Posted to legal-discuss@apache.org by Emmanuel Lécharny <el...@gmail.com> on 2012/05/17 06:52:14 UTC

transitive 3rd party dependencies Notice and Licenses

Hi guys,

I have a question : when we use a 3rd party dependency in a project, we 
have to include a reference to the License and some other information in 
the NOTICE file, plus add the original 3rd party License into our 
LICENSE file.

But what about transitive dependencies ?

For instance, if we use XStream, which includes XPP, and if XStream does 
not include (or even if it does !) the required license for XPP, should 
we add it ourselves ?

Thanks !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: transitive 3rd party dependencies Notice and Licenses

Posted by David Jencks <da...@yahoo.com>.
On May 16, 2012, at 10:35 PM, Emmanuel Lécharny wrote:

> On 5/17/12 7:21 AM, David Jencks wrote:
>> On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:
>> 
>>> Hi guys,
>>> 
>>> I have a question : when we use a 3rd party dependency in a project, we have to include a reference to the License and some other information in the NOTICE file, plus add the original 3rd party License into our LICENSE file.
>>> 
>>> But what about transitive dependencies ?
>>> 
>>> For instance, if we use XStream, which includes XPP, and if XStream does not include (or even if it does !) the required license for XPP, should we add it ourselves ?
>>> 
>> Hi Emmanuel,
>> 
>> I'm not sure I understand what you mean by "use".
> "Use" in this context means we have added it as a dependency in one of the project's pom.
> 
>> The LICENSE and NOTICE files refer to what's actually in the artifact, not anything that might be needed to use it.
>> 
>> Let's consider some examples:
>> 
>> svn checkout points are expected to have LICENSE and NOTICE files at the root applying to what's actually checked out from svn, not including anything that might be pulled into and included in built artifacts.
>> 
>> source artifacts (the buildable project, what is actually voted on for a release) need LICENSE and NOTICE files for what's actually in the file: typically this will be the same as the svn checkout.
>> 
>> "convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's actually inside.  This might be compiled apache-licensed source from the project, and it might include stuff pulled in from other dependencies (such as xstream, and xpp in your example).  If the artifact includes stuff from elsewhere, it needs the additional info: if not it doesn't.
>> 
>> something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server) that includes a lot of third party jars needs the info for everything included in the LICENSE and NOTICE files.
>> 
>> And since I looked into this or a similar combination once.... if you are talking about an artifact such as xstream that appears to ignore the legal requirements for xpp code which is included in the xstream jar, and you have an artifact that includes both, I prefer to try to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not 100% sure it was xstream that ignored the xpp requirements)
> XStream is just mentioned because it includes XPP, and XPP license says that it should be mentioned. I don't remember, from the top of my head, if XStream complies or not, but let's say -rhetorically- that XStream does not include the required mention of XPP license : should we, 'users' of XStream, fix this by including XPP license into our package ? (because we won't be able to fix every single 3rd party we are using...)
>> 
>> hope this is sufficiently accurate to be useful :-)
> Almost, almost :)

Adding a dependency to a pom can have a lot of effects.  If the only use is to help compile your code, then you don't need to mention xstream (or xpp) at all in any LICENSE or NOTICE file.  If one of the effects is that some of the contents of the xstream jar get included in some artifact X you are releasing, then X's LICENSE and NOTICE files have to include appropriate legal info for whatever gets included (so if xpp code is included, then I think you should try to track down the appropriate legal info and comply, even if xstream didn't).  Note there are at least two ways the e.g. xstream code can be included: as a whole jar in something like an "assembly" or by including some of a jar's contents in your jar, like xstream does with xpp.

words are so unclear :-)

david jencks


> 
> Thanks !
> 
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> 
> 


Re: transitive 3rd party dependencies Notice and Licenses

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 5/17/12 7:21 AM, David Jencks wrote:
> On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:
>
>> Hi guys,
>>
>> I have a question : when we use a 3rd party dependency in a project, we have to include a reference to the License and some other information in the NOTICE file, plus add the original 3rd party License into our LICENSE file.
>>
>> But what about transitive dependencies ?
>>
>> For instance, if we use XStream, which includes XPP, and if XStream does not include (or even if it does !) the required license for XPP, should we add it ourselves ?
>>
> Hi Emmanuel,
>
> I'm not sure I understand what you mean by "use".
"Use" in this context means we have added it as a dependency in one of 
the project's pom.

> The LICENSE and NOTICE files refer to what's actually in the artifact, not anything that might be needed to use it.
>
> Let's consider some examples:
>
> svn checkout points are expected to have LICENSE and NOTICE files at the root applying to what's actually checked out from svn, not including anything that might be pulled into and included in built artifacts.
>
> source artifacts (the buildable project, what is actually voted on for a release) need LICENSE and NOTICE files for what's actually in the file: typically this will be the same as the svn checkout.
>
> "convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's actually inside.  This might be compiled apache-licensed source from the project, and it might include stuff pulled in from other dependencies (such as xstream, and xpp in your example).  If the artifact includes stuff from elsewhere, it needs the additional info: if not it doesn't.
>
> something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server) that includes a lot of third party jars needs the info for everything included in the LICENSE and NOTICE files.
>
> And since I looked into this or a similar combination once.... if you are talking about an artifact such as xstream that appears to ignore the legal requirements for xpp code which is included in the xstream jar, and you have an artifact that includes both, I prefer to try to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not 100% sure it was xstream that ignored the xpp requirements)
XStream is just mentioned because it includes XPP, and XPP license says 
that it should be mentioned. I don't remember, from the top of my head, 
if XStream complies or not, but let's say -rhetorically- that XStream does 
not include the required mention of XPP license : should we, 'users' of 
XStream, fix this by including XPP license into our package ? (because 
we won't be able to fix every single 3rd party we are using...)
>
> hope this is sufficiently accurate to be useful :-)
Almost, almost :)

Thanks !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com




Re: transitive 3rd party dependencies Notice and Licenses

Posted by David Jencks <da...@yahoo.com>.
On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:

> Hi guys,
> 
> I have a question : when we use a 3rd party dependency in a project, we have to include a reference to the License and some other information in the NOTICE file, plus add the original 3rd party License into our LICENSE file.
> 
> But what about transitive dependencies ?
> 
> For instance, if we use XStream, which includes XPP, and if XStream does not include (or even if it does !) the required license for XPP, should we add it ourselves ?
> 

Hi Emmanuel,

I'm not sure I understand what you mean by "use".  The LICENSE and NOTICE files refer to what's actually in the artifact, not anything that might be needed to use it.

Let's consider some examples:

svn checkout points are expected to have LICENSE and NOTICE files at the root applying to what's actually checked out from svn, not including anything that might be pulled into and included in built artifacts.

source artifacts (the buildable project, what is actually voted on for a release) need LICENSE and NOTICE files for what's actually in the file: typically this will be the same as the svn checkout.

"convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's actually inside.  This might be compiled apache-licensed source from the project, and it might include stuff pulled in from other dependencies (such as xstream, and xpp in your example).  If the artifact includes stuff from elsewhere, it needs the additional info: if not it doesn't.

something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server) that includes a lot of third party jars needs the info for everything included in the LICENSE and NOTICE files.

And since I looked into this or a similar combination once.... if you are talking about an artifact such as xstream that appears to ignore the legal requirements for xpp code which is included in the xstream jar, and you have an artifact that includes both, I prefer to try to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not 100% sure it was xstream that ignored the xpp requirements)

hope this is sufficiently accurate to be useful :-)

david jencks

> Thanks !
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> 
> 