Open Stack

(Top posting. Phone. Sorry.)

What if we were to generate a NOTICE file? We treat the got repo as the true source of record, and we put copyright attribution into each file. What if, same as AUTHORS and ChangeLog, we generate NOTICE at sdist time to include information collected from the individual files?

Richard Fontana <rfontana at redhat.com> wrote:

>On Fri, Apr 26, 2013 at 10:50:56AM +0100, Mark McLoughlin wrote:
>> Hmm, so we had a case recently where we were considering incorporating
>> (2 clause) BSD licensed code in a project:
>> 
>>   https://review.openstack.org/25531
>> 
>> What I wondered about was how to best comply (or rather, enable
>> distributors of OpenStack in "binary form" to comply) with the second
>> clause of the license:
>> 
>>   2. Redistributions in binary form must reproduce the above copyright notice,
>>      this list of conditions and the following disclaimer in the documentation
>>      and/or other materials provided with the distribution. 
>> 
>> Do we just include that license (along with the copyright notice) in the
>> project's LICENSE file? Does a NOTICE file serve do anything to help
>> with this case?
>
>The two ways to deal with this are to include the license information
>in the file incorporating the third-party code or to include it in
>some global file.
>
>The ASF, as noted, is (or at least seems to be) using NOTICE files not
>just for attribution but also for global collection of third-party
>legal notices. Sphinx itself (just checking now) apparently uses its
>global LICENSE file similarly to store third-party license notices.
>
>If one cares about theoretically making life as easy as possible for
>downstream distributors of 'binary form' versions, I suppose this
>global-legal-file approach is a preferable way to do that. The other
>approach (putting, or retaining, a notice in the source file) is the
>one I've tended to recommend (I suppose because it generally conveys
>more information, and because I consider it the responsibility of the
>downstream distributor to ensure that it is in compliance with all
>licenses). There's no right or wrong answer, but a consistent approach
>is a good idea.
>
>Sphinx uses notices in individual source files that point to the
>global LICENSE file, which means if you're using excerpts of code from
>a Sphinx file you'd have to do more work than you would if the actual
>license text were already in the file, at least the way I see it. So
>here it would have been just as much work to make sure the file(s) in
>question had the 2-clause BSD license from Sphinx, as it would have
>been to put the same information in a global LICENSE or NOTICE file.
>
>> > So the question raised by Dims boils down to whether OpenStack
>> > projects should include an *OpenStack* attribution notice in top-level
>> > NOTICE files. This would presumably be something analogous to standard
>> > ASF attribution notices, like:
>> > 
>> >   This product includes software developed by 
>> >   the OpenStack Foundation (http://www.openstack.org/).
>> 
>> I'm not sure "developed by the OpenStack Foundation" rings true to
>> me ... maybe "developed by the OpenStack project". The Foundation
>> doesn't develop the code, it empowers/protects/promotes the project
>> which develops the code.
>
>That was my intuition too (though from someone who's still really an
>outside observer of OpenStack, so I wasn't sure I was right), and what
>I was alluding to at the end of my message. By contrast, to most ASF
>project developers, the wording of the ASF attribution notice
>presumably rings true.
>
>> > But perhaps contributors to OpenStack projects feel
>> > otherwise. In a project like OpenStack that does not aggregate
>> > copyright ownership (and in which copyright ownership is getting
>> > increasingly diverse), perhaps some perceive a value to having an
>> > OpenStack-specific attribution notice. 
>> 
>> Yes, you could imagine a case would be made for it, but it would be a
>> new departure for the project. I'd rather such a move to be made as a
>> reaction to us feeling we're not getting credit for our work rather than
>> a "the ASF does it, maybe we should too?" discussion.
>
>For a Red Hat perspective, FWIW, increasingly the Apache License 2.0
>is being used for projects initiated by or maintained principally by
>Red Hat developers, but AFAICR we've thus far never used the NOTICE
>file attribution mechanism. The one case I can think of where we've
>considered adding it was for a project where the developers were
>miffed at a downstream proprietary commercial derivative product
>making significant reuse of the upstream code but apparently not
>giving any credit.
>
> - RF
>
>_______________________________________________
>legal-discuss mailing list
>legal-discuss at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
>