Hi Alex, I'm not an expert on licensing requirements but the above sounds convincing to me. Your proposal sounds like a good plan. Re. question 3 I think it is okay to include the Apache licensed dependencies in the binary LICENSE too.
A minor note - have you seen https://github.com/apache/brooklyn/pull/15 "edit Brooklyn license info so that GitHub recognizes it"? I intend to merge this but added the comment to clarify whether we should do the same for all our repos (I assume so). I intend to raise PRs to do this if so. Geoff On Wed, 20 Jun 2018 at 13:47 Alex Heneveld <[email protected]> wrote: > > Hi Brooklyn devs- > > In prepping the new UI contribution I've been working on the LICENSE > file generation. It is rather extensive because by using Angular we > pull in hundreds of JS deps for the binary, most of them under MIT > license which as I understand it means copyright information must be > reproduced in the LICENSE for the binary dist. This is based on the MIT > clause "The above copyright notice and this permission notice shall be > included in all copies or substantial portions of the Software" in > accordance with the principle that copyright extends to translations. > While it would be tempting to treat the compiled/minified version as not > a copy and so not requiring the copyright -- and that may well be the > intention of many MIT license users (contrasted with BSD which > explicitly calls out binaries as requiring the copyright) -- I don't > believe we can hide behind that. (So JS devs please take note, please > use the Apache License! :) ) > > > Question 1: Is this correct, our binaries LICENSE files need to list > all MIT, BSD, ISC licensed dependencies whose minified/compiled output > is included in our binary dist? > > > In the process I've noticed we in Brooklyn don't currently distinguish > consistently between the source LICENSE and binary LICENSE. As I > understand it from [1], the LICENSE file included with source projects > -- including I believe the one at the root of the git repo -- should > refer to resources included in the source only. Dependencies that are > downloaded as part of the build and included in the binary should not be > listed in those LICENSE files, but they must be included in any binary > build (eg the RPM, TGZ). > > It's not yet a big issue as it doesn't matter for Apache licensed > dependencies as they do not require copyright inclusion or attribution > and these are the bulk of what we do. Where we do need to look more > closely I think are: > > (A) The Go CLI -- we use a few libraries (mainly MIT licensed) > downloaded at build time. The LICENSE file [2] includes these > libraries. This is included in the binary build, which is correct, but > it is also present at the root of that sub-project where it is > incorrect, and our source build also references these libraries which is > incorrect. > > (B) JS in "brooklyn-server" -- we have a few JS libraries included in > the source tree of brooklyn-server (not downloaded during the build), > for some of the CLI commands; these are indicated in that project's > LICENSE [3], correctly, and in the binary build's LICENSE, also > correctly. But the project source LICENSE [3] seems to include all the > JS used in the "brooklyn-ui" project which is not correct. > > (C) JS in existing (old) "brooklyn-ui" -- this source project includes > all the JS deps checked in, and it is listed in the LICENSE [4], > correctly, and is included in the build binary, also correctly; no > action is needed here > > (D) JS in new (proposed) "brooklyn-ui" -- this project updates to use > npm and package.json so downloads dependencies, with no dependencies in > the source tree, so the project source LICENSE shouldn't list any > dependencies. However the binary license should include the ~100 > dependencies that npm downloads and uglifies. Fortunately npm > license-checker [5] automates much of this (although the copyright line > will sometimes have to be teased out manually). > > > Question 2: Does the above sound right? > > > I'm reasonably confident of this so if no objections I will adjust our > LICENSE generation process to distinguish between binary and source, and > tidy up (A) and (B) above, and set up the contribution as per (D). > > Finally one more question -- it's easy to tweak the process to include > Apache-licensed dependencies used in the binary. While this isn't > legally required AFAIK it seems like a nice thing to do. > > > Question 3: Is everyone okay with giving a shout-out to Apache-licensed > deps in addition to MIT, BSD, etc, within our binary LICENSE ? > > > Best > Alex > > > [1] https://apache.org/dev/licensing-howto.html > [2] https://github.com/apache/brooklyn-client/blob/master/cli/LICENSE > [3] https://github.com/apache/brooklyn-server/blob/master/LICENSE > [4] https://github.com/apache/brooklyn-ui/blob/master/LICENSE > [5] https://www.npmjs.com/package/license-checker >
