www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Yandell" <bay...@apache.org>
Subject Re: LICENSE and NOTICE files and SVN
Date Sun, 13 Jan 2008 05:08:54 GMT
On Jan 12, 2008 3:17 PM, simon <skitching@apache.org> wrote:

> A separate mail to this list on the same topic provided this example:
>   http://people.apache.org/~niallp/fileupload-NOTICE.txt
> where the first entry in the NOTICE completely covers the "fileupload"
> project (just one copyright owner), and the second entry in the NOTICE
> is information about the copyright owner of a project on which
> file-upload has a mandatory dependency (commons-io). If file-upload had
> 6 mandatory dependencies, each of which had 6 mandatory dependencies
> then the NOTICE file would have 37 entries.
>
> Is such a thing:
> (a) necessary,
> (b) unnecessary but useful for users,
> (b) unnecessary but harmless, or
> (c) wrong/dangerous

Currently it is the fourth on your list (c) imo, because it mixes
'includes' and 'uses' up. 'includes' strongly implies its in the
distribution and is very important. 'uses' is pretty loose, though I'm
sure it's meant to mean 'depends on, but does not distribute'. Merging
these two concepts is very unclear, when before it was very clear (ie:
includes would be in NOTICE and uses would be in documentation).  Plus
the most important part is the one that is going to be less likely to
appear - 3rd party code in our source itself rather than jars - that
being the most important use of a NOTICE, not the things distributed
with the file [which I'm quite happy to have the license files sit
next to the jars].

If the Maven plugin was able to:

a) Allow for a static NOTICE entry to be included that contained extra
NOTICES about the source (typically source code that is not under the
general copyright),
b) Clearly specify the dependencies which are being included in the
distribution; this would include things like the LGPL output of the
Cobertura plugin [though obviously not that as the ASF don't
distribute LGPL], and
c) Additionally specify non-shipped dependencies and allow for notes
about them [ie: Java version, url of dependency etc]

Then I think a NOTICE would be pretty damn cool and also not
dangerous. Though it wouldn't matter much for a Maven repository
itself as NOTICE and LICENSE flies in jars are only looked at by
serious users - while it's just a zip, it's treated as an executable
and rarely introspected. I imagine Archiva/Eclipse plugin would dig
inside etc.

I'd still worry a bit about people not paying attention to the need,
and it would suck for people trying to find the license, that being
hard enough already [maven website considers the license a 'report'
etc, and notice is not viewable].

> Unless clear guidance is given on this issue, then the Java-based
> projects are going to end up with a mix of releases using all possible
> combinations of the above approaches.

You're getting a clear answer I think, which is that we should put the
NOTICE/LICENSE in SVN (be it because we have to, or because it's
hugely useful for the users) and that the current NOTICE file is not
good enough (be it because we cannot have dependencies in there, or
because the current NOTICE just does it very badly and creates
suspicion that all it will do is lead to worse NOTICE files).

Hen

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message