This policy was approved by the TSC on 12/19/18
EdgeX Foundry is an Apache 2.0 License product. Each EdgeX repository shall include an Apache 2.0 License file at the base of the project. This file will be named LICENSE.
Contributors are required to validate that any and all contributions made comply with the Apache 2.0 License agreement. Inclusion of 3rd party materials must be of Apache 2.0 or compatible license. BSD, MIT and other license agreements are typically compatible, but contributors are encouraged to consult with the Linux Foundation and members of the EdgeX TSC before making a contribution that includes material under a license other than Apache 2.0.
Contributors must ensure that the LICENSE file (and the Attribution.txt file defined below) are included in the program artifacts associated with that contribution. This may include inclusion in a Docker image, snap package, Java JAR file, etc. Contributors are requested to check with the DevOps WG chairperson or other member of the TSC for assistance in getting these files included in the associated artifacts.
The LICENSE file will contain the Apache 2.0 text defined here: https://www.apache.org/licenses/LICENSE-2.0. For an example, see the following EdgeX repository: https://github.com/edgexfoundry/edgex-go/blob/master/LICENSE
Although EdgeX Foundry is an Apache 2.0 License product, it often uses other open source products, libraries and other works. This is not uncommon for open source efforts. When using other products, contributors must ensure that the products they use are compatible with the Apache 2.0 license.
Whenever a contributor adds a new dependency on a 3rd party programming library (e.g. C library, Go Lang or Java package, etc.) to any EdgeX service, the contributor must check that the addition is compatible with the Apache 2 License of EdgeX. When unsure, contributors should check with the TSC and the Linux Foundation about compatibility before including the addition in any Pull Request or other official artifact contribution.
If new non-EdgeX tools, applications, scripts, etc. are required at runtime, then the licenses of those products need to be included, but not in the Attribution.txt file.
Contributors must create an Attribution.txt file for each binary or external library package built from the repository when submitting the initial Pull Request for any new EdgeX Foundry repository. The Attribution file(s) should list any open source used or referenced in the repository (see Contents below). This may include reference to other EdgeX Foundry products so that a user or other contributor can easily trace inclusion by association.
Contributors must update the Attribution.txt file(s) when submitting a Pull Request that adds, updates (for example uses a different version of a 3rd party library), or removes any referenced open source as a result of the Pull Request. This may include reference to other EdgeX Foundry products so that a user or other contributor can easily trace inclusion by association with the associated EdgeX product. Contributors are to update the Attribution.txt file for each binary or external library package built from the modified repository.
Contributors must ensure that the Attribution.txt file (and the license file) are included in the program artifacts associated with that contribution. This may include inclusion in a Docker image, snap package, Java JAR file, etc. Contributors are requested to check with the DevOps WG chairperson or other member of the TSC for assistance in getting these files included in the associated artifacts.
The Attribution.txt file should enumerate all used/referenced 3rd party libraries or packages for a given binary or library. It should contain the following:
"The following open source projects are referenced by [EdgeX Foundry service, package, or artifact containing this file]:"
Iterate the following for each open source product/project referenced:
"[package] (compatible license such as BSD-3, MIT, etc.) [URL to the resource]
[URL to the package's license file]"
Here is an example of the Attribution file contents:
The following open source projects are referenced by Core Data Go:
pkg/errors (BSD-2) https://github.com/pkg/errors
gorilla/mux (BSD-3) https://github.com/gorilla/mux
gopkg.in/mgo.v2 (unspecified) https://gopkg.in/mgo.v2
The Attribution.txt file should be placed where it can easily be incorporated into EdgeX project artifacts (Docker images, snap package, JAR files, etc.). Below is a list of the default placement of the Attribution file for different types of projects: