Observations on common license obligations: what you need to account for when distributing an application built on open-source software under various licenses.
Must give a copy of the license.
- This "license" is defined as "the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document."
- This notably doesn't include the copyright statement, except in source distributions.
- Which means binary distributions don't need to include the copyright notice, just the license.
- The caveat is that if there is a NOTICE text file in the distribution, you must include those notices in your 3rd party notices, even for binary distributions.
Doesn't require attribution except in source distributions.
Must include the terms and the copyright.
- This doesn't necessarily mean you need the exact file unchanged, as long as it includes the copyright statement and the "permission notice", which is the license text.
Essentially the same as MIT: must include the copyright and the terms of the license.
Essentially the same as BSD 2-Clause.
The license and the included copyright ( which is always the same because it's specific to Unicode ) must be included in documentation.
You must ensure that the user can get to the source code of the MPL licensed work, and you may not remove copyright or license notices from the source code. This can be satisfied simply by providing a link to the MPL licensed package.
In a project including dependencies with all of the above licenses, the minimal requirements to satisfy all obligations, ASSUMING YOU DON'T MODIFY THE DEPENDENCIES, is:
- Provide a link to the source code ( satisfies MPL )
- Include the standardized license text from the SPDX license repository for each detected license type ( satisfies Unicode, most of Apache, and the terms portions of MIT and BSD )
- Include any copyright statements associated with the software licenses ( satisfies the copyright portions of MIT and BSD )
- Include the contents of any NOTICE files distributed with the source dependency ( satisfies the final requirement of Apache )
That means that one proper attribution form would be an HTML file containing:
- A table with a row for every dependency and the following columns: Name, Package URL, License ID, Notices ( containing all copyrights, authors, and notices found )
- A list of the official license texts from the SPDX license list for all of the licenses used.
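One way to generate the attribution file described above, as an added example that is not part of the original notes. The function name, record fields, package names and URLs are hypothetical, and the license texts are placeholders for the real SPDX texts; notices are HTML-escaped because they come from third-party packages.

```python
import html

# Per the notes above, these licenses need the copyright statement included.
NEEDS_COPYRIGHT = {"MIT", "BSD-2-Clause", "BSD-3-Clause"}

def build_attribution(deps, license_texts):
    """Return (html_page, problems); deps hold name, url, license (SPDX ID), notices."""
    esc = html.escape  # notices come from third-party packages: treat as untrusted
    rows, problems = [], []
    for d in sorted(deps, key=lambda d: d["name"].lower()):
        if d["license"] in NEEDS_COPYRIGHT and not d["notices"]:
            problems.append(f"{d['name']}: no copyright statement for {d['license']}")
        rows.append(
            f"<tr><td>{esc(d['name'])}</td>"
            f"<td><a href=\"{esc(d['url'])}\">{esc(d['url'])}</a></td>"
            f"<td>{esc(d['license'])}</td>"
            f"<td><pre>{esc(chr(10).join(d['notices']))}</pre></td></tr>"
        )
    sections = []
    for lic in sorted({d["license"] for d in deps}):  # one text per license type
        if lic not in license_texts:
            problems.append(f"{lic}: license text missing")
            continue
        sections.append(f"<h2>{esc(lic)}</h2>\n<pre>{esc(license_texts[lic])}</pre>")
    page = (
        "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
        "<title>Third-party notices</title></head><body>\n"
        "<table>\n<tr><th>Name</th><th>Package URL</th>"
        "<th>License ID</th><th>Notices</th></tr>\n"
        + "\n".join(rows) + "\n</table>\n" + "\n".join(sections) + "\n</body></html>\n"
    )
    return page, problems

# Constructed sample data: package names, URLs and notices are placeholders.
SAMPLE_DEPS = [
    {"name": "example-http", "url": "https://example.com/example-http",
     "license": "Apache-2.0", "notices": ["Contents of NOTICE: <Example Project>"]},
    {"name": "example-json", "url": "https://example.com/example-json",
     "license": "MIT", "notices": ["Copyright (c) 2020 Example Author"]},
    {"name": "example-util", "url": "https://example.com/example-util",
     "license": "MIT", "notices": []},
    {"name": "example-mpl", "url": "https://example.com/example-mpl",
     "license": "MPL-2.0", "notices": []},
]
SAMPLE_TEXTS = {"Apache-2.0": "(Apache-2.0 text placeholder)", "MIT": "(MIT text placeholder)"}

if __name__ == "__main__":
    page, problems = build_attribution(SAMPLE_DEPS, SAMPLE_TEXTS)
    print(page, "\n".join(problems), sep="\n")
```

Treat a non-empty problems list as a build failure so a release cannot ship with a missing copyright statement or license text.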
It may be worth updating the list to see if there are extra obligations when distributing binary builds when included dependencies have been modified.