Attribution requirements are a common features of open-source licenses, but exactly when and how to do attribution are left to the implementor's judgement. I have done it wrong many times. In the spirit of doing one small thing well, I have researched and compiled guidelines. These are both for my own use, for my OSPO consulting clients, and for any potential reader.

Open Source Attribution How-To

• Avoid redistribution. Prefer package managers.
  • When you must redistribute, include a comprehensive copy with the license, notice, and all source code.
• Have a LICENSE file for your own license.
  • Limit the license file to your own package. No other package should be mentioned.
  • Use a standard license that has not been modified in any way except for your copyright statement.
• Have a NOTICE file to attribute any component that has been redistributed - and no others.
  • Redistribution occurs in the following forms:
  • Copies of source code, including declarations of function headers
  • Libraries that have been statically linked with your binary
  • Libraries that will be dynamically linked, but only if your distribution incorporates a binary copy of the library. If your program is relying on the operating system to provide a shared library, it is out of scope.
  • For each attribution, include the name, the copyright statement, and the license.
  • Include a full copy of each license. Only have one copy. (Some licenses require copies, not links. Incorporating licenses by name creates ambiguity about which version of the license).
  • Link to the project home page if possible.
  • At the top of your notice file include your own copyright statement.

Official Guidance

The Apache Software Foundation has published detailed guidelines on what goes into a NOTICE file at
https://infra.apache.org/licensing-howto.html#mod-notice

Their guidance is almost the same but not identical.

Examples

The Prometheus project has its NOTICE file online at https://github.com/prometheus/prometheus/blob/main/NOTICE. Highlights:

• The name of the file is NOTICE. It does not have any extension. It is all uppercase.
• The beginning lines are the copyright statement:

The Prometheus systems and service monitoring server
Copyright 2012-2015 The Prometheus Authors

The following components are included in this product:

Bootstrap
https://getbootstrap.com
Copyright 2011-2014 Twitter, Inc.
Licensed under the MIT License

The link to the project home page is not a legal requirement but is useful.

The license is included by name. This is a mistake because it creates ambiguity and because some licenses require full copies.

Acknowledgements and Links

In compiling these guidelines I have had conversations with a number of people. I documented some in a gist. Most importantly Van Lindberg and I had two long conversations; his write-up takes a more explanatory angle that is complementary to this step-by-step how-to.

In the Indieweb POSSE spirit, I have published this to two locations:

• A gist on Github
• An entry on my personal blog

Weeks after publishing this I came across Apache's own documentation on NOTICE files. It's excellent.