(Top posting. Phone. Sorry.)
What if we were to generate a NOTICE file? We treat the git repo as the true source of record, and we put copyright attribution into each file. What if, same as AUTHORS and ChangeLog, we generate NOTICE at sdist time to include information collected from the individual files?
Richard Fontana <rfontana(a)redhat.com> wrote:
>On Fri, Apr 26, 2013 at 10:50:56AM +0100, Mark McLoughlin wrote:
>> Hmm, so we had a case recently where we were considering incorporating
>> (2 clause) BSD licensed code in a project:
>>
>> https://review.openstack.org/25531
>>
>> What I wondered about was how to best comply (or rather, enable
>> distributors of OpenStack in "binary form" to comply) with the second
>> clause of the license:
>>
>> 2. Redistributions in binary form must reproduce the above copyright notice,
>> this list of conditions and the following disclaimer in the documentation
>> and/or other materials provided with the distribution.
>>
>> Do we just include that license (along with the copyright notice) in the
>> project's LICENSE file? Does a NOTICE file do anything to help
>> with this case?
>
>The two ways to deal with this are to include the license information
>in the file incorporating the third-party code or to include it in
>some global file.
>
>The ASF, as noted, is (or at least seems to be) using NOTICE files not
>just for attribution but also for global collection of third-party
>legal notices. Sphinx itself (just checking now) apparently uses its
>global LICENSE file similarly to store third-party license notices.
>
>If one cares about theoretically making life as easy as possible for
>downstream distributors of 'binary form' versions, I suppose this
>global-legal-file approach is a preferable way to do that. The other
>approach (putting, or retaining, a notice in the source file) is the
>one I've tended to recommend (I suppose because it generally conveys
>more information, and because I consider it the responsibility of the
>downstream distributor to ensure that it is in compliance with all
>licenses). There's no right or wrong answer, but a consistent approach
>is a good idea.
>
>Sphinx uses notices in individual source files that point to the
>global LICENSE file, which means if you're using excerpts of code from
>a Sphinx file you'd have to do more work than you would if the actual
>license text were already in the file, at least the way I see it. So
>here it would have been just as much work to make sure the file(s) in
>question had the 2-clause BSD license from Sphinx, as it would have
>been to put the same information in a global LICENSE or NOTICE file.
>
>> > So the question raised by Dims boils down to whether OpenStack
>> > projects should include an *OpenStack* attribution notice in top-level
>> > NOTICE files. This would presumably be something analogous to standard
>> > ASF attribution notices, like:
>> >
>> > This product includes software developed by
>> > the OpenStack Foundation (http://www.openstack.org/)
>>
>> I'm not sure "developed by the OpenStack Foundation" rings true to
>> me ... maybe "developed by the OpenStack project". The Foundation
>> doesn't develop the code, it empowers/protects/promotes the project
>> which develops the code.
>
>That was my intuition too (though from someone who's still really an
>outside observer of OpenStack, so I wasn't sure I was right), and what
>I was alluding to at the end of my message. By contrast, to most ASF
>project developers, the wording of the ASF attribution notice
>presumably rings true.
>
>> > But perhaps contributors to OpenStack projects feel
>> > otherwise. In a project like OpenStack that does not aggregate
>> > copyright ownership (and in which copyright ownership is getting
>> > increasingly diverse), perhaps some perceive a value to having an
>> > OpenStack-specific attribution notice.
>>
>> Yes, you could imagine a case would be made for it, but it would be a
>> new departure for the project. I'd rather such a move to be made as a
>> reaction to us feeling we're not getting credit for our work rather than
>> a "the ASF does it, maybe we should too?" discussion.
>
>For a Red Hat perspective, FWIW, increasingly the Apache License 2.0
>is being used for projects initiated by or maintained principally by
>Red Hat developers, but AFAICR we've thus far never used the NOTICE
>file attribution mechanism. The one case I can think of where we've
>considered adding it was for a project where the developers were
>miffed at a downstream proprietary commercial derivative product
>making significant reuse of the upstream code but apparently not
>giving any credit.
>
> - RF
>
Hi,

Thanks Stefano and Mark for setting up this list. Since I appear to be
indirectly to blame for its creation I thought I would provide an
initial contribution by addressing the issue Dims asked a couple of
days ago on openstack-dev:
http://lists.openstack.org/pipermail/openstack-dev/2013-April/007778.html

As noted by Dims, NOTICE files are specifically referred to in the
Apache License 2.0 section 4d. I won't quote the whole provision but
it begins by saying:

    If the Work includes a "NOTICE" text file as part of its
    distribution, then any Derivative Works that You distribute must
    include a readable copy of the attribution notices contained within
    such NOTICE file ....

So it is understood that upstream projects might not use NOTICE files,
but in case they do, and they include attribution notices in such a
file, then distributed 'Derivative Works' must preserve or include
those attribution notices in one of certain specified ways.

ASF projects routinely use NOTICE files. The ASF uses them as a
centralized place for not just an ASF attribution notice but also any
legal notices that must be preserved under third-party licenses. Older
ASF projects also include an Apache Software Foundation copyright
notice (AIUI the ASF ceased this practice at some point as it came to
be seen as controversial since the ASF didn't hold any significant
copyright interest in any particular project).

It is my experience, however, that very few non-ASF projects using the
Apache License 2.0 make use of the NOTICE file mechanism.

While there are some nice things about having a centralized file for
collecting *third-party* legal notices, such a thing is not necessary
(this assumes that any legal notices that have to be preserved in a
source distribution are preserved in individual source files). An
important exception, probably not relevant and unlikely to be relevant
to OpenStack, is if your source code incorporates code from an
Apache-licensed project that itself used a NOTICE file.

You could use a centralized file to contain any copyright notices from
*OpenStack* contributors; this has not been the approach of OpenStack
thus far, and is really a separate question.

So the question raised by Dims boils down to whether OpenStack
projects should include an *OpenStack* attribution notice in top-level
NOTICE files. This would presumably be something analogous to standard
ASF attribution notices, like:

    This product includes software developed by
    the OpenStack Foundation (http://www.openstack.org/)

The policy goal in the ASF's case has been to make sure the ASF gets
visible credit in cases where downstream distributed products are
based in part on ASF code.

For OpenStack, thus far it has not been thought important to have any
such attribution notice, as with most other non-ASF Apache-licensed
projects. I myself don't think it is important so I see no reason to
begin deviating from historical OpenStack practice to emulate what the
ASF does. But perhaps contributors to OpenStack projects feel
otherwise. In a project like OpenStack that does not aggregate
copyright ownership (and in which copyright ownership is getting
increasingly diverse), perhaps some perceive a value to having an
OpenStack-specific attribution notice.

I see occasional uses of "Copyright OpenStack Foundation" in source
files and I am not clear on whether this signifies code that was
originally copyrighted by OpenStack LLC or, instead, some sort of
attempt (like the deprecated ASF practice) to provide attribution to
the OpenStack Foundation regardless of whether it is actually in any
interesting sense a copyright holder.

It is also not clear to me that it is *proper* to give attribution to
the OpenStack *Foundation*, but that's a project-specific cultural
question and I don't have good insight into that.

- RF