www-legal-discuss mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Simplifying requirements for LICENSE and NOTICE
Date Mon, 08 Feb 2016 05:04:25 GMT

Despite our best efforts, confusion about the requirements for LICENSE
and NOTICE continues to frustrate our volunteers. Over time, I have become
increasingly convinced that those requirements are simply unrealistic and
that the problems we face are not solvable through improved documentation.

Therefore, I propose exploring the following changes in how we handle
licensing documentation for official Apache source releases:

1.  Cease propagating *any* content from bundled dependencies into the
    top-level NOTICE file.
2.  Cease the practice of copying dependency licenses verbatim into LICENSE.
3.  Recommend that LICENSE consist of the ALv2, plus a filepath
    pointer to each bundled dependency along with the dependency's version
    identifier and an SPDX license identifier[1].

As far as I know, there are two rationales for the current practice of
"bubbling up" dependency licensing information and notification requirements
into the top-level LICENSE and NOTICE files. First, to comply with any
relevant provisions in the licenses of bundled dependencies. Second, to
provide aggregate licensing information as a convenience to downstream

With regards to notifications, I question whether "bubbling up" anything is
legally required for source redistribution. I submit that for source
releases, bundling any dependency in source form suffices to satisfy typical
notification requirements[2] so long as the dependency licensing
documentation remains intact in the dependency source code subtree.

With regards to providing aggregate licensing information as a convenience,
I submit that our amateur attempts at aggregation are not reliable enough
for those who are serious about compliance -- and that such consumers will
perform exhaustive analysis regardless. The only real benefit is thus to
provide a superficial overview of package licensing -- which is worthwhile
but can be achieved at lower cost.

Therefore, instead of calling on our volunteers to interpret notification
provisions written in legalese, we should instead recommend that they simply
provide pointers to all bundled dependencies. I believe that task is more
consistently achievable -- it could be automated for many projects -- yet
provides the same real benefits as the current regime to downstream

Marvin Humphrey

[1] https://spdx.org/licenses/
[2] I am confident that "bubbling up" is not required by either MIT or BSD
    licenses for redistribution in source form. My amateur analysis is that
    the same holds true for the ALv2 section 4d, the EPL 1.0 section 3, and
    the MPL 2.0 sections 3.1, 3.4 and 10.4.
