LICENSE and NOTICE issues

Open justinmclean opened this issue 3 years ago • 2 comments

Hi, I'm not involved in this project but I'm involved in the ASF and have reviewed 100s of releases there. I took a look at your LICENSE and NOTICE and noticed a number of things.

  • LICENSE is for license information not NOTICE. The NOTICE file has a large amount of license information.
  • The LICENSE and NOTICE should reflect the contents of the release, not its dependencies. NOTICE seems to list licenses of dependencies. This means that the binary and source releases may have different LICENSE and NOTICE files.
  • Files don't have Apache license headers.
  • I noticed a few files that have Kubernetes Apache headers also have a NetApp copyright notice added.
  • Some headers have "All Rights Reserved." which, while as I understand it has no legal standing, generally means that it's not open source software.
  • The software includes a GPL dependency that is not compatible with the Apache license.

This article on assembling LICENSE and NOTICE may help [1], or if you want I can assemble them for you. On the GPL issue please see [2][3].

  1. https://infra.apache.org/licensing-howto.html
  2. https://www.apache.org/legal/resolved.html#prohibited
  3. https://www.apache.org/licenses/GPL-compatibility.html

justinmclean, Jul 14 '22 09:07

Thanks @justinmclean for noticing and pointing out these problems! The NOTICE and LICENSE files are generated by a standard company process that we have to adhere to. If the process itself is wrong that may take more than a little effort to fix.

The smaller things you pointed out should be easy to fix, such as screwed up copyrights and missing license headers.

Most importantly, the GPL dependency in this case actually is compatible, because we don't link with that code, it's merely distributed in the docker image as a separate binary if you build the docker images. It's unfortunate that the NOTICES file does not distinguish between code our binaries link with and code that comprises the final docker images.

bswartz, Jul 19 '22 12:07

Thanks for the response. Some of the advice the ASF gives is certainly open to interpretation, and ASF policy has changed over time so differences could be due to that. It is a good idea to keep what goes in NOTICE to the required minimum as it impacts projects that use code from this project. The GPL dependency sounds like an optional dependency to me and thus would be fine. I was just surprised to see it mentioned in a source release.

justinmclean, Jul 20 '22 04:07