avoid convenience code copies in notebooks #2651

Closed
jonassmedegaard opened this issue Oct 7, 2015 · 9 comments

Comments

@jonassmedegaard

bokeh.bkr embeds BokehJs, complete with base64-encoded FontAwesome font.

As a minimum you should revive and include license grants for those projects - you seem to currently violate their licensing by not adequately crediting sources and including licensing!

I urge you to avoid embedding full code projects like that in notebooks altogether: Even if technically possible to do, it is an antipattern you shouldn't encourage your users to mimic.

@scottdraves
Contributor

Agreed but this is just how Bokeh works, we don't control it, it's a popular library and it happens to work in Beaker.

Our license/credit page is available in the "About" window if you click through "Beaker is made possible by code from many great open source software projects." which brings up https://github.com/twosigma/beaker-notebook/blob/18ea55815b2054e9223c397ebdc556e706dc6889/core/src/main/web/credits.html
We could just add FontAwesome there, right?

Alternatively we could just remove this notebook from the documentation, it is not critical, we could just host it on pub.beakernotebook.com.

@jonassmedegaard
Author

Quoting Scott Draves (2015-10-07 22:44:43)

> Agreed but this is just how Bokeh works, we don't control it, it's a
> popular library and it happens to work in Beaker.
>
> Our license/credit page is available in the "About" window if you
> click through "Beaker is made possible by code from many great open
> source software projects." which brings up
> https://github.com/twosigma/beaker-notebook/blob/18ea558/core/src/main/web/credits.html
>
> Alternatively we could just remove this notebook from the
> documentation, it is not critical, we could just host it on
> pub.beakernotebook.com.

If it is "just how Bokeh works" to violate its own licensing terms, then
you are just not permitted to redistribute it :-P

The license of Bokeh requires, as I understand it, that copyright,
license and disclaimer for that project are included with any and all
redistribution of it. Seems to me that you nowhere include that info in
your released tarball nor the git - both of which are forms of
redistribution.

I believe you could satisfy the license of Bokeh by including verbatim
the copyright and license and disclaimer from that project in your
credits page. But the current contents of the credits page seem
inadequate.

That said, you need not remove the file to please packaging for Debian:
We can strip the problematic file as part of our redistribution - I just
wanted to share with you in case you want to respect licenses same way
as we do. No offense intended: You are free to interpret differently
(but make sure to read the actual license before you decide - I believe
the rules set out by the copyright holder are pretty unambiguous).

  • Jonas

  • Jonas Smedegaard - idealist & Internet-arkitekt

  • Tlf.: +45 40843136 Website: http://dr.jones.dk/

    [x] quote me freely [ ] ask before reusing [ ] keep private

@scottdraves
Contributor

We don't redistribute Bokeh in general, in order to use it it has to be installed with pip or whatever python mechanism. But yes this file does include their js driver, bokeh.min.js. I am quite sure it is not their intent to make everyone who redistributes notebooks also display their license, but maybe it is technically required. Let me ask them.

@bryevdv

bryevdv commented Oct 8, 2015

A few notes (I am the Bokeh project lead)

  • Embedding the BokehJS library inline is provided as an option to make notebooks and HTML documents containing Bokeh plots self-contained, and usable without an internet connection. There is no other technical way to accomplish that, unless I am mistaken. (I would love to hear any other ideas.) However, it is also possible to load BokehJS from CDN (or from your own servers) and in fact CDN will be the default way to load BokehJS starting with version 0.11 in November.
  • Just to be clear: both the full and minified BokehJS files contain inside them, the plaintext licenses of any dependencies that are vendored in, in order to comply with the terms of those licenses.
  • Since the source code for BokehJS is actually written in CoffeeScript, and then compiled to JavaScript, I do not consider the mere usage of BokehJS (as we obviously intend for people to be able to do) to constitute a "source distribution". A "source distribution" (in my opinion) is a redistribution of the original, primary, uncompiled CoffeeScript sources. Therefore, the license requires (at most) that the license be available "in the documentation and/or other materials provided with the distribution". Since the BokehJS file contains a link to the Bokeh documentation inside it, I will stipulate that this is sufficient.
  • We will include and embed the license file and text in more places in future releases. We will improve the wording to make things clearer. However, IANAL (obviously!) so if you are, and would like to help, a PR would certainly be appreciated.

I have made an issue you can refer to to track these changes: bokeh/bokeh#2958

@scottdraves
Contributor

Thanks Bryan, I am satisfied Beaker doesn't need to change, but Jonas it's up to you how to handle that in your redistribution.

@jonassmedegaard
Author

Hi Bryan,

Quoting Bryan Van de Ven (2015-10-08 02:45:34)

> A few notes (I am the Bokeh project lead)
>
> • Embedding the BokehJS library inline is provided as an option to
> make notebooks and HTML documents containing Bokeh plots
> self-contained, and usable without an internet connection. There is
> no other technical way to accomplish that, unless I am mistaken. (I
> would love to hear any other ideas.) However, it is also possible to
> load BokehJS from CDN (or from your own servers) and in fact CDN
> will be the default way to install BokehJS starting with version
> 0.11 in November.

I agree there are benefits in embedding the code.

Sounds nice that you make it configurable in the future, because there
are different - conflicting - benefits in cloud hosting, local hosting
and embedding.

I can imagine it being preferable for Two Sigma to stick to your future
default of cloud hosting, whereas for Debian redistribution we want to
avoid trackability hence prefer switching to a local path per default.

I've created a separate issue on the Beaker ability to benefit from that
future configurability, to allow users to choose between benefits of
reliance on internet (cloud), system (localpath) or document (embed).

> • Just to be clear: both the full and minified BokehJS files contain
> inside them, the plaintext licenses of any dependencies that are
> vendored in, in order to comply with the terms of those licenses.

Uhm, that seems incorrect, actually: As an example, your full source
includes Font Awesome which is licensed as OFL-1.1, yet apparently you
only mention the shortname of that license despite its condition #2 being
that both copyright and license be included.

Also, minified code embedded in a Beaker notebook lacks verbatim
copyright and license, as Scott points out in bokeh/bokeh/#2957

I suggest Bokeh to include in src/vendor/font-awesome-4.2.0 LICENSE and
COPYRIGHT files containing OFL-1.1 license and upstream copyright
statement, respectively. And somehow ensure that both are included
directly tied to minified code too - i.e. either within or as separate
files, as long as they are "easily viewed by the user."

NB! Authors of Font Awesome don't include the license themselves:
Licensing terms apply for licensees but not copyright holders
themselves. Bokeh may similarly choose to not include their own license
even though requiring it of their licensees. But I believe Beaker
cannot ignore that (within the general licensing terms passed on to its
users, including Debian).

> • Since the source code for BokehJS is actually written in
> CoffeeScript, and then compiled to JavaScript, I do not consider the
> mere usage of BokehJS (as we obviously intend for people to be able
> to do) to constitute a "source distribution". A "source
> distribution" (in my opinion) is a redistribution of the original,
> primary, uncompiled CoffeeScript sources. Therefore, the license
> requires (at most) that the license be available "in the
> documentation and/or other materials provided with the
> distribution". Since the BokehJS file contains a link to the Bokeh
> documentation inside it, I will stipulate that this is sufficient.

Makes sense, and fits (my interpretation of) OFL-1.1 requirements too.

Issue here in Beaker is that copyright and license are missing.

I suggest to include in Beaker credits page both copyright and license -
verbatim, not shortname or web link - for both BokehJS and all of its
upstreams where licensing requires it (no matter if Bokeh themselves
included all of that in their distribution).

> • We will improve the wording to make things clearer. However, IANAL,
> so if you are, and would like to help, a PR would certainly be
> appreciated.

Sorry for not clarifying earlier: I am no lawyer either, merely a Debian
developer (i.e. a software "librarian" more than a programmer) who cares
about respecting the various licensing terms of everyone involved in the
FLOSS ecosystem.

> I have made an issue you can refer to to track these changes: #2651

Thanks. Oddly enough Github links wrongly in its email representation,
but I saw the proper link online :-)

  • Jonas

@bryevdv

bryevdv commented Oct 8, 2015

Jonas, I was not as clear as I could have been. It is configurable now, we are merely changing the default behavior in the future. If you'd like to utilize CDN resources instead of inline resources that has been possible for ~2 years.

Regarding the minified files it seems that the inclusion of license comments was unintentionally lost when we switched from grunt to gulp for our build. Grunt minify tools do include the comments by default, but gulp tools (unfortunately) do not include them by default. This was an oversight. This behavior has been explicitly re-enabled in bokeh/bokeh#2958 and the license comments will be present in all future dev builds and full releases. We will strive to patch or update existing files to the extent of our ability, as we are able.
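
A release check for the regression described in the comment above, as an added example that is not code from Bokeh, Beaker or any participant in this thread. It assumes the common minifier convention that only `/*! ... */` comments and comments tagged `@license` or `@preserve` are kept; the component names and bundle contents are constructed.

```javascript
// Added example: component names and bundle contents are constructed.
// Block comments that minifiers conventionally keep: /*! ... */ or ones
// tagged @license / @preserve. A regex scan is a heuristic; it does not
// tokenize JavaScript, so a "/*" inside a string literal would also match.
function preservedComments(source) {
  return (source.match(/\/\*[\s\S]*?\*\//g) || []).filter(
    (c) => c.startsWith('/*!') || /@license|@preserve/.test(c)
  );
}

// For each vendored component, report whether a preserved banner names it
// and whether that banner carries a copyright line or only a short name.
function auditBundle(source, components) {
  const banners = preservedComments(source);
  return components.map((name) => {
    const hit = banners.find((c) => c.toLowerCase().includes(name.toLowerCase()));
    let status = 'missing';
    if (hit) status = /copyright/i.test(hit) ? 'banner-with-copyright' : 'name-only';
    return { name, status };
  });
}

// Release gate: names of components whose banner is absent or incomplete.
function failures(source, components) {
  return auditBundle(source, components)
    .filter((r) => r.status !== 'banner-with-copyright')
    .map((r) => r.name);
}

const COMPONENTS = ['WidgetLib', 'IconFont']; // hypothetical vendored code
const BUILD_WITH_BANNERS = [
  '/*! WidgetLib 1.0 | Copyright (c) 2015 Example Authors | BSD-3-Clause */',
  '/* build note, dropped by a minifier */',
  '/** @license IconFont 4.2 | OFL-1.1 */',
  'var w=function(){return 1};',
].join('\n');
const BUILD_STRIPPED = 'var w=function(){return 1};';

console.log(failures(BUILD_WITH_BANNERS, COMPONENTS));
console.log(failures(BUILD_STRIPPED, COMPONENTS));
```

Run against the build output in CI, a non-empty result from `failures` catches a build-tool change that silently drops license banners before the bundle is released or embedded in a notebook.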

@jonassmedegaard
Author

Quoting Bryan Van de Ven (2015-10-08 13:58:36)

> Jonas, I was not as clear as I could have been. It is configurable
> now, we are merely changing the default behavior in the future. If
> you'd like to utilize CDN resources instead of inline resources that
> has been possible for ~2 years.
>
> Regarding the minified files it seems that the inclusion of license
> comments was unintentionally lost when we switched from grunt to gulp
> for our build. Grunt minify tools do include the comments by
> default, but gulp tools (unfortunately) do not include them by
> default. This was an oversight. This behavior has been explicitly
> re-enabled in bokeh/bokeh#2958 and the license comments will be
> present in all future dev builds and full releases. We will strive to
> patch or update existing files to the extent of our ability, as we are
> able.

Cool! Both points :-)

  • Jonas

@bryevdv

bryevdv commented Oct 8, 2015

Thanks for raising these issues, BTW. Our intention is to be compliant with strict interpretations of license obligations. But development is a frenzy, and unintended consequences sometimes happen (as seen), so it is good that you brought this to our attention.
