KAFKA-12602: Fix LICENSE file #10474
Hi all,
This is in response to the issues raised in the mailing list:
https://lists.apache.org/thread.html/r2df54c11c10d3d38443054998bc7dd92d34362641733c2fb7c579b50%40%3Cdev.kafka.apache.org%3E
I'm way out of my league here, but someone has got to take a stab at fixing this situation. Please make no assumption that I know what I'm doing and let me know if anything seems wrong.
A few specific questions:
- Note my questions regarding the copyright line in BSD and MIT... It doesn't seem necessary to include copyright notices with a binary dependency, since (AFAIK) copyright applies to the text of the source code, not the compiled program code. But that's based on a very sketchy understanding of the legal foundations here.
- Many of our dependencies list multiple licenses. I think this means we can just pick which one we want to use. Is that right? I preferred to use Apache2 where available, and otherwise to minimize the number of new licenses that we pull in (under the assumption that that will help our users analyze their legal standing).
In addition to those specific questions, I hope at least one reviewer can double-check the dependencies and their licenses to make sure I didn't make any typos.
Also, we should include some automation as well, at least to check that we keep this list updated when we add/update dependencies. I've sunk a ton of time into this, though, so I'll just file a ticket to do that for the next release(s).
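The automation the description asks for, as an added example that is not part of this PR or of the Kafka build: a check that parses the notice lines LICENSE-binary uses in this PR ("This distribution has a binary dependency on X, which is available under Y") and compares the named artifacts against the jars found under libs/ in a release tarball listing, reporting jars shipped without a notice and notices left over for jars no longer shipped. The tar listing, the 0.0.0 versions and the example-codec artifact are constructed for the demonstration, and keying a jar on the name before its first "-<digit>" is an assumption about the naming scheme.

```python
"""Audit LICENSE-binary against the jars actually bundled in a release tarball.

Added example, not code from the Kafka project. It assumes two things:
  * each third-party notice in LICENSE-binary is one line in the form
    "This distribution has a binary dependency on <artifact>, which is
     available under <license>" (the format this PR introduces);
  * bundled jars live under libs/ and are named <artifact>-<version>.jar.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# One notice line per third-party artifact; the optional trailing
# " as described below." appears on some entries in the PR.
NOTICE_RE = re.compile(
    r"^This distribution has a binary dependency on (?P<artifact>[^,\s]+), "
    r"which is available under (?:the )?(?P<license>.+?)(?: as described below)?\.?\s*$"
)

# "<anything>/libs/<name>-<version>.jar": the artifact name is everything
# before the first "-<digit>" (assumption about the naming scheme).
JAR_RE = re.compile(r"^(?:.*/)?libs/(?P<name>[A-Za-z0-9_.+-]+?)-\d[\w.+-]*\.jar$")


def parse_license_binary(text: str) -> Dict[str, str]:
    """Return {artifact: license} for every notice line in LICENSE-binary."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = NOTICE_RE.match(line.strip())
        if m:
            entries[m.group("artifact")] = m.group("license")
    return entries


def bundled_artifacts(tar_listing: Iterable[str]) -> Set[str]:
    """Return the artifact names of all jars under libs/ in a tar listing."""
    names: Set[str] = set()
    for path in tar_listing:
        m = JAR_RE.match(path.strip())
        if m:
            names.add(m.group("name"))
    return names


def audit(license_text: str, tar_listing: Iterable[str],
          ignore_prefixes: Tuple[str, ...] = ()) -> Tuple[List[str], List[str]]:
    """Compare notices with shipped jars.

    Returns (missing, stale): jars with no notice, and notices with no jar.
    Artifacts whose name starts with one of ignore_prefixes (our own jars)
    are not expected to carry a third-party notice.
    """
    entries = parse_license_binary(license_text)
    jars = {n for n in bundled_artifacts(tar_listing)
            if not n.startswith(ignore_prefixes)}
    missing = sorted(jars - entries.keys())
    stale = sorted(entries.keys() - jars)
    return missing, stale


# Constructed sample inputs (not taken from a real Kafka release): a
# LICENSE-binary fragment in the PR's notice format and a tar listing with
# made-up 0.0.0 versions.
SAMPLE_LICENSE_BINARY = """\
See the License for the specific language governing permissions and
limitations under the License.

------------------------------------------------------------------------------------
This distribution has a binary dependency on zstd-jni, which is available under the BSD 2-Clause License
------------------------------------------------------------------------------------
This distribution has a binary dependency on jersey, which is available under the EPLv2
"""

SAMPLE_TAR_LISTING = [
    "kafka_2.13-0.0.0/LICENSE",
    "kafka_2.13-0.0.0/libs/kafka-clients-0.0.0.jar",   # our own artifact, ignored below
    "kafka_2.13-0.0.0/libs/zstd-jni-0.0.0.jar",        # matches its notice exactly
    "kafka_2.13-0.0.0/libs/jersey-server-0.0.0.jar",   # notice says "jersey", jar says "jersey-server"
    "kafka_2.13-0.0.0/libs/example-codec-0.0.0.jar",   # constructed: no notice at all
]

if __name__ == "__main__":
    missing, stale = audit(SAMPLE_LICENSE_BINARY, SAMPLE_TAR_LISTING,
                           ignore_prefixes=("kafka",))
    for name in missing:
        print(f"MISSING notice for bundled jar: {name}")
    for name in stale:
        print(f"STALE notice with no bundled jar: {name}")
    raise SystemExit(1 if missing or stale else 0)
```

Run against a real release by feeding it the LICENSE-binary text and the output of `tar tzf` on the release tarball; a non-zero exit is what a CI job would gate on. The sample deliberately contains the "jersey" versus "jersey-server" mismatch, because a notice that names a project rather than the shipped artifact is exactly the case an exact-name check has to surface rather than silently accept.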
@@ -200,350 +200,3 @@ | |||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
See the License for the specific language governing permissions and | |||
limitations under the License. | |||
|
|||
------------------------------------------------------------------------------------ | |||
This distribution has a binary dependency on jersey, which is available under the EPLv2 |
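Review bot: the header `@@ -200,350 +200,3 @@` replaces 350 lines with 3, so everything from the jersey notice downward is removed from the source-distribution LICENSE; before merging, confirm that each removed dependency notice reappears in LICENSE-binary rather than disappearing from the release altogether, since the removal itself does not show where the entries went.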
This doesn't belong in the source-distribution license.
You may add additional accurate notices of copyright ownership. | ||
|
||
------------------------------------------------------------------------------------ | ||
This distribution has a binary dependency on zstd, which is available under the BSD 3-Clause License as described below. |
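Review bot: this entry names `zstd` under the BSD 3-Clause License while the following entry names `zstd-jni` under BSD 2-Clause; if only one artifact is actually shipped, the `zstd` entry is either redundant or needs to say which artifact it covers, otherwise a reader cannot tell whether two different libraries are bundled.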
This is not a binary dependency.
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
|
||
------------------------------------------------------------------------------------ | ||
This distribution has a binary dependency on zstd-jni, which is available under the BSD 2-Clause License |
This doesn't belong in the source-distribution license.
|
||
You may add additional accurate notices of copyright ownership. | ||
|
||
------------------------------------------------------------------------------- |
Everything below this line is correct, to the best of my knowledge. I would greatly appreciate anyone double-checking me here.
|
||
--------------------------------------- | ||
Eclipse Distribution License - v 1.0 | ||
see: licenses/eclipse-distribution-license-1.0 |
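Review bot: the referenced path `licenses/eclipse-distribution-license-1.0` follows a different naming convention from the `licenses/BSD-2-clause`, `licenses/BSD-3-clause` and `licenses/MIT` files added elsewhere in this PR; pick one convention for the whole licenses/ directory so that every `see:` reference can be checked against an existing file by eye.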
These files are also included in this PR.
@@ -967,7 +967,7 @@ project(':core') { | |||
compression = Compression.GZIP | |||
from(project.file("$rootDir/bin")) { into "bin/" } | |||
from(project.file("$rootDir/config")) { into "config/" } | |||
from "$rootDir/LICENSE" | |||
from "$rootDir/LICENSE-binary" rename {String filename -> filename.replace("-binary", "")} |
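Review bot: the header `@@ -967,7 +967,7 @@` shows `from "$rootDir/LICENSE"` being swapped one-for-one for `from "$rootDir/LICENSE-binary" rename {...}`, so the tarball's LICENSE is now the binary variant and the repository's own LICENSE is no longer copied; add a one-line comment above the `from` saying so, because once inside the archive the renamed file is indistinguishable from the source LICENSE. The rename closure replaces every `-binary` in the filename rather than a suffix, which is harmless for this single name but worth keeping in mind if more files are ever routed through it.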
I verified that we get the binary license bundled as LICENSE when we run `./gradlewAll releaseTarGz`
licenses/BSD-2-clause
@@ -0,0 +1,8 @@ | |||
Copyright <YEAR> <COPYRIGHT HOLDER> |
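Review bot: `Copyright <YEAR> <COPYRIGHT HOLDER>` is committed as a literal template line; if this file is meant as one shared copy of the BSD-2-Clause text referenced from LICENSE-binary rather than a per-dependency copy, replace the placeholder with a short header stating that the copyright line is supplied by each dependency's own notice, so a reader does not mistake the angle-bracket placeholders for a value that was forgotten.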
This seems like we might have to bring in a complete copy of this license for each dependency, since their copyright lines are obviously different. Is that right? It seems a bit excessive.
I took a look at Hadoop, and it's not what they do, but that's no guarantee of correctness.
licenses/BSD-3-clause
@@ -0,0 +1,9 @@ | |||
Copyright <YEAR> <COPYRIGHT HOLDER> |
Ditto here.
licenses/MIT
@@ -0,0 +1,7 @@ | |||
Copyright <YEAR> <COPYRIGHT HOLDER> |
Ditto here as well.
Hey @ableegoldman and @mimaison, since you're also both blocked on this, would you mind giving these changes a double-check?
@@ -0,0 +1,14 @@ | |||
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
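Review bot: the hunk shows the full text of this license but nothing in it says which bundled artifact carries it; the matching LICENSE-binary entry should name that dependency in the same `This distribution has a binary dependency on ...` form used for zstd-jni so that the reference can be audited.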
😂
Yeah, I'm a little embarrassed to have this in our dependencies. ¯\_(ツ)_/¯
To the extent of my understanding, this LGTM. I've seen some places assert that you need the exact licensing text word-for-word of each dependency, while others indicate that it's fine to combine common licensing with slight textual differences into a single one, provided it doesn't lose any information in the original licenses. But it certainly doesn't hurt to list each copy, better safe than sorry I guess.
Thanks again for all your help in sorting this out
> - Note my questions regarding the copyright line in BSD and MIT... It doesn't seem necessary to include copyright notices with a binary dependency, since (AFAIK) copyright applies to the text of the source code, not the compiled program code. But that's based on a very sketchy understanding of the legal foundations here.
BSD specifically calls out preserving copyright in both source and binary forms. Binaries are copyrightable, otherwise proprietary software wouldn't be protected.
> - Many of our dependencies list multiple licenses. I think this means we can just pick which one we want to use. Is that right? I preferred to use Apache2 where available, and otherwise to minimize the number of new licenses that we pull in (under the assumption that that will help our users analyze their legal standing).
For dual-licensed files, yes, we can choose which license to use (which can e.g. come into play re: ability of Apache to redistribute it). As long as they are acceptable licenses for Apache, it also doesn't hurt to mention both for the sake of downstream users' freedom to choose a license that works best for them.
LICENSE-binary
limitations under the License. | ||
|
||
------------------------------------------------------------------------------------ | ||
This distribution has a binary dependency on jersey, which is available under the EPLv2 |
Jersey is EPL or GPL2+classpath; you might be able to simplify this with GPL2+classpath (which is basically LGPL, just from before LGPL existed). Also, what is the difference between this, where we put the license here, vs. everything below?
Oy, I meant to strip off these extra license texts from the bottom of the Apache2 license. I must have gotten a couple and missed the rest.
Fixes the LICENSE files that we ship with our releases:
* the source-distribution license included wrong and unnecessary dependencies
* the binary-distribution license was missing most of our actual dependencies

Reviewers: A. Sophie Blee-Goldman <ableegoldman@apache.org>, Ewen Cheslack-Postava <ewencp@apache.org>, Justin Mclean <jmclean@apache.org>