www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: dependency on CDDL binary
Date Thu, 18 Feb 2016 10:21:21 GMT
On 18 February 2016 at 10:05, Henri Yandell <bayard@apache.org> wrote:
> I think there's a lot of personal style at play; so ymmv.
>
> Personally, my rubric would be:
>
> * If a dependency, but not included -> README.
> * If a dependency, and included -> LICENSE. With CDDL I would put the
> required link to the source in the LICENSE file, with the CDDL text, as my
> preference is for the NOTICE to relate to the Apache source and not the
> package as a whole; but I see the argument for including in the NOTICE too.
> * If in the Apache source, I would use NOTICE, but as it's CDDL our policy
> would be not to include in the Apache source so this is a no-op at Apache.

I thought the policy for NOTICE was to only include *required notices*.
Nothing should be added to NOTICE "just in case".

As per [1] most 3rd party licenses don't need attribution in this way.

[1] http://www.apache.org/dev/licensing-howto.html#mod-notice

> Hen
>
> On Wed, Feb 17, 2016 at 8:21 PM, Joe Witt <joe.witt@gmail.com> wrote:
>>
>> I should clarify that CDDL is category-b as per [1].  So with that in
>> mind the guidance on that same category-b listing states "By including
>> only the object/binary form, there is less exposed surface area of the
>> third-party work from which a work might be derived; this addresses
>> the second guiding principle of this policy. By attaching a prominent
>> label to the distribution and requiring an explicit action by the user
>> to get the reciprocally-licensed source, users are less likely to be
>> unaware of restrictions significantly different from those of the
>> Apache License. Please include the URL to the product's homepage in
>> the prominent label."
>>
>> Would the NOTICE then be the right place for that or is it still
>> readme even for a bundled artifact in a convenience binary
>> distribution?
>>
>> [1] http://www.apache.org/legal/resolved.html#category-b
>>
>> On Wed, Feb 17, 2016 at 11:13 PM, Joe Witt <joe.witt@gmail.com> wrote:
>> > Henri
>> >
>> > Is it correct to say your response applies only to the source release?
>> >  If they were to have a convenience binary release that bundled that
>> > third party dependency then I believe the NOTICE would actually need
>> > to reflect that CDDL licensed work as per [1] and specifically this
>> > line "There are a number of other "permissive" licenses which are
>> > approved for use by the ASF Legal Affairs Committee. Some of these may
>> > require additions to NOTICE".  This is also of the understanding that
>> > the CDDL is one of these 'permissive' category-A licenses [2].
>> >
>> > If my understanding is correct I believe this is a good example of
>> > where confusion can leak in regarding LICENSE/NOTICE handling.
>> > Responses to these sorts of questions often do not specify whether the
>> > guidance is for a source release or a convenience binary distribution
>> > nor do the questions often specify one or the other.  So the guidance
>> > tends to be about a source release and projects tend to follow the
>> > source (largely non-bundled dependency) guidance and think it is
>> > sufficient for their convenience binary distributions.
>> >
>> > [1] http://www.apache.org/dev/licensing-howto.html
>> > [2] http://www.apache.org/legal/resolved.html#category-a
>> >
>> > Thanks
>> > Joe
>> >
>> > On Wed, Feb 17, 2016 at 10:53 PM, Henri Yandell <bayard@apache.org>
>> > wrote:
>> >> Appropriately labelled.
>> >>
>> >> High-level-speak for:
>> >>
>> >> Make sure the users is aware that a CDDL licensed piece is included in
>> >> the
>> >> Apache work. Include the CDDL license, name of project, url to project.
>> >>
>> >> Or if only a dependency, then a note in the README to the effect that
>> >> the
>> >> project relies upon a CDDL licensed piece of work (url to project, name
>> >> of
>> >> project).
>> >>
>> >> Hen
>> >>
>> >>
>> >> On Wed, Feb 17, 2016 at 1:23 PM, Jun Rao <junrao@gmail.com> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> We just realized that Apache Kafka started to have a dependency on
>> >>> Jersey
>> >>> jars (https://jersey.java.net/license.html) since 0.9.0.0 released
>> >>> last
>> >>> November. Jersey is dual licensed under CDDL and GPL. From Apache's
>> >>> website,
>> >>> it says that it's ok to have a binary dependency on CDDL but the
>> >>> inclusion
>> >>> must be properly labelled. Could you clarify what exactly properly
>> >>> labelled
>> >>> means?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Jun
>> >>
>> >>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>> For additional commands, e-mail: legal-discuss-help@apache.org
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message