Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

If no one else steps forward to pick up the task of integrating this new
material into the Licensing How-To, I'm happy to.

Marvin Humphrey

On Fri, Jan 29, 2016 at 8:28 AM, Anthony Baker <ab...@pivotal.io> wrote:
> Thanks so much for helping to clarify these details.  Having just worked
> through some of these questions I can say I would have definitely benefitted
> from having this information available.
>
> Anthony
>
>> On Jan 26, 2016, at 12:08 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
>>
>>> On Tue, Jan 26, 2016 at 11:42 AM, Todd Lipcon <to...@cloudera.com> wrote:
>>> I started a Google doc to try to clear this up in a simple "if/then" type
>>> layout:
>>> https://docs.google.com/document/d/1eftfjrWpOG-dRkw9dZWRfcj3p_qCeE5xC-G0Y5j29Ck/edit
>>
>> Nice work!
>>
>>> I have a bunch of confusion/open questions still, and email threads don't
>>> seem to be the best way to clear these things up, because different people
>>> have different opinions. Perhaps people could take a look at the above doc
>>> and add comments? This could then become a reference guide (or adendum to
>>> the existing licensing howto?).
>>
>> The structure of this document is actually pretty close to what I had
>> in mind with the first draft of the licensing how-to. I think we
>> should seek to integrate this material into that document.
>>
>> Once we have a patch we're happy with, we should run it by legal-discuss@apache.
>>
>> Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Julian Hyde <jh...@apache.org>]

I can see how a TLP would not be receptive to someone nit-picking their LICENSE/NOTICE files. Asking for patches, as Marvin suggests, is one approach that might work. Another approach is for someone with expertise in licensing to approach a TLP and offer to take them through a licensing review. Of course the TLP is at liberty to refuse, but if they accepted, some knowledge would undoubtedly rub off. I can speak only for the Calcite project, but I think we’d be happy to go through such a process every couple of years.

Julian


> On Feb 3, 2016, at 6:32 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> 
> On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean <ju...@me.com> wrote:
>> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little
>> more consistent with current policy?
> 
> I approached a bunch of Lucene PMC members about this at ApacheCon a couple
> years back and they were receptive to the idea.
> 
> However, I don't think we should approach any other TLPs, to be honest.  A lot
> of the issues we'd like to fix in TLP LICENSE and NOTICE files would improve
> compliance with Apache *policy*, not law.  TLPs are the Board's purview -- the
> Incubator's writ only extends to podlings.
> 
> We can let the Board know that poor TLP compliance with Apache licensing
> policy is complicating our work in the Incubator, and perhaps the Board will
> solicit our help as volunteers to work on that problem.  But I think that if
> an initiative to tackle TLP licensing documentation originates on
> general@incubator, that's asking for trouble.  The last thing we need is
> conflict with the Board over ostensible IPMC overreach.
> 
>> Any suggestion on how we would go about this?
> 
> For any TLP we approach, I think we need to ensure that any proposed revisions
> are real, valuable contributions to the community.
> 
> *   Provide patches, rather than point out flaws.
> *   Explain persuasively and coherently to the PMC why these patches should be
>    applied, while minimizing what we ask of them in terms of review and
>    research.
> *   If possible, provide project-specific improvements which will help the PMC
>    handle licensing better and with less effort in the future.
> 
> We need to bear in mind that we are outsiders while a project's PMC members
> are charged with legal oversight of their project, and that there is generally
> limited energy and patience for dealing with legal stuff.
> 
>> Does the policy need to be made clearer first?
> 
> Yes, I think that's important -- it will help us to persuade PMCs that our
> proposed changes are both correct and worthwhile.
> 
> Marvin Humphrey
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

I took a look at all the LICENSE, NOTCE and DISCLAIMER files in the non documentation / non web site github repos of all incubating projects. 

I was assisted by scripts and make a few assumptions for expediency so may of missed a couple/included a graduated or retired project.

Some data points:
- 10 repos are missing a LICENSE file
- There's some (very) minor variations of text in the LICENSE appendix
- 39 repos use a boiler plate LICENSE file
- 1 LICENSE file is missing Apache boilerplate test
- 1 repo is missing the LICENSE appendix part
- 2 repos have a non standard LICENSE appendix (filled in copyright line)
- 10 LICENSE files have the long form of MIT/BSD licenses where the short form is preferred
- 1 LICENSE file oddly / verbosely lists out the MIT/BSD license of all individual files
- at least 1 LICENSE file lists Apache licensed ASF software
- at least 8 LICENSE files list non ASF Apache licensed software
- 14 repos are missing a NOTICE file
- in the NOTICE file 14 repos use the name "Apache XXXX (incubating)”, 55 use "Apache XXXX”, and 3 use just “XXX”  (missing Apache)
- 29 repos have a NOTICE file copyright year before 2016
- 2 use the older “developed by” instead of “developed at” in the NOTICE file
- 2 have incorrect text in the NOTICE files
- at least 8 including licensing information in NOTICE that should be in LICENSE (IMO from a quick look)
- at least 1 has excessive copyright lines which may be incorrect
- 21 repos are missing DISCLAIMER files
- There's some (minor) variation on the DISCLAIMER wording

Projects are works in progress or may not have made a release or updated the files for the next release or the expected files may not be in the 1/2 dozen places my scripts looked at. Just take these numbers as a rough indication. I really didn’t want to spend too long on this.

A few NOTICE / LICENSE files have TODO’s which is nice to see. I would pass an IPMC vote on a release if I saw this.

It looks like a few projects are getting confused with what goes in LICENSE and NOTICE. The two issues seem to be adding MIT, BSD or Apache licenses to NOTICE when it is not required and adding extra copyright notices to NOTICE. An update on policy documentation to make it clearer what goes in both files would help here I think - which is already under way.

There also seems be some confusion around what to do with bundled Apache licensed software. This existing documentation is not entirely clear on how to handle non ASF Apache software and this has come up on the list a few times with some differing opionions.

A few questions on incubator policy that may need to be clarified:
- A release must include a NOTICE file, but should a repo include one?
- Likewise should a DISCLAIMER file be present in the repo?
- I thought incubating projects should be named "Apache XXXX (incubating)” but the majority are named "Apache XXXX” missing the “(incubating)" in the NOTICE file.
- What is the correct way to handle non ASF Apache license software? Currently policy (AFAIK) is not to add to LICENSE but not an error if you do so. What advice should we give to podlings here?

I think some of these issues are likely to occur from copy and paste from other projects files. Would it make sense when creating new source repos to add boiler plate LICENSE, NOTICE and DISCLAIMER files?

Anyone have any other views / opionions / insights based on the above data?

Now I don’t want to look at a LICENSE or NOTICE file for a week or so and need a stiff drink.

Thanks,
Justin

PS If anyone is interested in the simple scripts/process to get those numbers just ask offline. I used grep, wc and sort a fair bit to narrow down which files to look at.
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

You may want to common on / watch what happens with this:
https://issues.apache.org/jira/browse/LEGAL-234

(Re ASF license copyright lines in NOTICE)

Thanks,
Justin

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

On Wed, Feb 3, 2016 at 7:43 PM, Justin Mclean <ju...@me.com> wrote:

>>> Does the policy need to be made clearer first?
>>
>> Yes, I think that's important -- it will help us to persuade PMCs that our
>> proposed changes are both correct and worthwhile.
>
> OK lets work on that.

Based on insights gleaned from recent conversations over on
legal-discuss@apache, I feel good about incorporating the ideas in
this thread into some revisions for the Licensing How-To.  Give me a
week or two to polish something up.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@me.com>]

Hi,

> We can let the Board know that poor TLP compliance with Apache licensing
> policy is complicating our work in the Incubator

+1 to that it makes reviewing releases a lot harder. Recently a few release candidates have waited too long for a vote here and that may be a factor.

Some incubating projects understandably tend to look at what TLP have done and copy that rather than find and wade through all of the policy documentation.

>  The last thing we need is conflict with the Board over ostensible IPMC overreach.

Certainly not.

>> Does the policy need to be made clearer first?
> 
> Yes, I think that's important -- it will help us to persuade PMCs that our
> proposed changes are both correct and worthwhile.

OK lets work on that.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean <ju...@me.com> wrote:
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little
> more consistent with current policy?

I approached a bunch of Lucene PMC members about this at ApacheCon a couple
years back and they were receptive to the idea.

However, I don't think we should approach any other TLPs, to be honest.  A lot
of the issues we'd like to fix in TLP LICENSE and NOTICE files would improve
compliance with Apache *policy*, not law.  TLPs are the Board's purview -- the
Incubator's writ only extends to podlings.

We can let the Board know that poor TLP compliance with Apache licensing
policy is complicating our work in the Incubator, and perhaps the Board will
solicit our help as volunteers to work on that problem.  But I think that if
an initiative to tackle TLP licensing documentation originates on
general@incubator, that's asking for trouble.  The last thing we need is
conflict with the Board over ostensible IPMC overreach.

> Any suggestion on how we would go about this?

For any TLP we approach, I think we need to ensure that any proposed revisions
are real, valuable contributions to the community.

*   Provide patches, rather than point out flaws.
*   Explain persuasively and coherently to the PMC why these patches should be
    applied, while minimizing what we ask of them in terms of review and
    research.
*   If possible, provide project-specific improvements which will help the PMC
    handle licensing better and with less effort in the future.

We need to bear in mind that we are outsiders while a project's PMC members
are charged with legal oversight of their project, and that there is generally
limited energy and patience for dealing with legal stuff.

> Does the policy need to be made clearer first?

Yes, I think that's important -- it will help us to persuade PMCs that our
proposed changes are both correct and worthwhile.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Roman Shaposhnik <ro...@shaposhnik.org>]

On Wed, Feb 3, 2016 at 4:01 PM, Justin Mclean <ju...@me.com> wrote:
> Hi
>
> It seems that some of the confusion comes from what top level projects have done and not keep up with policy?
> From a 5 minute search (and not to pick on / point out any particular project) here’s some examples were
> I think improvement could be made to NOTICE files. [1][2][3][4][5][6][7]
>
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little more consistent with current policy?
> Any suggestion on how we would go about this? Does the policy need to be made clearer first?

FWIW I must echo Justin's sentiment: there's quite a few TLPs out
there that prove
to be far from ideal role models for the podlings. In fact, even in my
own case, I was
looking at a few examples that proved to be an unfortunate choice of
'prior art'.

Thanks,
Roman.

P.S. Justin, I don't think we thank you enough for your diligence
around these areas. So. THANK YOU!!!!

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> Speaking from the NiFi side I can assure you an enormous amount of
> time, energy, and communication go into LICENSE and NOTICE handling
> for this project.

Sorry if you thought my message applied otherwise, there’s certainly no harm intended. 

I was just pointing out (with some examples) that a little confusion seems to occurs at TLP as well.

It was just a casual glance at your NOTICE, certainly not a formal or thorough review, but I would guess that these lines:

	This product includes the following work from the Apache Hadoop project:
	BoundedByteArrayOutputStream.java adapted to SoftLimitBoundedByteArrayOutputStream.java

Doesn’t need to be include in your NOTICE file as per [1]. It would be nice to mention this somewhere but I’m guessing NOTICE isn’t the correct place?

Of course something as minor as this may not even matter as it imposes little on any down stream projects.

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#bundle-asf-product




---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

On Thu, Feb 4, 2016 at 3:54 PM, Justin Mclean <ju...@classsoftware.com> wrote:

> What we put in NOTICE is policy right rather than a
> legal requirement so I guess 3rd parties can do just about anything and
> that’s OK?

The Apache License 2.0 doesn't restrict what can go in NOTICE.  You could put
the lyrics to "Happy Birthday" in there.  Or the complete works of William
Shakespeare.  Or the copyright history of the Wu Tang Clan catalog.

Roy used to have to work hard to persuade Apache projects not to use NOTICE
for crediting contributors, or as a change log.

All of that stuff would be pointless but legal in NOTICE.

But larding up NOTICE with that kind of garbage makes it more expensive for
downstream consumers who are making good faith efforts to comply with our
licensing.  And so it is the policy of the ASF that LICENSE and NOTICE be kept
minimal.

    http://www.apache.org/legal/release-policy#licensing-documentation

    ... LICENSE and NOTICE MUST NOT provide unnecessary information about
    materials which are not bundled in the package, such as separately
    downloaded dependencies.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> There are no active products using Apache-1.1 -- though old releases are still
> available -- so this question is mostly academic.

May be the case for some binary releases using old software. I can think of one project that may need to check that.

>  But it's very interesting historically!

Thanks for that now it’s clear what goes in NOTICE if it does ever show up.

> The BSD-4-clause license with the advertising clause is not approved for use
> by ASF projects.  It's not even OSI approved, and it's vanishingly rare these
> days, anyway. 

Last week I run into an incubating project that had several BSD-4 clause licenses. It (IMO) was not an issue as it turns out the clause had been rescinded (in 1999!) in this particular case. [1][2] But I assume any BSD-4-cluase not covered by that would not be allowed to be bundled.

Thanks,
Justin

1. https://opensource.org/licenses/BSD-3-Clause <https://opensource.org/licenses/BSD-3-Clause>
2. ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change <ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change>

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

On Sat, Feb 6, 2016 at 6:34 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> Here what I worked out needs to be added to LICENSE and NOTICE for each type
> of bundled license.

Good stuff!

Here's a old (2002) but succinct snippet on combining licenses:

    http://www.catb.org/esr/Licensing-HOWTO.html#compatibility

    When two licenses A and B are combined, the following things can happen:
    (1) A subsumes B, (2) B subsumes A, (3) A adds to B so that you must
    observe the requirements of both, or (4) A and B clash — they cannot both
    be satisfied.

As I understand it, when bundling works under other license terms into one of
our distibutions, we have two main objectives:

* Fulfill all requirements of the other licenses.
* Ensure that Apache-2.0 subsumes all other licenses.  This means that
  users who satisfy the terms of Apache-2.0 satisfy all requirements for all
  works in the package, and allows us to advertise the package as available
  under "Apache-2.0", rather than "Apache-2.0 plus FooLicense-3.0 plus
  BarLicense-1.2".

Here's a more recent article (2011) on combining licenses:

    https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility

> CC-A               Y  N

I believe you're referring to the Creative Commons Attribution license, which
normally goes by the acronym "CC-BY".

CC-BY is category B now -- it was moved -- so it can't be bundled in a source
release.  (See LEGAL-167.)

> Does anyone know what goes in NOTICE for Apache 1.1 licensed software?

There are no active products using Apache-1.1 -- though old releases are still
available -- so this question is mostly academic.  But it's very interesting
historically!

Here is the relevant clause from Apache-1.1:

    3. The end-user documentation included with the redistribution,
       if any, must include the following acknowledgment:
           "This product includes software developed by the
            Apache Software Foundation (http://www.apache.org/)."
       Alternately, this acknowledgment may appear in the software itself,
       if and wherever such third-party acknowledgments normally appear.

If the "This product..." line ends up in NOTICE, then Apache-2.0 can be said
to subsume Apache-1.1.  Otherwise, they "add" (by the terms of the catb.org
article quoted above).

It turns out that that "attribution" clause prevents Apache-1.1 from being
subsumed by the GPL, even though Apache-1.1 is otherwise very similar to
BSD-3-clause.  The primary reason that the NOTICE file was added in Apache-2.0
was to make it possible to move that notice out of the license, because the
GPL allows the preservation of notices even though it must subsume all other
licenses[1].

In other words, the NOTICE file originated as a clever legal hack to enable
subsumption of Apache-1.1 by Apache-2.0 while facilitating subsumption of
Apache-2.0 by the GPL.

> Oddly the BSD with advertising clause is not listed in the Category A, B or
> X lists so while it seems to have been discussed (at length) it may not
> actually be able to be bundled.

The BSD-4-clause license with the advertising clause is not approved for use
by ASF projects.  It's not even OSI approved, and it's vanishingly rare these
days, anyway.  We don't have to worry about it.

Marvin Humphrey

[1] http://s.apache.org/XAf

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

Here what I worked out needs to be added to LICENSE and NOTICE for each type of bundled license.

Bundled Code license	LICENSE		NOTICE
Apache 1.1			Y			Y		Not sure what need to be added to NOTICE here
ASF Apache 2.0		N			N/Y		From NOTICE If required 
non ASF Apache 2.0	N			Y 		Name and copyright from NOTICE and from NOTICE if required
BSD					Y			N
BSD (advertising)		Y			Y 		Advertising clause
MIT					Y			N
CC-A				Y			N
OFL*				Y			N
MPL*				Y			Y 		How to obtain a copy of source code
CDDL*				Y			Y 		How to obtain a copy of source code
Eclipse*				Y			Y 		How to obtain a copy of source code
GPL					-			-
LGPL				-			-

N = do nothing
Y = required to add 
* In binary form only
- Not allowed in Apache software

Does anyone know what goes in NOTICE for Apache 1.1 licensed software?

For Apache licensed software if required usually means 3rd party required notices or relocated copyrights that exist the NOTICE file.

Oddly the BSD with advertising clause is not listed in the Category A, B or X lists so while it seems to have been discussed (at length) it may not actually be able to be bundled.

Only case where there seem to be differing of opinions seems to be for bundling an ASF Apache license. Should the project name and copyright be placed in NOTICE? As far as I can tell the Apache License [1][2] doesn’t contain a requirement for a required 3rd party notice. But this [3] may mean than name and/or copyright needs to be added to NOTICE.  If this is the case it would have a large impact on existing (particularly binary) releases. Has there been a discussion on this, that I may of missed, somewhere that would clarify?

Assembled from here:
https://issues.apache.org/jira/browse/LEGAL-59
https://issues.apache.org/jira/browse/LEGAL-62
https://issues.apache.org/jira/browse/LEGAL-185
http://markmail.org/thread/ze722s7ovb5pjdnn
http://apache.markmail.org/thread/4nihn35nczynajvb
(and probably a few other places)

Thanks,
Justin

1. http://www.apache.org/legal/src-headers.html#notice <http://www.apache.org/legal/src-headers.html#notice>
2. http://apache.org/legal/resolved.html#required-third-party-notices <http://apache.org/legal/resolved.html#required-third-party-notices>
3. http://www.apache.org/dev/licensing-howto.html#bundle-asf-product

Re: Confusion over NOTICE vs LICENSE files

[Sean Busbey <bu...@cloudera.com>]

Encouraging use of Whisker from the Apache Creadur project is another
avenue:

http://creadur.apache.org/whisker/

On Thu, Feb 4, 2016 at 5:54 PM, Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> >> But better conventions on the format and content of the files that would
> >> make automated processing easier would also be a great thing, but that
> >> might be too late already.
> >
> > Right, the hardest part of this problem is the spec, which SPDX provides.
>
> SPDX looks good - how there been any interest to implement this at Apache?
>
> BTW I see their NOTICE file has a few issues :-) [1] (It mentions Apache,
> MIT and BSD software). What we put in NOTICE is policy right rather than a
> legal requirement so I guess 3rd parties can do just about anything and
> that’s OK?
>
> A fair number of non ASF Apache software is usually missing a NOTICE file
> or has other issues. What do we do when you bundle a non ASF Apache license
> software that is missing a NOTICE file? Nothing or be a little more polite
> or assume a minimal NOTICE file and add that to ours?
>
> Thanks,
> Justin
>
> 1. https://github.com/spdx/tools/blob/master/NOTICE
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>


-- 
Sean

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@me.com>]

Hi,

> When I saw this topic in the past, the answer was "nothing" [1]

What we’re legally required to do (i.e. nothing) is reasonably clear, but what policy or culturally is the best option is perhaps unclear. 

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Alex Harui <ah...@adobe.com>]

On 2/4/16, 3:54 PM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>A fair number of non ASF Apache software is usually missing a NOTICE file
>or has other issues. What do we do when you bundle a non ASF Apache
>license software that is missing a NOTICE file? Nothing or be a little
>more polite or assume a minimal NOTICE file and add that to ours?

When I saw this topic in the past, the answer was "nothing" [1] or work
with that software community so they put a NOTICE in their future releases
[2]

HTH,
-Alex

[1] 
https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201406.mbox/%3c
CAM1oqKqL+1A90=WKQda-GJyQTo5gAH+ep3WViTRMF9EtiAiVgA@mail.gmail.com%3e

[2] 
https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201508.mbox/%3c
CAM1oqKp-iimxUS4+b11WTt6FuoDwLxL_vQjCio=XRX34jsdXBg@mail.gmail.com%3e


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

Hi,

>> But better conventions on the format and content of the files that would
>> make automated processing easier would also be a great thing, but that
>> might be too late already.
> 
> Right, the hardest part of this problem is the spec, which SPDX provides.

SPDX looks good - how there been any interest to implement this at Apache?

BTW I see their NOTICE file has a few issues :-) [1] (It mentions Apache, MIT and BSD software). What we put in NOTICE is policy right rather than a legal requirement so I guess 3rd parties can do just about anything and that’s OK?

A fair number of non ASF Apache software is usually missing a NOTICE file or has other issues. What do we do when you bundle a non ASF Apache license software that is missing a NOTICE file? Nothing or be a little more polite or assume a minimal NOTICE file and add that to ours?

Thanks,
Justin

1. https://github.com/spdx/tools/blob/master/NOTICE
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Marvin Humphrey <ma...@rectangular.com>]

On Thu, Feb 4, 2016 at 3:05 AM, Serge Huber <sh...@jahia.com> wrote:
> As an engineer that's not an expert at legal stuff I was wondering if
> there isn't a way to solve this with tooling ?

If you're going to go this route, I suggest taking a look at SPDX:

  http://spdx.org/about-spdx

  Our Mission

  Develop and promote adoption of a specification to enable any party in a
  software supply chain, from the original author to the final end user, to
  accurately communicate the licensing information for any piece of
  copyrightable material that such party may create, alter, combine, pass on,
  or receive, and to make such information available in a consistent,
  understandable, and re-usable fashion, with the aim of facilitating license
  and other policy compliance.

Perhaps a way forward would be to create one or more .spdx files describing
an Apache project's licensing -- then write something (ad hoc to begin with)
which uses the SPDX data to generate LICENSE and NOTICE.

> But better conventions on the format and content of the files that would
> make automated processing easier would also be a great thing, but that
> might be too late already.

Right, the hardest part of this problem is the spec, which SPDX provides.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Serge Huber <sh...@jahia.com>]

As an engineer that's not an expert at legal stuff I was wondering if there isn't a way to solve this with tooling ?

I've seen a few Maven plugins out there but they don't seem to work properly, especially for binary distributions.

I've started a plugin myself here [1] but it's still in heavy development. Basically it's aimed at help building license and notice files for binary distributions by scanning all the jars in a directory recursively, trying to find notice, license or Pom.xml files and I was even then looking at connecting it to scm systems or using search.maven.org to find project metadata.

But better conventions on the format and content of the files that would make automated processing easier would also be a great thing, but that might be too late already.

Cheers,
  Serge

[1] https://github.com/sergehuber/Legal-Maven-Plugin


Serge Huber
CTO & Co-Founder

T +41 22 361 3424
9 route des Jeunes | 1227 Acacias | Switzerland
jahia.com
SKYPE | LINKEDIN | TWITTER | VCARD
  

> JOIN OUR COMMUNITY to evaluate, get trained and to discover why Jahia is a leading User Experience Platform (UXP) for Digital Transformation.

> Le 3 févr. 2016 à 19:54, Justin Mclean <ju...@classsoftware.com> a écrit :
> 
> HI,
> 
>> [4] https://nifi.apache.org/licensing-guide.html <https://nifi.apache.org/licensing-guide.html>
> BTW nicely put together, it's well worth a read and clearly explains quite tricky LICENSE and NOTICE issues.
> 
> Thanks,
> Justin

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@classsoftware.com>]

HI,

> [4] https://nifi.apache.org/licensing-guide.html <https://nifi.apache.org/licensing-guide.html>
BTW nicely put together, it's well worth a read and clearly explains quite tricky LICENSE and NOTICE issues.

Thanks,
Justin

Re: Confusion over NOTICE vs LICENSE files

[Joe Witt <jo...@gmail.com>]

Justin,

Speaking from the NiFi side I can assure you an enormous amount of
time, energy, and communication go into LICENSE and NOTICE handling
for this project.  We've had discussions with PMC and committers of
other projects to learn their approach as well as to encourage them to
follow these policies as well.

We attempt to adhere to both spirit and letter of policy regarding
licensing and notice information.  The NOTICE [1] you reference for us
is only the source release NOTICE and I believe it to be correct for
the source release.  Can you share what you see is missing?

We also maintain a notice that specifically applies to any convenance
binaries we produce [2].  In fact, we also do that level of artifact
specific NOTICE resolution for any bundling of dependencies we do (for
example [3]).

We produced and frequently reference this guide to help our community
stay consistent with the policy as we understood/understand it [4].

And here you can see that we are pretty strict in following the
understanding of the policy even when it deviates from otherwise
accepted practice [5].

I very much welcome efforts to improve this guidance.  I think some of
the work Todd Lipcon has initiated recently is a great start.

Now I write this realizing you are an excellent contributor to the
licensing/notice discussions and you provided some of the best RC
reviews in this area as well for us in incubation.  So I write this
fully respecting you just want things to be done right.  if we're
actually doing something wrong let us know and we'll sort it out.

[1] https://github.com/apache/nifi/blob/master/NOTICE
[2] https://github.com/apache/nifi/blob/master/nifi-assembly/NOTICE
[3] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/src/main/resources/META-INF/NOTICE
[4] https://nifi.apache.org/licensing-guide.html
[5] https://issues.apache.org/jira/browse/LEGAL-230

On Wed, Feb 3, 2016 at 7:01 PM, Justin Mclean <ju...@me.com> wrote:
> Hi
>
> It seems that some of the confusion comes from what top level projects have done and not keep up with policy? From a 5 minute search (and not to pick on / point out any particular project) here’s some examples were I think improvement could be made to NOTICE files. [1][2][3][4][5][6][7]
>
> Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little more consistent with current policy? Any suggestion on how we would go about this? Does the policy need to be made clearer first?
>
> Thanks,
> Justin
>
> 1. https://github.com/apache/spark/blob/master/NOTICE <https://github.com/apache/spark/blob/master/NOTICE>
> 2. https://github.com/apache/flink/blob/master/NOTICE <https://github.com/apache/flink/blob/master/NOTICE>
> 3. https://github.com/apache/nifi/blob/master/NOTICE <https://github.com/apache/nifi/blob/master/NOTICE>
> 4. https://github.com/apache/accumulo/blob/master/NOTICE <https://github.com/apache/accumulo/blob/master/NOTICE>
> 5. https://github.com/apache/camel/blob/master/NOTICE.txt <https://github.com/apache/camel/blob/master/NOTICE.txt>
> 6. https://github.com/apache/phoenix/blob/master/NOTICE <https://github.com/apache/phoenix/blob/master/NOTICE>
> 7. https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt <https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt>
>
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Confusion over NOTICE vs LICENSE files

[Justin Mclean <ju...@me.com>]

Hi

It seems that some of the confusion comes from what top level projects have done and not keep up with policy? From a 5 minute search (and not to pick on / point out any particular project) here’s some examples were I think improvement could be made to NOTICE files. [1][2][3][4][5][6][7]

Perhaps it's time to ask TLP to review their LICENCE / NOTICE to be a little more consistent with current policy? Any suggestion on how we would go about this? Does the policy need to be made clearer first?

Thanks,
Justin

1. https://github.com/apache/spark/blob/master/NOTICE <https://github.com/apache/spark/blob/master/NOTICE>
2. https://github.com/apache/flink/blob/master/NOTICE <https://github.com/apache/flink/blob/master/NOTICE>
3. https://github.com/apache/nifi/blob/master/NOTICE <https://github.com/apache/nifi/blob/master/NOTICE>
4. https://github.com/apache/accumulo/blob/master/NOTICE <https://github.com/apache/accumulo/blob/master/NOTICE>
5. https://github.com/apache/camel/blob/master/NOTICE.txt <https://github.com/apache/camel/blob/master/NOTICE.txt>
6. https://github.com/apache/phoenix/blob/master/NOTICE <https://github.com/apache/phoenix/blob/master/NOTICE>
7. https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt <https://github.com/apache/lucene-solr/blob/master/lucene/NOTICE.txt>