Properly attributing FLOSS projects

Sometimes you want to include another project directly in your source tree, and not just as a git subproject or similar. That's fine, but there are some steps to follow.


The commit message needs to contain at least:

  • License of the upstream package
  • Original checksum of all files
  • Upstream URL
  • Upstream git/svn/tracker
  • Author / Others
  • exact version number of the release

Checksum should be sha1 or sha256 sums of the upstream files, in unmodified form. This is for future protection in case of legal issues.


The commit needs to include the valid license file for the upstream project. All common licenses that I know about require you to ship a copy of the license with the source. In the future, if you change this file, you should always do it in separate commits, keeping the license in mind.


Make sure that no other files are changed in this commit. No modifications to the upstream project, no additions to build systems or documentation.

Make sure that the information in the commit message is enough to reliably reproduce this checkout. If the upstream package is a git checksum, include that and the original tree URL. (pointing at this release, tag, or blob, not at head/master)

Working Form

In the case of LGPL, GPL and others, make sure that you include a copy of the "preferred working form". That is not minified JS, if it's for example a CoffeeScript project, you have to include the original working form, as well as the produced Javascript library.

These are all pretty much basic legal requirements when working with other's code.

Then, if you ever make changes to the included files (adding modules or stripping parts, etc.) those have to be done in separate commits.

Release 3.8

Release 3.7