On Thu, 2013-04-25 at 21:27 -0400, Richard Fontana wrote:
Hi,
Thanks Stefano and Mark for setting up this list. Since I appear to be indirectly to blame for its creation I thought I would provide an initial contribution by addressing the issue Dims asked a couple of days ago on openstack-dev: http://lists.openstack.org/pipermail/openstack-dev/2013-April/007778.html
Wow, what a start ... talk about comprehensive :)
As noted by Dims NOTICE files are specifically referred to in the Apache License 2.0 section 4d. I won't quote the whole provision but it begins by saying:
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file ....
So it is understood that upstream projects might not use NOTICE files, but in case they do, and they include attribution notices in such a file, then distributed 'Derivative Works' must preserve or include those attribution notices in one of certain specified ways.
Ah, I never took notice (hah, pun) of this provision any more So, for example, if you shipped a proprietary product based on OpenStack, you would be required to take the attribution notices from each of the NOTICE files and include it in the product
ASF projects routinely use NOTICE files. The ASF uses them as a centralized place for not just an ASF attribution notice but also any legal notices that must be preserved under third-party licenses. Older ASF projects also include an Apache Software Foundation copyright notice (AIUI the ASF ceased this practice at some point as it came to be seen as controversial since the ASF didn't hold any significant copyright interest in any particular project).
It is my experience, however, that very few non-ASF projects using the Apache License 2.0 make use of the NOTICE file mechanism.
While there are some nice things about having a centralized file for collecting *third-party* legal notices, such a thing is not necessary (this assumes that any legal notices that have to be preserved in a source distribution are preserved in individual source files).
Hmm, so we had a case recently where we were considering incorporating (2 clause) BSD licensed code in a project: https://review.openstack.org/25531 What I wondered about was how to best comply (or rather, enable distributors of OpenStack in "binary form" to comply) with the second clause of the license: 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Do we just include that license (along with the copyright notice) in the project's LICENSE file? Does a NOTICE file serve do anything to help with this case?
An important exception, probably not relevant and unlikely to be relevant to OpenStack, is if your source code incorporates code from an Apache-licensed project that itself used a NOTICE file.
You could use a centralized file to contain any copyright notices from *OpenStack* contributors; this has not been the approach of OpenStack thus far, and is really a separate question.
So the question raised by Dims boils down to whether OpenStack projects should include an *OpenStack* attribution notice in top-level NOTICE files. This would presumably be something analogous to standard ASF attribution notices, like:
This product includes software developed by the OpenStack Foundation (http://www.openstack.org/).
I'm not sure "developed by the OpenStack Foundation" rings true to me ... maybe "developed by the OpenStack project". The Foundation doesn't develop the code, it empowers/protects/promotes the project which develops the code.
The policy goal in the ASF's case has been to make sure the ASF gets visible credit in cases where downstream distributed products are based in part on ASF code.
For OpenStack, thus far it has not been thought important to have any such attribution notice, as with most other non-ASF Apache-licensed projects. I myself don't think it is important so I see no reason to begin deviating from historical OpenStack practice to emulate what the ASF does.
I agree.
But perhaps contributors to OpenStack projects feel otherwise. In a project like OpenStack that does not aggregate copyright ownership (and in which copyright ownership is getting increasingly diverse), perhaps some perceive a value to having an OpenStack-specific attribution notice.
Yes, you could imagine a case would be made for it, but it would be a new departure for the project. I'd rather such a move to be made as a reaction to us feeling we're not getting credit for our work rather than a "the ASF does it, maybe we should too?" discussion.
I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder.
It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that.
The only cases I've noticed this are where the code was developed by Rackspace employees before the foundation was created. If there are other cases, it's mostly down to confusion and/or people blindly copying the header from another file. I'm probably a good bit more pedantic than most about this and check what people mean when they add an OpenStack Foundation copyright notice e.g. https://review.openstack.org/#/c/27285/2/openstack/common/middleware/sizelim... Cheers, Mark.