Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

You may want to common on / watch what happens with this:
https://issues.apache.org/jira/browse/LEGAL-234

(Re ASF license copyright lines in NOTICE)

Thanks,
Justin

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Sat, Feb 6, 2016 at 6:34 PM, Justin Mclean  wrote:
> Here what I worked out needs to be added to LICENSE and NOTICE for each type
> of bundled license.

Good stuff!

Here's a old (2002) but succinct snippet on combining licenses:

http://www.catb.org/esr/Licensing-HOWTO.html#compatibility

When two licenses A and B are combined, the following things can happen:
(1) A subsumes B, (2) B subsumes A, (3) A adds to B so that you must
observe the requirements of both, or (4) A and B clash — they cannot both
be satisfied.

As I understand it, when bundling works under other license terms into one of
our distibutions, we have two main objectives:

* Fulfill all requirements of the other licenses.
* Ensure that Apache-2.0 subsumes all other licenses.  This means that
  users who satisfy the terms of Apache-2.0 satisfy all requirements for all
  works in the package, and allows us to advertise the package as available
  under "Apache-2.0", rather than "Apache-2.0 plus FooLicense-3.0 plus
  BarLicense-1.2".

Here's a more recent article (2011) on combining licenses:

https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility

> CC-A   Y  N

I believe you're referring to the Creative Commons Attribution license, which
normally goes by the acronym "CC-BY".

CC-BY is category B now -- it was moved -- so it can't be bundled in a source
release.  (See LEGAL-167.)

> Does anyone know what goes in NOTICE for Apache 1.1 licensed software?

There are no active products using Apache-1.1 -- though old releases are still
available -- so this question is mostly academic.  But it's very interesting
historically!

Here is the relevant clause from Apache-1.1:

3. The end-user documentation included with the redistribution,
   if any, must include the following acknowledgment:
   "This product includes software developed by the
Apache Software Foundation (http://www.apache.org/)."
   Alternately, this acknowledgment may appear in the software itself,
   if and wherever such third-party acknowledgments normally appear.

If the "This product..." line ends up in NOTICE, then Apache-2.0 can be said
to subsume Apache-1.1.  Otherwise, they "add" (by the terms of the catb.org
article quoted above).

It turns out that that "attribution" clause prevents Apache-1.1 from being
subsumed by the GPL, even though Apache-1.1 is otherwise very similar to
BSD-3-clause.  The primary reason that the NOTICE file was added in Apache-2.0
was to make it possible to move that notice out of the license, because the
GPL allows the preservation of notices even though it must subsume all other
licenses[1].

In other words, the NOTICE file originated as a clever legal hack to enable
subsumption of Apache-1.1 by Apache-2.0 while facilitating subsumption of
Apache-2.0 by the GPL.

> Oddly the BSD with advertising clause is not listed in the Category A, B or
> X lists so while it seems to have been discussed (at length) it may not
> actually be able to be bundled.

The BSD-4-clause license with the advertising clause is not approved for use
by ASF projects.  It's not even OSI approved, and it's vanishingly rare these
days, anyway.  We don't have to worry about it.

Marvin Humphrey

[1] http://s.apache.org/XAf

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Wed, Feb 3, 2016 at 7:43 PM, Justin Mclean  wrote:

>>> Does the policy need to be made clearer first?
>>
>> Yes, I think that's important -- it will help us to persuade PMCs that our
>> proposed changes are both correct and worthwhile.
>
> OK lets work on that.

Based on insights gleaned from recent conversations over on
legal-discuss@apache, I feel good about incorporating the ideas in
this thread into some revisions for the Licensing How-To.  Give me a
week or two to polish something up.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> There are no active products using Apache-1.1 -- though old releases are still
> available -- so this question is mostly academic.

May be the case for some binary releases using old software. I can think of one 
project that may need to check that.

>  But it's very interesting historically!

Thanks for that now it’s clear what goes in NOTICE if it does ever show up.

> The BSD-4-clause license with the advertising clause is not approved for use
> by ASF projects.  It's not even OSI approved, and it's vanishingly rare these
> days, anyway. 

Last week I run into an incubating project that had several BSD-4 clause 
licenses. It (IMO) was not an issue as it turns out the clause had been 
rescinded (in 1999!) in this particular case. [1][2] But I assume any 
BSD-4-cluase not covered by that would not be allowed to be bundled.

Thanks,
Justin

1. https://opensource.org/licenses/BSD-3-Clause 

2. ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change 

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

Here what I worked out needs to be added to LICENSE and NOTICE for each type of 
bundled license.

Bundled Code licenseLICENSE NOTICE
Apache 1.1  Y   Y   Not 
sure what need to be added to NOTICE here
ASF Apache 2.0  N   N/Y From NOTICE If 
required 
non ASF Apache 2.0  N   Y   Name and 
copyright from NOTICE and from NOTICE if required
BSD Y   N
BSD (advertising)   Y   Y   
Advertising clause
MIT Y   N
CC-AY   N
OFL*Y   N
MPL*Y   Y   How to 
obtain a copy of source code
CDDL*   Y   Y   How to 
obtain a copy of source code
Eclipse*Y   Y   
How to obtain a copy of source code
GPL -   -
LGPL-   -

N = do nothing
Y = required to add 
* In binary form only
- Not allowed in Apache software

Does anyone know what goes in NOTICE for Apache 1.1 licensed software?

For Apache licensed software if required usually means 3rd party required 
notices or relocated copyrights that exist the NOTICE file.

Oddly the BSD with advertising clause is not listed in the Category A, B or X 
lists so while it seems to have been discussed (at length) it may not actually 
be able to be bundled.

Only case where there seem to be differing of opinions seems to be for bundling 
an ASF Apache license. Should the project name and copyright be placed in 
NOTICE? As far as I can tell the Apache License [1][2] doesn’t contain a 
requirement for a required 3rd party notice. But this [3] may mean than name 
and/or copyright needs to be added to NOTICE.  If this is the case it would 
have a large impact on existing (particularly binary) releases. Has there been 
a discussion on this, that I may of missed, somewhere that would clarify?

Assembled from here:
https://issues.apache.org/jira/browse/LEGAL-59
https://issues.apache.org/jira/browse/LEGAL-62
https://issues.apache.org/jira/browse/LEGAL-185
http://markmail.org/thread/ze722s7ovb5pjdnn
http://apache.markmail.org/thread/4nihn35nczynajvb
(and probably a few other places)

Thanks,
Justin

1. http://www.apache.org/legal/src-headers.html#notice 

2. http://apache.org/legal/resolved.html#required-third-party-notices 

3. http://www.apache.org/dev/licensing-howto.html#bundle-asf-product

Re: Confusion over NOTICE vs LICENSE files

[Sean Busbey]

Encouraging use of Whisker from the Apache Creadur project is another
avenue:

http://creadur.apache.org/whisker/

On Thu, Feb 4, 2016 at 5:54 PM, Justin Mclean 
wrote:

> Hi,
>
> >> But better conventions on the format and content of the files that would
> >> make automated processing easier would also be a great thing, but that
> >> might be too late already.
> >
> > Right, the hardest part of this problem is the spec, which SPDX provides.
>
> SPDX looks good - how there been any interest to implement this at Apache?
>
> BTW I see their NOTICE file has a few issues :-) [1] (It mentions Apache,
> MIT and BSD software). What we put in NOTICE is policy right rather than a
> legal requirement so I guess 3rd parties can do just about anything and
> that’s OK?
>
> A fair number of non ASF Apache software is usually missing a NOTICE file
> or has other issues. What do we do when you bundle a non ASF Apache license
> software that is missing a NOTICE file? Nothing or be a little more polite
> or assume a minimal NOTICE file and add that to ours?
>
> Thanks,
> Justin
>
> 1. https://github.com/spdx/tools/blob/master/NOTICE
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
>


-- 
Sean

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> When I saw this topic in the past, the answer was "nothing" [1]

What we’re legally required to do (i.e. nothing) is reasonably clear, but what 
policy or culturally is the best option is perhaps unclear. 

Thanks,
Justin
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Serge Huber]

As an engineer that's not an expert at legal stuff I was wondering if there 
isn't a way to solve this with tooling ?

I've seen a few Maven plugins out there but they don't seem to work properly, 
especially for binary distributions.

I've started a plugin myself here [1] but it's still in heavy development. 
Basically it's aimed at help building license and notice files for binary 
distributions by scanning all the jars in a directory recursively, trying to 
find notice, license or Pom.xml files and I was even then looking at connecting 
it to scm systems or using search.maven.org to find project metadata.

But better conventions on the format and content of the files that would make 
automated processing easier would also be a great thing, but that might be too 
late already.

Cheers,
  Serge

[1] https://github.com/sergehuber/Legal-Maven-Plugin


Serge Huber
CTO & Co-Founder

T +41 22 361 3424
9 route des Jeunes | 1227 Acacias | Switzerland
jahia.com
SKYPE | LINKEDIN | TWITTER | VCARD
  

> JOIN OUR COMMUNITY to evaluate, get trained and to discover why Jahia is a 
> leading User Experience Platform (UXP) for Digital Transformation.

> Le 3 févr. 2016 à 19:54, Justin Mclean  a écrit :
> 
> HI,
> 
>> [4] https://nifi.apache.org/licensing-guide.html 
>> 
> BTW nicely put together, it's well worth a read and clearly explains quite 
> tricky LICENSE and NOTICE issues.
> 
> Thanks,
> Justin

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

>> But better conventions on the format and content of the files that would
>> make automated processing easier would also be a great thing, but that
>> might be too late already.
> 
> Right, the hardest part of this problem is the spec, which SPDX provides.

SPDX looks good - how there been any interest to implement this at Apache?

BTW I see their NOTICE file has a few issues :-) [1] (It mentions Apache, MIT 
and BSD software). What we put in NOTICE is policy right rather than a legal 
requirement so I guess 3rd parties can do just about anything and that’s OK?

A fair number of non ASF Apache software is usually missing a NOTICE file or 
has other issues. What do we do when you bundle a non ASF Apache license 
software that is missing a NOTICE file? Nothing or be a little more polite or 
assume a minimal NOTICE file and add that to ours?

Thanks,
Justin

1. https://github.com/spdx/tools/blob/master/NOTICE
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Thu, Feb 4, 2016 at 3:54 PM, Justin Mclean  wrote:

> What we put in NOTICE is policy right rather than a
> legal requirement so I guess 3rd parties can do just about anything and
> that’s OK?

The Apache License 2.0 doesn't restrict what can go in NOTICE.  You could put
the lyrics to "Happy Birthday" in there.  Or the complete works of William
Shakespeare.  Or the copyright history of the Wu Tang Clan catalog.

Roy used to have to work hard to persuade Apache projects not to use NOTICE
for crediting contributors, or as a change log.

All of that stuff would be pointless but legal in NOTICE.

But larding up NOTICE with that kind of garbage makes it more expensive for
downstream consumers who are making good faith efforts to comply with our
licensing.  And so it is the policy of the ASF that LICENSE and NOTICE be kept
minimal.

http://www.apache.org/legal/release-policy#licensing-documentation

... LICENSE and NOTICE MUST NOT provide unnecessary information about
materials which are not bundled in the package, such as separately
downloaded dependencies.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Thu, Feb 4, 2016 at 3:05 AM, Serge Huber  wrote:
> As an engineer that's not an expert at legal stuff I was wondering if
> there isn't a way to solve this with tooling ?

If you're going to go this route, I suggest taking a look at SPDX:

  http://spdx.org/about-spdx

  Our Mission

  Develop and promote adoption of a specification to enable any party in a
  software supply chain, from the original author to the final end user, to
  accurately communicate the licensing information for any piece of
  copyrightable material that such party may create, alter, combine, pass on,
  or receive, and to make such information available in a consistent,
  understandable, and re-usable fashion, with the aim of facilitating license
  and other policy compliance.

Perhaps a way forward would be to create one or more .spdx files describing
an Apache project's licensing -- then write something (ad hoc to begin with)
which uses the SPDX data to generate LICENSE and NOTICE.

> But better conventions on the format and content of the files that would
> make automated processing easier would also be a great thing, but that
> might be too late already.

Right, the hardest part of this problem is the spec, which SPDX provides.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Alex Harui]

On 2/4/16, 3:54 PM, "Justin Mclean"  wrote:

>A fair number of non ASF Apache software is usually missing a NOTICE file
>or has other issues. What do we do when you bundle a non ASF Apache
>license software that is missing a NOTICE file? Nothing or be a little
>more polite or assume a minimal NOTICE file and add that to ours?

When I saw this topic in the past, the answer was "nothing" [1] or work
with that software community so they put a NOTICE in their future releases
[2]

HTH,
-Alex

[1] 
https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201406.mbox/%3c
CAM1oqKqL+1A90=wkqda-gjyqto5gah+ep3wvitrmf9etiai...@mail.gmail.com%3e

[2] 
https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201508.mbox/%3c
CAM1oqKp-iimxUS4+b11WTt6FuoDwLxL_vQjCio=xrx34jsd...@mail.gmail.com%3e


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> Speaking from the NiFi side I can assure you an enormous amount of
> time, energy, and communication go into LICENSE and NOTICE handling
> for this project.

Sorry if you thought my message applied otherwise, there’s certainly no harm 
intended. 

I was just pointing out (with some examples) that a little confusion seems to 
occurs at TLP as well.

It was just a casual glance at your NOTICE, certainly not a formal or thorough 
review, but I would guess that these lines:

This product includes the following work from the Apache Hadoop project:
BoundedByteArrayOutputStream.java adapted to 
SoftLimitBoundedByteArrayOutputStream.java

Doesn’t need to be include in your NOTICE file as per [1]. It would be nice to 
mention this somewhere but I’m guessing NOTICE isn’t the correct place?

Of course something as minor as this may not even matter as it imposes little 
on any down stream projects.

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#bundle-asf-product




-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Joe Witt]

Justin,

Speaking from the NiFi side I can assure you an enormous amount of
time, energy, and communication go into LICENSE and NOTICE handling
for this project.  We've had discussions with PMC and committers of
other projects to learn their approach as well as to encourage them to
follow these policies as well.

We attempt to adhere to both spirit and letter of policy regarding
licensing and notice information.  The NOTICE [1] you reference for us
is only the source release NOTICE and I believe it to be correct for
the source release.  Can you share what you see is missing?

We also maintain a notice that specifically applies to any convenance
binaries we produce [2].  In fact, we also do that level of artifact
specific NOTICE resolution for any bundling of dependencies we do (for
example [3]).

We produced and frequently reference this guide to help our community
stay consistent with the policy as we understood/understand it [4].

And here you can see that we are pretty strict in following the
understanding of the policy even when it deviates from otherwise
accepted practice [5].

I very much welcome efforts to improve this guidance.  I think some of
the work Todd Lipcon has initiated recently is a great start.

Now I write this realizing you are an excellent contributor to the
licensing/notice discussions and you provided some of the best RC
reviews in this area as well for us in incubation.  So I write this
fully respecting you just want things to be done right.  if we're
actually doing something wrong let us know and we'll sort it out.

[1] https://github.com/apache/nifi/blob/master/NOTICE
[2] https://github.com/apache/nifi/blob/master/nifi-assembly/NOTICE
[3] 
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/src/main/resources/META-INF/NOTICE
[4] https://nifi.apache.org/licensing-guide.html
[5] https://issues.apache.org/jira/browse/LEGAL-230

On Wed, Feb 3, 2016 at 7:01 PM, Justin Mclean  wrote:
> Hi
>
> It seems that some of the confusion comes from what top level projects have 
> done and not keep up with policy? From a 5 minute search (and not to pick on 
> / point out any particular project) here’s some examples were I think 
> improvement could be made to NOTICE files. [1][2][3][4][5][6][7]
>
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little 
> more consistent with current policy? Any suggestion on how we would go about 
> this? Does the policy need to be made clearer first?
>
> Thanks,
> Justin
>
> 1. https://github.com/apache/spark/blob/master/NOTICE 
> 
> 2. https://github.com/apache/flink/blob/master/NOTICE 
> 
> 3. https://github.com/apache/nifi/blob/master/NOTICE 
> 
> 4. https://github.com/apache/accumulo/blob/master/NOTICE 
> 
> 5. https://github.com/apache/camel/blob/master/NOTICE.txt 
> 
> 6. https://github.com/apache/phoenix/blob/master/NOTICE 
> 
> 7. https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt 
> 
>
>
>
>

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi

It seems that some of the confusion comes from what top level projects have 
done and not keep up with policy? From a 5 minute search (and not to pick on / 
point out any particular project) here’s some examples were I think improvement 
could be made to NOTICE files. [1][2][3][4][5][6][7]

Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little 
more consistent with current policy? Any suggestion on how we would go about 
this? Does the policy need to be made clearer first?

Thanks,
Justin

1. https://github.com/apache/spark/blob/master/NOTICE 

2. https://github.com/apache/flink/blob/master/NOTICE 

3. https://github.com/apache/nifi/blob/master/NOTICE 

4. https://github.com/apache/accumulo/blob/master/NOTICE 

5. https://github.com/apache/camel/blob/master/NOTICE.txt 

6. https://github.com/apache/phoenix/blob/master/NOTICE 

7. https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt 

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

HI,

> [4] https://nifi.apache.org/licensing-guide.html 
> 
BTW nicely put together, it's well worth a read and clearly explains quite 
tricky LICENSE and NOTICE issues.

Thanks,
Justin

Re: Confusion over NOTICE vs LICENSE files

[Roman Shaposhnik]

On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean  wrote:
> Hi
>
> It seems that some of the confusion comes from what top level projects have 
> done and not keep up with policy?
> From a 5 minute search (and not to pick on / point out any particular 
> project) here’s some examples were
> I think improvement could be made to NOTICE files. [1][2][3][4][5][6][7]
>
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little 
> more consistent with current policy?
> Any suggestion on how we would go about this? Does the policy need to be made 
> clearer first?

FWIW I must echo Justin's sentiment: there's quite a few TLPs out
there that prove
to be far from ideal role models for the podlings. In fact, even in my
own case, I was
looking at a few examples that proved to be an unfortunate choice of
'prior art'.

Thanks,
Roman.

P.S. Justin, I don't think we thank you enough for your diligence
around these areas. So. THANK YOU

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Julian Hyde]

I can see how a TLP would not be receptive to someone nit-picking their 
LICENSE/NOTICE files. Asking for patches, as Marvin suggests, is one approach 
that might work. Another approach is for someone with expertise in licensing to 
approach a TLP and offer to take them through a licensing review. Of course the 
TLP is at liberty to refuse, but if they accepted, some knowledge would 
undoubtedly rub off. I can speak only for the Calcite project, but I think we’d 
be happy to go through such a process every couple of years.

Julian


> On Feb 3, 2016, at 6:32 PM, Marvin Humphrey  wrote:
> 
> On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean  wrote:
>> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little
>> more consistent with current policy?
> 
> I approached a bunch of Lucene PMC members about this at ApacheCon a couple
> years back and they were receptive to the idea.
> 
> However, I don't think we should approach any other TLPs, to be honest.  A lot
> of the issues we'd like to fix in TLP LICENSE and NOTICE files would improve
> compliance with Apache *policy*, not law.  TLPs are the Board's purview -- the
> Incubator's writ only extends to podlings.
> 
> We can let the Board know that poor TLP compliance with Apache licensing
> policy is complicating our work in the Incubator, and perhaps the Board will
> solicit our help as volunteers to work on that problem.  But I think that if
> an initiative to tackle TLP licensing documentation originates on
> general@incubator, that's asking for trouble.  The last thing we need is
> conflict with the Board over ostensible IPMC overreach.
> 
>> Any suggestion on how we would go about this?
> 
> For any TLP we approach, I think we need to ensure that any proposed revisions
> are real, valuable contributions to the community.
> 
> *   Provide patches, rather than point out flaws.
> *   Explain persuasively and coherently to the PMC why these patches should be
>applied, while minimizing what we ask of them in terms of review and
>research.
> *   If possible, provide project-specific improvements which will help the PMC
>handle licensing better and with less effort in the future.
> 
> We need to bear in mind that we are outsiders while a project's PMC members
> are charged with legal oversight of their project, and that there is generally
> limited energy and patience for dealing with legal stuff.
> 
>> Does the policy need to be made clearer first?
> 
> Yes, I think that's important -- it will help us to persuade PMCs that our
> proposed changes are both correct and worthwhile.
> 
> Marvin Humphrey
> 
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> 


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean  wrote:
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little
> more consistent with current policy?

I approached a bunch of Lucene PMC members about this at ApacheCon a couple
years back and they were receptive to the idea.

However, I don't think we should approach any other TLPs, to be honest.  A lot
of the issues we'd like to fix in TLP LICENSE and NOTICE files would improve
compliance with Apache *policy*, not law.  TLPs are the Board's purview -- the
Incubator's writ only extends to podlings.

We can let the Board know that poor TLP compliance with Apache licensing
policy is complicating our work in the Incubator, and perhaps the Board will
solicit our help as volunteers to work on that problem.  But I think that if
an initiative to tackle TLP licensing documentation originates on
general@incubator, that's asking for trouble.  The last thing we need is
conflict with the Board over ostensible IPMC overreach.

> Any suggestion on how we would go about this?

For any TLP we approach, I think we need to ensure that any proposed revisions
are real, valuable contributions to the community.

*   Provide patches, rather than point out flaws.
*   Explain persuasively and coherently to the PMC why these patches should be
applied, while minimizing what we ask of them in terms of review and
research.
*   If possible, provide project-specific improvements which will help the PMC
handle licensing better and with less effort in the future.

We need to bear in mind that we are outsiders while a project's PMC members
are charged with legal oversight of their project, and that there is generally
limited energy and patience for dealing with legal stuff.

> Does the policy need to be made clearer first?

Yes, I think that's important -- it will help us to persuade PMCs that our
proposed changes are both correct and worthwhile.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> We can let the Board know that poor TLP compliance with Apache licensing
> policy is complicating our work in the Incubator

+1 to that it makes reviewing releases a lot harder. Recently a few release 
candidates have waited too long for a vote here and that may be a factor.

Some incubating projects understandably tend to look at what TLP have done and 
copy that rather than find and wade through all of the policy documentation.

>  The last thing we need is conflict with the Board over ostensible IPMC 
> overreach.

Certainly not.

>> Does the policy need to be made clearer first?
> 
> Yes, I think that's important -- it will help us to persuade PMCs that our
> proposed changes are both correct and worthwhile.

OK lets work on that.

Thanks,
Justin
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

I took a look at all the LICENSE, NOTCE and DISCLAIMER files in the non 
documentation / non web site github repos of all incubating projects. 

I was assisted by scripts and make a few assumptions for expediency so may of 
missed a couple/included a graduated or retired project.

Some data points:
- 10 repos are missing a LICENSE file
- There's some (very) minor variations of text in the LICENSE appendix
- 39 repos use a boiler plate LICENSE file
- 1 LICENSE file is missing Apache boilerplate test
- 1 repo is missing the LICENSE appendix part
- 2 repos have a non standard LICENSE appendix (filled in copyright line)
- 10 LICENSE files have the long form of MIT/BSD licenses where the short form 
is preferred
- 1 LICENSE file oddly / verbosely lists out the MIT/BSD license of all 
individual files
- at least 1 LICENSE file lists Apache licensed ASF software
- at least 8 LICENSE files list non ASF Apache licensed software
- 14 repos are missing a NOTICE file
- in the NOTICE file 14 repos use the name "Apache  (incubating)”, 55 use 
"Apache ”, and 3 use just “XXX”  (missing Apache)
- 29 repos have a NOTICE file copyright year before 2016
- 2 use the older “developed by” instead of “developed at” in the NOTICE file
- 2 have incorrect text in the NOTICE files
- at least 8 including licensing information in NOTICE that should be in 
LICENSE (IMO from a quick look)
- at least 1 has excessive copyright lines which may be incorrect
- 21 repos are missing DISCLAIMER files
- There's some (minor) variation on the DISCLAIMER wording

Projects are works in progress or may not have made a release or updated the 
files for the next release or the expected files may not be in the 1/2 dozen 
places my scripts looked at. Just take these numbers as a rough indication. I 
really didn’t want to spend too long on this.

A few NOTICE / LICENSE files have TODO’s which is nice to see. I would pass an 
IPMC vote on a release if I saw this.

It looks like a few projects are getting confused with what goes in LICENSE and 
NOTICE. The two issues seem to be adding MIT, BSD or Apache licenses to NOTICE 
when it is not required and adding extra copyright notices to NOTICE. An update 
on policy documentation to make it clearer what goes in both files would help 
here I think - which is already under way.

There also seems be some confusion around what to do with bundled Apache 
licensed software. This existing documentation is not entirely clear on how to 
handle non ASF Apache software and this has come up on the list a few times 
with some differing opionions.

A few questions on incubator policy that may need to be clarified:
- A release must include a NOTICE file, but should a repo include one?
- Likewise should a DISCLAIMER file be present in the repo?
- I thought incubating projects should be named "Apache  (incubating)” but 
the majority are named "Apache ” missing the “(incubating)" in the NOTICE 
file.
- What is the correct way to handle non ASF Apache license software? Currently 
policy (AFAIK) is not to add to LICENSE but not an error if you do so. What 
advice should we give to podlings here?

I think some of these issues are likely to occur from copy and paste from other 
projects files. Would it make sense when creating new source repos to add 
boiler plate LICENSE, NOTICE and DISCLAIMER files?

Anyone have any other views / opionions / insights based on the above data?

Now I don’t want to look at a LICENSE or NOTICE file for a week or so and need 
a stiff drink.

Thanks,
Justin

PS If anyone is interested in the simple scripts/process to get those numbers 
just ask offline. I used grep, wc and sort a fair bit to narrow down which 
files to look at.
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

If no one else steps forward to pick up the task of integrating this new
material into the Licensing How-To, I'm happy to.

Marvin Humphrey

On Fri, Jan 29, 2016 at 8:28 AM, Anthony Baker  wrote:
> Thanks so much for helping to clarify these details.  Having just worked
> through some of these questions I can say I would have definitely benefitted
> from having this information available.
>
> Anthony
>
>> On Jan 26, 2016, at 12:08 PM, Marvin Humphrey  wrote:
>>
>>> On Tue, Jan 26, 2016 at 11:42 AM, Todd Lipcon  wrote:
>>> I started a Google doc to try to clear this up in a simple "if/then" type
>>> layout:
>>> https://docs.google.com/document/d/1eftfjrWpOG-dRkw9dZWRfcj3p_qCeE5xC-G0Y5j29Ck/edit
>>
>> Nice work!
>>
>>> I have a bunch of confusion/open questions still, and email threads don't
>>> seem to be the best way to clear these things up, because different people
>>> have different opinions. Perhaps people could take a look at the above doc
>>> and add comments? This could then become a reference guide (or adendum to
>>> the existing licensing howto?).
>>
>> The structure of this document is actually pretty close to what I had
>> in mind with the first draft of the licensing how-to. I think we
>> should seek to integrate this material into that document.
>>
>> Once we have a patch we're happy with, we should run it by 
>> legal-discuss@apache.
>>
>> Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Anthony Baker]

Thanks so much for helping to clarify these details.  Having just worked 
through some of these questions I can say I would have definitely benefitted 
from having this information available.

Anthony


> On Jan 26, 2016, at 12:08 PM, Marvin Humphrey  wrote:
> 
>> On Tue, Jan 26, 2016 at 11:42 AM, Todd Lipcon  wrote:
>> I started a Google doc to try to clear this up in a simple "if/then" type
>> layout:
>> https://docs.google.com/document/d/1eftfjrWpOG-dRkw9dZWRfcj3p_qCeE5xC-G0Y5j29Ck/edit
> 
> Nice work!
> 
>> I have a bunch of confusion/open questions still, and email threads don't
>> seem to be the best way to clear these things up, because different people
>> have different opinions. Perhaps people could take a look at the above doc
>> and add comments? This could then become a reference guide (or adendum to
>> the existing licensing howto?).
> 
> The structure of this document is actually pretty close to what I had
> in mind with the first draft of the licensing how-to. I think we
> should seek to integrate this material into that document.
> 
> Once we have a patch we're happy with, we should run it by 
> legal-discuss@apache.
> 
> Marvin Humphrey
> 
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> 

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> LICENSE lists the licenses of bundled software that require it. Apache 
> licensed software doesn’t require that. [1]

I should clarify that’s only in the case when the software is already under an 
Apache license. Basically there’s no need to list the license twice.

Thanks,
Justin
-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi,

> In this email [4], Sebb recommends mentioning non-ASF Apache-licensed
> bundled dependencies in LICENSE.

I think you are misrepresenting Sebb here but I'll let him clarify if need be.

The case you refer to the file in question was a binary file whose license 
wasn’t obvious. When adding one (or more) source files they would have an 
Apache header naming the copyright owner so there is no requirement to list 
them in LICENSE. Adding them to LICENSE is not an error but it is not required. 
If it was required then there would be many Apache releases with incorrect 
licenses.

> In my simple mental model, the LICENSE is the list of suppliers.  The ASF
> is one supplier, every other supplier in the package is mentioned.  NOTICE
> is legal stuff required by that list of suppliers.

LICENSE lists the licenses of bundled software that require it. Apache licensed 
software doesn’t require that. [1]

NOTICE contains copyright and attribution statements that the licenses of 
bundled software require. [2][3] (And any removed copyright statements.)

Thanks,
Justin

1. 
http://incubator.apache.org/guides/releasemanagement.html#best-practice-license
2, http://www.apache.org/licenses/LICENSE-2.0 (see 4 c/4 d)
3. http://www.apache.org/dev/licensing-howto.html#mod-notice

Re: Confusion over NOTICE vs LICENSE files

[Jean-Baptiste Onofré]

Hi Justin,

Starting from the licensing howto 
(http://www.apache.org/dev/licensing-howto.html#mod-notice), and 
regarding what you said, it's not obvious to me, and a bit confusing.


Maybe, we can enhance a bit the licensing howto to be more "straight 
forward", using some existing examples to illustrate how to proceed for 
"newbies" (or even veterans ;)).


WDYT ?

Thanks,
Regards
JB

On 01/26/2016 08:46 AM, Justin Mclean wrote:

Hi, 


1) In the case that we've borrowed code from another Apache 2.0 licensed
project, the licensing howto[1] says that there is no need to modify
LICENSE unless it transitively has dependencies with such a requirement.


That is the current policy yes so there is no need to list them.


Is this true even if the original dependency carries a copyright?


Yes. The copyright should be in a NOTICE file and if that exists need it needs 
be be added to your NOTICE file. [1]

BTW bootstrap in now MIT not Apache so you may want to double check the 
version/license you are using.


For example, we bundle Twitter's Bootstrap library and currently have 
attribution in our
LICENSE file[2] indicating the copyright (even though it's also at the top
of the relevant files). Not necessary?


It’s not required under current policy, but there’s no harm in adding it.


2) In other cases we've bundled MIT or BSD-licensed source. The license
says that redistributions must retain the text of the license. Is it
sufficient that that text be only in the source code, or should we also
duplicate it into LICENSE.txt as we've done for code derived from
AsyncHBase? [3]


You should add the full text or better still a pointer to it. [2]


3) We have many thirdparty dependencies which are not "bundled" in the
source release. Instead, our build process has a script which downloads
them from the internet, unpacks, and compiles them. So, despite not being
part of the artifact itself, they are required components for the build
(and in most cases become static-linked into the binary). We currently list
all of these dependencies and their licenses in LICENSE.txt. Is this
necessary, or should we move these into a separate file?


Only items bundled should be mentioned in LICENSE/NOTICE. [3]

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#alv2-dep
2. http://www.apache.org/dev/licensing-howto.html#permissive-deps
3. http://www.apache.org/dev/licensing-howto.html#guiding-principle


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Alex Harui]

On 1/26/16, 12:07 AM, "Justin Mclean"  wrote:

>Hi,
>
>> In this email [4], Sebb recommends mentioning non-ASF Apache-licensed
>> bundled dependencies in LICENSE.
>
>I think you are misrepresenting Sebb here but I'll let him clarify if
>need be.
>
>The case you refer to the file in question was a binary file whose
>license wasn’t obvious. When adding one (or more) source files they would
>have an Apache header naming the copyright owner so there is no
>requirement to list them in LICENSE. Adding them to LICENSE is not an
>error but it is not required. If it was required then there would be many
>Apache releases with incorrect licenses.

Here's a related link where sebb seems to be saying it applies to source
packages as well:
http://s.apache.org/7mq


-Alex

RE: Confusion over NOTICE vs LICENSE files

[Roberta Marton]

+1

As someone who just went through the process of figuring out the LICENSE and
NOTICE files and am still unclear. I agree with JB - examples would be
great.

Regards,
Roberta

-Original Message-
From: Jean-Baptiste Onofré [mailto:j...@nanthrax.net]
Sent: Tuesday, January 26, 2016 5:19 AM
To: general@incubator.apache.org
Subject: Re: Confusion over NOTICE vs LICENSE files

Hi Justin,

Starting from the licensing howto
(http://www.apache.org/dev/licensing-howto.html#mod-notice), and regarding
what you said, it's not obvious to me, and a bit confusing.

Maybe, we can enhance a bit the licensing howto to be more "straight
forward", using some existing examples to illustrate how to proceed for
"newbies" (or even veterans ;)).

WDYT ?

Thanks,
Regards
JB

On 01/26/2016 08:46 AM, Justin Mclean wrote:
> Hi,>
>> 1) In the case that we've borrowed code from another Apache 2.0
>> licensed project, the licensing howto[1] says that there is no need
>> to modify LICENSE unless it transitively has dependencies with such a
>> requirement.
>
> That is the current policy yes so there is no need to list them.
>
>> Is this true even if the original dependency carries a copyright?
>
> Yes. The copyright should be in a NOTICE file and if that exists need
> it needs be be added to your NOTICE file. [1]
>
> BTW bootstrap in now MIT not Apache so you may want to double check the
> version/license you are using.
>
>> For example, we bundle Twitter's Bootstrap library and currently have
>> attribution in our LICENSE file[2] indicating the copyright (even
>> though it's also at the top of the relevant files). Not necessary?
>
> It’s not required under current policy, but there’s no harm in adding it.
>
>> 2) In other cases we've bundled MIT or BSD-licensed source. The
>> license says that redistributions must retain the text of the
>> license. Is it sufficient that that text be only in the source code,
>> or should we also duplicate it into LICENSE.txt as we've done for
>> code derived from AsyncHBase? [3]
>
> You should add the full text or better still a pointer to it. [2]
>
>> 3) We have many thirdparty dependencies which are not "bundled" in
>> the source release. Instead, our build process has a script which
>> downloads them from the internet, unpacks, and compiles them. So,
>> despite not being part of the artifact itself, they are required
>> components for the build (and in most cases become static-linked into
>> the binary). We currently list all of these dependencies and their
>> licenses in LICENSE.txt. Is this necessary, or should we move these into
>> a separate file?
>
> Only items bundled should be mentioned in LICENSE/NOTICE. [3]
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/dev/licensing-howto.html#alv2-dep
> 2. http://www.apache.org/dev/licensing-howto.html#permissive-deps
> 3. http://www.apache.org/dev/licensing-howto.html#guiding-principle
>
>
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>

--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Todd Lipcon]

Yea, even after this thread I'm not entirely sure on whether copyright
statements need to be duplicated from original source files into NOTICE or
not. For example, Subversion's LICENSE file mentions the 'linenoise'
library and its copyrights, but its NOTICE file doesn't. Not sure if this
is an error or fine because the copyright statements are still in the
original source.

A nice "if/then" style decision framework, or a flow chart would be nice..
eg:

IF the source code in question is not shipped directly in the source
release, THEN it should not be mentioned in any way. This includes if it's
automatically downloaded during the build process.
IF the source code in question is Apache licensed:
-- IF the Apache-licensed source files have copyright headers.
 IF the headers are maintained in the source files themselves (i.e. not
"relocated" or "removed"):
-- THEN the copyright should NOT be mentioned in LICENSE or NOTICE.
etc, etc.

In other words, a single straightforward place to reference for these
items, which could be updated to reflect the policy as it evolves. Right
now I find myself going back and forth between several docs (release
guides, licensing HOWTO) and mailing list threads, sometimes with seemingly
conflicting information.

-Todd



On Tue, Jan 26, 2016 at 8:16 AM, Roberta Marton <roberta.mar...@esgyn.com>
wrote:

> +1
>
> As someone who just went through the process of figuring out the LICENSE
> and
> NOTICE files and am still unclear. I agree with JB - examples would be
> great.
>
> Regards,
> Roberta
>
> -Original Message-
> From: Jean-Baptiste Onofré [mailto:j...@nanthrax.net]
> Sent: Tuesday, January 26, 2016 5:19 AM
> To: general@incubator.apache.org
> Subject: Re: Confusion over NOTICE vs LICENSE files
>
> Hi Justin,
>
> Starting from the licensing howto
> (http://www.apache.org/dev/licensing-howto.html#mod-notice), and regarding
> what you said, it's not obvious to me, and a bit confusing.
>
> Maybe, we can enhance a bit the licensing howto to be more "straight
> forward", using some existing examples to illustrate how to proceed for
> "newbies" (or even veterans ;)).
>
> WDYT ?
>
> Thanks,
> Regards
> JB
>
> On 01/26/2016 08:46 AM, Justin Mclean wrote:
> > Hi,>
> >> 1) In the case that we've borrowed code from another Apache 2.0
> >> licensed project, the licensing howto[1] says that there is no need
> >> to modify LICENSE unless it transitively has dependencies with such a
> >> requirement.
> >
> > That is the current policy yes so there is no need to list them.
> >
> >> Is this true even if the original dependency carries a copyright?
> >
> > Yes. The copyright should be in a NOTICE file and if that exists need
> > it needs be be added to your NOTICE file. [1]
> >
> > BTW bootstrap in now MIT not Apache so you may want to double check the
> > version/license you are using.
> >
> >> For example, we bundle Twitter's Bootstrap library and currently have
> >> attribution in our LICENSE file[2] indicating the copyright (even
> >> though it's also at the top of the relevant files). Not necessary?
> >
> > It’s not required under current policy, but there’s no harm in adding it.
> >
> >> 2) In other cases we've bundled MIT or BSD-licensed source. The
> >> license says that redistributions must retain the text of the
> >> license. Is it sufficient that that text be only in the source code,
> >> or should we also duplicate it into LICENSE.txt as we've done for
> >> code derived from AsyncHBase? [3]
> >
> > You should add the full text or better still a pointer to it. [2]
> >
> >> 3) We have many thirdparty dependencies which are not "bundled" in
> >> the source release. Instead, our build process has a script which
> >> downloads them from the internet, unpacks, and compiles them. So,
> >> despite not being part of the artifact itself, they are required
> >> components for the build (and in most cases become static-linked into
> >> the binary). We currently list all of these dependencies and their
> >> licenses in LICENSE.txt. Is this necessary, or should we move these into
> >> a separate file?
> >
> > Only items bundled should be mentioned in LICENSE/NOTICE. [3]
> >
> > Thanks,
> > Justin
> >
> > 1. http://www.apache.org/dev/licensing-howto.html#alv2-dep
> > 2. http://www.apache.org/dev/licensing-howto.html#permissive-deps
> > 3. http://www.apache.org/dev/licensing-howto.html#guiding-principle
> >
> >
> > 

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Tue, Jan 26, 2016 at 9:10 AM, Todd Lipcon  wrote:
> Yea, even after this thread I'm not entirely sure on whether copyright
> statements need to be duplicated from original source files into NOTICE or
> not.

Copyright statements on their own within a source file?  They do not.

> For example, Subversion's LICENSE file mentions the 'linenoise' library and
> its copyrights, but its NOTICE file doesn't.

That is the propagation of the *entire* BSD-2 *license* for linenoise from the
source file to the LICENSE file. All members of the BSD license family are
templates which require insertion of a copyright statement.

http://svn.apache.org/viewvc/subversion/trunk/LICENSE?revision=1714640=markup#l369

Legally, not even the propagation of the BSD-2 license to LICENSE is required.
So long as the bundled source files for linenoise retain that license header,
the BSD-2 license is satisfied and redistribution is legally permitted.

However, it is the policy of the ASF that the top level LICENSE file summarize
information about the licensing of bundled dependencies. This provides a
service to downstream consumers of ASF products -- they can examine the
top-level LICENSE file instead of having to look through every last source
file.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Todd Lipcon]

For the sake of all of these discussions, are "bundled dependencies" and
"work derived from other projects source code" 100% equivalent? In many
cases we've copied (or ported) small bits of code from other projects and
believe them to be 'derived work' from a copyright standpoint. My
assumption is that there's no difference between that and "bundling" in
which you are typically taking a release artifact as-is from another
project.

-Todd

On Tue, Jan 26, 2016 at 10:52 AM, Marvin Humphrey 
wrote:

> On Tue, Jan 26, 2016 at 9:10 AM, Todd Lipcon  wrote:
> > Yea, even after this thread I'm not entirely sure on whether copyright
> > statements need to be duplicated from original source files into NOTICE
> or
> > not.
>
> Copyright statements on their own within a source file?  They do not.
>
> > For example, Subversion's LICENSE file mentions the 'linenoise' library
> and
> > its copyrights, but its NOTICE file doesn't.
>
> That is the propagation of the *entire* BSD-2 *license* for linenoise from
> the
> source file to the LICENSE file. All members of the BSD license family are
> templates which require insertion of a copyright statement.
>
>
> http://svn.apache.org/viewvc/subversion/trunk/LICENSE?revision=1714640=markup#l369
>
> Legally, not even the propagation of the BSD-2 license to LICENSE is
> required.
> So long as the bundled source files for linenoise retain that license
> header,
> the BSD-2 license is satisfied and redistribution is legally permitted.
>
> However, it is the policy of the ASF that the top level LICENSE file
> summarize
> information about the licensing of bundled dependencies. This provides a
> service to downstream consumers of ASF products -- they can examine the
> top-level LICENSE file instead of having to look through every last source
> file.
>
> Marvin Humphrey
>
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
>


-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Confusion over NOTICE vs LICENSE files

[Ted Dunning]

There really isn't a difference between things copied without modification
and things copied with modification insofar as copyright is concerned.

Copying without modification into a larger work is just a special case of a
derived work. The change introduced is represented by adding the rest of
the work.



On Tue, Jan 26, 2016 at 11:01 AM, Todd Lipcon  wrote:

> For the sake of all of these discussions, are "bundled dependencies" and
> "work derived from other projects source code" 100% equivalent? In many
> cases we've copied (or ported) small bits of code from other projects and
> believe them to be 'derived work' from a copyright standpoint. My
> assumption is that there's no difference between that and "bundling" in
> which you are typically taking a release artifact as-is from another
> project.
>
> -Todd
>
> On Tue, Jan 26, 2016 at 10:52 AM, Marvin Humphrey 
> wrote:
>
> > On Tue, Jan 26, 2016 at 9:10 AM, Todd Lipcon  wrote:
> > > Yea, even after this thread I'm not entirely sure on whether copyright
> > > statements need to be duplicated from original source files into NOTICE
> > or
> > > not.
> >
> > Copyright statements on their own within a source file?  They do not.
> >
> > > For example, Subversion's LICENSE file mentions the 'linenoise' library
> > and
> > > its copyrights, but its NOTICE file doesn't.
> >
> > That is the propagation of the *entire* BSD-2 *license* for linenoise
> from
> > the
> > source file to the LICENSE file. All members of the BSD license family
> are
> > templates which require insertion of a copyright statement.
> >
> >
> >
> http://svn.apache.org/viewvc/subversion/trunk/LICENSE?revision=1714640=markup#l369
> >
> > Legally, not even the propagation of the BSD-2 license to LICENSE is
> > required.
> > So long as the bundled source files for linenoise retain that license
> > header,
> > the BSD-2 license is satisfied and redistribution is legally permitted.
> >
> > However, it is the policy of the ASF that the top level LICENSE file
> > summarize
> > information about the licensing of bundled dependencies. This provides a
> > service to downstream consumers of ASF products -- they can examine the
> > top-level LICENSE file instead of having to look through every last
> source
> > file.
> >
> > Marvin Humphrey
> >
> > -
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
> >
>
>
> --
> Todd Lipcon
> Software Engineer, Cloudera
>

Re: Confusion over NOTICE vs LICENSE files

[Todd Lipcon]

I started a Google doc to try to clear this up in a simple "if/then" type
layout:
https://docs.google.com/document/d/1eftfjrWpOG-dRkw9dZWRfcj3p_qCeE5xC-G0Y5j29Ck/edit

I have a bunch of confusion/open questions still, and email threads don't
seem to be the best way to clear these things up, because different people
have different opinions. Perhaps people could take a look at the above doc
and add comments? This could then become a reference guide (or adendum to
the existing licensing howto?).

-Todd

On Tue, Jan 26, 2016 at 11:35 AM, Ted Dunning  wrote:

> There really isn't a difference between things copied without modification
> and things copied with modification insofar as copyright is concerned.
>
> Copying without modification into a larger work is just a special case of a
> derived work. The change introduced is represented by adding the rest of
> the work.
>
>
>
> On Tue, Jan 26, 2016 at 11:01 AM, Todd Lipcon  wrote:
>
> > For the sake of all of these discussions, are "bundled dependencies" and
> > "work derived from other projects source code" 100% equivalent? In many
> > cases we've copied (or ported) small bits of code from other projects and
> > believe them to be 'derived work' from a copyright standpoint. My
> > assumption is that there's no difference between that and "bundling" in
> > which you are typically taking a release artifact as-is from another
> > project.
> >
> > -Todd
> >
> > On Tue, Jan 26, 2016 at 10:52 AM, Marvin Humphrey <
> mar...@rectangular.com>
> > wrote:
> >
> > > On Tue, Jan 26, 2016 at 9:10 AM, Todd Lipcon 
> wrote:
> > > > Yea, even after this thread I'm not entirely sure on whether
> copyright
> > > > statements need to be duplicated from original source files into
> NOTICE
> > > or
> > > > not.
> > >
> > > Copyright statements on their own within a source file?  They do not.
> > >
> > > > For example, Subversion's LICENSE file mentions the 'linenoise'
> library
> > > and
> > > > its copyrights, but its NOTICE file doesn't.
> > >
> > > That is the propagation of the *entire* BSD-2 *license* for linenoise
> > from
> > > the
> > > source file to the LICENSE file. All members of the BSD license family
> > are
> > > templates which require insertion of a copyright statement.
> > >
> > >
> > >
> >
> http://svn.apache.org/viewvc/subversion/trunk/LICENSE?revision=1714640=markup#l369
> > >
> > > Legally, not even the propagation of the BSD-2 license to LICENSE is
> > > required.
> > > So long as the bundled source files for linenoise retain that license
> > > header,
> > > the BSD-2 license is satisfied and redistribution is legally permitted.
> > >
> > > However, it is the policy of the ASF that the top level LICENSE file
> > > summarize
> > > information about the licensing of bundled dependencies. This provides
> a
> > > service to downstream consumers of ASF products -- they can examine the
> > > top-level LICENSE file instead of having to look through every last
> > source
> > > file.
> > >
> > > Marvin Humphrey
> > >
> > > -
> > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > For additional commands, e-mail: general-h...@incubator.apache.org
> > >
> > >
> >
> >
> > --
> > Todd Lipcon
> > Software Engineer, Cloudera
> >
>



-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey]

On Tue, Jan 26, 2016 at 11:42 AM, Todd Lipcon  wrote:
> I started a Google doc to try to clear this up in a simple "if/then" type
> layout:
> https://docs.google.com/document/d/1eftfjrWpOG-dRkw9dZWRfcj3p_qCeE5xC-G0Y5j29Ck/edit

Nice work!

> I have a bunch of confusion/open questions still, and email threads don't
> seem to be the best way to clear these things up, because different people
> have different opinions. Perhaps people could take a look at the above doc
> and add comments? This could then become a reference guide (or adendum to
> the existing licensing howto?).

The structure of this document is actually pretty close to what I had
in mind with the first draft of the licensing how-to. I think we
should seek to integrate this material into that document.

Once we have a patch we're happy with, we should run it by legal-discuss@apache.

Marvin Humphrey

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Alex Harui]

On 1/25/16, 6:19 PM, "Todd Lipcon"  wrote:

>Hey folks,
>
>I'm working on tidying up the source for Apache Kudu (incubating) in order
>to prepare for our first ASF release, and ran into a couple bits of
>confusion:
>
>1) In the case that we've borrowed code from another Apache 2.0 licensed
>project, the licensing howto[1] says that there is no need to modify
>LICENSE unless it transitively has dependencies with such a requirement.
>Is
>this true even if the original dependency carries a copyright? For
>example,
>we bundle Twitter's Bootstrap library and currently have attribution in
>our
>LICENSE file[2] indicating the copyright (even though it's also at the top
>of the relevant files). Not necessary? We can just entirely ignore such
>dependencies in LICENSE and NOTICE so long as the original header's
>maintained?

In this email [4], Sebb recommends mentioning non-ASF Apache-licensed
bundled dependencies in LICENSE.  So that's what I've been doing with
LICENSEs for release I manage.  I'm not a fan of including text of the
licenses, I prefer the "pointer" text as mentioned in [1].  IOW: "This
product bundles SuperWidget 1.2.3, which is available under a
"3-clause BSD" license.  For details, see deps/superwidget/."

>
>2) In other cases we've bundled MIT or BSD-licensed source. The license
>says that redistributions must retain the text of the license. Is it
>sufficient that that text be only in the source code, or should we also
>duplicate it into LICENSE.txt as we've done for code derived from
>AsyncHBase? [3]

Again, I prefer "pointer text" vs copying entire licenses, but AIUI, MIT
and BSD bundled dependencies must be mentioned in LICENSE.

>
>3) We have many thirdparty dependencies which are not "bundled" in the
>source release. Instead, our build process has a script which downloads
>them from the internet, unpacks, and compiles them. So, despite not being
>part of the artifact itself, they are required components for the build
>(and in most cases become static-linked into the binary). We currently
>list
>all of these dependencies and their licenses in LICENSE.txt. Is this
>necessary, or should we move these into a separate file?

AIUI, only bundled dependencies should be mentioned in LICENSE, so
non-bundled dependencies should not be mentioned in LICENSE.  In releases
I manage, I put mention of those non-bundled dependencies in the README.

The reason I prefer pointers is that I like keeping this file short so
folks can read it more easily/quickly.  The text of these licenses are
easy to find elsewhere.

In my simple mental model, the LICENSE is the list of suppliers.  The ASF
is one supplier, every other supplier in the package is mentioned.  NOTICE
is legal stuff required by that list of suppliers.  README is for other
stuff like the list of other external dependencies (e.g. "batteries not
included", or "tools required to assemble this furniture")

HTH,
-Alex

>
>[1] http://www.apache.org/dev/licensing-howto
>[2]
>https://git1-us-west.apache.org/repos/asf?p=incubator-kudu.git;a=blob;f=LI
>CENSE.txt;h=347de4f88b5e6240f6e560b2b1208364d6042c55;hb=HEAD#l424
>[3]
>https://git1-us-west.apache.org/repos/asf?p=incubator-kudu.git;a=blob;f=LI
>CENSE.txt;h=347de4f88b5e6240f6e560b2b1208364d6042c55;hb=HEAD#l553

[4] http://s.apache.org/qDa

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean]

Hi, 

> 1) In the case that we've borrowed code from another Apache 2.0 licensed
> project, the licensing howto[1] says that there is no need to modify
> LICENSE unless it transitively has dependencies with such a requirement.

That is the current policy yes so there is no need to list them.

> Is this true even if the original dependency carries a copyright?

Yes. The copyright should be in a NOTICE file and if that exists need it needs 
be be added to your NOTICE file. [1]

BTW bootstrap in now MIT not Apache so you may want to double check the 
version/license you are using.

> For example, we bundle Twitter's Bootstrap library and currently have 
> attribution in our
> LICENSE file[2] indicating the copyright (even though it's also at the top
> of the relevant files). Not necessary?

It’s not required under current policy, but there’s no harm in adding it.

> 2) In other cases we've bundled MIT or BSD-licensed source. The license
> says that redistributions must retain the text of the license. Is it
> sufficient that that text be only in the source code, or should we also
> duplicate it into LICENSE.txt as we've done for code derived from
> AsyncHBase? [3]

You should add the full text or better still a pointer to it. [2]

> 3) We have many thirdparty dependencies which are not "bundled" in the
> source release. Instead, our build process has a script which downloads
> them from the internet, unpacks, and compiles them. So, despite not being
> part of the artifact itself, they are required components for the build
> (and in most cases become static-linked into the binary). We currently list
> all of these dependencies and their licenses in LICENSE.txt. Is this
> necessary, or should we move these into a separate file?

Only items bundled should be mentioned in LICENSE/NOTICE. [3]

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#alv2-dep
2. http://www.apache.org/dev/licensing-howto.html#permissive-deps
3. http://www.apache.org/dev/licensing-howto.html#guiding-principle


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Confusion over NOTICE vs LICENSE files

[Todd Lipcon]

Hey folks,

I'm working on tidying up the source for Apache Kudu (incubating) in order
to prepare for our first ASF release, and ran into a couple bits of
confusion:

1) In the case that we've borrowed code from another Apache 2.0 licensed
project, the licensing howto[1] says that there is no need to modify
LICENSE unless it transitively has dependencies with such a requirement. Is
this true even if the original dependency carries a copyright? For example,
we bundle Twitter's Bootstrap library and currently have attribution in our
LICENSE file[2] indicating the copyright (even though it's also at the top
of the relevant files). Not necessary? We can just entirely ignore such
dependencies in LICENSE and NOTICE so long as the original header's
maintained?

2) In other cases we've bundled MIT or BSD-licensed source. The license
says that redistributions must retain the text of the license. Is it
sufficient that that text be only in the source code, or should we also
duplicate it into LICENSE.txt as we've done for code derived from
AsyncHBase? [3]

3) We have many thirdparty dependencies which are not "bundled" in the
source release. Instead, our build process has a script which downloads
them from the internet, unpacks, and compiles them. So, despite not being
part of the artifact itself, they are required components for the build
(and in most cases become static-linked into the binary). We currently list
all of these dependencies and their licenses in LICENSE.txt. Is this
necessary, or should we move these into a separate file?

Thanks
-Todd

[1] http://www.apache.org/dev/licensing-howto
[2]
https://git1-us-west.apache.org/repos/asf?p=incubator-kudu.git;a=blob;f=LICENSE.txt;h=347de4f88b5e6240f6e560b2b1208364d6042c55;hb=HEAD#l424
[3]
https://git1-us-west.apache.org/repos/asf?p=incubator-kudu.git;a=blob;f=LICENSE.txt;h=347de4f88b5e6240f6e560b2b1208364d6042c55;hb=HEAD#l553

-- 
Todd Lipcon
Software Engineer, Cloudera