Add NOTICE file with copyright information #214

Closed
tobi5775 opened this issue Jan 23, 2023 · 20 comments · Fixed by #219 or FasterXML/jackson-module-kotlin#664

Comments

@tobi5775

For a customer project an OpenSource report has to be generated. Therefore a scanner was created to extract the copyright and licence information from our dependencies. During the process, we found that no copyright information was available for this project.

Can you please add a NOTICE file which includes the copyright notice (including your details as copyright owner) and license claim from the Appendix of the Apache 2.0 License? This will make the use of the license valid and help to get applications using this module through legal review.

Your help here would be much appreciated.

From https://www.apache.org/licenses/LICENSE-2.0:

Include a copy of the Apache License, typically in a file called LICENSE, in your work, and consider also including a NOTICE file that references the License.

To apply the Apache License to specific files in your work, attach the following boilerplate declaration, replacing the fields enclosed by brackets "[]" with your own identifying information. (Don't include the brackets!) Enclose the text in the appropriate comment syntax for the file format. We also recommend that you include a file or class name and description of purpose on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
@pjfanning
Member

the NOTICE file is not mandatory with Apache license

@tobi5775
Author

But copyright information must be available. According to my understanding even in every source file.

@robertschubert

I guess both of you are right.
A NOTICE file is not mandatory with the Apache license.

As I understood Tobias he asks you to add a file into the jar file containing a copyright notice (and not a NOTICE file). The name of the file can also be copyright.txt or something else. It would also be ok to add it into the pom.xml as comment.

In my opinion Tobias is also right with the previous comment. In my opinion the Apache license asks the developers to put the block

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

as a header (comment) into each source code file. Looking into a sample source code file (e. g. JacksonAnnotation.java) shows that the header (comment) is not there.
It would be great if you could add this header into each source file (and also the pom.xml). This would be much appreciated.

@cowtowncoder
Member

I can add NOTICE in jar similar to jackson-core. Not a big deal.

But I definitely do not want to add tons of boilerplate in source files, that is pure unnecessary fluff.
It is not required at all. I do not really care about security scanners requiring this; that's their problem. As long as pom.xml has LICENSE info (at least via parent poms it does; if it must be duplicated directly, fine) that should be fine.

@cowtowncoder
Member

Actually, existing NOTICEs refer to Apache License (in jackson-core, jackson-databind).
Will add that; there is already META-INF/LICENSE in all 3 jars, including annotations.

@robertschubert

@cowtowncoder
I understand your argumentation, that you do not want to add the boilerplate comments into the java source files. I also hate stupid copy/pasting.
But:
The apache 2.0 license asks you to do so in the appendix of the license text, please see:
https://www.apache.org/licenses/LICENSE-2.0

I'm not a lawyer but I guess the apache license is not applied as intended by apache.
To underline it: other libraries running with apache 2.0 have it in the code. Just randomly picked some e. g.

@pjfanning
Member

@robertschubert you are asking for a lot of work - would you be willing to do it? There is not just this repo, there are dozens of similar repos in https://github.com/FasterXML. In the end of the day, there are arguments in favour of adding these headers to thousands of files across all these repos but of the thousands of users out there, not many are concerned.

Most users are using jackson via the jars published to maven and the pom and the jars themselves fully assert the use of the Apache license.

@cowtowncoder
Member

I do not plan on adding this boilerplate, nor would accept a PR here.
License can ask nicely that's fine. Notification as an external LICENSE will have to do.

@robertschubert

robertschubert commented Feb 9, 2023

@pjfanning Would not be a problem for me to do a contribution (with a tiny automation). But obviously it is not wanted by @cowtowncoder . Fine with that.

@cowtowncoder
Since you do not have any personal copyright notice at all on source code level you should consider to add a copyright notice (I mean the "Copyright [year] [your name]" sentence) at least into the notice file (which is already there). This should be enough to apply the license.
As example see the following article regarding Apache 2.0 and the copyright notice, chapter "Copyright notice":
https://www.linkedin.com/pulse/how-apply-apache-20-license-your-open-source-software-vladim%C3%ADr-gorej?trk=pulse-article_more-articles_related-content-card

Have a great day.

@robertschubert

@cowtowncoder
what do you think about adding your copyright notice (Copyright [yyyy] [name of copyright owner]) to your notice file?

@pjfanning
Member

@robertschubert did you not read the answer from Feb 8?

@cowtowncoder
Member

@robertschubert That sounds reasonable. Would #219 work?

@cowtowncoder cowtowncoder reopened this Mar 18, 2023
@robertschubert

@cowtowncoder: Thanks! I like it :) ! Fits perfectly for me!
Do you also plan to do it for your other repositories besides Jackson-annotations? I would very much appreciate that.

@robertschubert

and: thanks for being that open for the request even if the discussion was closed already!

@cowtowncoder
Member

cowtowncoder commented Mar 20, 2023

@robertschubert Yes, I would want to do it over time. Although if you had time and could help, I'd be happy to merge PRs to do that. But I will start with 3 core components at least.

Also: thank you for the suggestion -- I think it makes sense and hopefully helps.

@robertschubert

@cowtowncoder
no problem!
As far as I can see, the following modules having a notice file are left for update:
[jackson-module-kotlin]
[java-classmate]
Am I missing something?
The others already have your copyright or do not have a NOTICE at all.
I will create the PRs on Friday or weekend.

@cowtowncoder
Member

There's quite a few more repos with NOTICE (I think I added it to all jackson ones a month or so ago). But we can start with those; it's been 15 years until this was added so there's probably not super urgency here.

@tobi5775
Author

I have created PullRequests for the modules @robertschubert mentioned:
FasterXML/jackson-module-kotlin#664
FasterXML/java-classmate#71

@cowtowncoder
Member

Merged, thank you @tobi5775

@robertschubert

thanks @tobi5775 and @cowtowncoder
