I'll have a look tomorrow Thomas Cheers Geoff
On Tue, 17 Jul 2018, 16:29 Thomas Bouron, <thomas.bou...@cloudsoftcorp.com> wrote: > Hi all. > > Alex went the extra mile[1] and revamped how we generate the LICENSE and > NOTICE files for Brooklyn projects, thanks for this Alex! > I went through it and it looks good to me. However, I'm not very familiar > with this topic so I would appreciate if someone else could eyeball it, > especially the updated `README.md`. > > Thanks! > > Best. > > [1] https://github.com/apache/brooklyn-dist/pull/123 > > On Tue, 26 Jun 2018 at 09:51 Richard Downer <rich...@apache.org> wrote: > > > Hi Alex, > > > > Catching up on this email thread. Sorry I'm late and if I cover things > that > > have already been discussed. > > > > Just as a general note I wrote this page on the Brooklyn website to turn > > the generic Apache legal requirements into something tailored for our > > Java+Maven+JS project. If during this exercise we discover an error or > > omission on that page, let's update it. > > https://brooklyn.apache.org/v/latest/dev/code/licensing.html > > > > On Wed, 20 Jun 2018 at 13:47, Alex Heneveld < > > alex.henev...@cloudsoftcorp.com> > > wrote: > > > > > In prepping the new UI contribution I've been working on the LICENSE > > > file generation. It is rather extensive because by using Angular we > > > pull in hundreds of JS deps for the binary, most of them under MIT > > > license which as I understand it means copyright information must be > > > reproduced in the LICENSE for the binary dist. This is based on the > MIT > > > clause "The above copyright notice and this permission notice shall be > > > included in all copies or substantial portions of the Software" in > > > accordance with the principle that copyright extends to translations. > > > While it would be tempting to treat the compiled/minified version as > not > > > a copy and so not requiring the copyright -- and that may well be the > > > intention of many MIT license users (contrasted with BSD which > > > explicitly calls out binaries as requiring the copyright) -- I don't > > > believe we can hide behind that. (So JS devs please take note, please > > > use the Apache License! :) ) > > > > > > > > > Question 1: Is this correct, our binaries LICENSE files need to list > > > all MIT, BSD, ISC licensed dependencies whose minified/compiled output > > > is included in our binary dist? > > > > > > > Yes I believe this is correct. Copyright generally follows "is X a > > derivative of Y", and if X is the compiler output from source Y then yes > it > > is a derivative - unless the license makes a distinction it's safest to > > assume that the compiled output is subject to the same license as the > > source input. > > > > https://www.apache.org/dev/licensing-howto.html contains some relevant > > information here. In particular, it clarifies that the license of all > > bundled dependencies must be included in LICENSE, and also that "what > > applies to canonical source distributions also applies to all > > redistributions, including binary redistributions", and that "when > > assembling binary distributions, it is common to pull in and bundle > > additional dependencies which are not bundled with the source > distribution. > > These additional dependencies must be accounted for in LICENSE and > NOTICE." > > > > In the process I've noticed we in Brooklyn don't currently distinguish > > > consistently between the source LICENSE and binary LICENSE. As I > > > understand it from [1], the LICENSE file included with source projects > > > -- including I believe the one at the root of the git repo -- should > > > refer to resources included in the source only. Dependencies that are > > > downloaded as part of the build and included in the binary should not > be > > > listed in those LICENSE files, but they must be included in any binary > > > build (eg the RPM, TGZ). > > > > > > > Yes this is true. Generally the ready-to-run binaries bundle a lot more > > stuff then the source archives so have a much bigger LICENSE. Just to > make > > life even more interesting, sometimes things in the source distribution > > disappear during compilation and don't appear in the binary! I believe > that > > this is the case for Google Auto Value - it's annotations are > compile-time > > only so don't appear in the JAR file, Auto Value does all its work during > > the build, and nothing of Auto Value itself appears in the compilation > > output. > > > > > > > > > It's not yet a big issue as it doesn't matter for Apache licensed > > > dependencies as they do not require copyright inclusion or attribution > > > and these are the bulk of what we do. Where we do need to look more > > > closely I think are: > > > > > [...] > > > > > Question 2: Does the above sound right? > > > > > > > Good catch on these. Yes they sound like there's some attention needed > > there. > > > > Finally one more question -- it's easy to tweak the process to include > > > Apache-licensed dependencies used in the binary. While this isn't > > > legally required AFAIK it seems like a nice thing to do. > > > > > > Question 3: Is everyone okay with giving a shout-out to > Apache-licensed > > > deps in addition to MIT, BSD, etc, within our binary LICENSE ? > > > > > > > I don't know of any reason why not. We're all one big happy family here, > > seems inappropriate to give big shouts to external dependencies but not > to > > our fellow ASF projects, without which we would not be here! > > > > Thanks for looking into this Alex. License compliance is an ugly task. > The > > PMC owes you a beer :-) > > > > Richard. > > > -- > > Thomas Bouron > Senior Software Engineer > > *Cloudsoft <https://cloudsoft.io/> *| Bringing Business to the Cloud > > GitHub: https://github.com/tbouron > Twitter: https://twitter.com/eltibouron > > Need a hand with AWS? Get a Free Consultation. >