FOSS license compliance for Zephyr based products

[rettichschnidi]

I'd like to know whether there are any good real-world examples of how companies selling (proprietary) Zephyr-based products achieve compliance with its FOSS requirements?

Background

Zephyr is licensed under the Apache-2.0 (or compatible licenses). It is quite permissive, yet carries some obligations for (binary only) distribution, such as:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

Seems easy, just include the Apache 2.0 license text?

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

Not sure if this has an effect when distributing only the binary form?

(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

Not sure if this has an effect when distributing only the binary form?

 (d) If the Work includes a "NOTICE" text file as part of its
     distribution, then any Derivative Works that You distribute must
     include a readable copy of the attribution notices contained
     within such NOTICE file, excluding those notices that do not
     pertain to any part of the Derivative Works, in at least one
     of the following places: within a NOTICE text file distributed
     as part of the Derivative Works; within the Source form or
     documentation, if provided along with the Derivative Works; or,
     within a display generated by the Derivative Works, if and
     wherever such third-party notices normally appear. The contents
     of the NOTICE file are for informational purposes only and
     do not modify the License. You may add Your own attribution
     notices within Derivative Works that You distribute, alongside
     or as an addendum to the NOTICE text from the Work, provided
     that such additional attribution notices cannot be construed
     as modifying the License.

Zephyr itself does not, but some modules do have one (e.g. mcuboot). Including those should be enough?

Bottom line: How does everyone out there comply with the license obligations? Not just Apache 2.0, but also e.g. the BSD licenses used in certain modules.

Related

• Automate find missing SPDX tags in source files

[wickywaka]

Did you manage to find an answer? Interested to know the answer as well.

[ndrs-pst]

I just came across this link: https://fossa.com/blog/open-source-licenses-101-apache-license-2-0/

I'm not able to answer this question, but the clue is in the following statement from the above link. 🤔

---

Requirements
Anyone who uses open source software licensed under Apache 2.0 must include the following in their copy of the code, whether they have modified it or not:

1. The original copyright notice
2. A copy of the license itself
3. If applicable, a statement of any significant changes made to the original code
4. A copy of the NOTICE file with attribution notes (if the original library has one)

The third requirement listed above is a major differentiator between the Apache License 2.0 and other permissive licenses. If you make any major modifications to the licensed code, you must disclose those changes in any updated version that you distribute.

However, you do not need to release the modified code under Apache 2.0. Simply including any modification notifications is enough to comply with the license terms.