www-legal-discuss mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: transitive 3rd party dependencies Notice and Licenses
Date Thu, 17 May 2012 05:46:45 GMT

On May 16, 2012, at 10:35 PM, Emmanuel Lécharny wrote:

> On 5/17/12 7:21 AM, David Jencks wrote:
>> On May 16, 2012, at 9:52 PM, Emmanuel Lécharny wrote:
>>> Hi guys,
>>> I have a question: when we use a 3rd party dependency in a project, we have to include a reference to the License and some other information in the NOTICE file, plus add the original 3rd party License into our LICENSE file.
>>> But what about transitive dependencies?
>>> For instance, if we use XStream, which includes XPP, and if XSTREAM does not include (or even if it does!) the required license for XPP, should we add it ourselves?
>> Hi Emmanuel,
>> I'm not sure I understand what you mean by "use".
> "Use" in this context means we have added it as a dependency in one of the project's
>> The LICENSE and NOTICE files refer to what's actually in the artifact, not anything that might be needed to use it.
>> Let's consider some examples:
>> svn checkout points are expected to have LICENSE and NOTICE files at the root applying to what's actually checked out from svn, not including anything that might be pulled into and included in built artifacts.
>> source artifacts (the buildable project, what is actually voted on for a release) need LICENSE and NOTICE files for what's actually in the file: typically this will be the same as the svn checkout.
>> "convenience" binary artifacts such as jars need LICENSE and NOTICE files applying to what's actually inside.  This might be compiled apache-licensed source from the project, and it might include stuff pulled in from other dependencies (such as xstream, and xpp in your example).  If the artifact includes stuff from elsewhere, it needs the additional info: if not it doesn't
>> something like a server assembly (e.g. a geronimo assembly, unpack and you get a working server) that includes a lot of third party jars needs the info for everything included in the LICENSE and NOTICE files.
>> And since I looked into this or a similar combination once.... if you are talking about an artifact such as xstream that appears to ignore the legal requirements for xpp code which is included in the xstream jar, and you have an artifact that includes both, I prefer to try to fix the xstream mistake and track down the xpp requirements and satisfy them.  (I'm not 100% sure it was xstream that ignored the xpp requirements)
> XStream is just mentioned because it includes XPP, and XPP license says that it should be mentioned. I don't remember, from the top of my head, if XStream complies or not, but let's say -rhetorically- that XStream does not include the required mention of XPP license: should we, 'users' of XStream, fix this by including XPP license into our package? (because we won't be able to fix every single 3rd party we are using...)
>> hope this is sufficiently accurate to be useful :-)
> Almost, almost :)

Adding a dependency to a pom can have a lot of effects.  If the only use is to help compile
your code, then you don't need to mention xstream (or xpp) at all in any LICENSE or NOTICE
file.  If one of the effects is that some of the contents of the xstream jar get included
in some artifact X you are releasing, then X's LICENSE and NOTICE files have to include appropriate
legal info for whatever gets included (so if xpp code is included, then I think you should
try to track down the appropriate legal info and comply, even if xstream didn't).  Note there
are at least two ways the e.g. xstream code can be included: as a whole jar in something like
an "assembly" or by including some of a jar's contents in your jar, like xstream does with

words are so unclear :-)

david jencks

> Thanks !
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
