Let’s assume within my project, which is GPLv3 based, I’m using a single library called a-lib.jar. That jar itself is licensed using the Apache v2 license, so I should be fine with the GPL as long as I respect the Apache v2 terms (basically including the license file).
Now when I look into the a-lib.jar that I’m using I see that it is using many other dependencies (packaged within a-lib.jar):
- b-lib.jar
- c-lib.jar
- d-lib.jar
All of them are licensed on open source licenses, but the licenses may differ. E.g.:
- b-lib.jar is licensed under MIT
- c-lib.jar is licensed under Apache v2
- d-lib.jar is licensed under some “custom made” open source license
The resulting file that I would like to release would look like this then:
myproject.jar
|--a-lib.jar
|  |--b-lib.jar
|  |--c-lib.jar
|  |--d-lib.jar
My question is: in order to avoid legal issues, do I have to comply with all the terms of the dependencies of the library that my project depends on? E.g. do I have to place some NOTICE file somewhere, saying that I’m using b-lib.jar and that it is under MIT? Then again: you can play that game forever: b-lib.jar may also include other 3rd-party licenses and so on and on.
Do I have to check EVERY SINGLE component and comply with its terms, even if MY software is not using it but instead a lib that I’m using is using it? Or am I fine if I just take care of my project's dependencies and don’t have to care about 3rd party dependencies? (Basic idea behind that would be that the creator of the a-lib.jar which released it under Apache v2 is responsible for its content).
Besides that: is the situation of the example above any different if the 3rd party dependencies are not child-jars within the a-lib.jar but instead a-lib would be delivered as a Maven project with dependencies to b-lib, c-lib and d-lib and those 3rd party dependencies would be packaged directly into my project *.jar file? So the resulting file would be:
myproject.jar
|--a-lib.jar
|--b-lib.jar
|--c-lib.jar
|--d-lib.jar
Surviving the treacherous landscape of open-source licenses can be difficult at times but you should respect the reason why programmers license their software in the first place. In most instances they write open-source software out of the kindness of their heart. They don’t get paid for it. They do get a warm fuzzy feeling from the fact they may have contributed something of value to society.
I have sat through countless hours of intellectual property presentations at work and I have a nice colourful matrix on my desk describing good and bad licenses for the creation of proprietary software (yes I have sold my soul and I get paid to write software). Generally we stick to MIT and BSD licensed software libraries because they’re not infectious.
I could easily recommend that you simply concern yourself with the licensing of your immediate dependencies but you do expose yourself to a risk. Usually programmers take care to make sure their licensing is compatible with dependencies (like you should be doing) but on the off chance, they may have made a mistake.
The bottom line is this: if you intend to make money from the software you write, you need to make sure you have permission to sell other people's work, implied by the licenses they ship with their libraries.