify expectations regarding project quality, security, compliance, and usefulness beyond Zalando (see also our OS philosophy/principles in Appendix 1). They also aim to protect Zalando’s competitive advantage (see Appendix 2).

Contact

Please contact Zalando’s Open Source Review Group for open source-related questions and suggestions. For more details on how Zalando organizes open source, see Appendix 3.

Project Publication Process

To publish your project on GitHub.com, please follow these steps:

  1. Read all of these rules and make sure your project complies with them.
  2. Email the Review Group about your project with the following information:
    • Project name and link:
    • Do you plan to promote your project internally and externally, to build a community of users and contributors?
    • Does this project have any internal Zalando dependencies? (If "Yes," stop here.)
    • Who is your target audience?
    • How many hours per week will you devote to maintaining and growing the project?
    • What does this project solve for potential users, and how is it different (better, faster, simpler) than existing solutions?
    • Did you request internal feedback?
  3. The Review Group will review your project and offer feedback and guidance to support your publication bid.
  4. The Review Group might ask you to present your project, but in most cases will request information over email/HipChat.
  5. For your project to go live, you must receive the following approvals from the Review Group: security, code quality, documentation, and agreement that the project does not risk our competitive advantage.
  6. Upon receiving the Review Group’s approval, you can push your project to the incubator, where it can remain for up to six months. During this time, we expect you to take actions to grow your project. Find more information about Zalando’s public GitHub organizations in Appendix 4.
  7. If your project grows and evolves, you may ask the Review Group to push your project to Zalando’s main Open Source organization. To initiate this process, please contact the Review Group.

Rules

All open source projects published since 2015 MUST comply with rules 1-9. Non-compliant projects must be deleted from GitHub.com; see Appendix 5 for how to deprecate a project. To publish a new project, you MUST also follow rule 10. (If you are a Zalando employee, please use the internal version, because internal links and contact persons are excluded from this public version.)

  1. All projects MUST include a Maintainers.md/rst file listing at least two active maintainers by name and contact email.
  2. You MUST create a meaningful README that includes the items requested in Question #11 of our application form.
  3. You MUST include a CONTRIBUTING.md/rst guidelines file.
  4. You MUST create a license file and state that the MIT license applies to all code owned by Zalando. (Please use the license text in Appendix 6). If you use third-party OSS, you MUST only use license-compatible projects/software. You MUST honor the original licenses used in those third-party projects in the license file (see example). For more information and guidance, see Appendix 7. Projects published before June 1, 2017 may keep their original license (e.g. Apache 2.0). Contact Legal for personal support on licensing.
  5. You SHOULD semantically version project artifacts. You MUST tag all versions in GitHub with the exact version name: e.g., 0.1.0.
  6. You SHOULD sign every commit.
  7. You MUST create a SECURITY.md file in the main root folder of your repository. This text is sufficient for the file: “If you have discovered a security vulnerability, please email [email protected].”
  8. Your repositories MUST NOT, at any time, include Zalando specifics such as credentials and private identifiers.
  9. You SHOULD review all merge requests for implanted security backdoors and vulnerable code fragments regardless of who is making the pull request. User impersonation is easy.

In addition to the above rules, the following also govern new open source projects you wish to publish on a Zalando-owned GitHub organization.

  10. You MUST create an entirely new Git repository before pushing the project to GitHub. More info in Appendix 8.

Appendix 1: Philosophy / Principles

OSS development is integral to our engineering practices and culture for these reasons:

  • Facilitates skills acquisition (coding, communication, project management, product mindset) that benefits internal and personal development
  • Engages highly skilled external contributors who improve our software quality and relevance
  • Brings about knowledge exchange and innovation through collaborative partnerships with other companies
  • Sends a positive “giving back” message to a community upon which we rely
  • Implicitly shows developers why working for Zalando will be an enriching and challenging experience, and therefore serves as a highly authentic “employer branding” asset

Appendix 2: Potential Risks to Zalando’s Competitive Advantage

Anything that risks Zalando’s competitive advantage is not permissible for publication on GitHub.com. This typically means technologies we build that are intrinsic to generating or reinforcing the uniqueness of our customer experience. This could include (but is not limited to):

  • confidential source code
  • recommendation algorithms
  • search functionalities that give us an edge over competitors

We advise you to take a conservative approach and reach out to our Legal team for any ambiguous cases.

Appendix 3: How Zalando organizes open source

There are two relevant organizations at Zalando: the OSS Review Group and the Open Source Guild. An OS Team is planned but does not exist yet.

OSS Review Group

  • Purpose
    • Guide Zalando technologists to create high-quality projects that meet our standards.
    • Offer peer review and feedback.
    • Develop policies and processes that reinforce open source development based on quality, end-to-end ownership, broad usefulness to non-Zalandos, and innovation as key values.
  • Responsibility:
    • Meet every two weeks to approve/reject projects awaiting public release
    • Update and manage the OSS Priority Project List (quarterly)
    • Help Incubator projects graduate to /zalando, the main Zalando organization
    • Manage all Zalando GitHub organizations. The group has the right to remove non-compliant projects from GitHub. (To deprecate a project, see Appendix 5.)
  • Membership:
    • VP(s) Engineering
    • Open Source Evangelist (RG leader)
    • 3-5 engineers, delivery leads, and (at least one) dedicated owners
    • Tech Security
    • IT-Compliance
    • Legal
  • Membership Process: Please mail the OSS Review Group if you would like to become a member.

Open Source Guild

Founded in spring 2015, the Guild exists for Zalando technologists to discuss OSS topics and development. Members maintain a lively Google Group that all Zalandos are encouraged to use for these purposes:

  • Announcing new projects and asking for feedback
  • Requesting/offering project demos
  • Knowledge exchange: sharing articles, talks, videos, etc.
  • Generating discussions

Once formed, the OSS Team will offer guidance to structure the Guild into working groups on mentoring, quality, external community building, and documentation.

Appendix 4: Zalando’s Public GitHub organizations

  • zalando: Where we showcase our strongest projects
  • zalando-incubator: Where we incubate new projects, giving them six months to grow audiences and develop.
  • zalando-stups: Setup/purpose in review.
  • zalando-nakadi: For all repos related to the Nakadi project. Setup/purpose in review.
  • zalando-zmon: For all repos related to the ZMON project. Setup/purpose in review.
  • zalandoresearch: For all repos and code samples generated by Zalando Research. Setup/purpose in review.

Appendix 5: How to deprecate a project

Please follow this process to remove a project from GitHub.com:

  1. File a JIRA ticket for your repository deletion process.
  2. Archive a version of your repository in your GHE org of choice and follow these steps:
    • You MUST ensure that commit IDs in the new GHE repo are exactly the same as in the old GitHub repo
    • You MUST register the application in YourTurn/Kio, unless the repo is a library, document, or locally used tool
    • You MUST ensure the SCM URL in YourTurn/Kio is entered correctly (for GHE)
  3. Wait for IT-Compliance to approve the request.
  4. If your OS project is public on maven, pip, npm, or similar public repositories, please contact the Review Group for further instructions.

Appendix 6: MIT License

Replace the [yyyy] field with the year that you created the project, and do not update it. Do not provide multiple years.

The MIT License (MIT)

Copyright © [yyyy] Zalando SE, https://tech.zalando.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Appendix 7: How to honor non-Zalando/third-party OSS components

Copyleft: Copyleft is a legal obligation that Zalando must fulfill when you modify and/or distribute and/or make third party material publicly available (so-called “copyleft trigger”).

Examples: changing the program code, uploading to public GitHub, sending it to someone else from another company. Copyleft may oblige Zalando to license its modifications also under the license whose copyleft was triggered. In legal terms, “modification” can be interpreted very broadly—e.g. whole libraries or code that you added (so-called “scope of copyleft”).

For Modification + Internal and/or Publishing, do not use reciprocal licenses that trigger the copyleft already during internal modification—e.g. RPL or APSL 2.1, AGPLv3.

For Modification + Publishing:

  • See above (RPL, APSL 2.1, AGPLv3, etc.).
  • Do not use licenses with strict copyleft, e.g. GPLv2, GPLv3, unless you have clearance from Legal.
  • If you use licenses with limited copyleft (e.g. LGPLv2.1, LGPLv3, MPLv2, CPL), please make sure you can fulfill their specific requirements to restrict the copyleft from taking over Zalando’s or other third parties’ code. → reach out to Legal.

License Template for Multi-Licensed Projects without Copyleft

“This {name} Project is in general licensed under the following MIT license except the files named underneath (see corresponding notice files below)

(Insert Zalando MIT from Appendix 6 above)

Notice file for (path)/(other file)

(Insert license text & copyright notice from the original file here)

Notice file for (path)/(other file)

(Insert license text & copyright notice from the original file here)

(...)

Appendix 8: Why you must create a new repo

“You MUST create an entirely new Git repository before pushing the project to GitHub.”

This rule is a trade-off. On the one hand, we lose information when creating a new git repository. On the other hand, keeping a long history in an existing repository is too high a risk; specifics like credentials could be published by mistake. Security comes first.
