[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

LICENSE file questions - MIT, binary, process

Hi Brooklyn devs-

In prepping the new UI contribution I've been working on the LICENSE file generation. It is rather extensive because by using Angular we pull in hundreds of JS deps for the binary, most of them under MIT license which as I understand it means copyright information must be reproduced in the LICENSE for the binary dist. This is based on the MIT clause "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software" in accordance with the principle that copyright extends to translations. While it would be tempting to treat the compiled/minified version as not a copy and so not requiring the copyright -- and that may well be the intention of many MIT license users (contrasted with BSD which explicitly calls out binaries as requiring the copyright) -- I don't believe we can hide behind that. (So JS devs please take note, please use the Apache License! :) )

Question 1: Is this correct, our binaries LICENSE files need to list all MIT, BSD, ISC licensed dependencies whose minified/compiled output is included in our binary dist?

In the process I've noticed we in Brooklyn don't currently distinguish consistently between the source LICENSE and binary LICENSE. As I understand it from [1], the LICENSE file included with source projects -- including I believe the one at the root of the git repo -- should refer to resources included in the source only. Dependencies that are downloaded as part of the build and included in the binary should not be listed in those LICENSE files, but they must be included in any binary build (eg the RPM, TGZ).

It's not yet a big issue as it doesn't matter for Apache licensed dependencies as they do not require copyright inclusion or attribution and these are the bulk of what we do. Where we do need to look more closely I think are:

(A) The Go CLI -- we use a few libraries (mainly MIT licensed) downloaded at build time. The LICENSE file [2] includes these libraries. This is included in the binary build, which is correct, but it is also present at the root of that sub-project where it is incorrect, and our source build also references these libraries which is incorrect.

(B) JS in "brooklyn-server" -- we have a few JS libraries included in the source tree of brooklyn-server (not downloaded during the build), for some of the CLI commands; these are indicated in that project's LICENSE [3], correctly, and in the binary build's LICENSE, also correctly. But the project source LICENSE [3] seems to include all the JS used in the "brooklyn-ui" project which is not correct.

(C) JS in existing (old) "brooklyn-ui" -- this source project includes all the JS deps checked in, and it is listed in the LICENSE [4], correctly, and is included in the build binary, also correctly; no action is needed here

(D) JS in new (proposed) "brooklyn-ui" -- this project updates to use npm and package.json so downloads dependencies, with no dependencies in the source tree, so the project source LICENSE shouldn't list any dependencies. However the binary license should include the ~100 dependencies that npm downloads and uglifies. Fortunately npm license-checker [5] automates much of this (although the copyright line will sometimes have to be teased out manually).

Question 2:  Does the above sound right?

I'm reasonably confident of this so if no objections I will adjust our LICENSE generation process to distinguish between binary and source, and tidy up (A) and (B) above, and set up the contribution as per (D).

Finally one more question -- it's easy to tweak the process to include Apache-licensed dependencies used in the binary. While this isn't legally required AFAIK it seems like a nice thing to do.

Question 3: Is everyone okay with giving a shout-out to Apache-licensed deps in addition to MIT, BSD, etc, within our binary LICENSE ?


[1]  https://apache.org/dev/licensing-howto.html
[2] https://github.com/apache/brooklyn-client/blob/master/cli/LICENSE
[3]  https://github.com/apache/brooklyn-server/blob/master/LICENSE
[4]  https://github.com/apache/brooklyn-ui/blob/master/LICENSE
[5]  https://www.npmjs.com/package/license-checker