www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: dependency on CDDL binary
Date Thu, 18 Feb 2016 15:18:58 GMT
required notices and information that the downstream end user should
reasonably expect to be there.

> On Feb 18, 2016, at 5:21 AM, sebb <sebbaz@gmail.com> wrote:
> 
> On 18 February 2016 at 10:05, Henri Yandell <bayard@apache.org> wrote:
>> I think there's a lot of personal style at play; so ymmv.
>> 
>> Personally, my rubric would be:
>> 
>> * If a dependency, but not included -> README.
>> * If a dependency, and included -> LICENSE. With CDDL I would put the
>> required link to the source in the LICENSE file, with the CDDL text, as my
>> preference is for the NOTICE to relate to the Apache source and not the
>> package as a whole; but I see the argument for including in the NOTICE too.
>> * If in the Apache source, I would use NOTICE, but as it's CDDL our policy
>> would be not to include in the Apache source so this is a no-op at Apache.
> 
> I thought the policy for NOTICE was to only include *required notices*.
> Nothing should be added to NOTICE "just in case".
> 
> As per [1] most 3rd party licenses don't need attribution in this way.
> 
> [1] http://www.apache.org/dev/licensing-howto.html#mod-notice
> 
>> Hen
>> 
>> On Wed, Feb 17, 2016 at 8:21 PM, Joe Witt <joe.witt@gmail.com> wrote:
>>> 
>>> I should clarify that CDDL is category-b as per [1].  So with that in
>>> mind the guidance on that same category-b listing states "By including
>>> only the object/binary form, there is less exposed surface area of the
>>> third-party work from which a work might be derived; this addresses
>>> the second guiding principle of this policy. By attaching a prominent
>>> label to the distribution and requiring an explicit action by the user
>>> to get the reciprocally-licensed source, users are less likely to be
>>> unaware of restrictions significantly different from those of the
>>> Apache License. Please include the URL to the product's homepage in
>>> the prominent label."
>>> 
>>> Would the NOTICE then be the right place for that or is it still
>>> readme even for a bundled artifact in a convenience binary
>>> distribution?
>>> 
>>> [1] http://www.apache.org/legal/resolved.html#category-b
>>> 
>>> On Wed, Feb 17, 2016 at 11:13 PM, Joe Witt <joe.witt@gmail.com> wrote:
>>>> Henri
>>>> 
>>>> Is it correct to say your response applies only to the source release?
>>>> If they were to have a convenience binary release that bundled that
>>>> third party dependency then I believe the NOTICE would actually need
>>>> to reflect that CDDL licensed work as per [1] and specifically this
>>>> line "There are a number of other "permissive" licenses which are
>>>> approved for use by the ASF Legal Affairs Committee. Some of these may
>>>> require additions to NOTICE".  This is also of the understanding that
>>>> the CDDL is one of these 'permissive' category-A licenses [2].
>>>> 
>>>> If my understanding is correct I believe this is a good example of
>>>> where confusion can leak in regarding LICENSE/NOTICE handling.
>>>> Responses to these sorts of questions often do not specify whether the
>>>> guidance is for a source release or a convenience binary distribution
>>>> nor do the questions often specify one or the other.  So the guidance
>>>> tends to be about a source release and projects tend to follow the
>>>> source (largely non-bundled dependency) guidance and think it is
>>>> sufficient for their convenience binary distributions.
>>>> 
>>>> [1] http://www.apache.org/dev/licensing-howto.html
>>>> [2] http://www.apache.org/legal/resolved.html#category-a
>>>> 
>>>> Thanks
>>>> Joe
>>>> 
>>>> On Wed, Feb 17, 2016 at 10:53 PM, Henri Yandell <bayard@apache.org>
>>>> wrote:
>>>>> Appropriately labelled.
>>>>> 
>>>>> High-level-speak for:
>>>>> 
>>>>> Make sure the users is aware that a CDDL licensed piece is included in
>>>>> the
>>>>> Apache work. Include the CDDL license, name of project, url to project.
>>>>> 
>>>>> Or if only a dependency, then a note in the README to the effect that
>>>>> the
>>>>> project relies upon a CDDL licensed piece of work (url to project, name
>>>>> of
>>>>> project).
>>>>> 
>>>>> Hen
>>>>> 
>>>>> 
>>>>> On Wed, Feb 17, 2016 at 1:23 PM, Jun Rao <junrao@gmail.com> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> We just realized that Apache Kafka started to have a dependency on
>>>>>> Jersey
>>>>>> jars (https://jersey.java.net/license.html) since 0.9.0.0 released
>>>>>> last
>>>>>> November. Jersey is dual licensed under CDDL and GPL. From Apache's
>>>>>> website,
>>>>>> it says that it's ok to have a binary dependency on CDDL but the
>>>>>> inclusion
>>>>>> must be properly labelled. Could you clarify what exactly properly
>>>>>> labelled
>>>>>> means?
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Jun
>>>>> 
>>>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>>> For additional commands, e-mail: legal-discuss-help@apache.org
>>> 
>> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message