[ 
https://issues.apache.org/jira/browse/NIFI-291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299515#comment-14299515
 ] 

Joseph Witt commented on NIFI-291:
----------------------------------

Great comments from Marvin Humphrey in response to a legal discuss question 
from Apache Lens (incubating):

Marvin Humphrey
2:41 PM (5 hours ago)

to legal-discuss 

LICENSE and NOTICE must always reflect the exact content being distributed.
Libraries available under CDDL/GPL dual licensing cannot be bundled with an
official Apache source release, and therefore their licensing information does
not belong in the LICENSE and NOTICE embedded in the canonical source release
artifacts.

Should a community member supply "convenience binaries"[1], any embedded
LICENSE and NOTICE files will likely need to diverge from those embedded in
the official source release if additional intellectual property is bundled.
Therefore, your question applies only to convenience binaries for Lens which
bundle CDDL/GPL libraries.

I'm prepared to offer some informal commentary to help keep the Lens community
from getting mired in debates over binary licensing details, but the crucial
task is getting the canonical source release correct.  The Apache Software
Foundation releases open source software.  Compiled artifacts, while they may
be derived from open source, are not themselves open source and do not satisfy
the ASF's mission.

Under normal circumstances, it is not legally required to copy the complete
dependency license text into the top-level LICENSE file.  The dependency's own
embedded licensing info should cover its portion of the distribution; so long
as such licensing info is left intact, any obligation of redistributors to
supply a copy of the license text ought to be satisfied.  For example,
consider this sentence from the CDDL 1.0 section 3.1:

    http://opensource.org/licenses/CDDL-1.0

    You must include a copy of this License with every copy of the Source Code
    form of the Covered Software You distribute or otherwise make available.

That sentence does not specify *where* the copy of the CDDL must live, only
that it must be included somewhere.  Thus, for the top-level LICENSE file, it
suffices to supply a pointer -- and even then such a pointer constitutes
"licensing documentation" rather than fulfillment of a legal obligation.

Here's an example pointer taken from our Licensing How-to:

    http://www.apache.org/dev/licensing-howto.html

    This product bundles SuperWidget 1.2.3, which is available under a
    "3-clause BSD" license.  For details, see deps/superwidget/.

For Lens's bundled use of javax and jersey, I suggest adapting that example
for each to mention that the dependency is dual-licensed under the CDDL and
GPL and to reference a specific location within the binary artifacts where its
licensing lives.

Additionally, CDDL 1.0 section 3.1 contains this provision:

    You must inform recipients of any such Covered Software in Executable form
    as to how they can obtain such Covered Software in Source Code form in a
    reasonable manner on or through a medium customarily used for software
    exchange.

To satisfy that requirement, a brief entry in NOTICE with a web link should
suffice.

HTH,

Marvin Humphrey

[1] The term "convenience binaries" is our shorthand for "binary/bytecode
    packages [...] produced as a convenience to users" as described at
    http://www.apache.org/dev/release#what

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

And Ross Gardler's Response:

Just a little more info to add to Marvin’s response:
 
Legal Affairs keep a record of what is/is not allowed at 
http://www.apache.org/legal/resolved.html
 
On this page you will find CDDL listed as an acceptable weak copyleft license, 
with guidance on how to include it (see Marvin’s response for more detail).
 
You will also find GPL listed as a license that may NOT be included with Apache 
products.
 
Ross


++=-=-=-=-
Bottom line is that this guidance should help inform what we do.  We clearly 
need a LICENSE (for source) and a LICENSE.bin which gets used for binary 
releases.  Or we need to ensure we specifically call out in the LICENSE text 
itself whether the 'src' release bundles or the 'binary' release bundles.  That 
actually seems cleaner.  This is true of the notice as well.

> Address findings from 0.0.1 release process
> -------------------------------------------
>
>                 Key: NIFI-291
>                 URL: https://issues.apache.org/jira/browse/NIFI-291
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>    Affects Versions: 0.1.0
>            Reporter: Joseph Witt
>            Assignee: Joseph Witt
>
> Josh Elser:
> - Readme.txt should have License Header
> - nbactions.xml is odd in rat exclusions: perhaps we can comment why it is 
> there (for netbeans users)
> Andrew Purtell:
> - Organizations is wrong in pom.  It says 
> <url>http://nifi.incubating.apache.org/</url>
> but should be:
> <url>http://nifi.incubator.apache.org/</url>
> Billie Rinaldi:
> The nar and war files deployed in the
> orgapachenifi-1022 repository seem to have default LICENSE files that don't
> have license info for their bundled dependencies, but they do all have
> DEPENDENCIES files listing this information.  I haven't worked with these
> dependencies files before.  Are they sufficient for communicating license
> information?
> Justin Mclean:
> Some suggestions:
> - Consider having separate licence and notice file for the binary release
> - The NOTICE file is a little odd in that while it mentions what licenses 
> affect notice it
> doesn't list the software, but they are listed in the license file. Perhaps 
> take a look at
> what other projects have done.
> As per [1] the source LICENSE should only mention what's bundled in the 
> source bundle and
> the binary LICENSE should only mention what's bundled in the binary release.
> I think you have the content right (hence my +1)  just that there's no need 
> to mention the
> binary parts in the source release LICENSE. Having extra content in license 
> is not as bad
> as having missing licences.
> I'd suggest (and it's only a suggestion) having two files (eg LICENSE.src and 
> LICENSE.bin)
> in version control and put in right one into each bundle (and rename to 
> LICENSE) as part of
> your release process. There are other approaches ie construct each LICENSE 
> file from parts,
> but this seems the simplest way to me.
> Thanks,
> Justin
> 1. http://www.apache.org/dev/licensing-howto.html#guiding-principle
> Jan I:
> I am a bit confused about the mangling of license/notice files in respect
> of the source/binary releases.
> Can I please ask you to make a clear distinction between source and binary
> (which is not official ASF release) in the next release.
> Billie R:
> Beware that the license does not currently cover all of the dependencies
> bundled in the nars/wars.  (As the license for the source package, it
> doesn't have to.)  The one I noticed was nifi-kafka-nar, but there could be
> others.
> -- Items found in the bundled dependencies of the kafka Nar
> -rw-rw-r--. 1 joe joe 6418368 Jan 23 09:27 scala-library-2.8.2.jar
> -rw-rw-r--. 1 joe joe  521157 Jan 23 09:27 mail-1.4.7.jar
> -rw-rw-r--. 1 joe joe  391834 Jan 23 09:27 log4j-1.2.15.jar
> -rw-rw-r--. 1 joe joe  106813 Jan 23 09:27 nifi-utils-0.0.1-incubating.jar
> -rw-rw-r--. 1 joe joe  604182 Jan 23 09:27 zookeeper-3.3.4.jar
> -rw-rw-r--. 1 joe joe    4229 Jan 23 09:27 metrics-annotation-2.2.0.jar
> -rw-rw-r--. 1 joe joe   62983 Jan 23 09:27 activation-1.1.jar
> -rw-rw-r--. 1 joe joe   17148 Jan 23 09:27 nifi-security-utils-0.0.1-incubating.jar
> -rw-rw-r--. 1 joe joe   53244 Jan 23 09:27 jopt-simple-3.2.jar
> -rw-rw-r--. 1 joe joe 1251514 Jan 23 09:27 snappy-java-1.0.5.jar
> -rw-rw-r--. 1 joe joe  412739 Jan 23 09:27 commons-lang3-3.3.2.jar
> -rw-rw-r--. 1 joe joe 3223773 Jan 23 09:27 kafka_2.8.2-0.8.1.jar
> -rw-rw-r--. 1 joe joe   32753 Jan 23 09:27 nifi-kafka-processors-0.0.1-incubating.jar
> -rw-rw-r--. 1 joe joe   82123 Jan 23 09:27 metrics-core-2.2.0.jar
> -rw-rw-r--. 1 joe joe   64009 Jan 23 09:27 zkclient-0.3.jar
> -rw-rw-r--. 1 joe joe   42716 Jan 23 09:27 nifi-processor-utils-0.0.1-incubating.jar
> -rw-rw-r--. 1 joe joe   87325 Jan 23 09:27 jline-0.9.94.jar



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
