Disclosing source code of derivatives of Apache covered software?

[SCHMITZ Patrice-Emmanuel <Pa...@ext.ec.europa.eu>]

Dears,

We contact the legal affair committee of the Apache foundation for solving a legal point: in the European Commission JLA tool for analysing open licenses content and compatibility (https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses) the obligations (MUST column) attributed to the Apache-2.0 license are;  Include Copyright, State changes, Disclose source and Include licence.
Reading the license text, the provision (or disclosure) of the source code is not a strict requirement of the Apache licence.

However, when a recipient distributes derivative software there is an obligation to state changes (You must cause any modified files to carry prominent notices stating that You changed the files) and to include the attribution notice in the distributed source code, analysts said (https://www.newmediarights.org/open_source/new_media_rights_open_source_licensing_guide ) that the sub-licensors may be required to include it in their distribution if (the original) licensor requires.

It interesting to note that in the current JLA selection (a subset of the 51 most interesting open licences), if you select licences that are “for software” (in the COMPATIBLE column) and that have “State changes” (in the MUST column), you obtain 19 licences (the set includes Apache-2.0) and all of them have also “disclose source” as a must.  This is an indication that the two obligations seems to be closely linked.

So which option do you advise when distributing a modified derivative under Apache-2.0?

  1.  Say that there is no obligation at all to disclose the source code (even if it may cause some tension with other requirements);
  2.  Say that there is no strict obligation , but that it is the good and usual practice;
  3.  Say the there is an implicit obligation (resulting from other requirements like documenting changes in every modified file);
  4.  Say that there is an obligation in case the original licensor requires this communication;
  5.  Any other answer ?

Best regards,

Patrice-Emmanuel Schmitz
Legal support - Joinup.eu

Re: Disclosing source code of derivatives of Apache covered software?

["Roy T. Fielding" <fi...@gbiv.com>]

> On May 6, 2021, at 2:30 AM, SCHMITZ Patrice-Emmanuel <Pa...@ext.ec.europa.eu> wrote:
> 
> We contact the legal affair committee of the Apache foundation for solving a legal point: in the European Commission JLA tool for analysing open licenses content and compatibility (https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses <https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses>) the obligations (MUST column) attributed to the Apache-2.0 license are;  Include Copyright, State changes, Disclose source and Include licence.

BTW, the "Disclose source" attribute is incorrectly specified for almost
all of those licenses. An open source license might require disclosure of
source code when a derived work is distributed in any form (e.g., GPL).
That's what "disclose source" means to our communities.

It does not mean that there are requirements on source code when that
source code is redistributed, which is how the JLA table is incorrectly
interpreting it.

.....Roy

Re: Disclosing source code of derivatives of Apache covered software?

["Roy T. Fielding" <fi...@gbiv.com>]

> On May 6, 2021, at 2:30 AM, SCHMITZ Patrice-Emmanuel <Pa...@ext.ec.europa.eu> wrote:
> 
> Dears,
> 
> We contact the legal affair committee of the Apache foundation for solving a legal point: in the European Commission JLA tool for analysing open licenses content and compatibility (https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses <https://joinup.ec.europa.eu/collection/eupl/solution/joinup-licensing-assistant/jla-find-and-compare-software-licenses>) the obligations (MUST column) attributed to the Apache-2.0 license are;  Include Copyright, State changes, Disclose source and Include licence.
> Reading the license text, the provision (or disclosure) of the source code is not a strict requirement of the Apache licence.

Disclosing the source is not a requirement, even when modified.

> However, when a recipient distributes derivative software there is an obligation to state changes (You must cause any modified files to carry prominent notices stating that You changed the files) and to include the attribution notice in the distributed source code, analysts said (https://www.newmediarights.org/open_source/new_media_rights_open_source_licensing_guide <https://www.newmediarights.org/open_source/new_media_rights_open_source_licensing_guide> ) that the sub-licensors may be required to include it in their distribution if (the original) licensor requires.

Section 4 is about redistribution. "You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:" "b. You must cause any modified files to carry prominent notices stating that You changed the files;" is specifically about what files You redistribute -- "cause any modified files to carry" is only possible when those files are being distributed.

That condition does not apply to the source code files that are not redistributed.

> It interesting to note that in the current JLA selection (a subset of the 51 most interesting open licences), if you select licences that are “for software” (in the COMPATIBLE column) and that have “State changes” (in the MUST column), you obtain 19 licences (the set includes Apache-2.0) and all of them have also “disclose source” as a must.  This is an indication that the two obligations seems to be closely linked.

No, it's an indication that a reader misinterpreted the text.

> So which option do you advise when distributing a modified derivative under Apache-2.0?
> Say that there is no obligation at all to disclose the source code (even if it may cause some tension with other requirements);

That's what the license says. There is no tension.

....Roy T. Fielding (license author and Director, The ASF)