The Free Dictionary defines attribution as "The act of attributing, especially the act of establishing a particular person as the creator of a work of art." This definition can also be applied to software. Open source attribution obligations, as specified in the most common licenses, are usually very simply stated, and subject to a great deal of interpretation. Here are a few examples:
Apache 1.1 License: "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."
MIT License: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."
GPL 2.0: "1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program."
MPL 1.1: "3.6. Distribution of Executable Versions. You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or collateral in which You describe recipients' rights relating to the Covered Code."
Apache 2.0: "(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License."
In addition to the obvious requirement to document your usage of an open source package, there are a couple of concepts referenced in these licenses that benefit from a bit of exploration:
These concepts require interpretation: What is actually legally required? What is the best way to meet the attribution obligations? To answer these questions, we should first think about the purposes (goals, objectives) of software attribution.
Open source software is not sold; it is free. So what is the motivation to create and release software under an open source license? The complete motivation spectrum is beyond the scope of this essay, but it is clear that open source developers want credit for their work, perhaps stated as: "I created this software and I want everyone who benefits from it to know that." Thus the spirit of an attribution obligation suggests the following guidelines:
How are software suppliers providing attribution? Are they meeting the minimum legal obligations, or do they respond to the spirit of software attribution? An informal survey reveals a variety of formats, with varying results.
Two major software providers, Mozilla and Google, provide some excellent examples of very different approaches to software attribution.
In Mozilla Firefox, you can click on "About Firefox" and then click the Licensing information link, which takes you to an "about:license" page. The information is organized by license name, and each license name is a link that takes you to the corresponding details, including the pathname of the component subject to that license as used in Firefox, the copyright statement, and the texts of the licenses and notices. A glance at this page should convince any software developer that there is some value to a good copyright statement in order to be acknowledged beyond the mere name of a package. Regarding the license names, Mozilla provides the official license name from the license text when available, or it constructs a license name from the project name followed by "license".
In Google Chrome, you can click on "About Google Chrome" and then click the "open source software" link, which takes you to a "chrome://credits/" page, which is a very clean and efficient display organized by the open source projects used in Chrome. Each project entry provides quick links to the project home page and the project license. The links to the project home pages provide a very nice thank-you to the project contributors. Of particular interest, Google makes no attempt to name the licenses, and simply presents the copyright and license text. You only see the license name if it is part of the license text.
On an Android-based device, you can typically go to "Settings > About phone > Legal information > Open source licenses". Note that Android organizes attribution by Deployed components, in contrast to Mozilla Firefox and Google Chrome which base the contents of the attribution documentation on their respective Development codebases. Android presents a list of deployed component links, and each link takes you to a detail page with a clear presentation of the copyright and license information. This is an excellent model for attribution on a small device.
The following software projects generally illustrate the spirit of software attribution.
In the Amazon Music desktop application, you can click on "About Amazon Music". You get a nicely formatted information window, and you can click on the Legal Notices link to get to a page in your default browser with a couple of clearly identified link choices, one of which takes you to the attribution notices. The presentation is easy to read, organized by component (or project), but without TOC or links. Typical of Amazon, you have the chance to say if the page was helpful (Yes/No choice) at the bottom, and a place to enter comments.
The following software projects arguably comply with basic software attribution obligations, but would benefit from some improvements to promote the spirit of software attribution.
You can construct your attribution notices manually, especially if your software project is relatively small and uncomplicated, but a manual process does not scale up very well. There are a number of resources that can help you.