License acknowledgment

I am not experienced on the topic of software licenses. After a lot of research I understand that acknowledging copyright and licenses is in general a really complicated topic and can potentially get you into big trouble if done wrong.

Sadly, even narrowing the question down to the Rust ecosystem, I am unsure how to do it properly. I even have doubts that it's done properly.

I really would love to see something like a guideline on how to do it, e.g. in the Cargo book.

My understanding is that there are probably three different scenarios to consider, maybe only two:

Case 1: publishing a library package. Case 2: publishing a binary package or a library package with example binaries. Case 3: publishing the binary. (Maybe there is no difference between case 1 and 2.)

I think that in case 1 I am only referencing the code and not publishing it. So I can license my code quite independently and don't need to acknowledge the copyright of the dependencies.

In case 2 I guess I am doing in principle the same as in case 1, because putting the code together is done during compilation and so I don't ship the dependencies. What probably has to be acknowledged though (and I never saw that) is when build scripts, like build.rs for embedded or .cargo/config.toml, are copied from the respective templates. Of course there might be some modifications, but the boilerplate in there was licensed in the repo and one would actually need to mention that. One probably then also has to differentiate between the license for the actual lib and for the example. I don't know whether this works. Reuse could be a good solution to manage that.

Case 3 would definitely require one to publish all license texts with all copyright notices etc. together, leading to probably dozens or hundreds of filled-out Apache and/or MIT licenses. I don't know if one needs to provide this in the source code, in the documentation or included in the binary. Or all of it.

I found a topic here on technical solutions for it: Missing good tools for bundling third party licenses

And apparently there seems not to be one. But regardless of how to automate it, I am unsure how to manage that topic properly even manually.

Although probably nobody will care about my hobby projects, I am still really hesitant to publish something because I don't want to mess up that copyright topic.

2 Likes

A follow-up remark. I noticed that many projects that are binary projects tell a user to install the program via cargo install.

So in that case the user will be the one downloading all dependencies and subdependencies and compiling the binary.

If I understand correctly that frees the repo owner from distributing all the license files.

But if this compiled version were distributed further, one would need to do it.

I might be wrong here, but this would also open the chance to create counter-intuitive licensing. E.g. I could write a binary crate that depends on a GPL library and release my source code under MIT. Only when compiled would the final binary be under GPL. If that's true, it would be kind of a trap.

There are tools that collect the license information from all your dependencies. In the Rust ecosystem, many crates are double-licensed under either MIT or Apache 2.0, and many licenses are compatible with those.

Try GitHub - onur/cargo-license: Cargo subcommand to see license of dependencies or GitHub - maghoff/cargo-license-hound: Tool to help sniffing out licenses from all crate dependencies or GitHub - EmbarkStudios/cargo-deny: ❌ Cargo plugin for linting your dependencies 🦀.

That way you can easily check if any dependencies are GPL-licensed, for example.
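As an added illustration (not code from the thread or from any of the tools named above), here is a small Python script that does in outline what cargo-license does: it reads the `packages` array that `cargo metadata --format-version 1` prints (each entry carries `name`, `version`, `license` and `license_file`) and sorts every dependency into permissive, copyleft, license-file-only or unlicensed. The embedded metadata, crate names and license lists are constructed assumptions for the example, not a legal determination.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like the `packages` array of `cargo metadata --format-version 1`;
# the crate names, versions and licenses are made up for this example.
SAMPLE_METADATA = json.dumps({"packages": [
    {"name": "myapp", "version": "0.1.0", "license": "MIT", "license_file": None},
    {"name": "dual-dep", "version": "1.0.0", "license": "MIT OR Apache-2.0", "license_file": None},
    {"name": "filelic-dep", "version": "0.4.0", "license": None, "license_file": "LICENSE"},
    {"name": "copyleft-dep", "version": "2.0.0", "license": "GPL-3.0-only", "license_file": None},
    {"name": "nolicense-dep", "version": "0.3.0", "license": None, "license_file": None},
]})

# Assumed starting lists, not a legal determination. Permissive licenses still require
# shipping their license text and copyright notices alongside a distributed binary.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"}
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")

def license_ids(expr):
    """License ids in an SPDX expression; drops OR/AND, parentheses and WITH exceptions."""
    expr = re.sub(r"\s+WITH\s+\S+", "", expr.replace("/", " OR "))  # "MIT/Apache-2.0" is old style
    return [t for t in re.split(r"[\s()]+", expr) if t and t not in ("OR", "AND")]

def classify(pkg):
    """Return 'permissive', 'copyleft', 'file-only', 'unlicensed' or 'other' for one package."""
    expr = pkg.get("license")
    if not expr:
        return "file-only" if pkg.get("license_file") else "unlicensed"
    ids = license_ids(expr)
    # With OR the consumer chooses, so a single permissive option is enough.
    if re.search(r"\bOR\b|/", expr) and any(i in PERMISSIVE for i in ids):
        return "permissive"
    if any(i.startswith(COPYLEFT_PREFIXES) for i in ids):
        return "copyleft"
    return "permissive" if all(i in PERMISSIVE for i in ids) else "other"

def license_report(metadata_json, root="myapp"):
    """Map category -> sorted 'name version (license)' strings, skipping the root crate."""
    report = defaultdict(list)
    for pkg in json.loads(metadata_json)["packages"]:
        if pkg["name"] == root:
            continue
        label = pkg.get("license") or pkg.get("license_file") or "<none>"
        report[classify(pkg)].append(f'{pkg["name"]} {pkg["version"]} ({label})')
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    for category, crates in license_report(SAMPLE_METADATA).items():
        print(category, *crates, sep="\n  ")
```

The "file-only" and "unlicensed" buckets are the ones a manifest-only tool cannot resolve for you: those crates need a look at the repository itself before a binary built from them is redistributed.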

I know about cargo-license. But this only shows what licenses are specified in the manifests of the dependencies.

My problem is that I am unsure when and how I have to acknowledge and include the copyright licenses of dependencies.

Apache and MIT require you to include the license file if you use that code.

However, I see Rust program repos usually having their own license files. I don't understand how this is compliant with the used dependencies.

The only way I can think of is that in case the compiled binary is not shipped and the program is made available via cargo, the project is not shipping the dependencies and therefore not bound to provide the licenses.

The assumption that even popular tools are perfectly compliant with all software licenses in active use is probably where you're going wrong. They may not be! And who's to say? The only way to actually find out is to bring a case in front of a judge, ask for a ruling, go through appeals if necessary and all that. In practice, that rarely happens because it's extremely expensive. So if there is a problem, it might be resolved in other ways. Perhaps just as simple as calling them out in the town square or maybe sending a cease & desist. And for open source projects that don't make money, the choice of whether to comply with a C&D is usually a pretty simple calculus.

So in practice, people just do the best they can according to the norms established around them. If you flub this, you aren't going to be immediately penalized. That isn't how the system works. I've flubbed it before. Someone filed an issue and asked nicely to fix it with specific instructions. Then I did. Case closed.

Otherwise, if you're this concerned about software license compliance, then you're likely asking in the wrong place. You should be consulting a lawyer.

9 Likes

GitHub - EmbarkStudios/cargo-about: 📜 Cargo plugin to generate list of all licenses for a crate 🦀 is also worth mentioning, depending on what exactly you need (in particular what format you need your license data on).

1 Like

As I said, for the time being I am not really looking for tools, but more for guidance on how to deal with licenses in different projects correctly, like when I have to deal with it and how it should be done.

My guidance to you: copy what others are doing. Otherwise, talk to a lawyer.

2 Likes

I appreciate that you took the time to answer my question. And advising to just do what everybody else is doing (which, as you mentioned, might be wrong in some cases) might be compliant.

But I wanted to understand why a certain practice is valid and how practice has to differ between the different scenarios.

And I don't want to hire a lawyer. I think there have to be people who know what they do and why they are doing it and I hoped to get some feedback from one of those persons.

A key thing about those license agreements is that they grant you permission to reproduce, modify, and distribute the code they cover. If you aren't doing those things, then congratulations! You don't need to be worried about a license!

While this has not been heavily tested in court, you're likely safe from copyright disputes about your program's dependencies in scenarios 1 (distributing a library crate via Cargo) and 2 (distributing a binary crate via Cargo), because in both scenarios, you are doing no distribution of anyone else's code. You publish your program to crates.io with a note telling Cargo what other libraries your code needs, but it's Cargo on the end user's machine, and crates.io, that actually handles distribution of all of that code.

Case 3 (distributing a binary yourself) is a bit more complicated. The built binary is a derivative work of the code that went into building it, which includes the code for each dependency. You would need to ensure that, however you distribute your binary, you also comply with the licenses for all of the code that went into it. With deeply nested dependencies, it can be hard to keep track of all of the licenses you need to comply with, and in principle you need to read and understand each one individually once you do find them all.

Tools like cargo-license can help you with that to a degree, and licensing standards like the GPL or the Apache license are meant to save you time by being the same from package to package, which also helps. There are also practical realities that make license disputes relatively rare: going to court is expensive, so people generally only bother when the defendant has something worth going after. Most random developers don't, but if you're in a position where you have significant business or personal assets tied up in your project, it's prudent to talk to an intellectual property lawyer rather than relying on a free forum for legal advice.

5 Likes

We are programmers. Not lawyers. You need to go talk to a lawyer. If you don't want to pay for one, then you might not get the answer you're looking for. Otherwise, there are plenty of "legal advice" forums online that will probably be able to better answer your legal questions.

6 Likes

Thanks for the explanation.

Of course, if I were doing a big thing and making a business (which I am not doing), I would seek legal advice from a professional.

I just want to understand how to do it. So my guess was right that as long as I just use other code as dependencies and publish stuff in my repo and put it on crates.io I am fine.

I guess it's the same then as with Python, where the end user also pulls the dependencies themselves.

So I think my take home lesson is never publish binaries or images, just the source code.

Here's a book from the former general counsel of the Open Source Initiative all about licensing, if you want to learn: oslbook

4 Likes
