www-legal-discuss mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: CDDL + GPL license
Date Fri, 30 Jan 2015 19:41:23 GMT
On Fri, Jan 30, 2015 at 5:10 AM, Amareshwari Sriramdasu
<amareshwari@apache.org> wrote:

> In Apache Lens, we are using javax and jersey libraries which are under
> CDDL+GPL license. Dependency management section for the same can be browsed
> here - http://lens.incubator.apache.org/dependency-management.html.
>
> Wanted to find out whether we should include both of them in LICENSE and
> NOTICE files or Including CDDL is sufficient.

LICENSE and NOTICE must always reflect the exact content being distributed.
Libraries available under CDDL/GPL dual licensing cannot be bundled with an
official Apache source release, and therefore their licensing information does
not belong in the LICENSE and NOTICE embedded in the canonical source release
artifacts.

Should a community member supply "convenience binaries"[1], any embedded
LICENSE and NOTICE files will likely need to diverge from those embedded in
the official source release if additional intellectual property is bundled.
Therefore, your question applies only to convenience binaries for Lens which
bundle CDDL/GPL libraries.

I'm prepared to offer some informal commentary to help keep the Lens community
from getting mired in debates over binary licensing details, but the crucial
task is getting the canonical source release correct.  The Apache Software
Foundation releases open source software.  Compiled artifacts, while they may
be derived from open source, are not themselves open source and do not satisfy
the ASF's mission.

Under normal circumstances, it is not legally required to copy the complete
dependency license text into the top-level LICENSE file.  The dependency's own
embedded licensing info should cover its portion of the distribution; so long
as such licensing info is left intact, any obligation of redistributors to
supply a copy of the license text ought to be satisfied.  For example,
consider this sentence from the CDDL 1.0 section 3.1:

    http://opensource.org/licenses/CDDL-1.0

    You must include a copy of this License with every copy of the Source Code
    form of the Covered Software You distribute or otherwise make available.

That sentence does not specify *where* the copy of the CDDL must live, only
that it must be included somewhere.  Thus, for the top-level LICENSE file, it
suffices to supply a pointer -- and even then such a pointer constitutes
"licensing documentation" rather than fulfillment of a legal obligation.

Here's an example pointer taken from our Licensing How-to:

    http://www.apache.org/dev/licensing-howto.html

    This product bundles SuperWidget 1.2.3, which is available under a
    "3-clause BSD" license.  For details, see deps/superwidget/.

For Lens's bundled use of javax and jersey, I suggest adapting that example
for each to mention that the dependency is dual-licensed under the CDDL and
GPL and to reference a specific location within the binary artifacts where its
licensing lives.

Additionally, CDDL 1.0 section 3.1 contains this provision:

    You must inform recipients of any such Covered Software in Executable form
    as to how they can obtain such Covered Software in Source Code form in a
    reasonable manner on or through a medium customarily used for software
    exchange.

To satisfy that requirement, a brief entry in NOTICE with a web link should
suffice.

HTH,

Marvin Humphrey

[1] The term "convenience binaries" is our shorthand for "binary/bytecode
    packages [...] produced as a convenience to users" as described at
    http://www.apache.org/dev/release#what
