June 20, 2023
Attribution requirements are a common feature of open-source licenses, but exactly when and how to do attribution is left to the implementor's judgement. I have done it wrong many times. In the spirit of doing one small thing well, I have researched and compiled guidelines. These are for my own use, for my OSPO consulting clients, and for any potential reader.
Open Source Attribution How-To
- Avoid redistribution. Prefer package managers.
- When you must redistribute, include a comprehensive copy with the license, notice, and all source code.
- Have a LICENSE file for your own license.
- Limit the license file to your own package. No other package should be mentioned.
- Use a standard license that has not been modified in any way except for your copyright statement.
- Have a NOTICE file to attribute any component that has been redistributed - and no others.
- Redistribution occurs in the following forms:
  - Copies of source code, including declarations of function headers
  - Libraries that have been statically linked with your binary
  - Libraries that will be dynamically linked, but only if your distribution incorporates a binary copy of the library. If your program is relying on the operating system to provide a shared library, it is out of scope.
- For each attribution, include the name, the copyright statement, and the license.
- Include a full copy of each license. Have only one copy of each. (Some licenses require copies, not links. Incorporating a license by name alone creates ambiguity about which version of the license applies.)
- Link to the project home page if possible.
- At the top of your notice file include your own copyright statement.
The Apache Software Foundation has published detailed guidelines on what goes into a NOTICE file at
Their guidance is almost the same but not identical.
The Prometheus project has its NOTICE file online at https://github.com/prometheus/prometheus/blob/main/NOTICE. Highlights:
- The name of the file is NOTICE. It does not have any extension. It is all uppercase.
- The beginning lines are the copyright statement:
  The Prometheus systems and service monitoring server
  Copyright 2012-2015 The Prometheus Authors
- Third-party attributions are prefaced with:
  The following components are included in this product:
- Each third-party attribution is in the form:
  Bootstrap
  https://getbootstrap.com
  Copyright 2011-2014 Twitter, Inc.
  Licensed under the MIT License
- The link to the project home page is not a legal requirement but is useful.
- The license is included by name. This is a mistake because it creates ambiguity and because some licenses require full copies.
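The how-to above and the Prometheus layout can be turned into a small generator. This is an added example, not code from the original post or from the Prometheus project: it puts your own copyright statement first, emits one entry per redistributed component in the four-line form shown above, and appends exactly one full copy of each license, refusing to produce a NOTICE that names a license without its text. All product names, components and license texts below are constructed placeholders.

```python
# Added example (not from the original post or any project): build a NOTICE
# file that follows the attribution guidelines above. Every name, component
# and license text here is a constructed placeholder, not real project data.

PREFACE = "The following components are included in this product:"


def build_notice(product, product_copyright, components, license_texts):
    """Return NOTICE text: own copyright first, one entry per redistributed
    component, then exactly one full copy of each referenced license.

    components: list of dicts with keys name, url (optional), copyright, license.
    license_texts: dict mapping license name -> full license text.
    Raises KeyError if a component names a license with no full text, so a
    license can never be included by name only.
    """
    lines = [product, product_copyright, "", PREFACE, ""]
    used = []  # licenses referenced, in first-seen order
    for comp in components:
        if comp["license"] not in license_texts:
            raise KeyError(f"no full license text for {comp['license']!r}")
        lines.append(comp["name"])
        if comp.get("url"):  # home page link: useful, not legally required
            lines.append(comp["url"])
        lines.append(comp["copyright"])
        lines.append(f"Licensed under the {comp['license']}")
        lines.append("")
        if comp["license"] not in used:  # one copy per license, never two
            used.append(comp["license"])
    for lic in used:
        lines.append(f"---- {lic} ----")
        lines.append(license_texts[lic].strip())
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


def count_license_copies(notice, license_name):
    """Number of full copies of a license present in generated NOTICE text."""
    return notice.count(f"---- {license_name} ----")


# Constructed sample input: two components sharing one license.
SAMPLE_COMPONENTS = [
    {"name": "libfoo", "url": "https://example.com/libfoo",
     "copyright": "Copyright 2020 Example Contributors", "license": "MIT License"},
    {"name": "libbar", "copyright": "Copyright 2021 Example Corp.",
     "license": "MIT License"},
]
SAMPLE_LICENSES = {"MIT License": "Permission is hereby granted ... (constructed stub)"}
```

Calling `build_notice("Example Product", "Copyright 2023 Example Authors", SAMPLE_COMPONENTS, SAMPLE_LICENSES)` yields a NOTICE with both entries and a single MIT copy at the end.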
Acknowledgements and Links
In compiling these guidelines I have had conversations with a number of people. I documented some in a gist. Most importantly, Van Lindberg and I had two long conversations; his write-up takes a more explanatory angle that is complementary to this step-by-step how-to.
In the Indieweb POSSE spirit, I have published this to two locations:
Weeks after publishing this I came across Apache's own documentation on NOTICE files. It's excellent.