As a follow-up and discussion point for the RAVE-63 issue, I'd like to summarize my view on what the rules for NOTICE and LICENSE files within an Apache distribution are.

Using these rules, it should become relatively easy to determine what the *legally* required 3rd party attributions are and thereby what should be in the NOTICE and LICENSE files, and what *not*.

The rules for the NOTICE and LICENSE file contents have been debated a lot within Apache and IMO there still isn't a single location where they have been described fully, in detail and/or extensively. Furthermore, the requirements have become more strict over the last few years, but not all (or not even a lot of) Apache projects are yet following all these requirements. This makes it very confusing and difficult to compare against what other projects do, as some are doing too little while others are doing too much.

For established (TLP) Apache projects the responsibility for validating and ensuring the correct legal attributions are met falls under their own PMCs.

For Incubator projects, it is the IPMC who has the final responsibility on this, but it expects the PPMC to do the hard work and "learn" the Apache way and rules on this matter. As such, we are (and should be) under much higher scrutiny and can expect our release distributions to be painstakingly checked against the legal "rules" concerning LICENSE and NOTICE files.

Again, what I describe below is just how I interpret the current state and requirements. As I am not a lawyer (IANAL), please don't take my view on this as "the" requirements, but just as a best shot at interpretation :)

Other mentors and those feeling experienced in this area: please chime in and provide your feedback. Getting this stuff "right" should be(come) easy over time, but for that we need to get the "rules" straight first. As IMO this isn't properly or extensively documented enough yet elsewhere (to my knowledge), my intent is to get this put somewhere into the public Apache Incubator and/or legal documentation so other projects will not have to go hunting for this again (and again, and again, ...).

The primary documentation I've been looking at for this is:
[1] http://incubator.apache.org/guides/releasemanagement.html#best-practice-license
[2] http://www.apache.org/legal/resolved.html
[3] http://wiki.apache.org/legal/3party/notice
[4] http://wiki.apache.org/legal/3party/notice/discuss

A very important rule which is critical for understanding the NOTICE and LICENSE requirements comes from [2] Software License Criteria #2: "The license must not place restrictions on the distribution of independent works that simply use or contain the covered work."

Based on this rule, an ASF based distribution may not contain anything whose license would place a restriction on merely the use of such a 3rd party product. My interpretation of this is: if we for example include a test-case (under our own copyright) which only *uses* xmlunit, but do not distribute xmlunit itself, there is no (legal) requirement to put a NOTICE or LICENSE for xmlunit in that distribution. Please note that this Software License Criteria #2 (and #3 even more) *prohibit* using Copy-Left based licenses like (L)GPL as those *would* require us to obey their requirements, even if we don't distribute the 3rd party product itself.

Another important "rule" is that the LICENSE and NOTICE files serve *only* a legal purpose, which means they *must* cover what is required, but not more.
In other words: we should keep the content of these files to the minimum.
Adding unneeded notices and/or licenses therefore is "bad practice".
The result of this is that every distribution might require different content for its N&L files.

What is a (release) distribution:
 a) the (ASF obligatory) release source archive
 b) the ASF svn repository (for the release, e.g. the release tag root folder)
 c) all other downloadable/hosted release "artifacts" like:
    - each published individual Maven artifact (Maven Central)
    - binary distributions provided from the project dist area

Note that the svn repository itself also should be regarded as a "distribution" (see [4]), which makes it required to have appropriate N&L files in the root folder (of a release tag).

The a) and b) distributions can mostly be regarded as equal, although under some conditions b) might contain some additional "sources" which are only used for producing a), but not included in a). In that case b) can have higher requirements for the svn repository N&L not needed for the source distribution itself.

The N&L requirements for an a/b distribution are often very minimal as they only cover the sources themselves. Only when 3rd party copyright/license covered sources are included (checked in) do those need separate N&L attribution on a/b level.

The N&L requirements for c) type distributions however usually need to cover much more, as often 3rd party artifacts are packaged together during the build of such a distribution.

Any other "usage" or dependency not packaged within the distribution but which is required (or optionally needed) at runtime can (should) be mentioned in the accompanying README within the distribution, but there is no *legal* obligation for this, as long as we stick to external usages which fall within the license criteria as specified in [2]. The README is intended to support the end-users (only). An example of this could be mentioning that the rave-portal uses (depends on) jquery at runtime. As we currently don't package jquery ourselves but let it be dynamically resolved by the browser at runtime, we have no legal obligation to attribute jquery in the N&L files, but it might be appropriate to mention it in the README for the end-users.

Finally, the ASF itself has the specific requirement to include (append) *all* covered 3rd party licenses within the LICENSE file. While a 3rd party product might only require attribution and possibly linking to an online license URL, we nonetheless should copy and merge that license within our ASF provided LICENSE file.

Concerning the current state of our N&L files: I think we still need to append a few more 3rd party licenses to our war/dist packaged LICENSE files. Furthermore, the NOTICE attribution for JUnit probably shouldn't be needed and I'm not sure but likely neither for JSMin and OpenAjax (yet). And I noticed a license attribution for the "OpenSocial Javascript API" in the main Shindig LICENSE file ([5]) which maybe we should include as well.

[5] http://svn.apache.org/repos/asf/shindig/tags/shindig-project-3.0.0-beta2/LICENSE
Regrettably I don't have time left right now to actually fix the above remaining tasks (if everyone agrees with the above, that is), so I have to un-assign myself from RAVE-63 for now. I expect not to be able to pick it up again before the end of tomorrow, so if anyone else feels like jumping in, please do :)

Ate