On Wed, Feb 10, 2016 at 9:01 AM, Marvin Humphrey <marvin@rectangular.com> wrote:
On Wed, Feb 10, 2016 at 4:08 AM, Jim Jagielski <jim@jagunet.com> wrote:

> In other words, we don't do enough to explain what LICENSE
> and NOTICE are for

I still don't understand why "bubbling up" notifications into NOTICE is
*legally* required for a source distro. The sole argument I've seen mentions
the "attribution clause (if any)" of a BSD license.  But what clause is that?
Nobody seems to call it that.

Everyone calls it that...

https://en.wikipedia.org/wiki/BSD_licenses#4-clause_license_.28original_.22BSD_License.22.29

  3. All advertising materials mentioning features or use of this software
     must display the following acknowledgement:
     This product includes software developed by the <organization>.

This is actually the more important clause in terms of our NOTICE file,
however...

  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.

Every binary build, including any binary build from the ASF, is required
to provide the copyright notice and the full license (list of conditions),
which is why both LICENSE and NOTICE are critical.  That also even
includes "the documentation" - e.g. http://tlp.apache.org/docs/.

Wherever we point users to obtain a subcomponent on their own, we
leave the onus on them to then aggregate and satisfy LICENSE and 
NOTICE requirements the component sources on their own.

Wherever we import/merge sources under other licenses, we have
assumed the responsibility of doing so for our users.  If the user
cannot comply with the copyright and licensing terms when compiling
our source code tarball by simply referring to our LICENSE and NOTICE 
files, we've failed to correctly deliver a complete open source work.

So in short, if you really dislike rolling up the terms of whatever copyright
license or notice requirements into our LICENSE and NOTICE files for
our users, quit importing such code into our ASF works, and let the users
obtain those sources for themselves, and own that responsibility for
complying with the sources *they* obtain.

Cheers,

Bill