[legal-discuss] NOTICE files

Mark McLoughlin markmc at redhat.com
Fri Apr 26 09:50:56 UTC 2013

On Thu, 2013-04-25 at 21:27 -0400, Richard Fontana wrote:
> Hi,
>
> Thanks Stefano and Mark for setting up this list. Since I appear to be
> indirectly to blame for its creation I thought I would provide an
> initial contribution by addressing the issue Dims asked a couple of
> days ago on openstack-dev:
> http://lists.openstack.org/pipermail/openstack-dev/2013-April/007778.html

Wow, what a start ... talk about comprehensive :)

> As noted by Dims NOTICE files are specifically referred to in the
> Apache License 2.0 section 4d. I won't quote the whole provision but
> it begins by saying:
>
>   If the Work includes a "NOTICE" text file as part of its
>   distribution, then any Derivative Works that You distribute must
>   include a readable copy of the attribution notices contained within
>   such NOTICE file ....
>
> So it is understood that upstream projects might not use NOTICE files,
> but in case they do, and they include attribution notices in such a
> file, then distributed 'Derivative Works' must preserve or include
> those attribution notices in one of certain specified ways.

Ah, I never took notice (hah, pun) of this provision any more

So, for example, if you shipped a proprietary product based on
OpenStack, you would be required to take the attribution notices from
each of the NOTICE files and include it in the product.

> ASF projects routinely use NOTICE files. The ASF uses them as a
> centralized place for not just an ASF attribution notice but also any
> legal notices that must be preserved under third-party licenses. Older
> ASF projects also include an Apache Software Foundation copyright
> notice (AIUI the ASF ceased this practice at some point as it came to
> be seen as controversial since the ASF didn't hold any significant
> copyright interest in any particular project).
>
> It is my experience, however, that very few non-ASF projects using the
> Apache License 2.0 make use of the NOTICE file mechanism.
>
> While there are some nice things about having a centralized file for
> collecting *third-party* legal notices, such a thing is not necessary
> (this assumes that any legal notices that have to be preserved in a
> source distribution are preserved in individual source files).

Hmm, so we had a case recently where we were considering incorporating
(2 clause) BSD licensed code in a project:


What I wondered about was how to best comply (or rather, enable
distributors of OpenStack in "binary form" to comply) with the second
clause of the license:

  2. Redistributions in binary form must reproduce the above copyright notice,
     this list of conditions and the following disclaimer in the documentation
     and/or other materials provided with the distribution. 

Do we just include that license (along with the copyright notice) in the
project's LICENSE file? Does a NOTICE file do anything to help
with this case?

> An
> important exception, probably not relevant and unlikely to be relevant
> to OpenStack, is if your source code incorporates code from an
> Apache-licensed project that itself used a NOTICE file.
>
> You could use a centralized file to contain any copyright notices from
> *OpenStack* contributors; this has not been the approach of OpenStack
> thus far, and is really a separate question.
>
> So the question raised by Dims boils down to whether OpenStack
> projects should include an *OpenStack* attribution notice in top-level
> NOTICE files. This would presumably be something analogous to standard
> ASF attribution notices, like:
>
>   This product includes software developed by
>   the OpenStack Foundation (http://www.openstack.org/).

I'm not sure "developed by the OpenStack Foundation" rings true to
me ... maybe "developed by the OpenStack project". The Foundation
doesn't develop the code, it empowers/protects/promotes the project
which develops the code.

> The policy goal in the ASF's case has been to make sure the ASF gets
> visible credit in cases where downstream distributed products are
> based in part on ASF code.
>
> For OpenStack, thus far it has not been thought important to have any
> such attribution notice, as with most other non-ASF Apache-licensed
> projects. I myself don't think it is important so I see no reason to
> begin deviating from historical OpenStack practice to emulate what the
> ASF does.

I agree.

> But perhaps contributors to OpenStack projects feel
> otherwise. In a project like OpenStack that does not aggregate
> copyright ownership (and in which copyright ownership is getting
> increasingly diverse), perhaps some perceive a value to having an
> OpenStack-specific attribution notice.

Yes, you could imagine a case would be made for it, but it would be a
new departure for the project. I'd rather such a move to be made as a
reaction to us feeling we're not getting credit for our work rather than
a "the ASF does it, maybe we should too?" discussion.

> I see occasional uses of "Copyright OpenStack Foundation" in source
> files and I am not clear on whether this signifies code that was
> originally copyrighted by OpenStack LLC or, instead, some sort of
> attempt (like the deprecated ASF practice) to provide attribution to
> the OpenStack Foundation regardless of whether it is actually in any
> interesting sense a copyright holder.
>
> It is also not clear to me that it is *proper* to give attribution to
> the OpenStack *Foundation*, but that's a project-specific cultural
> question and I don't have good insight into that.

The only cases I've noticed this are where the code was developed by
Rackspace employees before the foundation was created.

If there are other cases, it's mostly down to confusion and/or people
blindly copying the header from another file.

I'm probably a good bit more pedantic than most about this and check
what people mean when they add an OpenStack Foundation copyright notice


