What is the best practice for arranging third-party library licenses “paperwork”?
-
03-10-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am developing a small open source project. The application uses many third-party libraries released with a range of licenses: Apache, MIT, BSD, LGPL and CDDL.
Each of these licenses has its own “paperwork” requirements. For example, the Apache License, v2.0 says:
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file.
The MIT license contains a copyright notice and says:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
The BSD license also contains a copyright notice and says:
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
LGPL v.3 says:
(You should) give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License.
LGPL and CDDL licenses also require supplying the source code along with a binary form of a library, so the information on the way in which the source code can be obtained should be provided somewhere.
What is the best practice for arranging all this data? Should I create a text file and copy the content of all NOTICE files, MIT and BSD licenses etc. into that file? ... or should I create a separate directory for each library and put all data related to the library to that directory? … or something else?
It would also be interesting to see any examples of this “paperwork” in published projects.
UPDATE:
I have read Do you have to include a license notice with every source file?, but it does not address my problem. My question is about third-party libraries that are used in a project, and that question is about headers in the project's own source code.
Solution
First, the standard disclaimer: IANAL but a random stranger.
I have been packaging an AGPL application(*) recently. It uses third party libraries distributed under jQuery, MIT, BSD (and some other) licenses. Here is how I have proceeded.
My main intents when I designed this were: be compliant and be fair. While the first one should be sufficient, the second one ensures that whoever tries to sue me for not getting it 100% right has to admit I have done things in good faith.
1) Source files: all my files have the AGPL header. All 3rd party files are left (mostly) unmodified, and therefore include their own license header.
2) LICENSE.txt, at the root of the package, contains the AGPL license text (as explained in the "How to Apply These Terms to Your New Programs" section).
3) A secondary license file, which I named LICENSE-3RD-PARTY.txt, also located at the root of the package, contains verbatim copies of ALL licenses. For each license, a header states which license it is, and which part it applies to. I also include the name of the copyright holders here - I reuse them somewhere else afterwards so it's worth the effort.
-----------------------------------------------------------------------------
The MIT License (MIT)
applies to:
- AJAX Upload, Copyright (c) Andrew Valums
- jQuery hashchange event, Copyright (c) 2010 "Cowboy" Ben Alman
- jquery.hotkeys, Copyright (c) 2010 John Resig
-----------------------------------------------------------------------------
Permission is hereby granted, free of charge [...]
4) README.txt, also at the root, explains that the software is AGPL (see LICENSE.txt) and uses third party libraries that are distributed under their own terms (see LICENSE-3RD-PARTY.txt)
5) In the on-line documentation, I have a License page that repeats the information from the readme: my software is AGPL, and it uses 3rd party components that are BSD/MIT/[...]. I have decided to keep this page cleaner and more readable, therefore only the name of the license is provided, with a link to the full text, and the name of the copyright holders with a link to their own website.
jQuery
Copyright 2013 jQuery Foundation and other contributors
http://jquery.com
MIT License
Data Driven Documents (D3)
Copyright (c) 2013, Michael Bostock <-- link to personal website, if any
http://d3js.org <-- link to software website
BSD-like license <-- link to license full text
[...]
6) Also in the on-line documentation, I have a Credits page, where I list the direct and indirect main contributors. I have for instance cited the PostgreSQL group, although PostgreSQL is not included in the download, but you need it to run the software. This would be a good place to place all acknowledgements that are either required or desired by the authors of 3rd party tools/libraries/etc.
7) Inside the software itself, the list of libraries along with the license and copyright holders, is repeated in the About dialog box.
To address your specific questions regarding inclusion of source code and file layout:
it is generally accepted to only link to the full source code of 3rd party packages. Consult each specific license to be sure, but IMHO providing the link should be enough. For instance, if you use a minified version of a library, you can provide the link to the standard download and be fine.
unless the 3rd party component explicitly demands that distributions keep the file layout identical, you can re-arrange things as you wish. Imagine you use web libraries, having each a css/ and a js/ directory, you can merge them together into a single lib/ directory, containing merged css/ and js/, or even scatter them all around your source tree - your choice.
And as a final note, I would more than welcome commenters who wave a hand saying "you are doing this wrong" and/or "you should also do that".
(*) This is not intended to be spam linking, but just to answer the "please provide examples" part of the question. Feel free, dear mods, to clear this link if this is against the rules.
