Hi, Thanks Stefano and Mark for setting up this list. Since I appear to be indirectly to blame for its creation I thought I would provide an initial contribution by addressing the issue Dims asked a couple of days ago on openstack-dev: http://lists.openstack.org/pipermail/openstack-dev/2013-April/007778.html As noted by Dims NOTICE files are specifically referred to in the Apache License 2.0 section 4d. I won't quote the whole provision but it begins by saying: If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file .... So it is understood that upstream projects might not use NOTICE files, but in case they do, and they include attribution notices in such a file, then distributed 'Derivative Works' must preserve or include those attribution notices in one of certain specified ways. ASF projects routinely use NOTICE files. The ASF uses them as a centralized place for not just an ASF attribution notice but also any legal notices that must be preserved under third-party licenses. Older ASF projects also include an Apache Software Foundation copyright notice (AIUI the ASF ceased this practice at some point as it came to be seen as controversial since the ASF didn't hold any significant copyright interest in any particular project). It is my experience, however, that very few non-ASF projects using the Apache License 2.0 make use of the NOTICE file mechanism. While there are some nice things about having a centralized file for collecting *third-party* legal notices, such a thing is not necessary (this assumes that any legal notices that have to be preserved in a source distribution are preserved in individual source files). An important exception, probably not relevant and unlikely to be relevant to OpenStack, is if your source code incorporates code from an Apache-licensed project that itself used a NOTICE file. You could use a centralized file to contain any copyright notices from *OpenStack* contributors; this has not been the approach of OpenStack thus far, and is really a separate question. So the question raised by Dims boils down to whether OpenStack projects should include an *OpenStack* attribution notice in top-level NOTICE files. This would presumably be something analogous to standard ASF attribution notices, like: This product includes software developed by the OpenStack Foundation (http://www.openstack.org/). The policy goal in the ASF's case has been to make sure the ASF gets visible credit in cases where downstream distributed products are based in part on ASF code. For OpenStack, thus far it has not been thought important to have any such attribution notice, as with most other non-ASF Apache-licensed projects. I myself don't think it is important so I see no reason to begin deviating from historical OpenStack practice to emulate what the ASF does. But perhaps contributors to OpenStack projects feel otherwise. In a project like OpenStack that does not aggregate copyright ownership (and in which copyright ownership is getting increasingly diverse), perhaps some perceive a value to having an OpenStack-specific attribution notice. I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder. It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that. - RF
On Thu, 2013-04-25 at 21:27 -0400, Richard Fontana wrote:
Hi,
Thanks Stefano and Mark for setting up this list. Since I appear to be indirectly to blame for its creation I thought I would provide an initial contribution by addressing the issue Dims asked a couple of days ago on openstack-dev: http://lists.openstack.org/pipermail/openstack-dev/2013-April/007778.html
Wow, what a start ... talk about comprehensive :)
As noted by Dims NOTICE files are specifically referred to in the Apache License 2.0 section 4d. I won't quote the whole provision but it begins by saying:
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file ....
So it is understood that upstream projects might not use NOTICE files, but in case they do, and they include attribution notices in such a file, then distributed 'Derivative Works' must preserve or include those attribution notices in one of certain specified ways.
Ah, I never took notice (hah, pun) of this provision any more So, for example, if you shipped a proprietary product based on OpenStack, you would be required to take the attribution notices from each of the NOTICE files and include it in the product
ASF projects routinely use NOTICE files. The ASF uses them as a centralized place for not just an ASF attribution notice but also any legal notices that must be preserved under third-party licenses. Older ASF projects also include an Apache Software Foundation copyright notice (AIUI the ASF ceased this practice at some point as it came to be seen as controversial since the ASF didn't hold any significant copyright interest in any particular project).
It is my experience, however, that very few non-ASF projects using the Apache License 2.0 make use of the NOTICE file mechanism.
While there are some nice things about having a centralized file for collecting *third-party* legal notices, such a thing is not necessary (this assumes that any legal notices that have to be preserved in a source distribution are preserved in individual source files).
Hmm, so we had a case recently where we were considering incorporating (2 clause) BSD licensed code in a project: https://review.openstack.org/25531 What I wondered about was how to best comply (or rather, enable distributors of OpenStack in "binary form" to comply) with the second clause of the license: 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Do we just include that license (along with the copyright notice) in the project's LICENSE file? Does a NOTICE file serve do anything to help with this case?
An important exception, probably not relevant and unlikely to be relevant to OpenStack, is if your source code incorporates code from an Apache-licensed project that itself used a NOTICE file.
You could use a centralized file to contain any copyright notices from *OpenStack* contributors; this has not been the approach of OpenStack thus far, and is really a separate question.
So the question raised by Dims boils down to whether OpenStack projects should include an *OpenStack* attribution notice in top-level NOTICE files. This would presumably be something analogous to standard ASF attribution notices, like:
This product includes software developed by the OpenStack Foundation (http://www.openstack.org/).
I'm not sure "developed by the OpenStack Foundation" rings true to me ... maybe "developed by the OpenStack project". The Foundation doesn't develop the code, it empowers/protects/promotes the project which develops the code.
The policy goal in the ASF's case has been to make sure the ASF gets visible credit in cases where downstream distributed products are based in part on ASF code.
For OpenStack, thus far it has not been thought important to have any such attribution notice, as with most other non-ASF Apache-licensed projects. I myself don't think it is important so I see no reason to begin deviating from historical OpenStack practice to emulate what the ASF does.
I agree.
But perhaps contributors to OpenStack projects feel otherwise. In a project like OpenStack that does not aggregate copyright ownership (and in which copyright ownership is getting increasingly diverse), perhaps some perceive a value to having an OpenStack-specific attribution notice.
Yes, you could imagine a case would be made for it, but it would be a new departure for the project. I'd rather such a move to be made as a reaction to us feeling we're not getting credit for our work rather than a "the ASF does it, maybe we should too?" discussion.
I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder.
It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that.
The only cases I've noticed this are where the code was developed by Rackspace employees before the foundation was created. If there are other cases, it's mostly down to confusion and/or people blindly copying the header from another file. I'm probably a good bit more pedantic than most about this and check what people mean when they add an OpenStack Foundation copyright notice e.g. https://review.openstack.org/#/c/27285/2/openstack/common/middleware/sizelim... Cheers, Mark.
On Fri, Apr 26, 2013 at 10:50:56AM +0100, Mark McLoughlin wrote:
Hmm, so we had a case recently where we were considering incorporating (2 clause) BSD licensed code in a project:
https://review.openstack.org/25531
What I wondered about was how to best comply (or rather, enable distributors of OpenStack in "binary form" to comply) with the second clause of the license:
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Do we just include that license (along with the copyright notice) in the project's LICENSE file? Does a NOTICE file serve do anything to help with this case?
The two ways to deal with this are to include the license information in the file incorporating the third-party code or to include it in some global file. The ASF, as noted, is (or at least seems to be) using NOTICE files not just for attribution but also for global collection of third-party legal notices. Sphinx itself (just checking now) apparently uses its global LICENSE file similarly to store third-party license notices. If one cares about theoretically making life as easy as possible for downstream distributors of 'binary form' versions, I suppose this global-legal-file approach is a preferable way to do that. The other approach (putting, or retaining, a notice in the source file) is the one I've tended to recommend (I suppose because it generally conveys more information, and because I consider it the responsibility of the downstream distributor to ensure that it is in compliance with all licenses). There's no right or wrong answer, but a consistent approach is a good idea. Sphinx uses notices in individual source files that point to the global LICENSE file, which means if you're using excerpts of code from a Sphinx file you'd have to do more work than you would if the actual license text were already in the file, at least the way I see it. So here it would have been just as much work to make sure the file(s) in question had the 2-clause BSD license from Sphinx, as it would have been to put the same information in a global LICENSE or NOTICE file.
So the question raised by Dims boils down to whether OpenStack projects should include an *OpenStack* attribution notice in top-level NOTICE files. This would presumably be something analogous to standard ASF attribution notices, like:
This product includes software developed by the OpenStack Foundation (http://www.openstack.org/).
I'm not sure "developed by the OpenStack Foundation" rings true to me ... maybe "developed by the OpenStack project". The Foundation doesn't develop the code, it empowers/protects/promotes the project which develops the code.
That was my intuition too (though from someone who's still really an outside observer of OpenStack, so I wasn't sure I was right), and what I was alluding to at the end of my message. By contrast, to most ASF project developers, the wording of the ASF attribution notice presumably rings true.
But perhaps contributors to OpenStack projects feel otherwise. In a project like OpenStack that does not aggregate copyright ownership (and in which copyright ownership is getting increasingly diverse), perhaps some perceive a value to having an OpenStack-specific attribution notice.
Yes, you could imagine a case would be made for it, but it would be a new departure for the project. I'd rather such a move to be made as a reaction to us feeling we're not getting credit for our work rather than a "the ASF does it, maybe we should too?" discussion.
For a Red Hat perspective, FWIW, increasingly the Apache License 2.0 is being used for projects initiated by or maintained principally by Red Hat developers, but AFAICR we've thus far never used the NOTICE file attribution mechanism. The one case I can think of where we've considered adding it was for a project where the developers were miffed at a downstream proprietary commercial derivative product making significant reuse of the upstream code but apparently not giving any credit. - RF
On 2013-04-25 21:27:20 -0400 (-0400), Richard Fontana wrote: [...]
I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder.
It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that.
In the case of code contribution from those of us who are directly employed by the OpenStack Foundation, it seems entirely appropriate (at least to me, though IANAL). I'm curious whether you have an alternative suggestion. -- Jeremy Stanley
On 04/28/2013 06:04 PM, Jeremy Stanley wrote:
On 2013-04-25 21:27:20 -0400 (-0400), Richard Fontana wrote: [...]
I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder.
It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that.
In the case of code contribution from those of us who are directly employed by the OpenStack Foundation, it seems entirely appropriate (at least to me, though IANAL). I'm curious whether you have an alternative suggestion.
If you are employed by the Foundation, then I would say you should certainly give attribution unless the Foundation has an exempting clause in your employment contract. (FWIW, I would vote in favor of not having Foundation employees assign their copyright to the Foundation, since I do know believe our intent is to grow the amount of lines of code under its copyright. That said- I don't really care, so if you're ok with it, I'm ok with it.) As for all of the other instances (pretty much every instance that is not a result of jeblair or fungi writing code over the last few months) it seems to me that they are all mistaken attribution by people who were never given adequate instructions as to what to do. A decent amount of them are likely from Rackspace employees told to put Copyright OpenStack LLC in there. This in turn caused cargo-culting by other people who had not in any legal way assigned their copyright to the Openstack LLC or the Foundation (since we don't do copyright assignment) That said - I'm not sure what, if anything, it damages. And I'm fairly certain the cost of fixing it would be MASSIVE. Or?
On Apr 28, 2013, at 6:13 PM, Monty Taylor <mordred@inaugust.com> wrote:
A decent amount of them are likely from Rackspace employees told to put Copyright OpenStack LLC in there. This in turn caused cargo-culting by other people who had not in any legal way assigned their copyright to the Openstack LLC or the Foundation (since we don't do copyright assignment)
correct (as far as I've seen, at least) --John
On 2013-04-28 18:13:14 -0700 (-0700), Monty Taylor wrote: [...]
I would vote in favor of not having Foundation employees assign their copyright to the Foundation [...]
That's a great point--it's not entirely clear to me that there's any particular benefit to the community to having the output of foundation staff treated as work-for-hire. On the other hand, we represent a small enough percentage of the ATCs that it's probably not worth the effort to put to a vote either. But you're right... it does have the potential to create some confusion for other contributors who see that copyright in a file and assume something akin to an FSF-style assignment. -- Jeremy Stanley
On Mon, Apr 29, 2013 at 01:04:08AM +0000, Jeremy Stanley wrote:
On 2013-04-25 21:27:20 -0400 (-0400), Richard Fontana wrote: [...]
I see occasional uses of "Copyright OpenStack Foundation" in source files and I am not clear on whether this signifies code that was originally copyrighted by OpenStack LLC or, instead, some sort of attempt (like the deprecated ASF practice) to provide attribution to the OpenStack Foundation regardless of whether it is actually in any interesting sense a copyright holder.
It is also not clear to me that it is *proper* to give attribution to the OpenStack *Foundation*, but that's a project-specific cultural question and I don't have good insight into that.
In the case of code contribution from those of us who are directly employed by the OpenStack Foundation, it seems entirely appropriate (at least to me, though IANAL).
There are two distinct issues here, notice of copyright ownership and notice of attribution. It is understood that the person or entity named in a copyright notice is the copyright holder. So if an employee of the OpenStack Foundation contributes code to OpenStack and the Foundation holds copyright on such contributions, certainly any copyright notice associated with those contributions should identify the Foundation. In that first paragraph you quoted from my message, I was mistakenly ignoring that possibility (something I realized after posting the message). The question of whether to use the NOTICE file mechanism mentioned in the Apache License 2.0 raises the second issue, that of attribution notices. The issue here is more specifically whether you'd want to use a NOTICE file to give attribution to something other than that list of people in AUTHORS, analogous to what is done by the ASF (giving NOTICE-file attribution to the ASF itself). That is what I meant in the second paragraph that you quoted, where I said I wasn't sure it was "proper". I don't mean it's not *legally* proper. I mean that my intuition was what Mark later expressed when he said that an ASF-style attribution to the OpenStack Foundation (alone out of all individuals and organizations associated with contributing to OpenStack) would not ring true. (I suppose you could use a different wording of attribution singling out the OpenStack Foundation in a way that might 'ring true'.)
I'm curious whether you have an alternative suggestion.
Just to be clear, I don't think there is any reason to use the NOTICE file mechanism to provide attribution to some *single* thing (vs., say, the list of individual authors generated in the AUTHORS file), and clearly up to this point no one has either thought about it or considered it important to use the NOTICE file at all. But if that were considered desirable, then I'd suggest that the single thing should be the OpenStack project, not the OpenStack Foundation. That is not a legal opinion or conclusion, it is the result of my intuition about the distinction between OpenStack (the project) and the OpenStack Foundation. - RF
participants (5)
-
Jeremy Stanley
-
John Dickinson
-
Mark McLoughlin
-
Monty Taylor
-
Richard Fontana