Assembling LICENSE and NOTICE

Intended Audience

This document is a "how to" guide aimed at Apache Committers assembling LICENSE and NOTICE files for an Apache product.

Overview of the LICENSE and NOTICE files

The LICENSE file communicates the licensing of all content in an Apache product distribution. It always contains the text of the Apache License, and sometimes more.

The NOTICE file is described in section 4.4 of the Apache License version 2.0. It presence is not mandated by the license itself, but by ASF policy.

The complete requirements for LICENSE and NOTICE are described elsewhere.

Guiding principle

The LICENSE and NOTICE files must exactly represent the contents of the distribution they reside in.

Only bits that are actually included in a distribution have any bearing on the content of NOTICE and LICENSE.

Location Within the Source Tree

LICENSE and NOTICE belong at the top level of the source tree. They may be named LICENSE.txt and NOTICE.txt, but the bare names are preferred.

The Simple Case -- No Bundled Dependencies

For a source tree which consists entirely of code licensed to the ASF by the copyright holders and which has no bundled dependencies, LICENSE should contain the text of the ALv2 -- no more, no less.

NOTICE should contain only the following text, adapted with the product's name and copyright dates:

Apache [PRODUCT_NAME]
Copyright [XXXX-20XX] The Apache Software Foundation

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

Step-by-Step Instructions

To assemble LICENSE and NOTICE files from scratch for products with more complex requirements, follow these steps:

  1. Start with boilerplate LICENSE and NOTICE files, as above.

  2. Add any mandatory legal notifications specific to the IP of your product to NOTICE.

  3. For any dependency whose bits are bundled, consider whether LICENSE and NOTICE need to be modified. (DO NOT modify LICENSE or NOTICE for dependencies whose bits are not bundled.)

Bundling Permissively-Licensed Dependencies

Bundling a dependency which is issued under one of the following licenses is straightforward, assuming that said license applies uniformly to all files within the dependency:

  • BSD (without advertising clause)
  • MIT/X11

In LICENSE, add a pointer to the dependency's license within the source tree and a short note summarizing its licensing:

This product bundles SuperWidget 1.2.3, which is available under a
"3-clause BSD" license.  For details, see deps/superwidget/.

Under normal circumstances, there is no need to modify NOTICE.

NOTE: It's also possible to include the text of the 3rd party license within the LICENSE file. This is best reserved for short licenses.

There are a number of other "permissive" licenses which are approved for use by the ASF Legal Affairs Committee. Some of these may require additions to NOTICE -- if in doubt, ask.

Bundling an Apache-2.0-licensed Dependency

Assuming once again that that the bundled dependency itself contains no bundled subcomponents under other licenses and thus the ALv2 applies uniformly to all files, there is no need to modify LICENSE.

If the dependency supplies a NOTICE file, its contents must be analyzed and the relevant portions bubbled up into the top-level NOTICE file.

Bundling Other ASF Products

It is not necessary to duplicate the line "This product includes software developed at the Apache Software Foundation...", though the ASF copyright line and any other portions of NOTICE must be considered for propagation.

Modifications to NOTICE

NOTICE is reserved for a certain subset of legally required notifications which are not satisfied by either the text of LICENSE or the presence of licensing information embedded within the bundled dependency. Aside from Apache-licensed dependencies which supply NOTICE files of their own, it is uncommon for a dependency to require additions to NOTICE.

Copyright notifications which have been relocated from source files (rather than removed) must be preserved in NOTICE. However, elements such as the copyright notifications embedded within BSD and MIT licenses need not be duplicated in NOTICE -- it suffices to leave those notices in their original locations.

It is important to keep NOTICE as brief and simple as possible, as each addition places a burden on downstream consumers.

Do not add anything to NOTICE which is not legally required.

Bundled vs. Non-bundled Dependencies

LICENSE and NOTICE must always be tailored to the content of the specific distribution they reside within. Dependencies which are not included in the distribution MUST NOT be added to LICENSE and NOTICE. As far as LICENSE and NOTICE are concerned, only bundled bits matter.

Example: If the only difference between apache-foo-1.0.tgz and apache-foo-1.1.tgz is that one bundles SuperWidget while the other forces users to download SuperWidget separately, then LICENSE and NOTICE may very well need to be modified to account for the different bundled bits.

Dependencies of Dependencies

Dependencies of dependencies (including so-called "transitive dependencies") are no different from first-order dependencies for the purposes of assembling LICENSE and NOTICE: LICENSE and NOTICE need only be modified to accommodate them if and only if their bits are bundled.

Binary Distributions

What applies to canonical source distributions also applies to all redistributions, including binary redistributions:

Any redistribution must obey the licensing requirements of the contents.

The best way to do that will likely depend on the binary packaging form.

When assembling binary distributions, it is common to pull in and bundle additional dependencies which are not bundled with the source distribution. These additional dependencies must be accounted for in LICENSE and NOTICE.

As a result, the LICENSE and NOTICE files for a binary distribution may well differ from those in the source distribution it was built from.

In any case, the principle remains the same: LICENSE and NOTICE must exactly represent the contents of the distribution they reside in.