www-legal-discuss mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: transitive 3rd party dependencies Notice and Licenses
Date Thu, 17 May 2012 05:21:33 GMT

On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:

> Hi guys,
> 
> I have a question: when we use a 3rd party dependency in a project, we have to include
> a reference to the License and some other information in the NOTICE file, plus add the original
> 3rd party License into our LICENSE file.
> 
> But what about transitive dependencies ?
> 
> For instance, if we use XStream, which includes XPP, and if XStream does not include (or
> even if it does!) the required license for XPP, should we add it ourselves?
> 

Hi Emmanuel,

I'm not sure I understand what you mean by "use".  The LICENSE and NOTICE files refer to what's
actually in the artifact, not anything that might be needed to use it.

Let's consider some examples:

svn checkout points are expected to have LICENSE and NOTICE files at the root applying to
what's actually checked out from svn, not including anything that might be pulled into and
included in built artifacts.

source artifacts (the buildable project, what is actually voted on for a release) need LICENSE
and NOTICE files for what's actually in the file: typically this will be the same as the svn
checkout.

"convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's
actually inside.  This might be compiled apache-licensed source from the project, and it might
include stuff pulled in from other dependencies (such as xstream, and xpp in your example).
If the artifact includes stuff from elsewhere, it needs the additional info: if not, it doesn't.

something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server)
that includes a lot of third party jars needs the info for everything included in the LICENSE
and NOTICE files.

And since I looked into this or a similar combination once.... if you are talking about an
artifact such as xstream that appears to ignore the legal requirements for xpp code which
is included in the xstream jar, and you have an artifact that includes both, I prefer to try
to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not
100% sure it was xstream that ignored the xpp requirements)

hope this is sufficiently accurate to be useful :-)

david jencks

> Thanks !
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 
