incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Harui <>
Subject Re: Confusion over NOTICE vs LICENSE files
Date Tue, 26 Jan 2016 05:56:09 GMT

On 1/25/16, 6:19 PM, "Todd Lipcon" <> wrote:

>Hey folks,
>I'm working on tidying up the source for Apache Kudu (incubating) in order
>to prepare for our first ASF release, and ran into a couple bits of
>1) In the case that we've borrowed code from another Apache 2.0 licensed
>project, the licensing howto[1] says that there is no need to modify
>LICENSE unless it transitively has dependencies with such a requirement.
>this true even if the original dependency carries a copyright? For
>we bundle Twitter's Bootstrap library and currently have attribution in
>LICENSE file[2] indicating the copyright (even though it's also at the top
>of the relevant files). Not necessary? We can just entirely ignore such
>dependencies in LICENSE and NOTICE so long as the original header's

In this email [4], Sebb recommends mentioning non-ASF Apache-licensed
bundled dependencies in LICENSE.  So that's what I've been doing with
LICENSEs for release I manage.  I'm not a fan of including text of the
licenses, I prefer the "pointer" text as mentioned in [1].  IOW: "This
product bundles SuperWidget 1.2.3, which is available under a
"3-clause BSD" license.  For details, see deps/superwidget/."

>2) In other cases we've bundled MIT or BSD-licensed source. The license
>says that redistributions must retain the text of the license. Is it
>sufficient that that text be only in the source code, or should we also
>duplicate it into LICENSE.txt as we've done for code derived from
>AsyncHBase? [3]

Again, I prefer "pointer text" vs copying entire licenses, but AIUI, MIT
and BSD bundled dependencies must be mentioned in LICENSE.

>3) We have many thirdparty dependencies which are not "bundled" in the
>source release. Instead, our build process has a script which downloads
>them from the internet, unpacks, and compiles them. So, despite not being
>part of the artifact itself, they are required components for the build
>(and in most cases become static-linked into the binary). We currently
>all of these dependencies and their licenses in LICENSE.txt. Is this
>necessary, or should we move these into a separate file?

AIUI, only bundled dependencies should be mentioned in LICENSE, so
non-bundled dependencies should not be mentioned in LICENSE.  In releases
I manage, I put mention of those non-bundled dependencies in the README.

The reason I prefer pointers is that I like keeping this file short so
folks can read it more easily/quickly.  The text of these licenses are
easy to find elsewhere.

In my simple mental model, the LICENSE is the list of suppliers.  The ASF
is one supplier, every other supplier in the package is mentioned.  NOTICE
is legal stuff required by that list of suppliers.  README is for other
stuff like the list of other external dependencies (e.g. "batteries not
included", or "tools required to assemble this furniture")




View raw message