GitHub user srowen opened a pull request:
https://github.com/apache/spark/pull/21640
[SPARK-24654][BUILD] Update, fix LICENSE and NOTICE, and specialize for
source vs binary
Whew, lots of work to track down again all the license requirements, but
this ought to be a pretty good pass. Below, find a writeup on how I approached
it for future reference.
- LICENSE and NOTICE and licenses/ now reflect the *source* release
- LICENSE-binary and NOTICE-binary and licenses-binary now reflect the
binary release
- Recreated all the license info from scratch
- Added notes about how this was constructed for next time
- License-oriented info was moved from NOTICE to LICENSE, esp. for Cat B
deps
- Some seemingly superfluous or stale license info was removed, especially
for test-scope deps
- Updated release script to put binary-oriented versions in binary releases
----
# Principles
ASF projects distribute source and binary code under the Apache License
2.0. However these project distributions frequently include copies of source or
binary code from third parties, under possibly other license terms. This
triggers conditions of those licenses, which essentially amount to including
license information in a LICENSE and/or NOTICE file, and including copies of
license texts (here, in a directory called `license/`).
See http://www.apache.org/dev/licensing-howto.html and
https://www.apache.org/legal/resolved.html#required-third-party-notices
# In Spark
Spark produces source releases, and also binary releases of that code.
Spark source code may contain source from third parties, possibly modified.
This is true in Scala, Java, Python and R, and in the UI's JavaScript and CSS
files. These must be handled appropriately per above in a LICENSE and NOTICE
file created for the source release.
Separately, the binary releases may contain binary code from third parties.
This is very much true for Scala and Java, as Spark produces an 'assembly'
binary release which includes all transitive binary dependencies of this part
of Spark. With perhaps the exception of py4j, this doesn't occur in the same
way for Python or R because of the way these ecosystems work. (Note that the JS
and CSS for the UI will be in both 'source' and 'binary' releases.) These must
also be handled in a separate LICENSE and NOTICE file for the binary release.
# Binary Release License
## Transitive Maven Dependencies
We'll first tackle the binary release, and that almost entirely means
assessing the transitive dependencies of the Scala/Java backbone of Spark.
Run `project-info-reports:dependencies` with essentially all profiles: a
set that would bring in all different possible transitive dependencies.
However, don't activate any of the '-lgpl' profiles as these would bring in
LGPL-licensed dependencies that are explicitly excluded from Spark binary
releases.
```
mvn -Phadoop-2.7 -Pyarn -Phive -Pmesos -Pkubernetes -Pflume -Pkinesis-asl
-Pdocker-integration-tests -Phive-thriftserver -Pkafka-0-8
-Ddependency.locations.enabled=false project-info-reports:dependencies
```
Open `assembly/target/site/dependencies.html`. Find "Project Transitive
Dependencies", and find "compile" and "runtime" (if exists). This is a list of
all the dependencies that Spark is going to ship in its binary "assembly"
distro and therefore whose licenses need to be appropriately considered in
LICENSE and NOTICE. Copy this table into a spreadsheet for easy management.
Next job is to fill in some blanks, as a few projects will not have clearly
declared their licenses in a POM. Sort by license.
This is a good time to verify all the dependencies are at least Cat A/B
licenses, and not Cat X! http://www.apache.org/legal/resolved.html
### Public Domain
Can be ignored. These works have no licensing terms.
### Apache License 2
The Apache License 2 variants are typically easiest to deal with as they
will not require you to modify LICENSE, nor add to license/. It's still good
form to list the ALv2 dependencies in LICENSE for completeness, but optional.
They may require you to propagate bits from NOTICE. It's tedious to track
down all the NOTICE files and evaluate what if anything needs to be copied to
NOTICE.
Fortunately, this can be made easier as the assembly module can be
temporarily modified to produce a NOTICE file that concatenates all NOTICE
files bundled with transitive dependencies.
First change the packaging of `assembly/spark-assembly_2.11/pom.xml` to
`<packaging>jar</packaging>`. Next add this stanza somewhere in the body of the
same POM file:
```
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<configuration>
<shadedArtifactAttached>false</shadedArtifactAttached>
<artifactSet>
<includes>
<include>*:*</include>
</includes>
</artifactSet>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
<configuration>
<transformers>
<transformer
implementation="org.apache.maven.plugins.shade.resource.ApacheNoticeResourceTransformer"/>
</transformers>
</configuration>
</execution>
</executions>
</plugin>
```
Finally execute `mvn ... package` with all of the same `-P` profile flags
as above. In the JAR file at `assembly/target/spark-assembly_2.11....jar`
you'll find a file `META-INF/NOTICE` that concatenates all NOTICE files bundled
with transitive dependencies. This should be the starting point for the binary
release's NOTICE file.
Some elements in the file are from Spark itself, like:
```
Spark Project Assembly
Copyright 2018 The Apache Software Foundation
Spark Project Core
Copyright 2018 The Apache Software Foundation
```
These can be removed.
Remove elements of the combined NOTICE file that aren't relevant to Spark.
It's actually rare that we are sure that some element is completely irrelevant
to Spark, because each transitive dependency includes all its transitive
dependencies. So there may be nothing that can be done here.
Of course, some projects may not publish NOTICE in their Maven artifacts.
Ideally, search for the NOTICE file of projects that don't seem to have
produced any text in NOTICE, but, there is some argument that projects that
don't produce a NOTICE in their Maven artifacts don't entail an obligation on
projects that depend solely on their Maven artifacts.
### Other Licenses
Next are permissively licensed (BSD 2-Clause, BSD 3-Clause, MIT)
components. List the components grouped by their license type in LICENSE. Then
add the text of the license to licenses/. For example if you list "foo bar" as
a BSD-licensed dependency, add its license text as licenses/LICENSE-foo-bar.txt.
And the same goes for all Cat B licenses too, like CDDL. However these
additional require at least a URL pointer to the project's page. Use the
artifact hyperlink in your spreadsheet if possible; if non-existent or doesn't
resolve, do your best to determine a URL for the project's source.
### Shaded third-party dependencies
Some third party dependencies actually copy in other dependencies rather
than depend on them as Maven artifacts. This means they don't show up in the
process above. These can be quite hard to track down, but are rare. A key
example is reflectasm, embedded in kryo.
### Examples module
The above _almost_ considers everything bundled in a Spark binary release.
The main assembly won't include examples. The same must be done for
dependencies marked as 'compile' for the examples module. See
`examples/target/site/dependencies.html`. At the time of this writing however
this just adds one dependency: `scopt`.
### provided scope
Above we considered just compile and runtime scope dependencies, which
makes sense as they are the ones that are packaged. However, for complicated
reasons (shading), a few components that Spark does bundle are not marked as
compile dependencies in the assembly. Therefore it's also necessary to consider
'provided' dependencies from `assembly/target/site/dependencies.html` actually!
Right now that's just Jetty and JPMML artifacts.
## Python, R
Don't forget that Py4J is also distributed in the binary release, actually.
There should be no other R, Python code in the binary release. That's it.
## Sense checking
Compare the contents of `jars/`, `examples/jars/` and `python/lib` from a
recent binary release to see if anything appears there that doesn't seem to
have been covered above. These additional components will have to be handled
manually, but should be few or none of this type.
# Source Release License
While there are relatively fewer third-party source artifacts included as
source code, there is no automated way to detect it, really. It requires some
degree of manual auditing. Most third party source comes from included JS and
CSS files.
At the time of this writing, some places to look or consider:
`build/sbt-launch-lib.bash`, `python/lib`, third party source in
`python/pyspark` like `heapq3.py`, `docs/js/vendor`, and
`core/src/main/resources/org/apache/spark/ui/static`.
The principles are the same as above.
Remember some JS files copy in other JS files! Look out for Modernizr.
# One More Thing: JS and CSS in Binary Release
Now that you've got a handle on source licenses, recall that all the JS and
CSS source code will *also* be part of the binary release. Copy that info from
source to binary license files accordingly.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/srowen/spark SPARK-24654
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/spark/pull/21640.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #21640
----
commit 6aafdc57aa7d171d935fb77bf7ed2f831491982f
Author: Sean Owen <srowen@...>
Date: 2018-06-25T22:09:32Z
- LICENSE and NOTICE and licenses/ now reflect the *source* release
- LICENSE-binary and NOTICE-binary and licenses-binary now reflect the
binary release
- Recreated all the license info from scratch
- License-oriented info was moved from NOTICE to LICENSE, esp. for Cat B
deps
- Some seemingly superfluous or stale license info was removed, especially
for test-scope deps
- Updated release script to put binary-oriented versions in binary releases
----
---
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
