We face the same issue when creating Eclipse help output that we deliver to customers. Black Duck
complains about two CSS files (commonltr.css
) from the com.oxygenxml.webhelp
plugin that contain the following reference to the Apache license:
Code: Select all
* The Oxygen Webhelp plugin redistributes this file under the terms of the
* Apache Software Foundation License v2.0:
Please note that each output (i.e Eclise help output or WebHelp output) is an aggregate work that is created by an automated process from two works:
 an work derived from the customer's input (i.e DITA source files), that may be governed by the customer proprietary license
 an work copied from the third party libraries or generated by OxygenXML which is permissively licensed to be redistributed (e.g under Apache 2.0 license)
The files in question here are from the second category.
The same files in the org.dita.xhtml plugin don't contain this reference.
Although their source code from org.dita.xhtml plugin do not explictly specify Apache2.0, their distribution license is Apache 2.0 because they come from the DITA-OT project, a project distributed under Apache 2.0 and which Oxygen uses it as a third party software in order to generate these output formats. The above cited snippet reiterates that the file is distributed under the Apache 2.0 license, thus making clear the license terms under which this file is redistributed.
a) Are we allowed to remove this license from the deliverable Eclipse help output?
You need to preserve the original copyright/license notice at the top of each source code file. If you need to change the file, add your copyright after the original ones, and state some words about the change. The Apache license refers only to that file content and does not have a bad influence on the overall output licensing terms because it is a permissive open source software license.
b) Are we allowed to replace this by customer-specific legal disclaimer?
You do not need to replace the notice from these files in order to add a customer-specific legal disclaimer or a different license for the generated output.
Actually, the work input supplied by customer  to the automated process is affecting the license of the output (e.g. if the input source code is licensed under a proprietary license), and not the third party components that are licensed for redistribution under a permissive open source software license that is not viral (and only require preservation of their copyright/license notices).
Therefore, you can use a custom specific license for the output, as long as the other requirements of the included third-party licenses are met (such as informing the users of the output that some parts of the aggregated work are licensed under non-viral open-source licenses). An option is to create a notice file in the root of the output containing the list of third party components and their licensing terms and to reference it from the customer specific license as being the additional third party components list. The Webhelp output already contains such file (under the name of license-3rd-party.txt).
If you require further clarification on licensing terms, please direct your questions to firstname.lastname@example.org