This document is a "how to" guide aimed at Apache Committers assembling
LICENSE and NOTICE files for an Apache product.
LICENSE and NOTICE files¶The LICENSE file communicates the licensing of all content in an Apache
product distribution. It always contains the text of the Apache License, and
sometimes more.
The NOTICE file is described in section 4.4 of the Apache License version
2.0. It
presence is not mandated by the license itself, but by ASF
policy.
The complete requirements for LICENSE and NOTICE are described
elsewhere.
The LICENSE and NOTICE files must
exactly represent the contents of the distribution they reside in.
Only bits that are actually included in a distribution have any bearing on the content of NOTICE and LICENSE.
LICENSE and NOTICE belong at the top level of the source
tree. They may
be named LICENSE.txt and NOTICE.txt, but the bare names are
preferred.
For a source tree which consists entirely of code licensed to the ASF by the
copyright holders and which has no bundled dependencies, LICENSE should
contain the text of the ALv2 --
no more, no less.
NOTICE should contain only the following
text, adapted with the
product's name and copyright dates:
Apache [PRODUCT_NAME] Copyright [XXXX-XXXX] The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
To assemble LICENSE and NOTICE files from scratch for products with more
complex requirements, follow these steps:
Start with boilerplate LICENSE and NOTICE files, as above.
Add any mandatory legal notifications specific to the IP of
your product to NOTICE.
For any dependency whose bits are bundled,
consider whether LICENSE and NOTICE need to be modified. (DO NOT
modify LICENSE or NOTICE for dependencies whose bits are not bundled.)
Bundling a dependency which is issued under one of the following licenses is straightforward, assuming that said license applies uniformly to all files within the dependency:
In LICENSE, add a pointer to the dependency's
license within the distribution and a short note summarizing its licensing:
This product bundles SuperWidget 1.2.3, which is available under a "3-clause BSD" license. For details, see deps/superwidget/.
Under normal circumstances, there is no need to modify NOTICE.
NOTE: It's also possible to include the text of the 3rd party license within the LICENSE file. This is best reserved for short licenses. It's important to specify the version of the dependency as licenses are sometimes changed.
There are a number of other "permissive" licenses which are
approved for use
by the ASF Legal Affairs Committee. Some of these may require additions to
NOTICE -- if in doubt,
ask.
Assuming once again that that the bundled dependency itself contains no bundled
subcomponents under other licenses and thus the ALv2 applies uniformly to all
files, there is no need to modify LICENSE. However, for completeness it is useful
to list the products and their versions, as is done for products under other licenses.
If the dependency supplies a NOTICE file, its contents must be analyzed and
the relevant portions bubbled up into the top-level NOTICE file.
It is not necessary to duplicate the line "This product includes software
developed at the Apache Software Foundation...", though the ASF copyright line
and any other portions of NOTICE must be considered for propagation.
NOTICE is reserved for a certain subset of legally required notifications
which are not satisfied by either the text of LICENSE or the presence of
licensing information embedded within the bundled dependency. Aside from
Apache-licensed dependencies which supply NOTICE files of their own, it is
uncommon for a dependency to require additions to NOTICE.
Copyright notifications which have been
relocated from source
files (rather than removed) must be preserved in NOTICE. However, elements
such as the copyright notifications embedded within BSD and MIT licenses
need
not be duplicated in
NOTICE -- it suffices to leave those notices in their original locations.
It is important to keep NOTICE as brief and simple as possible, as each
addition places a burden on downstream consumers.
Do not add anything to NOTICE which is not legally required.
LICENSE and NOTICE must always be tailored to the content of the specific
distribution they reside within. Dependencies which are not included in the
distribution MUST NOT be added to LICENSE and NOTICE. As far as LICENSE
and NOTICE are concerned, only bundled bits matter.
Example: If the only difference between apache-foo-1.0.tgz and
apache-foo-1.1.tgz is that one bundles SuperWidget while the other forces
users to download SuperWidget separately, then LICENSE and NOTICE may very
well need to be modified to account for the different bundled bits.
Dependencies of dependencies (including so-called "transitive dependencies")
are no different from first-order dependencies for the purposes of assembling
LICENSE and NOTICE: LICENSE and NOTICE need only be modified to
accommodate them if and only if their bits are bundled.
What applies to canonical source distributions also applies to all redistributions, including binary redistributions:
Any redistribution must obey the licensing requirements of the contents.
The best way to do that will likely depend on the binary packaging form.
When assembling binary distributions, it is common to pull in and bundle
additional dependencies which are not bundled with the source distribution.
These additional dependencies must be accounted for in LICENSE and NOTICE.
As a result, the LICENSE and NOTICE files for a binary distribution may
well differ from those in the source distribution it was built from.
In any case, the principle remains the same: LICENSE and NOTICE must
exactly represent the contents of the distribution they reside in.