www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stian Soiland-Reyes <st...@apache.org>
Subject Re: Is GitHub forking subject to clause 4b?
Date Mon, 02 Jan 2017 23:18:24 GMT
I've committed in CMS two new suggested entries to add to the FAQ
about Prominent Notices, intended for

As there was no clear way to fork (!) the www.apache.org site in CMS
commits and this shouldn't go straight live before Legal agrees, I
used HTML comments as safeguards, so it does not show up on the
staging build. Use https://cms.apache.org/www/ to  modify the text and
comment in this thread.  (Remember the notorious "Update" button

Comments welcome!


## How do I provide a "prominent notice" if I modify Apache source
code? ## {#Prominent-Notice}

The Apache License 2.0 [clause 4b](/licenses/LICENSE-2.0#redistribution) permits
you to distribute Apache source code with your own modifications, provided that:

> 4b) You must cause any modified files to carry prominent notices stating that You changed
the files

The easiest way to add a _prominent notice_ for your modifications
is to amend the [license header](/legal/src-headers.html) at the top of the
source code file and add a separate comment immediately above or below
the existing
license header.

For instance, if Example Corporation has modified a file from Apache Foo:

     * Adapted from Apache Foo 1.2.3 http://foo.apache.org/
     * Modifications Copyright 2015-2016 Example Corporation
     * Licensed to the Apache Software Foundation (ASF) under one
     * or more contributor license agreements.  See the NOTICE file
     * distributed with this work for additional information
     * ...

As exemplified above, you are recommended (but not required)
to also include a reference to which Apache release the file
was adapted from.

Note that derivative work (e.g. compiled binaries) do not need to carry a
prominent notice of your changes, however as you are required to
[redistribute any NOTICE file](/licenses/LICENSE-2.0#redistribution)
(clause 4d),
you may want to also amend the NOTICE file
to include the copyright of your modifications.


## Does forking Apache code require prominent notices? ## {#Forking}

In general, _forking_ Apache code, e.g. publishing your own source
code repository with
modified Apache code, is
 a form of
[redistribution]([clause 4b](/licenses/LICENSE-2.0#redistribution)
and therefore require any Apache files you modify to include a
[prominent notice](#Prominent-Notice).

The Apache Software Foundation do however recognise that open source
development can be
performed in distributed collaboration,
including [GitHub pull
requests](https://help.github.com/articles/about-pull-requests/) and
public personal branches of version management systems like Git and
Mercurial, and that
distributing such contributions publicly is a side-effect of open development.

We therefore consider a forked repository which includes modified Apache code
to sufficiently carry a _prominent notice_ if:

a) The repository clearly shows which files have been modified (e.g.
prominently showing "Latest commit")

b) The repository clearly shows its origin from ASF (e.g. prominently
showing "Forked from apache/foo")

c) The repository is **not** intended for redistribution, e.g.
additional release tags or custom installation instructions

d) The modifications are clearly experimental or intended for
contribution to the Apache Software Foundation.


Not sure about the a/b/c/d  break down list as it becomes a bit too
specific and sounds too legalish - this is a FAQ! But how can we
otherwise say "Heey.. we don't care as long as you are nice and it's
not a fork-fork" ?

On 31 December 2016 at 12:00, Stian Soiland-Reyes <stain@apache.org> wrote:
> This is not a problem that ASF is legally in trouble, but that we could be
> pushing contributors towards a license violation.
> I am merely concerned that many projects now encourage contributions through
> GH pull requests (good), and notice that some projects even use tags in
> personal (but public) Gh repositories as release candidates, subject to vote
> of their PMCs. In some projects even committers use such pull requests for
> code review. I think this reflects modern open source development.
> However, as what is established in this thread, publishing a modified source
> to GitHub would be subject to clause 4b requiring a "prominent notice". It
> is unclear if a commit history shown would be sufficient; however we seem to
> think it *should be*.
> As this is currently unclear, we could be encouraging third-parties and
> existing committers to violate our own license to contribute.
> The license is written for a time when contributions were done by patches
> emailed or attached to ASF-hosted infrastructure, which then would not be in
> violation of 4b.
> As technically GitHub forks of any kind could be against clause 4b,  but not
> be something ASF would pursue legally for contribution-intended changes,
> this means that either the license is "wrong", or our policy needs
> clarification to match current practice.
> At the same time we want to keep the option for any actual freestanding
> forks which would need to comply with 4b by modifying their file headers or
> similar.
> Perhaps we can add something to the FAQ on GH pull requests? "When do I need
> to add a prominent notice?"
> On 31 Dec 2016 12:46 am, "Shane Curcuru" <asf@shanecurcuru.org> wrote:
>> There's some good discussion in this thread, but more to the point: what
>> is the specific question that one of our projects is asking here?
>> Separately: immaterial of the legal details, where is the business or
>> community process question?
>> - That is, are you (or others) concerned that the ASF might go after
>> other developers forking our project code on github?
>> In that case, it's a policy decision to discuss in Legal Affairs if and
>> when it happens, and *only if* we decide we care.  I can't see the ASF
>> doing that unless someone else is purposefully and egregiously breaking
>> our license - incredibly unlikely.
>> - Or are people concerned that third party developers who's code is
>> included in an Apache project on github might complain to the ASF?
>> If so, this is a process risk to our project communities, because the
>> ASF will then (if our lawyers say we need to) have to ask the project to
>> remove the offending code or otherwise remediate the issue in a timely
>> manner so that we're respecting the other party's license.
>> But it's not much of a legal risk, because the ASF would always want to
>> ensure we comply with someone else's license.  We'd change the code
>> before anyone would take us to court.
>> - Shane
>> Stian Soiland-Reyes wrote on 12/27/16 6:43 PM:
>> > BTW, I was just wondering.. as it's late December and all:
>> >
>> > It seems technically anyone forking an Apache repository on GitHub,
>> > modifying some source code, and then contribute it as a pull request
>> > (or not), could be in violation of our clause 4b
>> >
>> >>      (b) You must cause any modified files to carry prominent notices
>> >>          stating that You changed the files; and
>> >
>> >
>> > unless they also modified each file they propose changes to - which
>> > probably we would not want in the pull request.
>> >
>> > (The pull request itself constitutes a contribution under clause 5,
>> > but that does not except from 4b - in addition, a forked branch might
>> > be public before it is sent as a pull request)
>> >
>> >
>> > Would keeping a branch on your own github repository constitute
>> > "redistribution", or are we good with "carry prominent notices" as
>> > long as you don't publish/tag the source code?
>> >
>> > (GitHub shows the list of recent commits pretty prominently!)
>> >
>> >
>> > And who would be in violation, GitHub or the user? GitHub would be
>> > "any medium" i think.
>> >
>> >
>> > This is also related to an earlier discussion: A practice in some ASF
>> > projects to do a release candidate git tag only in a personal GitHub
>> > repository and use that personal URL as the subject of the release
>> > vote - this reduces "pre-publishing" the RC tag to wider audience but
>> > can be seen as "distribution" as GitHub creates a 'release' archive of
>> > the tag.
>> >
>> >
>> --
>> - Shane
>>   https://www.apache.org/foundation/marks/resources
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>> For additional commands, e-mail: legal-discuss-help@apache.org

Stian Soiland-Reyes

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message