Open Source Attribution How-To

Attribution requirements are a common feature of open-source licenses, but exactly when and how to do attribution is left to the implementor's judgement. I have done it wrong many times. In the spirit of doing one small thing well, I have researched and compiled guidelines. These are for my own use, for my OSPO consulting clients, and for any potential reader.

  • Avoid redistribution. Prefer package managers.
    • When you must redistribute, include a comprehensive copy with the license, notice, and all source code.
  • Have a LICENSE file for your own license.
    • Limit the license file to your own package. No other package should be mentioned.
    • Use a standard license that has not been modified in any way except for your copyright statement.
  • Have a NOTICE file to attribute any component that has been redistributed - and no others.
    • Redistribution occurs in the following forms:
      • Copies of source code, including declarations of function headers
      • Libraries that have been statically linked with your binary
      • Libraries that will be dynamically linked, but only if your distribution incorporates a binary copy of the library. If your program is relying on the operating system to provide a shared library, it is out of scope.
    • For each attribution, include the name, the copyright statement, and the license.
    • Include a full copy of each license. Only have one copy. (Some licenses require copies, not links. Incorporating licenses by name creates ambiguity about which version of the license applies.)
    • Link to the project home page if possible.
    • At the top of your notice file, include your own copyright statement.
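As an added example that is not part of the original post, the following Python script writes a NOTICE file that follows this checklist: your own copyright first, one entry (name, home page, copyright, license) per redistributed component with OS-provided shared libraries filtered out, and exactly one full copy of each distinct license at the end. The component names, URLs, copyright lines and license texts are constructed placeholders, and the function and class names are my own.

```python
"""Generate a NOTICE file that follows the attribution checklist.

Added example, not code from the post: component data and license texts are
constructed placeholders, and the names used here are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    homepage: str
    copyright: str
    license_id: str      # key into LICENSE_TEXTS
    redistributed: bool  # True only for vendored source, static libs, bundled binaries


# Placeholder texts (constructed). A real NOTICE embeds each license verbatim.
LICENSE_TEXTS = {
    "MIT": "MIT License\n[full verbatim MIT text]",
    "Apache-2.0": "Apache License, Version 2.0\n[full verbatim Apache-2.0 text]",
}

# Constructed sample inventory: two MIT components, one Apache-2.0 component,
# and one shared library supplied by the OS at runtime (not redistributed).
SAMPLE_COMPONENTS = [
    Component("exampleui", "https://example.com/ui", "Copyright 2020 Example UI Authors", "MIT", True),
    Component("examplejson", "https://example.com/json", "Copyright 2019 Example JSON Authors", "MIT", True),
    Component("examplehttp", "https://example.com/http", "Copyright 2021 Example HTTP Authors", "Apache-2.0", True),
    Component("libexamplez", "https://example.com/z", "Copyright 2018 Example Z Authors", "Apache-2.0", False),
]


def build_notice(product: str, own_copyright: str, components: list) -> str:
    """Own copyright first, one entry per redistributed component, one copy per license."""
    included = [c for c in components if c.redistributed]  # OS-provided libs are out of scope
    lines = [product, own_copyright, "",
             "The following components are included in this product:", ""]
    for c in included:
        lines += [c.name, c.homepage, c.copyright,
                  f"Licensed under the {c.license_id} license (full text below)", ""]
    # Each distinct license is reproduced exactly once, in first-seen order,
    # so the terms are fixed by the embedded text rather than by a name alone.
    license_ids = list(dict.fromkeys(c.license_id for c in included))
    lines.append("Licenses included in full:")
    for lid in license_ids:
        lines += ["", "-" * 40, LICENSE_TEXTS[lid]]
    return "\n".join(lines) + "\n"
```

Write the returned string to a file named exactly NOTICE (no extension) at the root of the distribution.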

Official Guidance

The Apache Software Foundation has published detailed guidelines on what goes into a NOTICE file at
https://infra.apache.org/licensing-howto.html#mod-notice

Their guidance is almost the same but not identical.

Examples

The Prometheus project has its NOTICE file online at https://github.com/prometheus/prometheus/blob/main/NOTICE. Highlights:

  • The name of the file is NOTICE. It does not have any extension. It is all uppercase.
  • The beginning lines are the copyright statement:

    The Prometheus systems and service monitoring server
    Copyright 2012-2015 The Prometheus Authors

  • Third-party attributions are prefaced with:

    The following components are included in this product:

  • Each third-party attribution is in the form:

    Bootstrap
    https://getbootstrap.com
    Copyright 2011-2014 Twitter, Inc.
    Licensed under the MIT License

The link to the project home page is not a legal requirement but is useful.

The license is included by name. This is a mistake because it creates ambiguity and because some licenses require full copies.

Acknowledgements and Links

In compiling these guidelines I have had conversations with a number of people. I documented some in a gist. Most importantly Van Lindberg and I had two long conversations; his write-up takes a more explanatory angle that is complementary to this step-by-step how-to.

In the Indieweb POSSE spirit, I have published this to two locations:

Weeks after publishing this I came across Apache's own documentation on NOTICE files. It's excellent.

More from Lucas Gonze