Summary
sqlc embeds code from several Apache-2.0–licensed transitive dependencies that ship a NOTICE file, but sqlc itself does not include a NOTICE propagating those attributions. Apache License 2.0 §4(d) requires that redistributors carry over notices from any upstream NOTICE file.
The most visible example today is github.com/coreos/go-semver, pulled in via github.com/pingcap/tidb/pkg/parser/mysql. Its NOTICE reads:
```
CoreOS Project
Copyright 2018 CoreOS, Inc

This product includes software developed at CoreOS, Inc.
(http://www.coreos.com/).
```
GitHub's Licensee-based license detector classifies the go-semver module as `Apache-2.0 AND LicenseRef-github-NOASSERTION` because of this NOTICE plus other unclassified files. Organizations with strict license policies (we're one) end up unable to consume sqlc as a build-time tool when this expression is on the blocklist.
Impact
- Downstream projects depending on sqlc (especially in module-aware build setups where sqlc is in a Go `tool` block) inherit the transitive Apache-2.0 deps and are then blamed for the missing NOTICE.
- For us specifically, this blocks bumping past sqlc v1.30.0 because v1.31.x's updated `pingcap/tidb/pkg/parser` started pulling in `coreos/go-semver`.
Suggested fix
Add a top-level NOTICE file to the sqlc repository that aggregates the attribution notices from upstream Apache-2.0 deps that ship one. At minimum:
- github.com/coreos/go-semver (NOTICE)
A quick way to audit is:
```sh
go mod download -json all | jq -r 'select(.Dir!=null) | .Dir' | xargs -I{} sh -c 'test -f "{}/NOTICE" && echo {}'
```
…and concatenate any results into a single top-level NOTICE (with clear per-component headings). This is a common pattern — see e.g. Kubernetes, OpenTelemetry, and Hashicorp projects.
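As an added example (not sqlc's own tooling), the concatenation step above as a small POSIX sh script: it reads `module-path<TAB>dir` lines, the shape you get from `go mod download -json all | jq -r 'select(.Dir!=null) | "\(.Path)\t\(.Dir)"'`, and emits one NOTICE with a heading per module that actually ships one. The sample module cache it builds is constructed for the demonstration; `example.com/a`, `example.com/b` and `example.com/c` are placeholder modules.

```shell
#!/bin/sh
# Added example, not from the sqlc project: aggregate upstream NOTICE files into
# one top-level NOTICE with a clear per-component heading.
set -eu

# aggregate_notices: read "path<TAB>dir" lines on stdin, print the combined NOTICE
# on stdout. Modules without a NOTICE file are skipped silently.
aggregate_notices() {
    printf '%s\n\n' 'Third-party attribution notices bundled with this distribution.'
    while IFS="$(printf '\t')" read -r mod dir; do
        [ -f "$dir/NOTICE" ] || continue
        printf '== %s ==\n' "$mod"
        cat "$dir/NOTICE"
        printf '\n'
    done
}

# count_sections: number of per-module headings in an aggregated NOTICE read on stdin.
count_sections() {
    grep -c '^== .* ==$' || true
}

# make_sample_cache: build a constructed module cache under $1 (two modules that ship
# a NOTICE, one that does not) and print the "path<TAB>dir" lines for it.
make_sample_cache() {
    root="$1"
    mkdir -p "$root/example.com/a@v1.0.0" "$root/example.com/b@v2.0.0" "$root/example.com/c@v0.1.0"
    printf 'Project A\nCopyright 2020 A Corp\n' > "$root/example.com/a@v1.0.0/NOTICE"
    printf 'Project B\nThis product includes software developed at B.\n' > "$root/example.com/b@v2.0.0/NOTICE"
    printf 'example.com/a\t%s\nexample.com/b\t%s\nexample.com/c\t%s\n' \
        "$root/example.com/a@v1.0.0" "$root/example.com/b@v2.0.0" "$root/example.com/c@v0.1.0"
}
```

Against a real module graph: `go mod download -json all | jq -r 'select(.Dir!=null) | "\(.Path)\t\(.Dir)"' | aggregate_notices > NOTICE`.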
Why this matters
Even though Go source distribution makes it tempting to treat upstream LICENSE/NOTICE files as self-carried by the module cache, §4(d) speaks to "derivative works" distribution, which includes binary releases on the sqlc releases page. Those binaries today bundle the Apache-2.0 deps without their NOTICE text.
Happy to send a PR if maintainers agree on the approach.