Posted to legal-discuss@apache.org by "amareshwarisr ." <am...@gmail.com> on 2015/02/08 07:30:17 UTC

Re: CDDL + GPL license

Thanks Marvin.

I have updated LICENSE and NOTICE required for source and convenient binary
distribution for Apache Lens. Raised review request at
https://reviews.apache.org/r/30770/ and https://reviews.apache.org/r/30772

If you can provide your feedback on them that would be great.

Thanks
Amareshwari

On Sat, Jan 31, 2015 at 11:32 PM, Marvin Humphrey <ma...@rectangular.com>
wrote:

> On Sat, Jan 31, 2015 at 8:17 AM, amareshwarisr . <am...@gmail.com>
> wrote:
> > Thank you all for the quick responses.
> >
> > Here is what I understand, please correct me if I'm wrong.
> >
> > For source distribution- LICENSE and NOTICE will contain only Apache License
> > and nothing else.
>
> Assuming that the source release for Lens does not bundle any dependencies,
> that's almost correct.  You'll also need some content in NOTICE as described
> here:
>
>     http://www.apache.org/legal/src-headers.html#notice
>
> > For convenience binary distribution, top level LICENSE file can contain
> > Apache License, and NOTICE file must contain dependency dual licensing
> > information with a web link.
>
> The short blurb describing the dependency licensing (in this case dual
> licensing under the CDDL and GPL) should go in LICENSE.  The web link should
> go in NOTICE.
>
> NOTICE is not informational; it is specifically reserved for notices which are
> *legally required*, and section 4d of the Apache License 2.0 imposes extra
> demands on downstream consumers with regards to content in NOTICE.
>
>     https://www.apache.org/licenses/LICENSE-2.0#redistribution
>
> The web link pointing to the source for a bundled binary CDDL dependency is an
> example of such a legally required notice -- without it, a distribution does
> not comply with the CDDL, leaving the redistributor without a license for the
> redistributed content and in violation of copyright law.
>
> In contrast, omitting the dual-licensing blurb from the top-level
> LICENSE/NOTICE does not result in copyright violation.  That blurb is what
> some of us call "licensing documentation", and getting it wrong results in
> what is sometimes called a "licensing documentation bug".
>
> Like other bugs, licensing documentation bugs can have mild or severe impact
> on users and may or may not precipitate new releases or release candidates.
> We have far less flexibility when it comes to copyright violation.
>
> Please work hard to keep LICENSE and NOTICE both correct and minimal, to keep
> down the legal costs of using our work.  People like me who participate in
> licensing review (for either commercial or open source products) will
> appreciate it.
>
> > Ross, I'm assuming when a dependency is available under dual license and one
> > of them is compatible with apache license, then it is an acceptable
> > distribution.
>
> Correct.
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
>

Re: CDDL + GPL license

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Tue, Feb 10, 2015 at 9:09 PM, amareshwarisr . <am...@gmail.com> wrote:
> Thanks Marvin. The detailed feedback provided not just improved LICENSE and
> NOTICE of the project, but got to learn a lot with respect to how to update
> them.

Glad to hear that, Amareshwari -- and thank you for your persistence and for
striving to understand these challenging issues.  While we surely do not get
everything right all the time, such efforts are part of what makes Apache
products attractive, particularly to businesses.

> For source release :
>
> For changes in license suggested, I have a question that how is it conveyed
> that the source files that are missing license headers are fine?
>
> I see the following in http://www.apache.org/legal/src-headers.html,
>
>   Why is a licensing header necessary?
>
>   License headers allow someone examining the file to know the terms for the
>   work, even when it is distributed without the rest of the distribution.
>   Without a licensing notice, it must be assumed that the author has
>   reserved all rights, including the right to copy, modify, and
>   redistribute.
>
> So, how do we convey that the files with missing headers are actually with
> Apache license. I could not get an answer from the page
> http://www.apache.org/legal/src-headers.html

The key phrase in that passage is "Without a licensing notice".  When files
without licensing headers are included in a package, it's reasonable to assume
that they are available under the global licensing of the package.  Such files
do not need to be called out individually in the top-level licensing files,
and there is benefit to downstream in keeping things short.  (If there's a
whitelist of licensed files in LICENSE, what does it mean if a file is missing
from that list??)

> For Binary distribution :

---->8 snip 8<----

> For MIT and BSD notice, Full text of license and copyright is already part
> of top level LICENSE and a web link is provided in NOTICE file.

I disagree with adding web links for BSD and MIT dependencies to the NOTICE
file for a convenience binary.  However, this is only my opinion and the
existence of such links should not block the addition of a convenience
binary to a project dist area.

Apache's present release policy page indicates that PMCs are "responsible" for
the content of their dist area.

  http://www.apache.org/dev/release#what-must-every-release-contain

  Note that the PMC is responsible for all artifacts in their distribution
  directory, which is a subdirectory of www.apache.org/dist/ ; and all
  artifacts placed in their directory must be signed by a committer,
  preferably by a PMC member. It is also necessary for the PMC to ensure that
  the source package is sufficient to build any binary artifacts associated
  with the release.

However, it doesn't spell out just what "responsible" means, and we have
established that release VOTEs only endorse the official source release as
an act of the Foundation.

In my view, it suffices for a PMC to trust the judgment of whoever supplied
any convenience binaries unless there is a clear legal violation, and that
lazy consensus applies for PMC approval of artifacts to be uploaded.  Others
may hold divergent views. :)

Marvin Humphrey



Re: CDDL + GPL license

Posted by "amareshwarisr ." <am...@gmail.com>.
Thanks Marvin. The detailed feedback provided not just improved LICENSE and
NOTICE of the project, but got to learn a lot with respect to how to update
them.

For source release :

For changes in license suggested, I have a question that how is it
conveyed that the source files that are missing license headers are
fine?

I see the following in http://www.apache.org/legal/src-headers.html,

Why is a licensing header necessary?

License headers allow someone examining the file to know the terms for the
work, even when it is distributed without the rest of the distribution.
Without a licensing notice, it must be assumed that the author has reserved
all rights, including the right to copy, modify, and redistribute.

So, how do we convey that the files with missing headers are actually with
Apache license. I could not get an answer from the page
http://www.apache.org/legal/src-headers.html

Will do following changes in source release :

   - Remove entries in LICENSE file which are ALV2
   - Remove copyright notice from NOTICE file for MIT licenses.


For Binary distribution :

Will do following changes along with both the above:


   - Fix typo for For org.hsqldb,

For MIT and BSD notice, Full text of license and copyright is already part
of top level LICENSE and a web link is provided in NOTICE file.

And Yes, I confirm that licensing documentation actually matches the
bundled content, etc

Thanks
Amareshwari

On Tue, Feb 10, 2015 at 8:23 AM, Marvin Humphrey <ma...@rectangular.com>
wrote:

> On Sat, Feb 7, 2015 at 10:30 PM, amareshwarisr . <am...@gmail.com>
> wrote:
>
> > I have updated LICENSE and NOTICE required for source and convenient binary
> > distribution for Apache Lens. Raised review request at
> > https://reviews.apache.org/r/30770/ and https://reviews.apache.org/r/30772
> >
> > If you can provide your feedback on them that would be great.
>
> I'll go over LICENSE and NOTICE in both official source release and
> convenience binary in turn.
>
> ---
>
> First, LICENSE in the official source release:
>
> It is unusual and IMO not desirable to list dozens of individual PNG,
> powerpoint, data, README, and dotfiles in LICENSE.  Especially when they are
> under the ALv2.  I suggest stripping out this list.
>
> The MIT licenses look acceptable.  Some of us might have preferred to see
> pointers rather than multiple copies of the MIT license, but your approach
> complies with policy.
>
> ---
>
> Second, NOTICE in the official source release:
>
> The required text at the top (as specified in src-headers.html) seems
> right.
>
> However, it is not appropriate to add copyright notices for MIT-licensed
> dependencies to NOTICE under ordinary circumstances.
>
> The NOTICE file is not for conveying information to downstream consumers -- it
> is a way to *compel* downstream consumers to *relay* certain required notices.
> For a source distribution, the MIT license is satisfied by leaving any license
> headers intact in any bundled source files.  There is no need to add any
> mention of them to NOTICE, and adding such bloat to NOTICE makes it more
> complicated and expensive to determine how to comply with the licensing of our
> products.
>
> Here's past Board member Roy Fielding on the subject:
>
>     http://s.apache.org/0e
>
>     Hey, I'm all for people having opinions on development and credits and
>     documentation.  NOTICE and LICENSE are none of those.  They are not open
>     to anyone's opinions other than the copyright owners that require such
>     notices, and they must not be added where they are not required.  Each
>     additional notice places a burden on the ASF and all downstream
>     redistributors.
>
>     Please, folks, I am not even a Sling committer.  I am speaking as the
>     author of the Apache License.  Don't screw with what I have changed.
>     I have way more experience in these matters than everyone else at the
>     ASF combined.  If you put stuff in NOTICE that is not legally required
>     to be there, I will remove it as an officer of the ASF.  If you add it
>     back in, I will have to duplicate the effort of removing it again.
>     That will not make me a happy camper.
>
> Sometimes, a copyright holder will insist on putting their copyright notice
> into the NOTICE file.  Once that happens, we are compelled -- by law -- not to
> remove or modify their copyright notice without their permission.  But we
> should not be making decisions to propagate copyright notices into NOTICE
> unilaterally.
>
> ---
>
> Next, LICENSE for the convenience binary (and associated LICENSE-* files):
>
> As with LICENSE in the source release, I suggest stripping out the list of
> miscellaneous files under ALv2.
>
> This comma seems like a typo:
>
>     For org.hsqldb,
>
> The approach taken in the rest of it seems OK.  Kudos for not embedding the
> longer licenses, but instead including additional files like `LICENSE-EPL`.
>
> ---
>
> Finally, NOTICE for the convenience binary:
>
> The required info from src-headers.html seems right.
>
> The links for "category B" dependencies seem appropriate.
>
> Mentions for MIT or 2/3-clause BSD deps in the NOTICE file for *binary*
> distributions is an unsettled subject at the ASF as far as I know -- and since
> we don't release binaries, I don't know how soon there will be guidance, if
> ever.  But note that both licenses contain relevant provisions (BSD is clear
> about binary redistribution, MIT is ambiguous):
>
>     BSD:
>
>         2. Redistributions in binary form must reproduce the above copyright
>            notice, this list of conditions and the following disclaimer in the
>            documentation and/or other materials provided with the
>            distribution.
>
>     MIT:
>
>         The above copyright notice and this permission notice shall be
>         included in all copies or substantial portions of the Software.
>
> Note that both licenses require propagation of the *entire* license text, so a
> link in NOTICE does not suffice.  I imagine that the appropriate place for
> achieving compliance is A) not NOTICE and B) dependent on the binary format
> and where a consumer would be expected to look for such licensing information.
> For a jar file, I'd speculate that inclusion in META-INF/LICENSE is good
> enough?
>
> ---
>
> Standard IANAL disclaimers apply.  Licensing for the convenience binary is the
> primary responsibility of the producer, not the ASF.  I only performed a
> superficial review -- going over such complicated licensing is exhausting and
> I didn't have time to go line by line, confirm that licensing documentation
> actually matches the bundled content, etc.
>
> HTH,
>
> Marvin Humphrey
>

Re: CDDL + GPL license

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Sat, Feb 7, 2015 at 10:30 PM, amareshwarisr . <am...@gmail.com> wrote:

> I have updated LICENSE and NOTICE required for source and convenient binary
> distribution for Apache Lens. Raised review request at
> https://reviews.apache.org/r/30770/ and https://reviews.apache.org/r/30772
>
> If you can provide your feedback on them that would be great.

I'll go over LICENSE and NOTICE in both official source release and
convenience binary in turn.

---

First, LICENSE in the official source release:

It is unusual and IMO not desirable to list dozens of individual PNG,
powerpoint, data, README, and dotfiles in LICENSE.  Especially when they are
under the ALv2.  I suggest stripping out this list.

The MIT licenses look acceptable.  Some of us might have preferred to see
pointers rather than multiple copies of the MIT license, but your approach complies
with policy.

---

Second, NOTICE in the official source release:

The required text at the top (as specified in src-headers.html) seems
right.

However, it is not appropriate to add copyright notices for MIT-licensed
dependencies to NOTICE under ordinary circumstances.

The NOTICE file is not for conveying information to downstream consumers -- it
is a way to *compel* downstream consumers to *relay* certain required notices.
For a source distribution, the MIT license is satisfied by leaving any license
headers intact in any bundled source files.  There is no need to add any
mention of them to NOTICE, and adding such bloat to NOTICE makes it more
complicated and expensive to determine how to comply with the licensing of our
products.

Here's past Board member Roy Fielding on the subject:

    http://s.apache.org/0e

    Hey, I'm all for people having opinions on development and credits and
    documentation.  NOTICE and LICENSE are none of those.  They are not open
    to anyone's opinions other than the copyright owners that require such
    notices, and they must not be added where they are not required.  Each
    additional notice places a burden on the ASF and all downstream
    redistributors.

    Please, folks, I am not even a Sling committer.  I am speaking as the
    author of the Apache License.  Don't screw with what I have changed.
    I have way more experience in these matters than everyone else at the
    ASF combined.  If you put stuff in NOTICE that is not legally required
    to be there, I will remove it as an officer of the ASF.  If you add it
    back in, I will have to duplicate the effort of removing it again.
    That will not make me a happy camper.

Sometimes, a copyright holder will insist on putting their copyright notice
into the NOTICE file.  Once that happens, we are compelled -- by law -- not to
remove or modify their copyright notice without their permission.  But we
should not be making decisions to propagate copyright notices into NOTICE
unilaterally.

---

Next, LICENSE for the convenience binary (and associated LICENSE-* files):

As with LICENSE in the source release, I suggest stripping out the list of
miscellaneous files under ALv2.

This comma seems like a typo:

    For org.hsqldb,

The approach taken in the rest of it seems OK.  Kudos for not embedding the
longer licenses, but instead including additional files like `LICENSE-EPL`.

---

Finally, NOTICE for the convenience binary:

The required info from src-headers.html seems right.

The links for "category B" dependencies seem appropriate.

Mentions for MIT or 2/3-clause BSD deps in the NOTICE file for *binary*
distributions is an unsettled subject at the ASF as far as I know -- and since
we don't release binaries, I don't know how soon there will be guidance, if
ever.  But note that both licenses contain relevant provisions (BSD is clear
about binary redistribution, MIT is ambiguous):

    BSD:

        2. Redistributions in binary form must reproduce the above copyright
           notice, this list of conditions and the following disclaimer in the
           documentation and/or other materials provided with the
           distribution.

    MIT:

        The above copyright notice and this permission notice shall be
        included in all copies or substantial portions of the Software.

Note that both licenses require propagation of the *entire* license text, so a
link in NOTICE does not suffice.  I imagine that the appropriate place for
achieving compliance is A) not NOTICE and B) dependent on the binary format
and where a consumer would be expected to look for such licensing information.
For a jar file, I'd speculate that inclusion in META-INF/LICENSE is good
enough?

---

Standard IANAL disclaimers apply.  Licensing for the convenience binary is the
primary responsibility of the producer, not the ASF.  I only performed a
superficial review -- going over such complicated licensing is exhausting and
I didn't have time to go line by line, confirm that licensing documentation
actually matches the bundled content, etc.

HTH,

Marvin Humphrey
