[legal-discuss] NOTICE files

Richard Fontana rfontana at redhat.com
Sat Apr 27 01:11:27 UTC 2013


On Fri, Apr 26, 2013 at 10:50:56AM +0100, Mark McLoughlin wrote:
> Hmm, so we had a case recently where we were considering incorporating
> (2 clause) BSD licensed code in a project:
> 
>   https://review.openstack.org/25531
> 
> What I wondered about was how to best comply (or rather, enable
> distributors of OpenStack in "binary form" to comply) with the second
> clause of the license:
> 
>   2. Redistributions in binary form must reproduce the above copyright notice,
>      this list of conditions and the following disclaimer in the documentation
>      and/or other materials provided with the distribution. 
> 
> Do we just include that license (along with the copyright notice) in the
> project's LICENSE file? Does a NOTICE file serve do anything to help
> with this case?

The two ways to deal with this are to include the license information
in the file incorporating the third-party code or to include it in
some global file.

The ASF, as noted, is (or at least seems to be) using NOTICE files not
just for attribution but also for global collection of third-party
legal notices. Sphinx itself (just checking now) apparently uses its
global LICENSE file similarly to store third-party license notices.

If one cares about theoretically making life as easy as possible for
downstream distributors of 'binary form' versions, I suppose this
global-legal-file approach is a preferable way to do that. The other
approach (putting, or retaining, a notice in the source file) is the
one I've tended to recommend (I suppose because it generally conveys
more information, and because I consider it the responsibility of the
downstream distributor to ensure that it is in compliance with all
licenses). There's no right or wrong answer, but a consistent approach
is a good idea.

Sphinx uses notices in individual source files that point to the
global LICENSE file, which means if you're using excerpts of code from
a Sphinx file you'd have to do more work than you would if the actual
license text were already in the file, at least the way I see it. So
here it would have been just as much work to make sure the file(s) in
question had the 2-clause BSD license from Sphinx, as it would have
been to put the same information in a global LICENSE or NOTICE file.

> > So the question raised by Dims boils down to whether OpenStack
> > projects should include an *OpenStack* attribution notice in top-level
> > NOTICE files. This would presumably be something analogous to standard
> > ASF attribution notices, like:
> > 
> >   This product includes software developed by 
> >   the OpenStack Foundation (http://www.openstack.org/).
> 
> I'm not sure "developed by the OpenStack Foundation" rings true to
> me ... maybe "developed by the OpenStack project". The Foundation
> doesn't develop the code, it empowers/protects/promotes the project
> which develops the code.

That was my intuition too (though from someone who's still really an
outside observer of OpenStack, so I wasn't sure I was right), and what
I was alluding to at the end of my message. By contrast, to most ASF
project developers, the wording of the ASF attribution notice
presumably rings true.

> > But perhaps contributors to OpenStack projects feel
> > otherwise. In a project like OpenStack that does not aggregate
> > copyright ownership (and in which copyright ownership is getting
> > increasingly diverse), perhaps some perceive a value to having an
> > OpenStack-specific attribution notice. 
> 
> Yes, you could imagine a case would be made for it, but it would be a
> new departure for the project. I'd rather such a move to be made as a
> reaction to us feeling we're not getting credit for our work rather than
> a "the ASF does it, maybe we should too?" discussion.

For a Red Hat perspective, FWIW, increasingly the Apache License 2.0
is being used for projects initiated by or maintained principally by
Red Hat developers, but AFAICR we've thus far never used the NOTICE
file attribution mechanism. The one case I can think of where we've
considered adding it was for a project where the developers were
miffed at a downstream proprietary commercial derivative product
making significant reuse of the upstream code but apparently not
giving any credit.

 - RF



More information about the legal-discuss mailing list