www-legal-discuss mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: transitive 3rd party dependencies Notice and Licenses
Date Thu, 17 May 2012 05:35:42 GMT
On 5/17/12 7:21 AM, David Jencks wrote:
> On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:
>> Hi guys,
>> I have a question: when we use a 3rd party dependency in a project, we have to include a reference to the License and some other information in the NOTICE file, plus add the original 3rd party License into our LICENSE file.
>> But what about transitive dependencies?
>> For instance, if we use XStream, which includes XPP, and if XSTREAM does not include (or even if it does!) the required license for XPP, should we add it ourselves?
> Hi Emmanuel,
> I'm not sure I understand what you mean by "use".
"Use" in this context means we have added it as a dependency in one of 
the project's pom.

> The LICENSE and NOTICE files refer to what's actually in the artifact, not anything that might be needed to use it.
> Let's consider some examples:
> svn checkout points are expected to have LICENSE and NOTICE files at the root applying to what's actually checked out from svn, not including anything that might be pulled into and included in built artifacts.
> source artifacts (the buildable project, what is actually voted on for a release) need LICENSE and NOTICE files for what's actually in the file: typically this will be the same as the svn checkout.
> "convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's actually inside.  This might be compiled apache-licensed source from the project, and it might include stuff pulled in from other dependencies (such as xstream, and xpp in your example).  If the artifact includes stuff from elsewhere, it needs the additional info: if not it doesn't.
> something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server) that includes a lot of third party jars needs the info for everything included in the LICENSE and NOTICE files.
> And since I looked into this or a similar combination once.... if you are talking about an artifact such as xstream that appears to ignore the legal requirements for xpp code which is included in the xstream jar, and you have an artifact that includes both, I prefer to try to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not 100% sure it was xstream that ignored the xpp requirements)
XStream is just mentioned because it includes XPP, and XPP license says 
that it should be mentioned. I don't remember, off the top of my head, 
if XStream complies or not, but let's say, rhetorically, that XStream does 
not include the required mention of XPP license: should we, 'users' of 
XStream, fix this by including XPP license into our package? (because 
we won't be able to fix every single 3rd party we are using...)
> hope this is sufficiently accurate to be useful :-)
Almost, almost :)

Thanks !

Emmanuel Lécharny
