
@zicklag
Last active April 30, 2024 17:16
Common Open Source License Obligations - NOT LEGAL ADVICE

NOT LEGAL ADVICE, THIS INTERPRETATION MAY BE INCORRECT


Common License Obligations

Observations on common license obligations: what must be accounted for when distributing an application built on open-source software released under various licenses.

Apache-2.0

Must give a copy of the license.

  • This "license" is defined as "the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document."
  • This notably doesn't include the copyright statement, except in source distributions.
  • Which means binary distributions don't need to include the copyright notice, just the license.
  • The caveat is that if there is a NOTICE text file in the distribution, you must include those notices in your 3rd party notices, even for binary distributions.

Zlib

Doesn't require attribution except in source distributions.

MIT

Must include the terms and the copyright.

  • This doesn't necessarily mean you need the exact file unchanged, as long as it includes the copyright statement and the "permission notice", which is the license text.

BSD-2-Clause

Essentially the same as MIT: must include the copyright and the terms of the license.

BSD-3-Clause

Essentially the same as BSD 2-Clause.

Unicode-DFS-2016

The license and the included copyright (which is always the same, because it is specific to Unicode) must be included in the documentation.

MPL-2.0

You must ensure that the user can get to the source code of the MPL-licensed work, and you may not remove copyright or license notices from the source code. This can be satisfied simply by providing a link to the MPL-licensed package.


Summary

In a project including dependencies with all of the above licenses, the minimal requirements to satisfy all obligations, ASSUMING YOU DON'T MODIFY THE DEPENDENCIES, are:

  • Provide a link to the source code (satisfies MPL)
  • Include the standardized license text from the SPDX license repository for each detected license type (satisfies Unicode, most of Apache, and the terms portions of MIT and BSD)
  • Include any copyright statements associated with the software licenses (satisfies the copyright portions of MIT and BSD)
  • Include the contents of any NOTICE files distributed with the source dependency (satisfies the final requirement of Apache)

That means that one proper attribution form would be an HTML file containing:

  • A table with a row for every dependency and the following columns: Name, Package URL, License ID, Notices (containing all copyrights, authors, and notices found)
  • A list of the official license texts from the SPDX license list for all of the licenses used.

It may be worth updating the list to check whether there are extra obligations when distributing binary builds in which the included dependencies have been modified.
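As an added example that is not part of the gist, a small Python generator for exactly that attribution form. It assumes a constructed dependency list (placeholder package names and package URLs) and placeholder strings standing in for the official SPDX license texts; it refuses to emit a file that lacks a license text or a package URL, and escapes notice text, since notices are third-party input landing in your HTML.

```python
import html
from dataclasses import dataclass, field

@dataclass
class Dependency:
    name: str
    purl: str          # package URL; also serves as the link to the source (MPL)
    license_id: str    # SPDX identifier, e.g. "Apache-2.0"
    notices: list = field(default_factory=list)  # copyrights, authors, NOTICE text

def build_attribution_html(deps, license_texts):
    """Render the attribution form described above: one table row per dependency,
    then the official text of every license used. Refuses to emit a file that
    lacks a license text or a package URL, rather than ship incomplete notices."""
    used = sorted({d.license_id for d in deps})
    missing = [lid for lid in used if lid not in license_texts]
    if missing:
        raise ValueError(f"no SPDX license text for: {', '.join(missing)}")
    no_link = [d.name for d in deps if not d.purl]
    if no_link:
        raise ValueError(f"no package URL for: {', '.join(no_link)}")
    rows = []
    for d in sorted(deps, key=lambda d: d.name.lower()):
        # Notice text comes from third parties: escape it before it lands in HTML.
        notices = "<br>".join(html.escape(n) for n in d.notices) or "(none)"
        rows.append(f"<tr><td>{html.escape(d.name)}</td><td>{html.escape(d.purl)}</td>"
                    f"<td>{html.escape(d.license_id)}</td><td>{notices}</td></tr>")
    sections = [f"<h2>{html.escape(lid)}</h2><pre>{html.escape(license_texts[lid])}</pre>"
                for lid in used]
    return ("<!doctype html><html><body><h1>Third-party notices</h1><table>"
            "<tr><th>Name</th><th>Package URL</th><th>License ID</th><th>Notices</th></tr>"
            + "".join(rows) + "</table><h1>License texts</h1>" + "".join(sections)
            + "</body></html>")

# Constructed sample data: placeholder package names, URLs and license texts.
SAMPLE_DEPS = [
    Dependency("example-zlib-lib", "pkg:cargo/example-zlib-lib@1.0.0", "Zlib"),
    Dependency("example-mit-lib", "pkg:cargo/example-mit-lib@2.1.0", "MIT",
               ["Copyright (c) 2020 Example Author <author@example.com>"]),
    Dependency("example-apache-lib", "pkg:cargo/example-apache-lib@0.3.0", "Apache-2.0",
               ["Copyright 2021 Example Org", "NOTICE: includes code from Example Project"]),
    Dependency("example-mpl-lib", "pkg:cargo/example-mpl-lib@4.0.0", "MPL-2.0"),
]
SAMPLE_LICENSE_TEXTS = {lid: f"[placeholder for the official SPDX text of {lid}]"
                        for lid in ("Zlib", "MIT", "Apache-2.0", "MPL-2.0")}

if __name__ == "__main__":
    print(build_attribution_html(SAMPLE_DEPS, SAMPLE_LICENSE_TEXTS))
```

In a real build, replace the placeholder texts with the license files from the SPDX license list and feed the dependency list from your package manager's metadata.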
