@lucasgonze
Last active June 20, 2023 17:04
Open Source Attribution How-To

Attribution requirements are a common feature of open-source licenses, but exactly when and how to do attribution are left to the implementor's judgement. I have done it wrong many times. In the spirit of doing one small thing well, I have researched and compiled guidelines. These are for my own use, for my OSPO consulting clients, and for any potential reader.

Open Source Attribution How-To

  • Avoid redistribution. Prefer package managers.
    • When you must redistribute, include a comprehensive copy with the license, notice, and all source code.
  • Have a LICENSE file for your own license.
    • Limit the license file to your own package. No other package should be mentioned.
    • Use a standard license that has not been modified in any way except for your copyright statement.
  • Have a NOTICE file to attribute any component that has been redistributed - and no others.
    • Redistribution occurs in the following forms:
      • Copies of source code, including declarations of function headers
      • Libraries that have been statically linked with your binary
      • Libraries that will be dynamically linked, but only if your distribution incorporates a binary copy of the library. If your program is relying on the operating system to provide a shared library, it is out of scope.
    • For each attribution, include the name, the copyright statement, and the license.
      • Include a full copy of each license. Only have one copy. (Some licenses require copies, not links. Incorporating licenses by name creates ambiguity about which version of the license.)
      • Link to the project home page if possible.
    • At the top of your notice file include your own copyright statement.

Examples

The Prometheus project has its NOTICE file online at https://github.com/prometheus/prometheus/blob/main/NOTICE. Highlights:

  • The name of the file is NOTICE. It does not have any extension. It is all uppercase.
  • The beginning lines are the copyright statement:

        The Prometheus systems and service monitoring server
        Copyright 2012-2015 The Prometheus Authors

  • Third-party attributions are prefaced with:

        The following components are included in this product:

  • Each third-party attribution is in the form:

        Bootstrap
        https://getbootstrap.com
        Copyright 2011-2014 Twitter, Inc.
        Licensed under the MIT License

The link to the project home page is not a legal requirement but is useful.

The license is included by name. This is a mistake because it creates ambiguity and because some licenses require full copies.

Acknowledgements and Links

In compiling these guidelines I have had conversations with a number of people. I documented some in a gist. Most importantly, Van Lindberg and I had two long conversations; his write-up takes a more explanatory angle that is complementary to this step-by-step how-to.

In the Indieweb POSSE spirit, I have published this to two locations:
