osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LICENSE file questions - MIT, binary, process


Great news, thanks Geoff!

Best.

On Wed, 18 Jul 2018 at 16:27 Geoff Macartney <geoff.macartney@xxxxxxxxxxxx>
wrote:

> Hi Thomas, Alex,
>
> Changes look good to me, have merged the various PRs.
>
> Cheers
> Geoff
>
> On Tue, 17 Jul 2018 at 18:20 Geoff Macartney <geoff.macartney@xxxxxxxxx>
> wrote:
>
> > I'll have a look tomorrow Thomas
> >
> > Cheers
> > Geoff
> >
> > On Tue, 17 Jul 2018, 16:29 Thomas Bouron, <
> thomas.bouron@xxxxxxxxxxxxxxxxx
> > >
> > wrote:
> >
> > > Hi all.
> > >
> > > Alex went the extra mile[1] and revamped how we generate the LICENSE
> and
> > > NOTICE files for Brooklyn projects, thanks for this Alex!
> > > I went through it and it looks good to me. However, I'm not very
> familiar
> > > with this topic so I would appreciate if someone else could eyeball it,
> > > especially the updated `README.md`.
> > >
> > > Thanks!
> > >
> > > Best.
> > >
> > > [1] https://github.com/apache/brooklyn-dist/pull/123
> > >
> > > On Tue, 26 Jun 2018 at 09:51 Richard Downer <richard@xxxxxxxxxx>
> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > Catching up on this email thread. Sorry I'm late and if I cover
> things
> > > that
> > > > have already been discussed.
> > > >
> > > > Just as a general note I wrote this page on the Brooklyn website to
> > turn
> > > > the generic Apache legal requirements into something tailored for our
> > > > Java+Maven+JS project. If during this exercise we discover an error
> or
> > > > omission on that page, let's update it.
> > > > https://brooklyn.apache.org/v/latest/dev/code/licensing.html
> > > >
> > > > On Wed, 20 Jun 2018 at 13:47, Alex Heneveld <
> > > > alex.heneveld@xxxxxxxxxxxxxxxxx>
> > > > wrote:
> > > >
> > > > > In prepping the new UI contribution I've been working on the
> LICENSE
> > > > > file generation.  It is rather extensive because by using Angular
> we
> > > > > pull in hundreds of JS deps for the binary, most of them under MIT
> > > > > license which as I understand it means copyright information must
> be
> > > > > reproduced in the LICENSE for the binary dist.  This is based on
> the
> > > MIT
> > > > > clause "The above copyright notice and this permission notice shall
> > be
> > > > > included in all copies or substantial portions of the Software" in
> > > > > accordance with the principle that copyright extends to
> translations.
> > > > > While it would be tempting to treat the compiled/minified version
> as
> > > not
> > > > > a copy and so not requiring the copyright -- and that may well be
> the
> > > > > intention of many MIT license users (contrasted with BSD which
> > > > > explicitly calls out binaries as requiring the copyright) -- I
> don't
> > > > > believe we can hide behind that.  (So JS devs please take note,
> > please
> > > > > use the Apache License! :) )
> > > > >
> > > > >
> > > > > Question 1:  Is this correct, our binaries LICENSE files need to
> list
> > > > > all MIT, BSD, ISC licensed dependencies whose minified/compiled
> > output
> > > > > is included in our binary dist?
> > > > >
> > > >
> > > > Yes I believe this is correct. Copyright generally follows "is X a
> > > > derivative of Y", and if X is the compiler output from source Y then
> > yes
> > > it
> > > > is a derivative - unless the license makes a distinction it's safest
> to
> > > > assume that the compiled output is subject to the same license as the
> > > > source input.
> > > >
> > > > https://www.apache.org/dev/licensing-howto.html contains some
> relevant
> > > > information here. In particular, it clarifies that the license of all
> > > > bundled dependencies must be included in LICENSE, and also that "what
> > > > applies to canonical source distributions also applies to all
> > > > redistributions, including binary redistributions", and that "when
> > > > assembling binary distributions, it is common to pull in and bundle
> > > > additional dependencies which are not bundled with the source
> > > distribution.
> > > > These additional dependencies must be accounted for in LICENSE and
> > > NOTICE."
> > > >
> > > > In the process I've noticed we in Brooklyn don't currently
> distinguish
> > > > > consistently between the source LICENSE and binary LICENSE.  As I
> > > > > understand it from [1], the LICENSE file included with source
> > projects
> > > > > -- including I believe the one at the root of the git repo --
> should
> > > > > refer to resources included in the source only.  Dependencies that
> > are
> > > > > downloaded as part of the build and included in the binary should
> not
> > > be
> > > > > listed in those LICENSE files, but they must be included in any
> > binary
> > > > > build (eg the RPM, TGZ).
> > > > >
> > > >
> > > > Yes this is true. Generally the ready-to-run binaries bundle a lot
> more
> > > > stuff then the source archives so have a much bigger LICENSE. Just to
> > > make
> > > > life even more interesting, sometimes things in the source
> distribution
> > > > disappear during compilation and don't appear in the binary! I
> believe
> > > that
> > > > this is the case for Google Auto Value - it's annotations are
> > > compile-time
> > > > only so don't appear in the JAR file, Auto Value does all its work
> > during
> > > > the build, and nothing of Auto Value itself appears in the
> compilation
> > > > output.
> > > >
> > > >
> > > >
> > > > > It's not yet a big issue as it doesn't matter for Apache licensed
> > > > > dependencies as they do not require copyright inclusion or
> > attribution
> > > > > and these are the bulk of what we do.  Where we do need to look
> more
> > > > > closely I think are:
> > > > >
> > > > [...]
> > > >
> > > > > Question 2:  Does the above sound right?
> > > > >
> > > >
> > > > Good catch on these. Yes they sound like there's some attention
> needed
> > > > there.
> > > >
> > > > Finally one more question -- it's easy to tweak the process to
> include
> > > > > Apache-licensed dependencies used in the binary.  While this isn't
> > > > > legally required AFAIK it seems like a nice thing to do.
> > > > >
> > > > > Question 3:  Is everyone okay with giving a shout-out to
> > > Apache-licensed
> > > > > deps in addition to MIT, BSD, etc, within our binary LICENSE ?
> > > > >
> > > >
> > > > I don't know of any reason why not. We're all one big happy family
> > here,
> > > > seems inappropriate to give big shouts to external dependencies but
> not
> > > to
> > > > our fellow ASF projects, without which we would not be here!
> > > >
> > > > Thanks for looking into this Alex. License compliance is an ugly
> task.
> > > The
> > > > PMC owes you a beer :-)
> > > >
> > > > Richard.
> > > >
> > > --
> > >
> > > Thomas Bouron
> > > Senior Software Engineer
> > >
> > > *Cloudsoft <https://cloudsoft.io/> *| Bringing Business to the Cloud
> > >
> > > GitHub: https://github.com/tbouron
> > > Twitter: https://twitter.com/eltibouron
> > >
> > > Need a hand with AWS? Get a Free Consultation.
> > >
> >
>
-- 

Thomas Bouron
Senior Software Engineer

*Cloudsoft <https://cloudsoft.io/> *| Bringing Business to the Cloud

GitHub: https://github.com/tbouron
Twitter: https://twitter.com/eltibouron

Need a hand with AWS? Get a Free Consultation.