You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This page provides guidance on accounting for third party works in LICENSE and NOTICE files and is heavily inspired by the excellent Geode License Guide for Contributors.

DISCLAIMER:

The source of truth for all licensing issues are the official Apache guidelines. This guide is NOT a replacement for them and only serves to inform committers about how the Apache Flink project handles licenses in practice.

The guidelines outlined here DO NOT strictly adhere to the Apache guidelines. Following the official guidelines is not maintainable at the moment due to missing tooling for the combination of LICENSE files.

Source files

Every source file should include the standard ASF license header [1].  Exceptions can be made for "non-creative” works or test files that must have an exact form.  These exclusions should be added to the rat-plugin configuration in the root pom.xml.  

Source files containing third-party works should follow the rules in [2].

Distributions

The primary format of a Flink release is the source distribution (this is true of all Apache projects).

Flink also provides a binary convenience distribution as well as Maven artifacts.

Each of these distributions must observe the rules described below for “bundled” software dependencies.

The rules dictate the content of the LICENSE and NOTICE files for each distribution type.

Source distribution

The contents of the source distribution must closely reflect the files in source control with a few minor exclusions.

Code that has been copied either in part or in whole from other projects is considered bundled in the source distribution.

The LICENSE and NOTICE files for the source distribution can be found in the project root directory. The root directory also contains the licenses directory which contains the LICENSE files of all bundled code dependencies.

If a bundled dependency is present in the source distribution, the license must be a Category A license [3].

Attention: The module flink-runtime-web bundles JavaScript dependencies for the Flink UI which are part of the source distribution. Run bower list in the flink-runtime-web/web-dashboard to get a list of all used JavaScript dependencies.

Binary distribution

The binary distribution contains flink-dist and several Flink modules as optional jars (as defined in flink-dist/src/main/assemblies).

Dependencies that have been copied into the distribution (such as jar files) should be considered bundled, in addition to the bundled dependencies of the source archive.

The LICENSE and NOTICE (called NOTICE-binary) files for the binary distribution can be found in the project root directory.

Similar to the source distribution, the root directory contains a licenses-binary directory which contains all LICENSE files of the bundled dependencies by the binary distribution.

When assembling the binary distribution (done by the maven-assembly-plugin in flink-dist), Maven will rename the NOTICE-binary file into NOTICE, licenses-binary into licenses and include the LICENSE file in the resulting assembly. Therefore, make sure that NOTICE-binary and licenses-binary contain all the license information of the binary release's bundled dependencies. (further instructions)

If a bundled dependency is present in a binary distribution, the license must be a Category A [3] or Category B [4] license.

Maven artifacts

Most modules of Flink generate at least one Maven artifact that is uploaded and available for download on Maven Central.  These artifacts follow a similar pattern to the binary distribution except that the bundled software is typically restricted to the individual module.

The LICENSE file for all Maven artifacts is pulled in automatically via the apache-jar-resource-bundle defined in the Apache parent pom.

For Maven artifacts that DO NOT bundle any dependencies the NOTICE file is pulled in automatically via the apache-jar-resource-bundle defined in the Apache parent pom.

For Maven artifacts that DO bundle any dependencies the NOTICE file can be found in the src/main/resources/META-INF directory of the respective module. If the module does not have a NOTICE file yet, then add one under src/main/resources/META-INF.

Requirements for LICENSE

All modules must contain a standard Apache License file, i.e. the one pulled in from the apache-jar-resource-bundle.

LICENSE.txt files pulled in through dependencies should be excluded from the distribution.

Requirements for NOTICE

All bundled dependencies must be listed in NOTICE, grouped by license type, using standard maven syntax (groupId:artifactId:version).

  • This DOES include ASLv2 dependencies (for maintainability reasons, as it simplifies matching of entries in the dependency-tree and NOTICE files)

    flink-mesos
    Copyright 2014-2018 The Apache Software Foundation

    This product includes software developed at
    The Apache Software Foundation (http://www.apache.org/).

    This project bundles the following dependencies under the Apache Software License 2.0. (http://www.apache.org/licenses/LICENSE-2.0.txt)

    - com.netflix.fenzo:fenzo-core:0.10.1
    - org.apache.mesos:mesos:1.0.1
    - com.fasterxml.jackson.core:jackson-annotations:2.4.0
    - com.fasterxml.jackson.core:jackson-core:2.4.5
    - com.fasterxml.jackson.core:jackson-databind:2.4.5

    This project bundles the following dependencies under the BSD license.
    See bundled license files for details.

    - com.google.protobuf:protobuf-java:2.6.2


For all dependencies not using the ASLv2, include the license text in a LICENSE.<dependency_name> file under the src/main/resources/META-INF/licenses directory of the respective module.

Special cases:

  • NOTICE.txt files pulled in through dependencies should be excluded from the distribution and manually merged into the dependents NOTICE file.
  • netty:3.X.Y includes a NOTICE files that cover more than they should. These should be excluded and relevant parts merged into the dependents NOTICE file.
  • netty:3.X.Y includes a license directory under META-INF. Jars that bundle this directory along with a LICENSE file under META-INF cannot be unpacked on case-insensitive filesystems. This directory should be excluded and merged into the dependents licenses directory.


Attention: flink-dist bundles various Flink modules and their transitive dependencies. Any transitive dependency that is pulled in this way which is not included (and thus accounted for!) in a bundled Flink module MUST be accounted for in flink-dist.

NOTICE-binary and licenses-binary creation


In order to generate a NOTICE file and licenses directory for all contained jars in the binary distribution, you can use tools/releasing/collect_license_files.sh. The script takes the directory of the binary distribution and an output directory as arguments. It extracts the NOTICE files and licenses directories from all jars contained in the specified directory and merges them. This can be used as a skeleton for creating the NOTICE-binary file and licenses-binary directory. The skeleton needs to be enriched with license information of differently bundled dependencies.

The merged NOTICE file might contain duplicate entries which should be removed. For example, flink-s3-fs-hadoop and flink-s3-fs-presto both pull in a NOTICE file from the same Hadoop version.

Attention: Example jars are also included in the binary distribution. They originate from flink-examples/flink-examples-batch and flink-examples/flink-examples-streaming. The pulled in dependencies from the example jars need to be accounted for in NOTICE-binary and licenses-binary.

[1] http://apache.org/legal/src-headers.html#headers
[2] http://apache.org/legal/src-headers.html#3party
[3] http://www.apache.org/legal/resolved.html#category-a
[4] http://www.apache.org/legal/resolved.html#category-b

  • No labels