This is an automated archive made by the Lemmit Bot.
The original was posted on /r/opensource by /u/AtonementCrystals on 2023-09-01 19:53:59.
FINAL DECISION:
After considering the options for which open-source license which I felt best fit my usecase, preferences, and needs (MIT, Apache 2.0, or LGPLv3), I decided to go with the Apache license as it is both highly permissive and provides necessary copyright and patent protections. And, after looking at multiple GitHub repos which utilize the Apache license, I have determined that a NOTICE file in the source code itself only necessary if you write code for the Apache Software Foundation (ASF). Otherwise, for a Java project using Maven, simply utilizing the ApacheNoticeResourceTransformer is sufficient for generating the appropriate NOTICE file in my project’s jar when bundling ASF dependencies.
Please see the addendum at the bottom of this post regarding my findings with regards to my question as to the definition of what what legally constitutes a derivative work in terms of software, and how the Apache and GPL licenses fundamentally differ in this regard.
ORIGINAL POST:
I’m planning to publish my in-progress work of a programming project to Github soon, and I’d like to apply a permissive open-source license to it. It is an interpreter for an original programming language I have designed. It is written in Java and its build is managed by Maven. It has a few dependencies, which use the following licenses:
Apache License 2.0:
Eclipse Public License 2.0:
The 3-Clause BSD License:
As far as I can tell, these are all generally permissive open-source licenses. Which I’m assuming means I can generally apply whatever license I want to my project which utilizes these projects as dependencies. I’m leaning towards the MIT license, as it seems to be the simplest, most permissive, and is by far the most commonly used. But I want to make sure I’m doing this right, and that it is within my rights to use said dependencies with their licenses listed above and apply this other license (or a similar one) to my project.
But one caveat is that I use the maven-shade-plugin, which bundles all dependencies together into one final executable jar. This seems to sense from a distribution perspective as it simplifies the steps needed to take for anyone who desires to use my program. But I don’t understand if or how this complicates the situation with regard to these dependencies’ licenses.
All that being said, I have a few specific questions related to this. But if anyone in the know can please help explain to me specific expectations and steps to follow so as to properly do this, I would certainly appreciate it. I.e.: what exactly is expected to go into the into the LICENSE and NOTICE files? And, do I need to also somehow include or refer to the licenses of all or some of my dependencies somewhere in my project and distributed artifact, as well?
- Some licenses refer to “derivative works” and provide a definition. But I still feel uncertain as to what exactly this entails. What generally is a derivative work in terms of software? Is any project that uses X as a dependency, aka as an imported library or module, necessarily a derivative work of X? Or is this only for direct forks of a project where you directly modify the source code of X, and then use or distribute that modified copy?
- To my understanding, the Apache license wants a NOTICE file which contains a list of copyright info for each project using the license, and a copy of the Apache license somewhere (?) as well. There is a plugin which scans Maven dependencies for Apache notices and generates an output file in the assembled jar.
I presume this output to be adequate for any dependencies utilizing the Apache license. But do any other of the licenses I linked above require something added to this NOTICE file?
Also, they have a line in their license stating:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License;
Does this mean using an Apache package as a dependency in my project where I distribute a bundled artifact means I need to include their full license somewhere in my project, as well? If so, what is the standard way to do so?
- The Eclipse license has a section about “secondary licenses” that is confusing and I don’t understand if it applies to simply using a dependency that is licensed under the Eclipse license.
Exhibit A - Form of Secondary Licenses Notice
“This Source Code may also be made available under the following Secondary Licenses when the conditions for such availability set forth in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), version(s), and exceptions or additional permissions here}.”
Simply including a copy of this Agreement, including this Exhibit A is not sufficient to license the Source Code under Secondary Licenses.
If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice.
You may add additional accurate notices of copyright ownership.
Does this somehow limit what kind of license a project that uses this dependency can select for itself? What even is a secondary license? I’m hoping this does not apply as I’m not distributing or modifying the project’s original source code. But once again, I’m not sure if distributing a bundled artifact means I have to somehow abide by this.
The Eclipse license also mentions the following:
3.1 If a Contributor Distributes the Program in any form, then:
b) the Contributor may Distribute the Program under a license different than this Agreement, provided that such license:…
Which seems to suggest that distributing this library in a bundled artifact means you can use another license, granted it fits into its terms. But which licenses would generally abide by those terms I can only guess to, but not be 100% certain.
- The BSD license states the following:
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Which I presume includes the situation of a bundled artifact. So then I’m wondering if this means including the entire BSD license somewhere? Or does it mean a shorter blurb that perhaps should instead be included in the same NOTICE file that the Apache license mandates?
Addendum: Regarding Derivative Works
The general consensus in the comments is that simply using a library does not make a project a derivative work of that library. Meanwhile, a derivative work would clearly be something akin to forking a project, adding your modifications to its code base, and then publishing that as your own project.
The GPL and Apache licenses fundamentally disagree in this respect. GPL asserts that simply using a library makes your project a derivative work of said library. While the Apache license asserts that it does not.
Exhibit 1: GPL’s Stance on Derivative Works
According to this old article from GNU, the author claims that simply using a library in a Java program makes said program a derivative work of that library:
The typical arrangement for Java is that each library an application uses is distributed as a separate JAR (Java Archive) file. Applications use Java’s “import” functionality to access classes from these libraries. When the application is compiled, function signatures are checked against the library, creating a link. The application is then generally a derivative work of the library. So, the copyright holder for the library must authorize distribution of the work. The LGPL permits this distribution.
Exhibit 2: Compatibility of Apache and GPL Licenses
Apache has a note regarding compatibility of code licensed under the Apache and GPL licenses:
Apache 2 software can therefore be included in GPLv3 projects, because the GPLv3 license accepts our software into GPLv3 works. However, GPLv3 software cannot be included in Apache projects. The licenses are incompatible in one direction only, and it is a result of ASF’s licensing philosophy and the GPLv3 authors’ interpretation of copyright law.
This licensing incompatibility applies only when some Apache project software becomes a derivative work of some GPLv3 software, because then the Apache software would have to be distributed under GPLv3. This would be incompatible with ASF’s requirement that all Apache software must be distributed under the Apache License 2.0.
We avoid GPLv3 software because merely linking to it is considered by the GPLv3 authors to create a derivative work. We want to honor th…
Content cut off. Read original on https://old.reddit.com/r/opensource/comments/167e3i3/selecting_an_open_source_license_for_my_project/