[HN Gopher] GoLic, injects license into source code files
___________________________________________________________________
GoLic, injects license into source code files
Author : kure256
Score : 23 points
Date : 2024-10-26 09:33 UTC (2 days ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| jchw wrote:
| Neat. There are a lot of hand-rolled implementations of this idea,
| would be nice to have something to standardize on. I am sure it
| can be done with custom templates but a good idea IMO might be
| supporting declarations using SPDX IDs. You see them in some
| source code, e.g. KDE source code. More info here:
|
| https://spdx.dev/learn/handling-license-info/
|
| For anyone wondering if this (license information in source
| files) is necessary, I think the answer is "maybe". Some licenses
| (e.g. Apache 2) seem to be written such that the license itself
| requires the disclaimer, and even having copyright information
| (e.g. users that make substantial contribution adding the name of
| whoever is assigned the copyright for their contribution to the
| header) is a good idea. I used to be against this for aesthetic
| reasons, viewing it somewhat similarly to those annoying
| corporate email footers, but over time it's become more obvious
| to me that it not only is great for keeping the license very
| explicit everywhere but may also be legally a good idea. (IANAL.)
| chrismorgan wrote:
| > _Some licenses (e.g. Apache 2) seem to be written such that
| the license itself requires the disclaimer_
|
| I don't believe this is actually true. These instructions are
| not in the actual license terms and conditions, but rather in a
| distinct information section _after_ that. In GPL-3.0, "How to
| Apply These Terms to Your New Programs"; in Apache-2.0, "How to
| apply the Apache License to your work". My understanding is
| that such prescriptions and sections are not normative.
|
| From a pure copyright law perspective: no, you definitely don't
| need to put the license in each source file. Copyright is
| automatic these many years, so you don't even need a copyright
| line; and license can be (and practically always _is_)
| independent of the code. This would _obviously_ 1 hold for
| warranty disqualification too. Bigger businesses may like to do
| it for their own convenience of license management, and
| individuals or groups may like to do it on their work in case
| individual files are lifted (... as distinct from smaller
| units, or even taking a file and stripping the header), but
| basically the era where this sort of thing could _arguably_ be
| relevant as a mandate is long-past.
|
| There's even more definitely no need for a dozen lines. If you
| really want to put anything, one line for a copyright
| declaration and one line for SPDX-License-Identifier seems
| fair.
|
| As for copyright lines... bah, they're such a bunch of
| _drivel_. The way people use year ranges, or just bump the
| year, it's almost all such legal nonsense. As in, "if this
| stuff _actually_ mattered, you'd probably have lost your
| copyright protection" nonsense. The fact of the matter is that
| copyright year stuff wasn't designed for such easily-edited
| stuff as software. It was designed for "first edition copyright
| 1925; renewed 1935; second edition copyright 1945", that kind
| of thing.
|
| --***--
|
| 1 "Obviously" here means what a normal person would mean; but I
| acknowledge that some jurisdictions sometimes hold positions
| that are obvious nonsense.
| jchw wrote:
| Firstly, if you are not a legal professional, please temper
| your statements somewhat. There are very few absolutes when
| it comes to interpreting legalese, and what is true for one
| jurisdiction may not be true for all of them. (Obligatory:
| yes, I am aware of the existence of international copyright
| treaties/Berne Convention.) That said, as I denoted, I am
| (also?) not a lawyer. I will try to follow my own advice and
| not make any strong claims I am not qualified to make.
|
| Now with that said...
|
| > I don't believe this is actually true. These instructions
| are not in the actual license terms and conditions, but
| rather in a distinct information section after that. In
| GPL-3.0, "How to Apply These Terms to Your New Programs"; in
| Apache-2.0, "How to apply the Apache License to your work".
| My understanding is that such prescriptions and sections are
| not normative.
|
| There are a few lines in Apache 2 itself which are normative
| and make reference to obligations regarding notices attached
| directly to source files. Most notably, see section 4.a[1]:
|
| > You must cause any modified files to carry prominent
| notices stating that You changed the files; [...]
|
| Of course, you can argue about what might qualify or not
| qualify here, e.g. maybe Git metadata is good enough, but
| then a tarball produced by your Git host of choice would
| suddenly violate the copyright license obligations.
|
| > From a pure copyright law perspective: no, you definitely
| don't need to put the license in each source file. Copyright
| is automatic these many years, so you don't even need a
| copyright line; and license can be (and practically always
| is) independent of the code.
|
| I have no idea what you mean by this. First of all, of course
| you don't have to put the entire copyright license into each
| source file; this is solely about copyright _notices_, which
| typically point to a more complete LICENSE/NOTICE file.
| Secondly,
|
| > license can be (and practically always is) independent of
| the code.
|
| I'm not sure what this means. Each file of a project either
| needs to be in the public domain or has to be covered under
| some kind of copyright license for anyone (aside from the
| original authors) to be able to distribute it. At least from
| a conceptual sense, the code and the copyright license are
| definitely not independent. (This still holds with dual
| licensing schemes.)
|
| > There's even more definitely no need for a dozen lines. If
| you really want to put anything, one line for a copyright
| declaration and one line for SPDX-License-Identifier seems
| fair.
|
| Some projects basically just do this, but many of them do
| both. The SPDX identifier is great because it is machine-
| readable, and it might help you if you're ever in a situation
| where it's necessary.
|
| > As for copyright lines... bah, they're such a bunch of
| drivel. The way people use year ranges, or just bump the
| year, it's almost all such legal nonsense. As in, "if this
| stuff actually mattered, you'd probably have lost your
| copyright protection" nonsense. The fact of the matter is
| that copyright year stuff wasn't designed for such easily-
| edited stuff as software. It was designed for "first edition
| copyright 1925; renewed 1935; second edition copyright 1945",
| that kind of thing.
|
| While registering copyrights or including copyright notices
| explicitly is not necessary to have protection under
| copyright law, my layperson understanding is that it does
| indeed afford you additional protection under law in some
| cases. My understanding is that since Berne Convention,
| pretty much anywhere on Earth anything you produce that's
| eligible for copyright protection does implicitly get it.
| However, if you ever actually wind up in court over copyright
| issues, the lack of clarity on what licenses go where could
| possibly create reasonable doubt. It's a lot of risk for what
| ultimately amounts to an aesthetic concern.
|
| P.S.: Also, just so it's clear, I am mainly concerned about
| the copyright notices because they explicitly denote the
| copyright license, not because they denote the existence of
| copyright protection. This is especially nice to have when
| people contribute patches to your projects, so that it can be
| as explicit as possible that their contributions are under
| the same license as the original file.
|
| I will stress again that I am not a legal professional, I
| don't study law, and at best I have spoken to people who do
| irregularly. However, I haven't found anyone that would
| disagree that it is a good idea to provide a full-fat
| copyright notice when possible. All else the same, it's just
| good hygiene at a cost of a kilobyte or so per file.
|
| [1]:
| https://www.apache.org/licenses/LICENSE-2.0#redistribution
| tempfile wrote:
| > > From a pure copyright law perspective: no, you
| definitely don't need to put the license in each source
| file.
|
| > I have no idea what you mean by this.
|
| I think they interpret your original comment as "do you
| need to do this [to obtain copyright protection]? Maybe"
| rather than "do you need to do this [to comply with the
| license terms]? Maybe", which is what I think you intended.
| If I'm right, this explains a lot of the stuff in their
| comment that doesn't really make sense.
| kelnos wrote:
| > _I have no idea what you mean by this. First of all, of
| course you don't have to put the entire copyright license
| into each source file; this is solely about copyright
| notices, which typically point to a more complete
| LICENSE/NOTICE file._
|
| You don't even need a copyright notice. Under current US
| law (and that of many other countries that have harmonized
| their copyright regimes), copyright is automatic, and
| requires no notice at all. Obviously it is better/safer for
| you to put a copyright notice on everything you create, but
| it is not required. You will hold copyright on a work you
| create and distribute today, even if you don't put your
| name or the magic "Copyright 2024 $NAME" bit anywhere on
| it.
|
| I think there's some confusion here about copyright vs.
| licensing: those two things are independent, except of
| course that you need to hold the copyright to be able to
| set licensing terms. The default, without any provided
| license, is the most restrictive one: that no one else
| has any rights toward the covered work.
|
| > _While registering copyrights or including copyright
| notices explicitly is not necessary to have protection
| under copyright law, my layperson understanding is that it
| does indeed afford you additional protection under law in
| some cases._
|
| Registering does, yes. In the US, at least, you cannot file
| suit to protect your copyright unless it is registered. I
| don't believe the presence or absence of a copyright notice
| matters one bit; ultimately regardless of the presence or
| absence of a copyright notice, if it ends up in court,
| everyone will be providing more documentation as to the
| provenance of the work in question.
|
| The dates you list in the copyright notice are perhaps
| useful for readers, but if a dispute ends up in court, part
| of the proceedings may involve determining the creation
| date/year of any bits under dispute, independent of what
| you put in the copyright notice. But in practice, with
| software, considering the stupid-long time things remain
| under copyright these days, the exact date doesn't matter
| much, as pretty much anything anyone is going to bring a
| dispute about is going to still be under copyright.
|
| > _However, if you ever actually wind up in court over
| copyright issues, the lack of clarity on what licenses go
| where could possibly create reasonable doubt_
|
| "Beyond a reasonable doubt" is a standard applied to
| criminal cases; civil cases have a lower burden of proof.
| But yes, you're always better off with things documented
| than not. A judge/jury will certainly appreciate a
| plaintiff or defendant who has all their ducks in a row vs.
| one that is disorganized. But they'll also be cognizant of
| (and try to determine) what the copyright holder _intended_
| to do, even if the documentation doesn't spell it out as
| clearly as one would like.
|
| The law is not a computer; you're not likely to get away
| with copyright infringement just because the copyright
| holder missed some detail.
|
| > _I am mainly concerned about the copyright notices
| because they explicitly denote the copyright license_
|
| No they don't. A "copyright notice"[0] is simply something
| that says "Copyright $YEAR $NAME". A "copyright license" is
| a list of terms that give people more rights to use and
| distribute the work than they would get under copyright
| law.
|
| You don't need to put licensing information in each source
| file. If everything in a project is released under the same
| license, noting the license in a single place is fine. If
| different files have different licenses, of course you'll
| need to note things specifically; though, again, if you
| don't want to put licensing information in each file, you
| can still note in a single place which files are under
| which license.
|
| But as I mentioned above, more documentation is
| better/safer than less. Personally I put licensing
| information in every source file of the things I release,
| even if every file is under the same license as the project
| as a whole.
|
| [0] https://en.wikipedia.org/wiki/Copyright_notice#Form_of_notic...
| jchw wrote:
| > You don't even need a copyright notice. Under current
| US law (and that of many other countries that have
| harmonized their copyright regimes), copyright is
| automatic, and requires no notice at all. Obviously it is
| better/safer for you to put a copyright notice on
| everything you create, but it is not required. You will
| hold copyright on a work you create and distribute today,
| even if you don't put your name or the magic "Copyright
| 2024 $NAME" bit anywhere on it.
|
| > I think there's some confusion here about copyright vs.
| licensing: those two things are independent, except of
| course that you need to hold the copyright to be able to
| set licensing terms. The default, without any provided
| license, is the most restrictive one: that no one else
| has any rights toward the covered work.
|
| There is no such confusion on my part, rather it's simply
| that I should've said "copyright and license notices"
| instead of just "copyright notice", but my entire point
| in that line is that the notice and the license are two
| different things. The only case where you'd put the
| entire license inline into the source code files is when
| the license notice _is_ the entire license, for short
| licenses like 3BSD or MIT.
|
| > Registering does, yes. In the US, at least, you cannot
| file suit to protect your copyright unless it is
| registered. I don't believe the presence or absence of a
| copyright notice matters one bit; ultimately regardless
| of the presence or absence of a copyright notice, if it
| ends up in court, everyone will be providing more
| documentation as to the provenance of the work in
| question.
|
| > The dates you list in the copyright notice are perhaps
| useful for readers, but if a dispute ends up in court,
| part of the proceedings may involve determining the
| creation date/year of any bits under dispute, independent
| of what you put in the copyright notice. But in practice,
| with software, considering the stupid-long time things
| remain under copyright these days, the exact date doesn't
| matter much, as pretty much anything anyone is going to
| bring a dispute about is going to still be under
| copyright.
|
| As to whether including a copyright notice on each file
| is useful, I will defer to the U.S. Copyright Office,
| which lists a few points in which a copyright notice is
| still useful.
|
| https://www.copyright.gov/circs/circ03.pdf
|
| > "Beyond a reasonable doubt" is a standard applied to
| criminal cases; civil cases have a lower burden of proof.
| But yes, you're always better off with things documented
| than not. A judge/jury will certainly appreciate a
| plaintiff or defendant who has all their ducks in a row
| vs. one that is disorganized. But they'll also be
| cognizant of (and try to determine) what the copyright
| holder intended to do, even if the documentation doesn't
| spell it out as clearly as one would like.
|
| I'll quote from the document I linked above:
|
| "In the case of a published work, a notice may prevent a
| defendant in a copyright infringement action from
| attempting to limit his or her liability for damages or
| injunctive relief based on an innocent infringement
| defense."
|
| So yes, it definitely does matter. This is especially
| true if there's a possibility your source code could wind
| up being distributed in some fashion that you did not
| originally intend, e.g. outside of source control,
| possibly copied into a bigger repository, where it's
| easier to miss the separate NOTICE/LICENSE/etc.
|
| > The law is not a computer; you're not likely to get
| away with copyright infringement just because the
| copyright holder missed some detail.
|
| Yes, I know, color of your bits, whatever. (The notice I
| _really_ need is an 8-paragraph-long disclaimer I can
| affix to my posts to cover all of the things I already
| understand and don't need described to me again in a
| mildly condescending fashion.)
|
| However, I will note that being legally boned due to a
| technicality is _absolutely_ a thing that exists. Hell,
| this _was_ the reality prior to the Berne Convention:
| even if you intended for something to have copyright
| protection, failing to put a copyright notice on it could
| indeed cause you to lose out on copyright protection. So
| I'm not sure what this has to do with anything here.
| Technicalities exist just as much in law and bureaucracy
| as they do in computers...
|
| > No they don't. A "copyright notice"[0] is simply
| something that says "Copyright $YEAR $NAME". A "copyright
| license" is a list of terms that give people more rights
| to use and distribute the work than they would get under
| copyright law.
|
| > You don't need to put licensing information in each
| source file. If everything in a project is released under
| the same license, noting the license in a single place is
| fine. If different files have different licenses, of
| course you'll need to note things specifically; though,
| again, if you don't want to put licensing information in
| each file, you can still note in a single place which
| files are under which license.
|
| > But as I mentioned above, more documentation is
| better/safer than less. Personally I put licensing
| information in every source file of the things I release,
| even if every file is under the same license as the
| project as a whole.
|
| I re-iterate again that I should have said "copyright and
| license notices". I really wish I had done that, because
| it could've saved a lot of typing to have gotten that
| part right.
| tempfile wrote:
| > for anyone wondering if this is necessary
|
| It's not necessary (for you). But if you want to share your
| work, it can be very important for those people you share it
| with!
|
| The reason is quite simple. Some downstream user, who should be
| able to use your code, may not have it conveyed to them in the
| way you imagine. They might only receive a single file out of
| the project, since that's what they needed. Technically, the
| person who distributed the file to them has violated the
| license by not sending the license text in-band. This is not
| good for the community, since it produces confusion about who
| is allowed to use free software -- it should be everyone, not
| just people who understand the details of licensing.
| VonGallifrey wrote:
| > Technically, the person who distributed the file to them
| has violated the license by not sending the license text in-
| band.
|
| That person might also just send parts of a file instead of
| the entire file with the license at the top.
| Tomte wrote:
| There is a related oddity in GPL 2: when distributing modified
| source code you must put a mini changelog in the file itself
| (clause 2. b).
|
| Nobody does that anymore. We have git, and before that we had
| SVN and CVS and so on.
|
| The legal commentaries I know simply say "in principle that
| requirement is legally valid and you must do it this way, in
| practice no programmer seems to do that, so _shrug_ ".
| jchw wrote:
| > There is a related oddity in GPL 2: when distributing
| modified source code you must put a mini changelog in the
| file itself (clause 2. b).
|
| Are you referencing the right license/clause? I don't
| actually see how GPLv2's clause 2. b would require this
| actually.
|
| > Nobody does that anymore. We have git, and before that we
| had SVN and CVS and so on.
|
| Yep, I will agree with you that pretty much nobody actually
| does this, and it does not seem like it is an obstacle so
| far, e.g. I have not seen legal contention over this, mostly
| just discussion.
|
| And honestly, writing a mini-changelog definitely seems like
| overkill with version control, and perhaps in most cases
| version control metadata is a perfectly acceptable
| substitute. However, since the file(s) might be distributed
| outside of version control where the version control data
| might not be present (e.g. like a release tarball) having _at
| least_ the copyright information in each file seems useful.
| Whether it satisfies the "prominent notice that the file is
| changed" requirement is actually not 100% certain, but I
| can't imagine it puts you in a _worse_ position to do so.
| Tomte wrote:
| Yes, I meant 2. a:
|
| "You must cause the modified files to carry prominent
| notices stating that you changed the files and the date of
| any change."
| tempfile wrote:
| I don't think clause 2b says that, do you perhaps mean clause
| 2a? In GPLv2 that says:
|
| > a) You must cause the modified files to carry prominent
| notices stating that you changed the files and the date of
| any change.
|
| while in GPLv3 it says
|
| > a) The work must carry prominent notices stating that you
| modified it, and giving a relevant date.
|
| Note that git/svn are not always relevant. In particular, it
| is not uncommon to distribute release code with the .git
| directory stripped - this does not excuse you from the
| requirement.
|
| Having said that, I had a quick glance at Linux, and picking
| a file at random it did have _a_ copyright header, but
| certainly not one that included a record of every change.
| https://github.com/torvalds/linux/blob/master/init/calibrate...
|
| So it doesn't look like this is peculiar to v2. But it does
| seem like people don't follow the letter of the requirement.
| I wonder if the FSF has ever clarified this.
| JamesCoyne wrote:
| Could use a (2021) in the title. No activity since then in the
| repo
| IshKebab wrote:
| There's no legal reason to do this.
| tyleo wrote:
| I've heard from lawyers there is a reason but I've never heard
| the explanation so I'm sorry that I can't share one :(
|
| Is there any chance someone else could clear this up?
| gtirloni wrote:
| I've opted to simply add the SPDX license identifier [0], just
| like it's done in the Linux kernel [1]
|
| [0] https://spdx.org/licenses/
|
| [1]
| https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...
| dangoor wrote:
| Ideally, this would follow the format of reuse.software so that
| there's a machine-readable standard for these:
| https://reuse.software
|
| I'm working on tooling that involves automated reading of this
| info, and it's a lot easier if the tools don't have to do fuzzier
| matching.
___________________________________________________________________
(page generated 2024-10-28 23:01 UTC)