Apache 2.0 license incorrectly stated as "secondary license" to EPL 2.0 #5784

Closed
ohecker opened this issue Dec 10, 2020 · 5 comments · Fixed by #5795

ohecker commented Dec 10, 2020

With #3578 the project license was updated from dual licensed EPL-1.0 OR Apache-2.0 to EPL-2.0 OR Apache-2.0. This is correctly given in the NOTICE.txt file.
Nevertheless, the LICENSE file and header information in the source file state EPL-2.0 with Apache-2.0 as secondary license.
This is incorrect.

The license file and header information should be corrected to clearly state dual licensing instead of making use of a "secondary license"

joakime commented Dec 10, 2020

cc @waynebeaton for clarification of below ...

The NOTICE and LICENSE files are generated for us by Eclipse Legal, so I'm keen to trust those formats as-is.

Both of those have SPDX lines defined as ...

SPDX-License-Identifier: EPL-2.0
SPDX-License-Identifier: Apache-2.0

https://github.com/eclipse/jetty.project/blob/b9645a17373e4e9b7f30b6c0a07defcea2cb660b/LICENSE#L493-L494

https://github.com/eclipse/jetty.project/blob/b9645a17373e4e9b7f30b6c0a07defcea2cb660b/NOTICE.txt#L20-L28

So let's look at the source headers ...

For jetty-10.0.x branch, it's defined as a template in /header-template.txt

========================================================================
Copyright (c) ${copyright-range} Mort Bay Consulting Pty Ltd and others.

This program and the accompanying materials are made available under
the terms of the Eclipse Public License 2.0 which is available at
https://www.eclipse.org/legal/epl-2.0

This Source Code may also be made available under the following
Secondary Licenses when the conditions for such availability set
forth in the Eclipse Public License, v. 2.0 are satisfied:
the Apache License v2.0 which is available at
https://www.apache.org/licenses/LICENSE-2.0

SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
========================================================================

The SPDX-License-Identifier line has the "OR" designator, which looks fishy to me.

However, per https://spdx.dev/ids/ ...

Saying “this file is MPL/MIT” is ambiguous, and leaves recipients unclear about their compliance requirements. Saying “MPL-2.0 AND MIT“ or “MPL-2.0 OR MIT“ specifies precisely whether the licensee must comply with both licenses, or either license, when redistributing the file.

This seems to be the proper way to define that line as a single line.

Taking a look at the legal documentation generator for Eclipse projects at https://www.eclipse.org/projects/tools/documentation.php?id=rt.jetty

It defines the header for "rt.jetty" as ...

/********************************************************************************
 * Copyright (c) {date} {owner}[ and others]
 * 
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0 which is available at
 * https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
 * which is available at https://www.apache.org/licenses/LICENSE-2.0.
 * 
 * SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
 ********************************************************************************/

Which means the SPDX line isn't really at issue, it's the text above it.

How about we change our template to ...

Note: our template is generic and applies to multiple source file formats, not just java source (that's why it looks slightly different).

========================================================================
Copyright (c) ${copyright-range} Mort Bay Consulting Pty Ltd and others.

This program and the accompanying materials are made available under the
terms of the Eclipse Public License v. 2.0 which is available at
https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
which is available at https://www.apache.org/licenses/LICENSE-2.0.

SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
========================================================================

@waynebeaton

> The NOTICE and LICENSE files are generated for us by Eclipse Legal, so I'm keen to trust those formats as-is.

These may have been provided early in our adoption of SPDX. We certainly would not recommend having multiple SPDX-License-Identifier entries in a single file now.

We've since provided a documentation generator that makes use of SPDX expressions which describe how the licenses are combined ("AND" has a very different meaning than "OR" in a multiple license configuration; it helps to think of it from the consumer's perspective).

Note that the documentation generator is labeled as "EXPERIMENTAL". It does a generally good job, but has limitations. In this particular case, however, it seems to be getting the license expression right.

You're absolutely right that the notion of secondary licensing does not apply here.

Your final template looks fine to me.

joakime commented Dec 10, 2020

@waynebeaton thank you.

I just noticed that the top of the LICENSE file also has text about "secondary"

https://github.com/eclipse/jetty.project/blob/b9645a17373e4e9b7f30b6c0a07defcea2cb660b/LICENSE#L1-L8

That should probably be simplified to ...

This program and the accompanying materials are made available under the
terms of the Eclipse Public License v. 2.0 which is available at
https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
which is available at https://www.apache.org/licenses/LICENSE-2.0.

Either that, or remove that entire start section.
Effectively starting the LICENSE file at line 11 instead.

Which would make the resulting LICENSE file basically have ...

  1. The contents of EPL 2.0 license
  2. The contents of Apache 2.0 license
  3. The 2 SPDX-License-Identifier lines

With no other headers / fillers / footers present.

WDYT?

@waynebeaton

> WDYT?

Change it to a single SPDX-License-Identifier line and you get my +1

The SPDX-License-Identifier tells automated tools, like scancode (which is used by ClearlyDefined) what you mean. This makes it easier for folks to adopt your content and validate licensing compliance with tools.
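
A header check for the two problems raised in this thread, several SPDX-License-Identifier lines in one file and "Secondary Licenses" prose sitting next to a dual-license OR expression. This is an added example, not Jetty or Eclipse tooling; the function name, the finding codes and the abridged sample headers (constructed from the templates quoted above) are assumptions made for illustration.

```python
import re

# SPDX tag at the end of a line, whatever comment prefix precedes it.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)
# EPL-2.0 wording that signals the "Secondary Licenses" mechanism.
SECONDARY = re.compile(r"\bSecondary\s+Licenses?\b", re.IGNORECASE)


def check_header(text, expected="EPL-2.0 OR Apache-2.0"):
    """Return finding codes for one file's license header (empty list = clean)."""
    findings = []
    tags = SPDX_TAG.findall(text)
    if not tags:
        findings.append("missing-tag")
    elif len(tags) > 1:
        # Several tags leave it unstated whether the licenses combine as AND or OR.
        findings.append("multiple-tags")
    elif " ".join(tags[0].split()) != expected:
        findings.append("unexpected-expression")
    # Prose that invokes Secondary Licenses contradicts a plain dual-license OR.
    if SECONDARY.search(text) and any(" OR " in f" {t} " for t in tags):
        findings.append("secondary-prose-with-or")
    return findings


# Constructed samples, abridged from the headers quoted in this thread.
OLD_TEMPLATE = """\
This program and the accompanying materials are made available under
the terms of the Eclipse Public License 2.0 which is available at
https://www.eclipse.org/legal/epl-2.0

This Source Code may also be made available under the following
Secondary Licenses when the conditions for such availability set
forth in the Eclipse Public License, v. 2.0 are satisfied:
the Apache License v2.0 which is available at
https://www.apache.org/licenses/LICENSE-2.0

SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
"""
TWO_TAGS = "SPDX-License-Identifier: EPL-2.0\nSPDX-License-Identifier: Apache-2.0\n"
NEW_TEMPLATE = """\
 * terms of the Eclipse Public License v. 2.0 which is available at
 * https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
 * which is available at https://www.apache.org/licenses/LICENSE-2.0.
 *
 * SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
"""

if __name__ == "__main__":
    for name in ("OLD_TEMPLATE", "TWO_TAGS", "NEW_TEMPLATE"):
        print(name, check_header(globals()[name]) or "clean")
```
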

joakime added a commit that referenced this issue Dec 10, 2020
+ Eliminating header
+ Merging SPDX into 1 line

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
joakime added a commit that referenced this issue Dec 10, 2020
+ Using proper language, no further mention
  of "secondary" license (which was an invalid
  way of handling an "OR" situation)

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
joakime added a commit that referenced this issue Dec 10, 2020
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@joakime joakime linked a pull request Dec 10, 2020 that will close this issue

joakime commented Dec 10, 2020

PR #5795 opened.

  • Changes to LICENSE text are in commit ea38e53 (1 file changed)
  • Changes to header-template are in commit 31e5030 (1 file changed)
  • Changes to source headers are in commit f0badc5 (3,000 files changed)

joakime added a commit that referenced this issue Dec 11, 2020
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
joakime added a commit that referenced this issue Dec 11, 2020
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
joakime added a commit that referenced this issue Dec 11, 2020