incubator-general mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: LICENSE/NOTICE revisited (was Release Apache Marmotta 3.0.0-incubating (RC8))
Date Tue, 23 Apr 2013 15:39:04 GMT
Not so fast about dispensing with Category B requirements for pointers to source code.

In MPL 2.0, a common case, it is very clear that location of the source code is one of the
requirements for distribution of the code in executable form or within a larger work (distributed
in binary), that there must be identification of the origin of the code and where source code
is available.  It is insufficient to simply include the license (by reference or otherwise).

MPL 2.0 has a handy Appendix (which I have never seen followed, but I don't get out much)
that stipulates a suitable notice.  The key is that it must be possible for a recipient of
the executable to directly find the specific source code at a suitably archival location.

This is also a requirement for distribution of most Category X works in binary form, and that
applies in some cases where Category X licenses are bundled in binary distributions under
sanitary conditions that satisfy ASF requirements.

 - Dennis

PS: That these requirements are typically satisfied in the breach is not, it seems to me,
something that is appropriate for the ASF to countenance.  That there are projects out there
that have never complied with such requirements is not justification.  For me, it does not
serve the public interest, nor does it demonstrate the care for the provenance of contributions
(and dependencies) that should be the norm.  Most of all, being careless about this undervalues
the gift that such dependencies represent to projects that find reuse more convenient than

PPS: There is also a forensic value to satisfying these license requirements.  In these days
of rapid disclosures of security flaws all over the landscape, it is important for a recipient
of executable code to know whether or not vulnerability disclosures apply to dependencies
in the distribution they are relying upon and whether mitigation is called for.  (Although
this is also of some benefit to adversaries, it must always be assumed that determined adversaries
already know.)

-----Original Message-----
From: Sergio Fernández [] 
Sent: Tuesday, April 23, 2013 00:32
Cc: Marvin Humphrey
Subject: Re: LICENSE/NOTICE revisited (was Release Apache Marmotta 3.0.0-incubating (RC8))

Hi Marvin,

thanks for your time analysing our release. Please, find my reply inline.

On 18/04/13 02:30, Marvin Humphrey wrote:
> On Wed, Apr 17, 2013 at 11:00 AM, Sebastian Schaffert  wrote:
[ ... ]
>> - for dependencies of category B, [2] specifies that "Although the source
>>    must not be included in Apache products, the NOTICE file, which is
>>    required to be included in each ASF distribution, must point to the source
>>    form of the included binary (more on that in the forthcoming "Receiving
>>    and Releasing Contributions" document).", a fact that is not mentioned in
>>    any of the other documents.
> This passage has somehow escaped my notice until now.  Based on my
> understanding about the origins of the NOTICE file, it does not ring true.  It
> seems to me that what works for category A should also work for category B:
> reference/quote the license in LICENSE and address mandatory attribution
> requirements in NOTICE.  The goal is to satisfy the licensing requirements of
> the dependency, not to give credit -- so IMO linking only makes sense if
> that's a requirement of the dependency's license.

So keep in NOTICE only those which require additional attribution 

> Does anybody know any TLPs that are actually following the advice to link to
> source for category B dependencies in binary NOTICE files?

[ ... ]
