Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Guidance for license headers and NOTICE file on DataDog contributed code #305

Closed
trask opened this issue Feb 29, 2020 · 26 comments · Fixed by open-telemetry/opentelemetry-java-instrumentation#281
Assignees

Comments

@trask
Copy link
Member

trask commented Feb 29, 2020

Hi all!

Based on #113, we are adding the standard license header to all files in https://github.com/open-telemetry/opentelemetry-auto-instr-java:

/*
 * Copyright 2020, OpenTelemetry Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

I realized though that I wasn't sure about the copyright line, and wanted to confirm that applying this copyright to code written at DataDog is covered under DataDog's contribution, or if we should be using something different?

Also, what should we do about the NOTICE file? E.g. is removing this file allowed under DataDog's contribution, or should we leave it as-is?

Datadog dd-trace-java
Copyright 2017 Datadog, Inc.

This product includes software developed at Datadog (https://www.datadoghq.com/).

Thanks,
Trask

@bhs
Copy link
Contributor

bhs commented Feb 29, 2020

@trask this is a good question and I am not sufficiently well-versed to provide a confident answer... my overall "sense" (i.e., "don't hold me to this") is that it's possible to remove things like that NOTICE file as long as there is some sort of well-advertised 2w+ comment period and nobody objects (from DD or otherwise). But frankly I'm not sure.

@tigrannajaryan
Copy link
Member

tigrannajaryan commented Mar 2, 2020

[UPDATE] Ignore this comment, since it is based on incorrect understanding of current situation.

Disclaimer: I am not a lawyer, the following is just my opinion:

  1. We must keep the NOTICE file. From Apache license:
          If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file
  1. Any other files that we modify must clearly state that they were changed:
You must cause any modified files to carry prominent notices
          stating that You changed the files;
  1. We cannot remove existing copyright, etc notices:
You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works;

My understanding is that all these requirement may be lifted if Datadog explicitly grants additional rights to do so, in effect making a contribution under non-Apache license, otherwise we have to follow Apache license requirements.

@yurishkuro
Copy link
Member

My advice is to follow the Apache license rules as @tigrannajaryan described above. It's not only the legally required thing to do without any additional grants, but also gives Datadog credit for their donation. I.e. at the beginning all files should contain two copyright lines, OpenTelemetry, and the original Datadog copyright (because their copyright does not disappear). This is very common in OSS, e.g. you can easily find files in Linux code that have copyright lines by Apple, Microsoft, a IBM, one after another.

NB: it's ok to add OTel copyright to all files at once because package names are changing.

@trask
Copy link
Member Author

trask commented Mar 2, 2020

Thanks @yurishkuro! Does this mean that we should be adding other vendors' copyrights to these files as they make contributions also?

@yurishkuro
Copy link
Member

yurishkuro commented Mar 2, 2020

Not necessarily. In CNCF projects, it is common to contributions under 'Copyright {year} The {Project} Authors'. OpenTelemetry makes this even more relevant because it has a CLA by which contributors assign the copyright to the project. But the same reasoning does not apply to code that is initially copied from another Apache-licensed project, as that happens without copyright assignment (and Datadog alone may not be in the position to provide such assignment unless every single contributor to their project was their employee).

@trask
Copy link
Member Author

trask commented Mar 2, 2020

Thanks for the responses!

I'm not totally clear on this yet.

DataDog contributed this code to OpenTelemetry[1], as opposed to OpenTelemetry going out and copying it from them.

I think it's great to cite them for their contribution, but in that case, I'm not following why we wouldn't cite other vendors for their contributions also.

[1] "we are contributing our tracing libraries to the OpenTelemetry project"

@SergeyKanzhelev
Copy link
Member

CC: @caniszczyk can you provide support on this question.

@yurishkuro
Copy link
Member

@trask when code exists elsewhere with a copyright notice, you cannot copy that code without retaining the notice. This is different from contributing new code to a project under a CLA that assigns copyright.

@trask
Copy link
Member Author

trask commented Mar 2, 2020

@yurishkuro, we didn't copy that code. DataDog contributed it (see link above).

@yurishkuro
Copy link
Member

You mean a link to a blog post? That's not a legal document.

@trask
Copy link
Member Author

trask commented Mar 2, 2020

You're right.

I believe the blog post outlines the spirit of the contribution, but it is not a legal document.

From a legal perspective (in order to follow through on the spirit of the contribution), we have had DataDog employees perform the initial code push to https://github.com/open-telemetry/opentelemetry-auto-instr-java and all subsequent merges, so that the contributions would fall under the DataDog-signed CLA.

@trask
Copy link
Member Author

trask commented Mar 3, 2020

The reason I'm focused on the spirit of the contribution is because there are ways to dot the i's and cross the t's legally speaking to align with the spirit (such as what we've done in opentelemetry-auto-instr-java by having the contributions performed by DataDog representative under the DataDog CLA).

It is my hope for OpenTelemetry to be a vendor-neutral space, and to me that means either all vendors are explicitly credited for their contributions, or no vendors are explicitly credited for their contributions.

That said, I strongly believe in crediting all of the DataDog developers for their contributions, and to do that, we have maintained the entire repository history as opposed to just importing the latest code, so that their contributions to the project are not erased.

@bhs
Copy link
Contributor

bhs commented Mar 5, 2020

@trask my two cents (and this is not a strongly-held opinion): Datadog's donation is different, in that they put the work in before OTel existed and are thus repurposing something that was previously developed outside of the OTel repos. Hence the justification for an "exception" re credits.

I agree that subsequent commits (regardless of the contributor's affiliation) need no explicit vendor credits beyond the domain name of the committer email addresses.

@trask
Copy link
Member Author

trask commented Mar 5, 2020

This would be disappointing, because we were under the impression that this was a vendor neutral space, and there were other very viable alternatives to DataDog's initial contribution, at least in the Java space.

@bhs
Copy link
Contributor

bhs commented Mar 5, 2020

I may be missing something here – my understanding (please correct me if I'm wrong, I am not following this closely / in detail) is that the java auto-instr work was seeded with a large volume of DD code. That's the sole basis for my comment.

I'm also curious if this is primarily a question of legal T's and C's, or if it's primarily a question of "credit" (very different things IMO).

@trask
Copy link
Member Author

trask commented Mar 5, 2020

My feeling is that having "Copyright DataDog" in the license headers and in the NOTICE file, while at the same time not attributing other vendors in these same places, does not lead to this being a vendor-neutral space, and de-motivates other vendors in this competitive space from contributing.

I think that maintaining the repository history (instead of truncating it and starting fresh) preserves and publicly credits DataDog's (and their developers') prior work. I know this was important to them when we started the project so that their contributions would not get erased (e.g. see https://github.com/open-telemetry/opentelemetry-auto-instr-java/graphs/contributors).

@bhs
Copy link
Contributor

bhs commented Mar 5, 2020

So @trask, what exactly are you proposing, just so that we understand the alternative?

@trask
Copy link
Member Author

trask commented Mar 5, 2020

I would propose that no vendors are cited in the license headers or NOTICE file, only "OpenTelemetry Authors".

I would propose that DataDog's contributions be performed under their CLA, same as all other vendors' contributions. I think technically this is what we have done already in auto-instr-java by having someone from DataDog perform all contributions coming from their repository, including the initial import.

@tigrannajaryan
Copy link
Member

I agree with the spirit of what @trask is saying.

I am not certain about the legal aspect of it, but I think if DataDog submitted the source code under the CLA it likely means they contributed a full copy of their code to OpenTelemetry, who is now the licensor. From legal standpoint this is now a different Intellectual Property that has a different licensor, DataDog is no longer the licensor, they are merely an author. Anyone forking from OpenTelemetry will have to follow Apache license requirements, but not OpenTelemetry itself, because OpenTelemetry is the licensor. As a licensor obviously you do not add notices to your own code when you modify it.

Things would different if OpenTelemetry forked DataDog's source code. In that case we would need to follow Apache license requirements and do the attributions, etc. This is not the case, we did not fork it.

Again, IANAL, just my understanding of copyright and licenses.

Perhaps we can have DataDog legal or CNCF legal shine some light?

@bhs
Copy link
Contributor

bhs commented Mar 5, 2020

@tigrannajaryan that is very helpful (at least for me), thank you... What does that mean about the LICENSE file as it stands in the OTel repo? Is it vestigial from a legal/licensing standpoint?

@tigrannajaryan
Copy link
Member

I think we (CNCF/OpenTelemetry) are free to put anything we want in LICENSE file as long as it does not contradict the CLA that are signed by contributors. Reading CNCF CLA I do not see anything that puts any obligations on us on how exactly we should sublicense the contributed code. Quote from CLA:

You hereby grant to the Foundation and to recipients of software distributed by the Foundation a perpetual, worldwide, non­exclusive, no­charge, royalty­free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

(substitute You=DataDog above)

I think it is our choice to sublicense it as Apache license (and CLA says we are free to sublicense) and thus the LICENSE file in our repo is a copy of Apache license.

(Do note that my first comment in this thread said something else because I originally misunderstood how exactly the DataDog's source code came to be OpenTelemetry source code).

Again, I am not a lawyer and I am not qualified to give a legal advise. It would be great if we could get legal help from a lawyer.

@tedsuo
Copy link
Contributor

tedsuo commented Mar 9, 2020

In a relevant thread, we are moving towards consolidating a single license file per project, and removing the individual license headers:

For this particular project, the licenses in question come from donated code. The CNCF guidelines on copyright notices (https://github.com/cncf/foundation/blob/master/copyright-notices.md) has some relevant information.

Note that "copyright notices are not mandatory in order for the contributor to retain ownership of their copyright." So it is okay to remove the notices without changing the underlying copyright.

Also note that "You should not change or remove someone else's copyright notice unless they have expressly permitted you to do so. This includes third parties' notices in pre-existing code."

This suggests that it would be best if @tylerbenson or someone else from Datadog removed the notices. Let's request guidance from @jeremy-lq before pulling the trigger on any of this.

In general, I think it would be best if we cleaned up all of these headers now, and normalized how we handle licensing across the project (by moving to a single, root-level license for each repo).

@jeremy-lq
Copy link

jeremy-lq commented Mar 11, 2020

Hello. As the CNCF copyright guidelines indicate, the CNCF CLA does not contain a copyright assignment clause. That said, we at Datadog very much want this to be a collaborative community-driven project with engagement from all vendors and users alike. The suggestion by @bhs seems reasonable to us (and we're in no way opposed to adding additional copyright), but we're happy to discuss further.

@bhs
Copy link
Contributor

bhs commented Mar 12, 2020

@jeremy-lq reading the entire thread above (esp the responses to my suggestion), a number of folks who are spending considerable effort contributing both net-new code as well as incorporating ideas from other prior art (e.g., Glowroot from @trask, though there are others) don't feel great about any one vendor getting "special treatment" from a NOTICE file standpoint (and nobody is trying to single out Datadog here! I believe the same argument would go for any other commercial entity / vendor).

Is Datadog comfortable removing that NOTICE file from the OTel repo? From a legal/CLA standpoint, it is vestigial, at least if I understand the above correctly.

Of course attribution at the line level is not up for debate here, and Datadog is very well-represented on that front!

PS: OSS licensing is very far from my lingua franca here... I would like to advance the topic here so am proposing a path forward... if anything I'm suggesting is nonsensical, please don't be shy letting me know. :)

@jeremy-lq
Copy link

Thank you for the patience. We approve the project proceeding with the removal of the NOTICE file, and attributing the copyright to "OpenTelemetry Authors". open-telemetry/opentelemetry-java-instrumentation#281

@SergeyKanzhelev
Copy link
Member

I'm closing issue - will coordinate NOTICE file removal in appropriate repositories.

SergeyKanzhelev added a commit to open-telemetry/opentelemetry-java-instrumentation that referenced this issue Mar 24, 2020
Remove notice file - keep copyright in individual file headers

See discussion here: open-telemetry/community#305
SergeyKanzhelev added a commit to open-telemetry/opentelemetry-python-contrib that referenced this issue Mar 24, 2020
Remove notice file - keep copyright in individual file headers

See discussion here: open-telemetry/community#305
codeboten pushed a commit to open-telemetry/opentelemetry-python-contrib that referenced this issue Mar 26, 2020
Remove notice file - keep copyright in individual file headers

See discussion here: open-telemetry/community#305
MrAlias added a commit to open-telemetry/opentelemetry-go-contrib that referenced this issue May 14, 2020
Based on [this](open-telemetry/community#305 (comment))
approval, changing attribution to the OpenTelemetry authors.
jmacd pushed a commit to open-telemetry/opentelemetry-go-contrib that referenced this issue May 14, 2020
* Add an instrumentation for gin-gonic web framework

* Add an example use of the gin-gonic instrumentation

* Update attribution and remove NOTICE

Based on [this](open-telemetry/community#305 (comment))
approval, changing attribution to the OpenTelemetry authors.

* Update to v0.5.0 release

Use new `kv` and `value` packages.

Co-authored-by: Tyler Yahn <[email protected]>
MrAlias added a commit to rnburn/opentelemetry-go-contrib that referenced this issue May 14, 2020
Based on [this](open-telemetry/community#305 (comment))
comment, updating attribution to be to The OpenTelemetry Authors.
jmacd pushed a commit to open-telemetry/opentelemetry-go-contrib that referenced this issue May 15, 2020
* Copy mongo driver

* Add an updated copy of otel-go mock tracer

* Integrate mock tracer

* Update tests

* Update copyright

* Move to plugins dir

* Move mongo plugin to go.mongodb.org dir

* Upgrade to v0.5.0

* Run make

Includes fixes needed to past testing.

* Update attribution

Based on [this](open-telemetry/community#305 (comment))
comment, updating attribution to be to The OpenTelemetry Authors.

* package.go -> doc.go

* Update package name

* Update package docs

* Suggested fix for docs

* Apply feedback

* Remove unneeded go.mod replaces

* Update testing service name

Co-authored-by: Krzesimir Nowak <[email protected]>
Co-authored-by: Tyler Yahn <[email protected]>
Co-authored-by: Tyler Yahn <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants