getsentry / team-ospo

Open Source Program Office (OSPO)
https://open.sentry.io/

Clean up derivative works #120

Open chadwhitacre opened 1 year ago

chadwhitacre commented 1 year ago

We've been loosey-goosey on copy/paste code re-use, time to tighten up. Need to .

Policy is basically - isolate to a separate file, and include OSS attribution in the file header.

chadwhitacre commented 1 year ago

Additional guidance:

if there's no attribution, retain the license and add attribution, don't need to ask, just link to repo

yeah I'm fine with link to the repo as attribution

also i would ALWAYS link to repo fwiw so retain license, attribute link to repo no matter what, it's just good hygiene

evanpurkhiser commented 1 year ago

AFAIK that bootstrap stuff is just completely vendored. So whatever doc string was in there when the file was copied is what was in it

JoshFerge commented 1 year ago

FWIW https://github.com/getsentry/sentry/blob/master/src/sentry/apidocs/spectacular_ports.py#L29-L30 is not copy/pasted, but a modified version of the library's function. I've also partly contributed part of this vendored file upstream to the library.

JonasBa commented 1 year ago

@chadwhitacre this renders weirdly for me, but I just took care of the fzf port. I ported that manually, so idk if we technically need the license, but since it's just a translation I don't mind keeping it.

mitsuhiko commented 1 year ago

@JonasBa if it's not a clean-room reimplementation it counts as a derivative work and thus needs to retain the original license.

AbhiPrasad commented 1 year ago

Opened https://github.com/getsentry/sentry-javascript/issues/7560 to track this in JS. From inspecting all the JS SDK packages we have attribution links everywhere - but including the license text is inconsistent.

antonpirker commented 1 year ago

Python SDK: https://github.com/getsentry/sentry-python/pull/1973

chadwhitacre commented 1 year ago

Current policy:

Derivative Works

Sometimes you want to copy and paste a snippet of code from another project without installing a library or package. Maybe you make some modifications to it, maybe you don’t, but we always could in the future. Other times you reference another work without directly copying it, for example, if you’re porting an algorithm from one language to another. All of these cases count as a “derivative work.” If it's not a clean-room reimplementation, it is a derivative work, and we need to respect the author and license of the original. Here’s how:

  1. Don't derive code from tiny competitors even though technically it's legal, because it makes us look bad.
  2. Isolate the code in its own file or directory. Don’t mix derivative code with non-derivative code.
  3. Add attribution and the text of their license at the top of the file or in a LICENSE file in the directory:
    1. Link to their repo for attribution.
    2. If there is no license, don’t use it.
  4. Here’s an example.

Please watch for this in code reviews.

AbhiPrasad commented 1 year ago

@chadwhitacre can we add this policy to https://develop.sentry.dev/?

chadwhitacre commented 1 year ago

Seems reasonable, but this is one small section of a large policy, would be best to look at the whole.