Output Doesn't Include Full Content of NOTICE File As Required by Apache 2.0

[zicklag]

Hey there!

I'm considering using this for a closed-source Rust project in order to comply with the license obligations for Open Source code that I use, but it seems like there is something that this crate doesn't collect as required by the Apache 2.0 license:

          If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works,

While this crate searches through NOTICE files for copyright declarations, it doesn't include the entirety of the NOTICE file, which, while not exactly required by the verbiage above, seems required by an automated tool because there may be attributions in the NOTICE file that don't match a copyright regex, and they would still need to be included.

Of course I'm not a lawyer so I could be wrong, but as far as I can tell it seems like we may need to make an exception for the NOTICE file and include the whole thing for purposes of attribution.

[jszwedko]

Hey @zicklag ! You are right. When we used this recently with https://github.com/vectordotdev/vector I actually went through all Apache 2.0 projects and I additionally ensured all NOTICE files were included.

I think that would be a reasonable feature for this tool to have to generate a concatenated NOTICE file. We'd be open to contributions if you feel motivated.

[zicklag]

For my project I ended up needing both cargo and pnpm license attributions, so I threw together my own tool, which is working for me so far. It's unlicensed if anybody wants to steal any code from it, though! https://github.com/katharostech/make-notices

[jszwedko]

Awesome! Thanks for sharing!