www-legal-discuss mailing list archives

From simon <skitch...@apache.org>
Subject Re: LICENSE and NOTICE files and SVN
Date Sat, 12 Jan 2008 23:17:41 GMT

On Fri, 2008-01-11 at 14:50 -0600, William A. Rowe, Jr. wrote:
> simon wrote:
> > 
> > Firstly, does this mean that it is ok for the NOTICE file published in a
> > released module to be different (have more information) than the one
> > checked in to svn?
> When appropriate, of course.  If NOTICE is missing information relative
> to the subversion repository it represents, then no.
> For example, httpd has an import of expat along with a host of other
> copyrights that apply to bits (dating way back to NCSA).  That one
> is recorded in NOTICE.  But for example, the win32 builds include the
> binaries of openssl.  In that case, the NOTICE installed with those
> external binaries has additional NOTICE language with respect to
> openssl project's copyright (and the copyrights that apply to openssl's
> sources which they've incorporated).
> > Secondly, in the case of Java we are releasing what is effectively a
> > single ".so" file, and embedding the license/notice in it. You would
> > expect the notice in this case to include NOTICE (ie copyright) info
> > about projects that it *links* to (ie depends on, but does not itself
> > contain)?
> Odd to picture a distribution that wasn't otherwise packaged, but if it
> really is a single binary artifact, there should be the appropriate
> NOTICE and LICENSE in the same download location as the artifact, IMHO.

Java is a bit different. The basic functional unit ("shared library") is
called a "jarfile" and is actually a kind of zip-file that internally
has code plus a directory allocated for metadata information. It is the
convention that license and copyright info be placed in this internal

The basic redistributable module is just one of these modules; a "maven
repository" can be found here:
There are jarfiles from many organisations here, each with metadata
describing which other modules it depends on, and (hopefully) copyright
and licensing information embedded internally. You can take any ".jar"
file in this tree and open it with a zip program, then look inside the
META-INF directory.

Of course "tarball" type bundles containing a jarfile plus docs etc. are
often also available but often people just use the available jarfile

Now the question specifically is not whether a NOTICE file embedded in
the jarfile for project X should cover all the source corresponding to
the binary code within that jarfile (of course it should), but whether
it should also contain information about the external projects it has
mandatory dependencies on.

A separate mail to this list on the same topic provided this example:
where the first entry in the NOTICE completely covers the "fileupload"
project (just one copyright owner), and the second entry in the NOTICE
is information about the copyright owner of a project on which
file-upload has a mandatory dependency (commons-io). If file-upload had
6 mandatory dependencies, each of which had 6 mandatory dependencies
then the NOTICE file would have 37 entries.

Is such a thing:
(a) necessary,
(b) unnecessary but useful for users,
(b) unnecessary but harmless, or
(c) wrong/dangerous

Unless clear guidance is given on this issue, then the Java-based
projects are going to end up with a mix of releases using all possible
combinations of the above approaches.


DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.