Legal Discuss
  1. Legal Discuss
  2. LEGAL-62

What are the required 3rd party notices that should go in the NOTICE file?

    Details

    • Type: Question Question
    • Status: Reopened
    • Priority: Major Major
    • Resolution: Unresolved
    • Labels:
      None

      Description

      The ASF doc on the NOTICE file states:

      2. The remainder of the NOTICE file is to be used for required third-party notices. The NOTICE file may also include copyright notices moved from source files submitted to the ASF.

      See: http://www.apache.org/legal/src-headers.html#notice

      I understand the part about "copyright notices moved from source files" but what are required third-party notices?

      After participating in many Incubator poddling release reviews I've seen poddlings asked to do release respins because they've left stuff out and also to respin for including text that is said shouldn't be included. There doesn't seem to be much common understanding on what these notices are, and like LEGAL-31 this is a constant point of contention at the Incubator so it would be really helpful to have some clarification.

        Issue Links

          Activity

          Hide
          Jukka Zitting added a comment -

          Disclaimer: IANAL

          See the license under which the third-party work is available. There typically is a clause that mandates any redistribution to include specific copyright notices. The exact wording is different in each license, but the copyright notices typically follow the form "Copyright (c) <year(s)> <owner>". See below for some simple examples.

          The reason why the NOTICE shouldn't contain much extra text is that our license makes a strict requirement that any derivative works contain those notices. Including text like "this dependency is used for X" or "this dependency is licensed under Y" may be troublesome as the derivative work may well be heavily refactored or relicensed. So, keep the NOTICE file clean and put any extra explanations to the README or some other similar place.

          Examples:

          1) The Apache License version 2.0

          [...]
          If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works
          that You distribute must include a readable copy of the attribution notices contained within
          such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works,
          [...]

          Include the relevant copyright notices found in the NOTICE file.

          2) BSD license:

          Copyright (c) <YEAR>, <OWNER>
          All rights reserved.
          [...]
          Redistributions in binary form must reproduce the above copyright notice, this list of conditions
          and the following disclaimer in the documentation and/or other materials provided with the distribution.
          [...]

          Include the "Copyright (c) <YEAR>, <OWNER>" line. Possibly also the "All rights reserved." line?

          3) The MIT license:

          Copyright (c) <year> <copyright holders>
          [...]
          The above copyright notice and this permission notice shall be included in
          all copies or substantial portions of the Software.
          [...]

          Include the "Copyright (c) <year> <copyright holders>" line.

          Show
          Jukka Zitting added a comment - Disclaimer: IANAL See the license under which the third-party work is available. There typically is a clause that mandates any redistribution to include specific copyright notices. The exact wording is different in each license, but the copyright notices typically follow the form "Copyright (c) <year(s)> <owner>". See below for some simple examples. The reason why the NOTICE shouldn't contain much extra text is that our license makes a strict requirement that any derivative works contain those notices. Including text like "this dependency is used for X" or "this dependency is licensed under Y" may be troublesome as the derivative work may well be heavily refactored or relicensed. So, keep the NOTICE file clean and put any extra explanations to the README or some other similar place. Examples: 1) The Apache License version 2.0 [...] If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, [...] Include the relevant copyright notices found in the NOTICE file. 2) BSD license: Copyright (c) <YEAR>, <OWNER> All rights reserved. [...] Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. [...] Include the "Copyright (c) <YEAR>, <OWNER>" line. Possibly also the "All rights reserved." line? 3) The MIT license: Copyright (c) <year> <copyright holders> [...] The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. [...] Include the "Copyright (c) <year> <copyright holders>" line.
          Hide
          ant elder added a comment -

          That appears disagree with the emerging consensus of LEGAL-59 and for example in this thread about it: http://apache.markmail.org/message/u66o5ucyfquxjl7i?q=LEGAL-59+order:date-forward&page=1

          Show
          ant elder added a comment - That appears disagree with the emerging consensus of LEGAL-59 and for example in this thread about it: http://apache.markmail.org/message/u66o5ucyfquxjl7i?q=LEGAL-59+order:date-forward&page=1
          Hide
          Jukka Zitting added a comment -

          Hmm, in that case I would be wrong and the appropriate examples would be:

          1) Apache License version 1.1

          The end-user documentation included with the redistribution,
          if any, must include the following acknowledgment:
          "This product includes software developed by the
          Apache Software Foundation (http://www.apache.org/)."
          Alternately, this acknowledgment may appear in the software itself,
          if and wherever such third-party acknowledgments normally appear.

          Include "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."

          1) BSD license with advertising clause

          All advertising materials mentioning features or use of this software
          must display the following acknowledgement:
          This product includes software developed by the University of
          California, Berkeley and its contributors.

          Include "This product includes software developed by the University of California, Berkeley and its contributors."

          Show
          Jukka Zitting added a comment - Hmm, in that case I would be wrong and the appropriate examples would be: 1) Apache License version 1.1 The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation ( http://www.apache.org/ )." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear. Include "This product includes software developed by the Apache Software Foundation ( http://www.apache.org/ )." 1) BSD license with advertising clause All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. Include "This product includes software developed by the University of California, Berkeley and its contributors."
          Hide
          Jukka Zitting added a comment - - edited

          I believe there is consensus that the approach illustrated in my second comment is the correct one.

          Is there an action item for this (update some web page, etc.), or should we just resolve this as fixed based on the shared understanding that was reached?

          Show
          Jukka Zitting added a comment - - edited I believe there is consensus that the approach illustrated in my second comment is the correct one. Is there an action item for this (update some web page, etc.), or should we just resolve this as fixed based on the shared understanding that was reached?
          Hide
          Henri Yandell added a comment -

          Resolving this as I think it is effectively a duplicate of LEGAL-59 and I'd rather see the discussion there.

          The short answer is:

          "Required notices depend on the license in question. "

          As it is, I believe that the vast majority of these can be satisfied by the 3rd party license file being in the product rather than having developers trying to determine how to interpret the attribution clauses of each product. The only use case I know of that doesn't fit this are advertising clauses, and those are few and far between.

          Show
          Henri Yandell added a comment - Resolving this as I think it is effectively a duplicate of LEGAL-59 and I'd rather see the discussion there. The short answer is: "Required notices depend on the license in question. " As it is, I believe that the vast majority of these can be satisfied by the 3rd party license file being in the product rather than having developers trying to determine how to interpret the attribution clauses of each product. The only use case I know of that doesn't fit this are advertising clauses, and those are few and far between.
          Hide
          ant elder added a comment -

          This issue keeps on coming up so i wondered if it would be helpful to update the description of the NOTICE file at http://apache.org/legal/src-headers.html#notice.

          Presently it says:

          2.The remainder of the NOTICE file is to be used for required third-party notices.

          How about extending that to have something like:

          2.The remainder of the NOTICE file is to be used for required third-party notices. What is a required notices depend on the license in question. The vast majority of these can be satisfied by the 3rd party license file being included in the product LICENSE file rather than having developers trying to determine how to interpret the attribution clauses of each product. The main case of required third-party notice that doesn't fit this are advertising clauses, and those are few and far between. For discussion about this see LEGAL-59 and LEGAL-62 and the ML discussion around those http://apache.markmail.org/message/u66o5ucyfquxjl7i

          Show
          ant elder added a comment - This issue keeps on coming up so i wondered if it would be helpful to update the description of the NOTICE file at http://apache.org/legal/src-headers.html#notice . Presently it says: 2.The remainder of the NOTICE file is to be used for required third-party notices. How about extending that to have something like: 2.The remainder of the NOTICE file is to be used for required third-party notices. What is a required notices depend on the license in question. The vast majority of these can be satisfied by the 3rd party license file being included in the product LICENSE file rather than having developers trying to determine how to interpret the attribution clauses of each product. The main case of required third-party notice that doesn't fit this are advertising clauses, and those are few and far between. For discussion about this see LEGAL-59 and LEGAL-62 and the ML discussion around those http://apache.markmail.org/message/u66o5ucyfquxjl7i
          Hide
          Robert Burrell Donkin added a comment -

          Ant

          I agree that more detail would be useful but would prefer to keep http://apache.org/legal/src-headers.html#notice simple

          I think we need to add discussion of 'appropriate' verses 'required' in http://www.apache.org/legal/resolved.html, so IMHO it would be better to add content to that document

          Robert

          Show
          Robert Burrell Donkin added a comment - Ant I agree that more detail would be useful but would prefer to keep http://apache.org/legal/src-headers.html#notice simple I think we need to add discussion of 'appropriate' verses 'required' in http://www.apache.org/legal/resolved.html , so IMHO it would be better to add content to that document Robert
          Hide
          Sebb added a comment -

          If the information is added to resolved instead, there should at least be a link from the #notice section.

          Show
          Sebb added a comment - If the information is added to resolved instead, there should at least be a link from the #notice section.
          Hide
          Robert Burrell Donkin added a comment -

          +1

          Show
          Robert Burrell Donkin added a comment - +1
          Hide
          Dennis E. Hamilton added a comment -

          One factor that catches my attention is the following notice that appears on many files:

          /*

          • Licensed to the Apache Software Foundation (ASF) under one
          • or more contributor license agreements. See the NOTICE file
          • distributed with this work for additional information
          • regarding copyright ownership. The ASF licenses this file
          • to you under the Apache License, Version 2.0 (the
          • "License"); you may not use this file except in compliance
          • with the License.
            [ ... ]
            *.

          From that, I would expect the NOTICE file to tell me what I need to know and that I should not have to hop over to LICENSE to find where the required text is to be found, if there is such a required text. It might have the longer part deeper in the NOTICE but cited in the top-level information so that a reader can get the gist of the NOTICE without climbing through a stream of republished license notices, but keeping them where the limitation of their scope is apparent seems like a better idea than a ribbon of licenses in LICENSE.

          So it seems to me. Having an unambigous procedure is definitely more important though.

          Show
          Dennis E. Hamilton added a comment - One factor that catches my attention is the following notice that appears on many files: /* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. [ ... ] *. From that, I would expect the NOTICE file to tell me what I need to know and that I should not have to hop over to LICENSE to find where the required text is to be found, if there is such a required text. It might have the longer part deeper in the NOTICE but cited in the top-level information so that a reader can get the gist of the NOTICE without climbing through a stream of republished license notices, but keeping them where the limitation of their scope is apparent seems like a better idea than a ribbon of licenses in LICENSE. So it seems to me. Having an unambigous procedure is definitely more important though.
          Hide
          ant elder added a comment -

          Dennis, I think what you're talking about is covered by the last line at http://www.apache.org/legal/src-headers.html#notice which says "The NOTICE file may also include copyright notices moved from source files submitted to the ASF.". No change to that so those type of copyright statements may still be in the NOTICE file.

          Show
          ant elder added a comment - Dennis, I think what you're talking about is covered by the last line at http://www.apache.org/legal/src-headers.html#notice which says "The NOTICE file may also include copyright notices moved from source files submitted to the ASF.". No change to that so those type of copyright statements may still be in the NOTICE file.
          Hide
          ant elder added a comment -

          Ok then how about in http://www.apache.org/legal/resolved.html add a new item to Previously Asked Questions:


          What are required third-party notices?

          The NOTICE file in a released artifact may be used for required third-party notices.
          What is a required notices depends on the license in question. The vast majority of
          these can be satisfied by the 3rd party license file being included in the artifats LICENSE
          file rather than having developers trying to determine how to interpret the attribution
          clauses of each product. The main case of required third-party notice that doesn't fit this
          are advertising clauses, and those are few and far between. For discussion about this see
          LEGAL-59 and LEGAL-62 and the ML discussion around those
          http://apache.markmail.org/message/u66o5ucyfquxjl7i

          And in http://www.apache.org/legal/src-headers.html#notice where it says:

          2. The remainder of the NOTICE file is to be used for required third-party notices.

          Change the text "required third-party notices" to be a clickable link pointing to the new item in resolved.html

          Show
          ant elder added a comment - Ok then how about in http://www.apache.org/legal/resolved.html add a new item to Previously Asked Questions: — What are required third-party notices? The NOTICE file in a released artifact may be used for required third-party notices. What is a required notices depends on the license in question. The vast majority of these can be satisfied by the 3rd party license file being included in the artifats LICENSE file rather than having developers trying to determine how to interpret the attribution clauses of each product. The main case of required third-party notice that doesn't fit this are advertising clauses, and those are few and far between. For discussion about this see LEGAL-59 and LEGAL-62 and the ML discussion around those http://apache.markmail.org/message/u66o5ucyfquxjl7i — And in http://www.apache.org/legal/src-headers.html#notice where it says: 2. The remainder of the NOTICE file is to be used for required third-party notices. Change the text "required third-party notices" to be a clickable link pointing to the new item in resolved.html
          Hide
          Robert Burrell Donkin added a comment -

          Dennis: (As Ant says) NOTICE deals with copyright ownership whereas LICENSE deals with licensing but I agree that this legal distinction might be difficult for some people. Probably a good idea to suggest some words which projects could use to explain this to consumers.

          Show
          Robert Burrell Donkin added a comment - Dennis: (As Ant says) NOTICE deals with copyright ownership whereas LICENSE deals with licensing but I agree that this legal distinction might be difficult for some people. Probably a good idea to suggest some words which projects could use to explain this to consumers.
          Hide
          Robert Burrell Donkin added a comment -

          I've drafted something along the lines Ant suggested above. Please take a look and suggest improvements.

          Show
          Robert Burrell Donkin added a comment - I've drafted something along the lines Ant suggested above. Please take a look and suggest improvements.
          Hide
          Lawrence Rosen added a comment -

          FWIW, I have never understood the distinction between the NOTICE file and the LICENSE file. I guess I assumed that someone else here did and that ASF had already explained it precisely somewhere. Based on this multi-year-long thread on JIRA, I now assume I'm not the only one confused.

          Is there a link somewhere that explains what goes in NOTICE and what goes in LICENSE?

          /Larry

          Show
          Lawrence Rosen added a comment - FWIW, I have never understood the distinction between the NOTICE file and the LICENSE file. I guess I assumed that someone else here did and that ASF had already explained it precisely somewhere. Based on this multi-year-long thread on JIRA, I now assume I'm not the only one confused. Is there a link somewhere that explains what goes in NOTICE and what goes in LICENSE? /Larry
          Hide
          Dennis E. Hamilton added a comment -

          @ant @Robert What bothers me about a pile-up of license statements in LICENSE is I don't know what applies to what. I thought the way NOTICE provides attribution (in some cases at least), that is a good place to point to the applicable license statement, if there is one. If it is somewhere in the same file, there is less risk of potential separation.

          My remaining concern.

          Show
          Dennis E. Hamilton added a comment - @ant @Robert What bothers me about a pile-up of license statements in LICENSE is I don't know what applies to what. I thought the way NOTICE provides attribution (in some cases at least), that is a good place to point to the applicable license statement, if there is one. If it is somewhere in the same file, there is less risk of potential separation. My remaining concern.
          Hide
          Sebb added a comment -

          Normally the licenses are not just concatenated; there should be a short header which lists the components to which the subsequent license text applies.

          See for example the httpd LICENSE:

          http://svn.apache.org/repos/asf/httpd/httpd/trunk/LICENSE

          Show
          Sebb added a comment - Normally the licenses are not just concatenated; there should be a short header which lists the components to which the subsequent license text applies. See for example the httpd LICENSE: http://svn.apache.org/repos/asf/httpd/httpd/trunk/LICENSE
          Hide
          ant elder added a comment -

          Robert - thanks for the doc updates, looks good to me.

          Show
          ant elder added a comment - Robert - thanks for the doc updates, looks good to me.
          Hide
          Robert Burrell Donkin added a comment -

          @lawrence

          "FWIW, I have never understood the distinction between the NOTICE file and the LICENSE file. I guess I assumed that someone else here did and that ASF had already explained it precisely somewhere. Based on this multi-year-long thread on JIRA, I now assume I'm not the only one confused."

          Here's my understanding:

          For the convenience of downstream consumers, Apache asks that all resources shipped in a release have their licenses described and a copy of each license shipped. The conventional way to achieve this is by including an index in the LICENSE.

          Unlike the LICENSE, the NOTICE must be retained by downstream consumers. This NOTICE contains the standard Apache attribution, and any notices that Apache is required to ship with the release - for example: relocated copyright notices, source download locations (for some weak copyleft licenses) and text that must be preserved (for some permissive licenses).

          Show
          Robert Burrell Donkin added a comment - @lawrence "FWIW, I have never understood the distinction between the NOTICE file and the LICENSE file. I guess I assumed that someone else here did and that ASF had already explained it precisely somewhere. Based on this multi-year-long thread on JIRA, I now assume I'm not the only one confused." Here's my understanding: For the convenience of downstream consumers, Apache asks that all resources shipped in a release have their licenses described and a copy of each license shipped. The conventional way to achieve this is by including an index in the LICENSE. Unlike the LICENSE, the NOTICE must be retained by downstream consumers. This NOTICE contains the standard Apache attribution, and any notices that Apache is required to ship with the release - for example: relocated copyright notices, source download locations (for some weak copyleft licenses) and text that must be preserved (for some permissive licenses).
          Hide
          Roy T. Fielding added a comment -

          I don't think that understanding is entirely right. Most of the licenses are required to be retained by downstream redistributions. Some only need to be retained in source. And some can be sublicensed (combined under one set of license terms that are compatible).

          The short answer is that LICENSE contains the terms on redistribution/use, whereas NOTICE contains the minimal set of information required by those LICENSE terms in the sense of advertising clauses and stuff that needs to be displayed in an "About..." box.

          The historical reason why we have them separated is because GPL requires the preservation of notices even when it subsumes all other licenses, thus preserving our advertising clause in a way that would otherwise have been incompatible with the GPL.

          Show
          Roy T. Fielding added a comment - I don't think that understanding is entirely right. Most of the licenses are required to be retained by downstream redistributions. Some only need to be retained in source. And some can be sublicensed (combined under one set of license terms that are compatible). The short answer is that LICENSE contains the terms on redistribution/use, whereas NOTICE contains the minimal set of information required by those LICENSE terms in the sense of advertising clauses and stuff that needs to be displayed in an "About..." box. The historical reason why we have them separated is because GPL requires the preservation of notices even when it subsumes all other licenses, thus preserving our advertising clause in a way that would otherwise have been incompatible with the GPL.
          Hide
          Marvin Humphrey added a comment -

          Roy Fielding wrote:

          > The historical reason why we have them separated is because GPL requires the
          > preservation of notices even when it subsumes all other licenses, thus
          > preserving our advertising clause in a way that would otherwise have been
          > incompatible with the GPL.

          While at ApacheCon NA 2013 in Portland, I buttonholed Roy and asked him to
          expand on this comment. Here is my understanding of his answer, phrased as an
          FAQ entry:


          What are the historical motivations behind the NOTICE file?

          The NOTICE file serves several purposes, but the primary reason for separating
          NOTICE out of LICENSE in the Apache License 2.0 was to preserve the
          attribution requirement spelled out in section 3 of the Apache License 1.1 in
          a way that would otherwise have been incompatible with the GPL.

          When carried by the LICENSE, the attribution language constitutes an
          additional requirement which conflicts with the GPL. However, when carried by
          the optional NOTICE file instead of the license, the attribution requirement
          does not conflict with the GPL because the GPL requires the preservation of
          notices even when it subsumes all other licenses.

          I'm not sure we need that to go into "Previously Asked Questions", but I
          wanted to capture it for posterity. It's often been challenging to
          explain why NOTICE exists, and understanding its origins is helpful.

          Show
          Marvin Humphrey added a comment - Roy Fielding wrote: > The historical reason why we have them separated is because GPL requires the > preservation of notices even when it subsumes all other licenses, thus > preserving our advertising clause in a way that would otherwise have been > incompatible with the GPL. While at ApacheCon NA 2013 in Portland, I buttonholed Roy and asked him to expand on this comment. Here is my understanding of his answer, phrased as an FAQ entry: – What are the historical motivations behind the NOTICE file? The NOTICE file serves several purposes, but the primary reason for separating NOTICE out of LICENSE in the Apache License 2.0 was to preserve the attribution requirement spelled out in section 3 of the Apache License 1.1 in a way that would otherwise have been incompatible with the GPL. When carried by the LICENSE, the attribution language constitutes an additional requirement which conflicts with the GPL. However, when carried by the optional NOTICE file instead of the license, the attribution requirement does not conflict with the GPL because the GPL requires the preservation of notices even when it subsumes all other licenses. – I'm not sure we need that to go into "Previously Asked Questions", but I wanted to capture it for posterity. It's often been challenging to explain why NOTICE exists, and understanding its origins is helpful.

            People

            • Assignee:
              Robert Burrell Donkin
              Reporter:
              ant elder
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:

                Development