osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LICENSE file questions - MIT, binary, process


I'll have a look tomorrow Thomas

Cheers
Geoff

On Tue, 17 Jul 2018, 16:29 Thomas Bouron, <thomas.bouron@xxxxxxxxxxxxxxxxx>
wrote:

> Hi all.
>
> Alex went the extra mile[1] and revamped how we generate the LICENSE and
> NOTICE files for Brooklyn projects, thanks for this Alex!
> I went through it and it looks good to me. However, I'm not very familiar
> with this topic so I would appreciate if someone else could eyeball it,
> especially the updated `README.md`.
>
> Thanks!
>
> Best.
>
> [1] https://github.com/apache/brooklyn-dist/pull/123
>
> On Tue, 26 Jun 2018 at 09:51 Richard Downer <richard@xxxxxxxxxx> wrote:
>
> > Hi Alex,
> >
> > Catching up on this email thread. Sorry I'm late and if I cover things
> that
> > have already been discussed.
> >
> > Just as a general note I wrote this page on the Brooklyn website to turn
> > the generic Apache legal requirements into something tailored for our
> > Java+Maven+JS project. If during this exercise we discover an error or
> > omission on that page, let's update it.
> > https://brooklyn.apache.org/v/latest/dev/code/licensing.html
> >
> > On Wed, 20 Jun 2018 at 13:47, Alex Heneveld <
> > alex.heneveld@xxxxxxxxxxxxxxxxx>
> > wrote:
> >
> > > In prepping the new UI contribution I've been working on the LICENSE
> > > file generation.  It is rather extensive because by using Angular we
> > > pull in hundreds of JS deps for the binary, most of them under MIT
> > > license which as I understand it means copyright information must be
> > > reproduced in the LICENSE for the binary dist.  This is based on the
> MIT
> > > clause "The above copyright notice and this permission notice shall be
> > > included in all copies or substantial portions of the Software" in
> > > accordance with the principle that copyright extends to translations.
> > > While it would be tempting to treat the compiled/minified version as
> not
> > > a copy and so not requiring the copyright -- and that may well be the
> > > intention of many MIT license users (contrasted with BSD which
> > > explicitly calls out binaries as requiring the copyright) -- I don't
> > > believe we can hide behind that.  (So JS devs please take note, please
> > > use the Apache License! :) )
> > >
> > >
> > > Question 1:  Is this correct, our binaries LICENSE files need to list
> > > all MIT, BSD, ISC licensed dependencies whose minified/compiled output
> > > is included in our binary dist?
> > >
> >
> > Yes I believe this is correct. Copyright generally follows "is X a
> > derivative of Y", and if X is the compiler output from source Y then yes
> it
> > is a derivative - unless the license makes a distinction it's safest to
> > assume that the compiled output is subject to the same license as the
> > source input.
> >
> > https://www.apache.org/dev/licensing-howto.html contains some relevant
> > information here. In particular, it clarifies that the license of all
> > bundled dependencies must be included in LICENSE, and also that "what
> > applies to canonical source distributions also applies to all
> > redistributions, including binary redistributions", and that "when
> > assembling binary distributions, it is common to pull in and bundle
> > additional dependencies which are not bundled with the source
> distribution.
> > These additional dependencies must be accounted for in LICENSE and
> NOTICE."
> >
> > In the process I've noticed we in Brooklyn don't currently distinguish
> > > consistently between the source LICENSE and binary LICENSE.  As I
> > > understand it from [1], the LICENSE file included with source projects
> > > -- including I believe the one at the root of the git repo -- should
> > > refer to resources included in the source only.  Dependencies that are
> > > downloaded as part of the build and included in the binary should not
> be
> > > listed in those LICENSE files, but they must be included in any binary
> > > build (eg the RPM, TGZ).
> > >
> >
> > Yes this is true. Generally the ready-to-run binaries bundle a lot more
> > stuff then the source archives so have a much bigger LICENSE. Just to
> make
> > life even more interesting, sometimes things in the source distribution
> > disappear during compilation and don't appear in the binary! I believe
> that
> > this is the case for Google Auto Value - it's annotations are
> compile-time
> > only so don't appear in the JAR file, Auto Value does all its work during
> > the build, and nothing of Auto Value itself appears in the compilation
> > output.
> >
> >
> >
> > > It's not yet a big issue as it doesn't matter for Apache licensed
> > > dependencies as they do not require copyright inclusion or attribution
> > > and these are the bulk of what we do.  Where we do need to look more
> > > closely I think are:
> > >
> > [...]
> >
> > > Question 2:  Does the above sound right?
> > >
> >
> > Good catch on these. Yes they sound like there's some attention needed
> > there.
> >
> > Finally one more question -- it's easy to tweak the process to include
> > > Apache-licensed dependencies used in the binary.  While this isn't
> > > legally required AFAIK it seems like a nice thing to do.
> > >
> > > Question 3:  Is everyone okay with giving a shout-out to
> Apache-licensed
> > > deps in addition to MIT, BSD, etc, within our binary LICENSE ?
> > >
> >
> > I don't know of any reason why not. We're all one big happy family here,
> > seems inappropriate to give big shouts to external dependencies but not
> to
> > our fellow ASF projects, without which we would not be here!
> >
> > Thanks for looking into this Alex. License compliance is an ugly task.
> The
> > PMC owes you a beer :-)
> >
> > Richard.
> >
> --
>
> Thomas Bouron
> Senior Software Engineer
>
> *Cloudsoft <https://cloudsoft.io/> *| Bringing Business to the Cloud
>
> GitHub: https://github.com/tbouron
> Twitter: https://twitter.com/eltibouron
>
> Need a hand with AWS? Get a Free Consultation.
>