Monthly Archives: November 2018

Tips for Preparing Open Source Software Attribution Statements

Most open source software licenses require a credit to the authors of the open source software to be provided along with the software itself when it is distributed. This is part of the bargain of using open source software. Credits also enable other users to obtain their own copies of the open source software, which furthers the free sharing and use of the software.

Such credits are often called “attribution statements” or “open source notices.” They typically consist of (a) copyright notices in the names of the authors of the open source software, and (b) the text of the open source software license. For a list of commonly-used open source licenses, including a standardized short license identifier and official text of each license, see the SPDX License List.

Finding and gathering the attribution statements can be time-consuming. If you are lucky, the open source software will have a well-organized single document of attribution statements. Otherwise, the statements may appear in various directories at different levels in the source code of the software. They frequently appear in files named LICENSE, COPYING, COPYRIGHT, NOTICE, LEGAL NOTICES or README, or on the home page of the source code repository for the software (such as GitHub). The statements may also appear in the end user menu of the software under “About this software” or similar.

Depending on the size and complexity of the software, attribution statements can range from a single page all the way to many thousands of pages. In a basic software project, such as a simple app, the attribution statements can be collected manually and displayed in a page of the “About this app” section of the app. For more complicated software, such as an entire operating system, the attribution statements may need to be collected and formatted using automated tools. There is no single accepted practice for formatting attribution statements. For a very comprehensive example, see Amazon’s Kindle for iOS Legal Notices. For an overview and examples from other companies, see OSS Attribution Best Practices (although I don’t agree with everything in that article).

Automated tools are available for generating attribution statements. The OSS Attribution Builder by Amazon works from license information that you input into the tool. A special-purpose OSS attribution generator is intended for generating attribution statements from Javascript because those attribution statements are difficult to create manually. Another approach is to manually embed license information into the source code itself, and then compile attribution statements from that information. For example, the AboutCode Toolkit sponsored by nexB Inc. works from license summary information placed in ABOUT files.

Here are some other tips:

  • When deciding on an approach, consider how often the open source software may change. For a complex code base that changes periodically, an automated solution to collect and format the statements makes it easier to maintain them. Keep in mind that open source projects sometimes change from one open source license to another, which would require an updated attribution statement.
  • In addition to open source licenses, commercial licenses may require the licensee to distribute notices, such as copyright or patent notices, or even other open source attribution statements. You may need to find those statements in the commercial license agreement, not in the commercial code itself.
  • Copyleft licenses, such as the GNU General Public License (GPL) and Mozilla Public License (MPL), also require distribution of the source code (including modifications) of the open source software, in addition to attribution statements. I have not addressed that topic here.