Revise guidelines for NOTICE files in legal document guidelines
@wbeaton
Submitted by Wayne Beaton
Link to original bug (#527696)
Description
We've put some additional thought into what sort of information needs to be represented in NOTICE files. At this point, we believe that there are actually two "flavours" of notice. The primary, or "Master", notice file is located in the root of all project source code repositories, and "Distribution" notice files are packaged in the project's distribution form (e.g. JAR files).
The "Master" notice file provides information that pertains to the entire project:
- Basic project metadata (name, URLs, location of source, etc.);
- Description of the project's declared license(s);
- Copyright information;
- Description of third party content; and
- (when cryptographic software is present) A cryptography statement.
The "Distribution" notice files are specific to the content that they include (e.g. information that is specific to the source that produces a particular JAR file):
- Basic project metadata (as above);
- Description of the content's licensing (may be different from the project's declared license(s));
- A description of where to find the copyright information; and
- (when cryptographic software is present) A cryptography statement.
If, for example, a JAR file includes only project code, the NOTICE file would describe the project's declared license(s). If a JAR file includes only third party content, then the NOTICE file would describe the license of that third-party content. In the case where a JAR file includes a mixture of project code and third party content, the license statement would be more complex.
Note that the terms of the licenses must be observed. If a license requires that the actual text of the license be included with the distribution, then include it.
Most projects will likely have several "Distribution" notice files; it is likely that most of them will have exactly the same content. This is very similar in concept to what projects do with "about.html" files in Eclipse Platform Plug-ins.
Copyright information must be captured in the source; either in the file headers for individual source files, or in aggregate in the "Master" NOTICE file (or both).
As it would be far too onerous to do so, project teams are not required to break copyright statements into specific individual distribution artifacts. The copyright statement in a "Distribution" notice file can refer back to the "Master" notices as found in the root of the project source.
Note that we understand that this information is captured (and is generally more complete) in Git. The Git repository is a moving target: repositories move, tags get deleted or changed, we may move to a different source code management system in the future, etc. The copyright information must be captured indefinitely and so must be captured in the code itself. This has the added benefit of being more readily accessible for legal review by adopters.
Note also that the copyright holder is very often not the same as the author. It is relatively easy to capture author information, but generally harder to map that to a company. The advice given to the Eclipse Foundation is that it is enough to list the authors as copyright holders (with affiliations indicated where possible).
The actual text of the project's declared license(s) is represented in a LICENSE file.
Note that the EF is working on a tool that generates at least some of this legal documentation. That tool is currently labeled as experimental and should be considered as a tool to help gather this sort of information, not an authoritative source.
e.g. https://www.eclipse.org/projects/tools/about.php?id=technology.dash