[SPARK-24654][BUILD] Update, fix LICENSE and NOTICE, and specialize for source vs binary

[srowen]

Whew, lots of work to track down again all the license requirements, but this ought to be a pretty good pass. Below, find a writeup on how I approached it for future reference.

• LICENSE and NOTICE and licenses/ now reflect the source release
• LICENSE-binary and NOTICE-binary and licenses-binary now reflect the binary release
• Recreated all the license info from scratch
• Added notes about how this was constructed for next time
• License-oriented info was moved from NOTICE to LICENSE, esp. for Cat B deps
• Some seemingly superfluous or stale license info was removed, especially for test-scope deps
• Updated release script to put binary-oriented versions in binary releases

---

Principles

ASF projects distribute source and binary code under the Apache License 2.0. However these project distributions frequently include copies of source or binary code from third parties, under possibly other license terms. This triggers conditions of those licenses, which essentially amount to including license information in a LICENSE and/or NOTICE file, and including copies of license texts (here, in a directory called license/).

See http://www.apache.org/dev/licensing-howto.html and https://www.apache.org/legal/resolved.html#required-third-party-notices

In Spark

Spark produces source releases, and also binary releases of that code. Spark source code may contain source from third parties, possibly modified. This is true in Scala, Java, Python and R, and in the UI's JavaScript and CSS files. These must be handled appropriately per above in a LICENSE and NOTICE file created for the source release.

Separately, the binary releases may contain binary code from third parties. This is very much true for Scala and Java, as Spark produces an 'assembly' binary release which includes all transitive binary dependencies of this part of Spark. With perhaps the exception of py4j, this doesn't occur in the same way for Python or R because of the way these ecosystems work. (Note that the JS and CSS for the UI will be in both 'source' and 'binary' releases.) These must also be handled in a separate LICENSE and NOTICE file for the binary release.

Binary Release License

Transitive Maven Dependencies

We'll first tackle the binary release, and that almost entirely means assessing the transitive dependencies of the Scala/Java backbone of Spark.

Run project-info-reports:dependencies with essentially all profiles: a set that would bring in all different possible transitive dependencies. However, don't activate any of the '-lgpl' profiles as these would bring in LGPL-licensed dependencies that are explicitly excluded from Spark binary releases.

mvn -Phadoop-2.7 -Pyarn -Phive -Pmesos -Pkubernetes -Pflume -Pkinesis-asl -Pdocker-integration-tests -Phive-thriftserver -Pkafka-0-8 -Ddependency.locations.enabled=false project-info-reports:dependencies

Open assembly/target/site/dependencies.html. Find "Project Transitive Dependencies", and find "compile" and "runtime" (if exists). This is a list of all the dependencies that Spark is going to ship in its binary "assembly" distro and therefore whose licenses need to be appropriately considered in LICENSE and NOTICE. Copy this table into a spreadsheet for easy management.

Next job is to fill in some blanks, as a few projects will not have clearly declared their licenses in a POM. Sort by license.

This is a good time to verify all the dependencies are at least Cat A/B licenses, and not Cat X! http://www.apache.org/legal/resolved.html

Apache License 2

The Apache License 2 variants are typically easiest to deal with as they will not require you to modify LICENSE, nor add to license/. It's still good form to list the ALv2 dependencies in LICENSE for completeness, but optional.

They may require you to propagate bits from NOTICE. It's tedious to track down all the NOTICE files and evaluate what if anything needs to be copied to NOTICE.

Fortunately, this can be made easier as the assembly module can be temporarily modified to produce a NOTICE file that concatenates all NOTICE files bundled with transitive dependencies.

First change the packaging of assembly/spark-assembly_2.11/pom.xml to <packaging>jar</packaging>. Next add this stanza somewhere in the body of the same POM file:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <configuration>
    <shadedArtifactAttached>false</shadedArtifactAttached>
    <artifactSet>
      <includes>
        <include>*:*</include>
      </includes>
    </artifactSet>
  </configuration>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <transformers>
          <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheNoticeResourceTransformer"/>
        </transformers>
      </configuration>
    </execution>
  </executions>
</plugin>

Finally execute mvn ... package with all of the same -P profile flags as above. In the JAR file at assembly/target/spark-assembly_2.11....jar you'll find a file META-INF/NOTICE that concatenates all NOTICE files bundled with transitive dependencies. This should be the starting point for the binary release's NOTICE file.

Some elements in the file are from Spark itself, like:

Spark Project Assembly
Copyright 2018 The Apache Software Foundation

Spark Project Core
Copyright 2018 The Apache Software Foundation

These can be removed.

Remove elements of the combined NOTICE file that aren't relevant to Spark. It's actually rare that we are sure that some element is completely irrelevant to Spark, because each transitive dependency includes all its transitive dependencies. So there may be nothing that can be done here.

Of course, some projects may not publish NOTICE in their Maven artifacts. Ideally, search for the NOTICE file of projects that don't seem to have produced any text in NOTICE, but, there is some argument that projects that don't produce a NOTICE in their Maven artifacts don't entail an obligation on projects that depend solely on their Maven artifacts.

Other Licenses

Next are "Cat A" permissively licensed (BSD 2-Clause, BSD 3-Clause, MIT) components. List the components grouped by their license type in LICENSE. Then add the text of the license to licenses/. For example if you list "foo bar" as a BSD-licensed dependency, add its license text as licenses/LICENSE-foo-bar.txt.

Public domain and similar works are treated like permissively licensed dependencies.

And the same goes for all Cat B licenses too, like CDDL. However these additional require at least a URL pointer to the project's page. Use the artifact hyperlink in your spreadsheet if possible; if non-existent or doesn't resolve, do your best to determine a URL for the project's source.

Shaded third-party dependencies

Some third party dependencies actually copy in other dependencies rather than depend on them as Maven artifacts. This means they don't show up in the process above. These can be quite hard to track down, but are rare. A key example is reflectasm, embedded in kryo.

Examples module

The above almost considers everything bundled in a Spark binary release. The main assembly won't include examples. The same must be done for dependencies marked as 'compile' for the examples module. See examples/target/site/dependencies.html. At the time of this writing however this just adds one dependency: scopt.

provided scope

Above we considered just compile and runtime scope dependencies, which makes sense as they are the ones that are packaged. However, for complicated reasons (shading), a few components that Spark does bundle are not marked as compile dependencies in the assembly. Therefore it's also necessary to consider 'provided' dependencies from assembly/target/site/dependencies.html actually! Right now that's just Jetty and JPMML artifacts.

Python, R

Don't forget that Py4J is also distributed in the binary release, actually. There should be no other R, Python code in the binary release. That's it.

Sense checking

Compare the contents of jars/, examples/jars/ and python/lib from a recent binary release to see if anything appears there that doesn't seem to have been covered above. These additional components will have to be handled manually, but should be few or none of this type.

Source Release License

While there are relatively fewer third-party source artifacts included as source code, there is no automated way to detect it, really. It requires some degree of manual auditing. Most third party source comes from included JS and CSS files.

At the time of this writing, some places to look or consider: build/sbt-launch-lib.bash, python/lib, third party source in python/pyspark like heapq3.py, docs/js/vendor, and core/src/main/resources/org/apache/spark/ui/static.

The principles are the same as above.

Remember some JS files copy in other JS files! Look out for Modernizr.

One More Thing: JS and CSS in Binary Release

Now that you've got a handle on source licenses, recall that all the JS and CSS source code will also be part of the binary release. Copy that info from source to binary license files accordingly.

[SparkQA]

Test build #92313 has finished for PR 21640 at commit 6aafdc5.

• This patch fails RAT tests.
• This patch merges cleanly.
• This patch adds the following public classes (experimental):
• QuadraticMinimizer class in package breeze.optimize.proximal is distributed with Copyright (c)
• NonlinearMinimizer class in package breeze.optimize.proximal is distributed with Copyright (c)

[vanzin]

That looks like a lot of work. Did a cursory review and just noticed two licenses that could be updated, otherwise as far as I can tell this looks good.

[vanzin]

Copy from https://github.com/jquery/jquery/blob/master/LICENSE.txt instead?

[vanzin]

Similarly: https://github.com/scopt/scopt/blob/scopt3/LICENSE.md

[SparkQA]

Test build #92316 has finished for PR 21640 at commit 1928112.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #92321 has finished for PR 21640 at commit e07f387.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #92499 has finished for PR 21640 at commit 198b208.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[srowen]

Merged to master

[wangyum]

Hi @srowen , Do we need to add these libs for current master branch?
org.apache.hive:hive-beeline
org.apache.hive:hive-cli
org.apache.hive:hive-exec
org.apache.hive:hive-jdbc
org.apache.hive:hive-metastore

[srowen]

These are listed in the current license file in master. If they are it's because they showed up in the transitive dependencies in compile/runtime scope. Are you asking if they can be removed?

Heh, I've lost track, do we use this Hive fork anymore now? if not, they can be removed.

You can look at mvn dependency:tree to see if they still appear, if in doubt.

[wangyum]

I mean these jars:

[root@spark-3267648 apache-spark]# mvn dependency:tree -Phadoop-3.2 | grep "org.apache.hive" | sort | uniq
[INFO] +- org.apache.hive.hcatalog:hive-hcatalog-core:jar:2.3.6:test
[INFO] +- org.apache.hive:hive-common:jar:2.3.6:compile
[INFO] |  +- org.apache.hive:hive-common:jar:2.3.6:provided
[INFO] +- org.apache.hive:hive-contrib:jar:2.3.6:test
[INFO] +- org.apache.hive:hive-exec:jar:core:2.3.6:compile
[INFO] |  +- org.apache.hive:hive-exec:jar:core:2.3.6:provided
[INFO] +- org.apache.hive:hive-llap-client:jar:2.3.6:test
[INFO] +- org.apache.hive:hive-llap-common:jar:2.3.6:compile
[INFO] |  \- org.apache.hive:hive-llap-common:jar:2.3.6:provided
[INFO] +- org.apache.hive:hive-metastore:jar:2.3.6:compile
[INFO] |  +- org.apache.hive:hive-metastore:jar:2.3.6:provided
[INFO] +- org.apache.hive:hive-serde:jar:2.3.6:compile
[INFO] |  +- org.apache.hive:hive-serde:jar:2.3.6:provided
[INFO] |  +- org.apache.hive:hive-service-rpc:jar:2.3.6:compile
[INFO] |  |  \- org.apache.hive:hive-service-rpc:jar:2.3.6:provided
[INFO] +- org.apache.hive:hive-shims:jar:2.3.6:compile
[INFO] |  +- org.apache.hive:hive-shims:jar:2.3.6:provided
[INFO] \- org.apache.hive:hive-storage-api:jar:2.6.0:compile
[INFO] |  +- org.apache.hive:hive-vector-code-gen:jar:2.3.6:compile
[INFO] |  |  +- org.apache.hive:hive-vector-code-gen:jar:2.3.6:provided
[INFO] |  |  +- org.apache.hive.shims:hive-shims-0.23:jar:2.3.6:provided
[INFO] |  +- org.apache.hive.shims:hive-shims-0.23:jar:2.3.6:runtime
[INFO] |  +- org.apache.hive.shims:hive-shims-common:jar:2.3.6:compile
[INFO] |  |  +- org.apache.hive.shims:hive-shims-common:jar:2.3.6:provided
[INFO] |  |  \- org.apache.hive.shims:hive-shims-scheduler:jar:2.3.6:provided
[INFO] |  \- org.apache.hive.shims:hive-shims-scheduler:jar:2.3.6:runtime

[srowen]

We might need to list anything that's in compile scope. Really the question is whether these end up in any artifact that we distribute. Really these would appear in the binary distribution of Spark if anywhere. If we are going to distribute a binary release based on Hadoop 3.2 / Hive 2.3, and I'm guessing we must, then yeah these compile scope deps should be listed, and technically we need to add their NOTICE contents to our NOTICE file. I can talk to you about ways to do that if necessary.

As a sanity check, do all of those compile scope dependencies look like they are directly needed by Spark?

[wangyum]

Thank you @srowen