Update NOTICE #3399

Open
beorn7 opened this Issue Nov 2, 2017 · 11 comments

Member

beorn7 commented Nov 2, 2017

The NOTICE file in the repository's root is a requirement of the Apache license.
The file hasn't been maintained for a while and contains many entries that don't apply anymore, while it is missing many other entries.
Since we vendor the license files, there is certainly nothing missing from the repo as a whole but we should update the NOTICE file at our next convenience.

Member

brian-brazil commented Nov 2, 2017

Should we consider dropping the NOTICE file? It's only required to include it if there is one, though it might be too late to remove it now.

Contributor

elifkus commented Dec 1, 2017

I searched for glog to find out whether it needs to be removed from the NOTICE file.
https://github.com/prometheus/prometheus/search?utf8=%E2%9C%93&q=glog&type=

I couldn't find any references to it in the code, but it exists in the vendor folder. Should the license reference stay or should it be removed?

Member Author

beorn7 commented Dec 1, 2017

I'd love to get an authoritative answer from a license expert if it is legally possible to not have the NOTICE file in an Apache-licensed repository.

Contributor

elifkus commented Dec 5, 2017

According to http://www.apache.org/dev/licensing-howto.html :

The NOTICE file is described in section 4.4 of the Apache License version 2.0. Its presence is not mandated by the license itself, but by ASF policy.

I also asked on the Apache Jira. https://issues.apache.org/jira/browse/LEGAL-354 I'll let you know when I have the answer.

Contributor

elifkus commented Dec 5, 2017

By the way, according to the same link ( http://www.apache.org/dev/licensing-howto.html ), for BSD and MIT/X11 licenses, you should add a pointer to the dependency's license within the distribution and a short note summarizing its licensing in your LICENSE file. Shall I open a separate issue for this?

Member Author

beorn7 commented Dec 5, 2017

Personally, I would say it's most reasonable to state that 3rd party code is in the vendor folder together with the respective licenses. I just have no clue if that's in line with the Apache 2 license.

Contributor

elifkus commented Dec 5, 2017

The answer from Apache (https://issues.apache.org/jira/browse/LEGAL-354):

Short answer, yes you should keep the NOTICE file.

Long answer:

We can't give legal advice to non-Apache projects; for that, you need to talk to your own lawyer.

In general, "it depends", and in particular it depends on the history of any Apache-licensed code you've brought into your project.

Personally, I would say:

  • Your project itself does not need to have a NOTICE file for its own purposes; that is, the ASF policy of always having a NOTICE file in releases does not apply to your non-ASF project.

  • If you've had a NOTICE file in past releases, some users might be confused if you suddenly remove it.

  • If your project redistributes code you've gotten elsewhere under the Apache license, then you must comply with the terms of that license, as stated in the section on redistribution:

    https://www.apache.org/licenses/LICENSE-2.0.html#redistribution

Thus, looking at your existing NOTICE file, it includes (among other things) an attribution about bootstrap3-typeahead.js. Presuming you still have that code in your project, then yes, you must still include the NOTICE file in your project.

You don't need to use it for your own work if you don't want to, but you do need to propagate the attributions from included projects. Does that all make sense?

Member Author

beorn7 commented Dec 6, 2017

Sounds like we need to keep it and keep it up to date at least for other Apache-licensed software we vendor.

But I leave the final call to the maintainers of this repo: @brian-brazil @fabxc @juliusv

Member Author

beorn7 commented Oct 10, 2018

Any executive decision on this from the maintainers? @brian-brazil @fabxc @juliusv

From the above, it looks like we are in breach of the Apache license if we don't keep the NOTICE file up to date.

Member

fabxc commented Oct 10, 2018

If our chosen license requires it, I guess no contrary opinions are really relevant – we have to do it.

Member

juliusv commented Oct 10, 2018

To me this isn't 100% clear-cut yet. We do need to distribute the original license notices somewhere, but according to my reading, not necessarily in a central NOTICE file. The relevant section 4.d. in https://www.apache.org/licenses/LICENSE-2.0.html#redistribution says:

If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

...with the most relevant part being: "[...] in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works [...]"

So if we just keep the upstream NOTICE files together with their upstream code (like we do in some cases, like ./vendor/gopkg.in/yaml.v2/NOTICE), that should be fine too?

Looking at Kubernetes, they probably have many more dependencies than we do, and no central NOTICE file.
