Not so fast about dispensing with Category B requirements for pointers to source code.
In MPL 2.0, a common case, it is very clear that location of the source code is one of the requirements for distribution of the code in executable form or within a larger work (distributed in binary), that there must be identification of the origin of the code and where source code is available. It is insufficient to simply include the license (by reference or otherwise). MPL 2.0 has a handy Appendix (which I have never seen followed, but I don't get out much) that stipulates a suitable notice. The key is that it must be possible for a recipient of the executable to directly find the specific source code at a suitably archival location.

This is also a requirement for distribution of most Category X works in binary form, and that applies in some cases where Category X licenses are bundled in binary distributions under sanitary conditions that satisfy ASF requirements.

 - Dennis

PS: That these requirements are typically satisfied in the breach is not, it seems to me, something that is appropriate for the ASF to countenance. That there are projects out there that have never complied with such requirements is not justification. For me, it does not serve the public interest, nor does it demonstrate the care for the provenance of contributions (and dependencies) that should be the norm. Most of all, being careless about this undervalues the gift that such dependencies represent to projects that find reuse more convenient than not.

PPS: There is also a forensic value to satisfying these license requirements. In these days of rapid disclosures of security flaws all over the landscape, it is important for a recipient of executable code to know whether or not vulnerability disclosures apply to dependencies in the distribution they are relying upon and whether mitigation is called for. (Although this is also of some benefit to adversaries, it must always be assumed that determined adversaries already know.)
-----Original Message-----
From: Sergio Fernández [mailto:sergio.fernan...@salzburgresearch.at]
Sent: Tuesday, April 23, 2013 00:32
To: general@incubator.apache.org
Cc: Marvin Humphrey
Subject: Re: LICENSE/NOTICE revisited (was Release Apache Marmotta 3.0.0-incubating (RC8))

Hi Marvin,

thanks for your time analysing our release. Please, find my reply inline.

On 18/04/13 02:30, Marvin Humphrey wrote:
> On Wed, Apr 17, 2013 at 11:00 AM, Sebastian Schaffert wrote:

[ ... ]

>> - for dependencies of category B, [2] specifies that "Although the source
>> must not be included in Apache products, the NOTICE file, which is
>> required to be included in each ASF distribution, must point to the source
>> form of the included binary (more on that in the forthcoming "Receiving
>> and Releasing Contributions" document).", a fact that is not mentioned in
>> any of the other documents.
>
> This passage has somehow escaped my notice until now. Based on my
> understanding about the origins of the NOTICE file, it does not ring true. It
> seems to me that what works for category A should also work for category B:
> reference/quote the license in LICENSE and address mandatory attribution
> requirements in NOTICE. The goal is to satisfy the licensing requirements of
> the dependency, not to give credit -- so IMO linking only makes sense if
> that's a requirement of the dependency's license.

So keep in NOTICE only those which require additional attribution requirements?

> Does anybody know any TLPs that are actually following the advice to link to
> source for category B dependencies in binary NOTICE files?

[ ... ]