f825847c82
Whew, lots of work to track down again all the license requirements, but this ought to be a pretty good pass. Below, find a writeup on how I approached it for future reference. - LICENSE and NOTICE and licenses/ now reflect the *source* release - LICENSE-binary and NOTICE-binary and licenses-binary now reflect the binary release - Recreated all the license info from scratch - Added notes about how this was constructed for next time - License-oriented info was moved from NOTICE to LICENSE, esp. for Cat B deps - Some seemingly superfluous or stale license info was removed, especially for test-scope deps - Updated release script to put binary-oriented versions in binary releases ---- # Principles ASF projects distribute source and binary code under the Apache License 2.0. However these project distributions frequently include copies of source or binary code from third parties, under possibly other license terms. This triggers conditions of those licenses, which essentially amount to including license information in a LICENSE and/or NOTICE file, and including copies of license texts (here, in a directory called `license/`). See http://www.apache.org/dev/licensing-howto.html and https://www.apache.org/legal/resolved.html#required-third-party-notices # In Spark Spark produces source releases, and also binary releases of that code. Spark source code may contain source from third parties, possibly modified. This is true in Scala, Java, Python and R, and in the UI's JavaScript and CSS files. These must be handled appropriately per above in a LICENSE and NOTICE file created for the source release. Separately, the binary releases may contain binary code from third parties. This is very much true for Scala and Java, as Spark produces an 'assembly' binary release which includes all transitive binary dependencies of this part of Spark. With perhaps the exception of py4j, this doesn't occur in the same way for Python or R because of the way these ecosystems work. (Note that the JS and CSS for the UI will be in both 'source' and 'binary' releases.) These must also be handled in a separate LICENSE and NOTICE file for the binary release. # Binary Release License ## Transitive Maven Dependencies We'll first tackle the binary release, and that almost entirely means assessing the transitive dependencies of the Scala/Java backbone of Spark. Run `project-info-reports:dependencies` with essentially all profiles: a set that would bring in all different possible transitive dependencies. However, don't activate any of the '-lgpl' profiles as these would bring in LGPL-licensed dependencies that are explicitly excluded from Spark binary releases. ``` mvn -Phadoop-2.7 -Pyarn -Phive -Pmesos -Pkubernetes -Pflume -Pkinesis-asl -Pdocker-integration-tests -Phive-thriftserver -Pkafka-0-8 -Ddependency.locations.enabled=false project-info-reports:dependencies ``` Open `assembly/target/site/dependencies.html`. Find "Project Transitive Dependencies", and find "compile" and "runtime" (if exists). This is a list of all the dependencies that Spark is going to ship in its binary "assembly" distro and therefore whose licenses need to be appropriately considered in LICENSE and NOTICE. Copy this table into a spreadsheet for easy management. Next job is to fill in some blanks, as a few projects will not have clearly declared their licenses in a POM. Sort by license. This is a good time to verify all the dependencies are at least Cat A/B licenses, and not Cat X! http://www.apache.org/legal/resolved.html ### Apache License 2 The Apache License 2 variants are typically easiest to deal with as they will not require you to modify LICENSE, nor add to license/. It's still good form to list the ALv2 dependencies in LICENSE for completeness, but optional. They may require you to propagate bits from NOTICE. It's tedious to track down all the NOTICE files and evaluate what if anything needs to be copied to NOTICE. Fortunately, this can be made easier as the assembly module can be temporarily modified to produce a NOTICE file that concatenates all NOTICE files bundled with transitive dependencies. First change the packaging of `assembly/spark-assembly_2.11/pom.xml` to `<packaging>jar</packaging>`. Next add this stanza somewhere in the body of the same POM file: ``` <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-shade-plugin</artifactId> <configuration> <shadedArtifactAttached>false</shadedArtifactAttached> <artifactSet> <includes> <include>*:*</include> </includes> </artifactSet> </configuration> <executions> <execution> <phase>package</phase> <goals> <goal>shade</goal> </goals> <configuration> <transformers> <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheNoticeResourceTransformer"/> </transformers> </configuration> </execution> </executions> </plugin> ``` Finally execute `mvn ... package` with all of the same `-P` profile flags as above. In the JAR file at `assembly/target/spark-assembly_2.11....jar` you'll find a file `META-INF/NOTICE` that concatenates all NOTICE files bundled with transitive dependencies. This should be the starting point for the binary release's NOTICE file. Some elements in the file are from Spark itself, like: ``` Spark Project Assembly Copyright 2018 The Apache Software Foundation Spark Project Core Copyright 2018 The Apache Software Foundation ``` These can be removed. Remove elements of the combined NOTICE file that aren't relevant to Spark. It's actually rare that we are sure that some element is completely irrelevant to Spark, because each transitive dependency includes all its transitive dependencies. So there may be nothing that can be done here. Of course, some projects may not publish NOTICE in their Maven artifacts. Ideally, search for the NOTICE file of projects that don't seem to have produced any text in NOTICE, but, there is some argument that projects that don't produce a NOTICE in their Maven artifacts don't entail an obligation on projects that depend solely on their Maven artifacts. ### Other Licenses Next are "Cat A" permissively licensed (BSD 2-Clause, BSD 3-Clause, MIT) components. List the components grouped by their license type in LICENSE. Then add the text of the license to licenses/. For example if you list "foo bar" as a BSD-licensed dependency, add its license text as licenses/LICENSE-foo-bar.txt. Public domain and similar works are treated like permissively licensed dependencies. And the same goes for all Cat B licenses too, like CDDL. However these additional require at least a URL pointer to the project's page. Use the artifact hyperlink in your spreadsheet if possible; if non-existent or doesn't resolve, do your best to determine a URL for the project's source. ### Shaded third-party dependencies Some third party dependencies actually copy in other dependencies rather than depend on them as Maven artifacts. This means they don't show up in the process above. These can be quite hard to track down, but are rare. A key example is reflectasm, embedded in kryo. ### Examples module The above _almost_ considers everything bundled in a Spark binary release. The main assembly won't include examples. The same must be done for dependencies marked as 'compile' for the examples module. See `examples/target/site/dependencies.html`. At the time of this writing however this just adds one dependency: `scopt`. ### provided scope Above we considered just compile and runtime scope dependencies, which makes sense as they are the ones that are packaged. However, for complicated reasons (shading), a few components that Spark does bundle are not marked as compile dependencies in the assembly. Therefore it's also necessary to consider 'provided' dependencies from `assembly/target/site/dependencies.html` actually! Right now that's just Jetty and JPMML artifacts. ## Python, R Don't forget that Py4J is also distributed in the binary release, actually. There should be no other R, Python code in the binary release. That's it. ## Sense checking Compare the contents of `jars/`, `examples/jars/` and `python/lib` from a recent binary release to see if anything appears there that doesn't seem to have been covered above. These additional components will have to be handled manually, but should be few or none of this type. # Source Release License While there are relatively fewer third-party source artifacts included as source code, there is no automated way to detect it, really. It requires some degree of manual auditing. Most third party source comes from included JS and CSS files. At the time of this writing, some places to look or consider: `build/sbt-launch-lib.bash`, `python/lib`, third party source in `python/pyspark` like `heapq3.py`, `docs/js/vendor`, and `core/src/main/resources/org/apache/spark/ui/static`. The principles are the same as above. Remember some JS files copy in other JS files! Look out for Modernizr. # One More Thing: JS and CSS in Binary Release Now that you've got a handle on source licenses, recall that all the JS and CSS source code will *also* be part of the binary release. Copy that info from source to binary license files accordingly. Author: Sean Owen <srowen@gmail.com> Closes #21640 from srowen/SPARK-24654.
121 lines
6.9 KiB
Plaintext
121 lines
6.9 KiB
Plaintext
Creative Commons Legal Code
|
|
|
|
CC0 1.0 Universal
|
|
|
|
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
|
|
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
|
|
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
|
|
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
|
|
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
|
|
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
|
|
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
|
|
HEREUNDER.
|
|
|
|
Statement of Purpose
|
|
|
|
The laws of most jurisdictions throughout the world automatically confer
|
|
exclusive Copyright and Related Rights (defined below) upon the creator
|
|
and subsequent owner(s) (each and all, an "owner") of an original work of
|
|
authorship and/or a database (each, a "Work").
|
|
|
|
Certain owners wish to permanently relinquish those rights to a Work for
|
|
the purpose of contributing to a commons of creative, cultural and
|
|
scientific works ("Commons") that the public can reliably and without fear
|
|
of later claims of infringement build upon, modify, incorporate in other
|
|
works, reuse and redistribute as freely as possible in any form whatsoever
|
|
and for any purposes, including without limitation commercial purposes.
|
|
These owners may contribute to the Commons to promote the ideal of a free
|
|
culture and the further production of creative, cultural and scientific
|
|
works, or to gain reputation or greater distribution for their Work in
|
|
part through the use and efforts of others.
|
|
|
|
For these and/or other purposes and motivations, and without any
|
|
expectation of additional consideration or compensation, the person
|
|
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
|
|
is an owner of Copyright and Related Rights in the Work, voluntarily
|
|
elects to apply CC0 to the Work and publicly distribute the Work under its
|
|
terms, with knowledge of his or her Copyright and Related Rights in the
|
|
Work and the meaning and intended legal effect of CC0 on those rights.
|
|
|
|
1. Copyright and Related Rights. A Work made available under CC0 may be
|
|
protected by copyright and related or neighboring rights ("Copyright and
|
|
Related Rights"). Copyright and Related Rights include, but are not
|
|
limited to, the following:
|
|
|
|
i. the right to reproduce, adapt, distribute, perform, display,
|
|
communicate, and translate a Work;
|
|
ii. moral rights retained by the original author(s) and/or performer(s);
|
|
iii. publicity and privacy rights pertaining to a person's image or
|
|
likeness depicted in a Work;
|
|
iv. rights protecting against unfair competition in regards to a Work,
|
|
subject to the limitations in paragraph 4(a), below;
|
|
v. rights protecting the extraction, dissemination, use and reuse of data
|
|
in a Work;
|
|
vi. database rights (such as those arising under Directive 96/9/EC of the
|
|
European Parliament and of the Council of 11 March 1996 on the legal
|
|
protection of databases, and under any national implementation
|
|
thereof, including any amended or successor version of such
|
|
directive); and
|
|
vii. other similar, equivalent or corresponding rights throughout the
|
|
world based on applicable law or treaty, and any national
|
|
implementations thereof.
|
|
|
|
2. Waiver. To the greatest extent permitted by, but not in contravention
|
|
of, applicable law, Affirmer hereby overtly, fully, permanently,
|
|
irrevocably and unconditionally waives, abandons, and surrenders all of
|
|
Affirmer's Copyright and Related Rights and associated claims and causes
|
|
of action, whether now known or unknown (including existing as well as
|
|
future claims and causes of action), in the Work (i) in all territories
|
|
worldwide, (ii) for the maximum duration provided by applicable law or
|
|
treaty (including future time extensions), (iii) in any current or future
|
|
medium and for any number of copies, and (iv) for any purpose whatsoever,
|
|
including without limitation commercial, advertising or promotional
|
|
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
|
|
member of the public at large and to the detriment of Affirmer's heirs and
|
|
successors, fully intending that such Waiver shall not be subject to
|
|
revocation, rescission, cancellation, termination, or any other legal or
|
|
equitable action to disrupt the quiet enjoyment of the Work by the public
|
|
as contemplated by Affirmer's express Statement of Purpose.
|
|
|
|
3. Public License Fallback. Should any part of the Waiver for any reason
|
|
be judged legally invalid or ineffective under applicable law, then the
|
|
Waiver shall be preserved to the maximum extent permitted taking into
|
|
account Affirmer's express Statement of Purpose. In addition, to the
|
|
extent the Waiver is so judged Affirmer hereby grants to each affected
|
|
person a royalty-free, non transferable, non sublicensable, non exclusive,
|
|
irrevocable and unconditional license to exercise Affirmer's Copyright and
|
|
Related Rights in the Work (i) in all territories worldwide, (ii) for the
|
|
maximum duration provided by applicable law or treaty (including future
|
|
time extensions), (iii) in any current or future medium and for any number
|
|
of copies, and (iv) for any purpose whatsoever, including without
|
|
limitation commercial, advertising or promotional purposes (the
|
|
"License"). The License shall be deemed effective as of the date CC0 was
|
|
applied by Affirmer to the Work. Should any part of the License for any
|
|
reason be judged legally invalid or ineffective under applicable law, such
|
|
partial invalidity or ineffectiveness shall not invalidate the remainder
|
|
of the License, and in such case Affirmer hereby affirms that he or she
|
|
will not (i) exercise any of his or her remaining Copyright and Related
|
|
Rights in the Work or (ii) assert any associated claims and causes of
|
|
action with respect to the Work, in either case contrary to Affirmer's
|
|
express Statement of Purpose.
|
|
|
|
4. Limitations and Disclaimers.
|
|
|
|
a. No trademark or patent rights held by Affirmer are waived, abandoned,
|
|
surrendered, licensed or otherwise affected by this document.
|
|
b. Affirmer offers the Work as-is and makes no representations or
|
|
warranties of any kind concerning the Work, express, implied,
|
|
statutory or otherwise, including without limitation warranties of
|
|
title, merchantability, fitness for a particular purpose, non
|
|
infringement, or the absence of latent or other defects, accuracy, or
|
|
the present or absence of errors, whether or not discoverable, all to
|
|
the greatest extent permissible under applicable law.
|
|
c. Affirmer disclaims responsibility for clearing rights of other persons
|
|
that may apply to the Work or any use thereof, including without
|
|
limitation any person's Copyright and Related Rights in the Work.
|
|
Further, Affirmer disclaims responsibility for obtaining any necessary
|
|
consents, permissions or other rights required for any use of the
|
|
Work.
|
|
d. Affirmer understands and acknowledges that Creative Commons is not a
|
|
party to this document and has no duty or obligation with respect to
|
|
this CC0 or use of the Work. |