www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henri Yandell <bay...@apache.org>
Subject Re: dependency on CDDL binary
Date Thu, 18 Feb 2016 10:05:35 GMT
I think there's a lot of personal style at play; so ymmv.

Personally, my rubric would be:

* If a dependency, but not included -> README.
* If a dependency, and included -> LICENSE. With CDDL I would put the
required link to the source in the LICENSE file, with the CDDL text, as my
preference is for the NOTICE to relate to the Apache source and not the
package as a whole; but I see the argument for including in the NOTICE too.
* If in the Apache source, I would use NOTICE, but as it's CDDL our policy
would be not to include in the Apache source so this is a no-op at Apache.

Hen

On Wed, Feb 17, 2016 at 8:21 PM, Joe Witt <joe.witt@gmail.com> wrote:

> I should clarify that CDDL is category-b as per [1].  So with that in
> mind the guidance on that same category-b listing states "By including
> only the object/binary form, there is less exposed surface area of the
> third-party work from which a work might be derived; this addresses
> the second guiding principle of this policy. By attaching a prominent
> label to the distribution and requiring an explicit action by the user
> to get the reciprocally-licensed source, users are less likely to be
> unaware of restrictions significantly different from those of the
> Apache License. Please include the URL to the product's homepage in
> the prominent label."
>
> Would the NOTICE then be the right place for that or is it still
> readme even for a bundled artifact in a convenience binary
> distribution?
>
> [1] http://www.apache.org/legal/resolved.html#category-b
>
> On Wed, Feb 17, 2016 at 11:13 PM, Joe Witt <joe.witt@gmail.com> wrote:
> > Henri
> >
> > Is it correct to say your response applies only to the source release?
> >  If they were to have a convenience binary release that bundled that
> > third party dependency then I believe the NOTICE would actually need
> > to reflect that CDDL licensed work as per [1] and specifically this
> > line "There are a number of other "permissive" licenses which are
> > approved for use by the ASF Legal Affairs Committee. Some of these may
> > require additions to NOTICE".  This is also of the understanding that
> > the CDDL is one of these 'permissive' category-A licenses [2].
> >
> > If my understanding is correct I believe this is a good example of
> > where confusion can leak in regarding LICENSE/NOTICE handling.
> > Responses to these sorts of questions often do not specify whether the
> > guidance is for a source release or a convenience binary distribution
> > nor do the questions often specify one or the other.  So the guidance
> > tends to be about a source release and projects tend to follow the
> > source (largely non-bundled dependency) guidance and think it is
> > sufficient for their convenience binary distributions.
> >
> > [1] http://www.apache.org/dev/licensing-howto.html
> > [2] http://www.apache.org/legal/resolved.html#category-a
> >
> > Thanks
> > Joe
> >
> > On Wed, Feb 17, 2016 at 10:53 PM, Henri Yandell <bayard@apache.org>
> wrote:
> >> Appropriately labelled.
> >>
> >> High-level-speak for:
> >>
> >> Make sure the users is aware that a CDDL licensed piece is included in
> the
> >> Apache work. Include the CDDL license, name of project, url to project.
> >>
> >> Or if only a dependency, then a note in the README to the effect that
> the
> >> project relies upon a CDDL licensed piece of work (url to project, name
> of
> >> project).
> >>
> >> Hen
> >>
> >>
> >> On Wed, Feb 17, 2016 at 1:23 PM, Jun Rao <junrao@gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> We just realized that Apache Kafka started to have a dependency on
> Jersey
> >>> jars (https://jersey.java.net/license.html) since 0.9.0.0 released
> last
> >>> November. Jersey is dual licensed under CDDL and GPL. From Apache's
> website,
> >>> it says that it's ok to have a binary dependency on CDDL but the
> inclusion
> >>> must be properly labelled. Could you clarify what exactly properly
> labelled
> >>> means?
> >>>
> >>> Thanks,
> >>>
> >>> Jun
> >>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
>

Mime
View raw message