Fix the LICENSE/NOTICES files with the missing dependencies/versions

[jbonofre]

This closes #16013

[mxm]

Thanks for addressing this promptly @jbonofre!

[manuzhang]

I suppose a lot of dependencies are missing from open-api/LICENSE based on #15872

[jbonofre]

@manuzhang I updated the LICENSE/NOTICE in the bundles and flink/spark runtimes. I'm gonna check open-api.

[jbonofre]

@manuzhang I updated LICENSE and NOTICE in open-api.

[manuzhang]

@jbonofre

Codex found 61 resolved module names missing from open-api/LICENSE. Confirmed packaged examples include (I verified some as well):

• software.amazon.s3.analyticsaccelerator:analyticsaccelerator-s3:1.3.0; the file ends after aws-s3-accessgrants-java-plugin at open-api/LICENSE:1873
• com.google.api:api-common:2.52.0, missing near the GCP section before gax at open-api/LICENSE:638
• com.google.protobuf:protobuf-java:4.29.4 and protobuf-java-util:4.29.4
• io.grpc:* modules, io.opentelemetry:* modules, io.opencensus:*
• org.junit.jupiter:, org.junit.platform:, org.opentest4j:opentest4j
• org.checkerframework:checker-qual, org.roaringbitmap:RoaringBitmap

High: Several entries that are present still have stale versions compared with the same resolved runtime classpath. Examples:

• Jackson is listed as 2.18.4 / 2.18.4.1 at open-api/LICENSE:596, but resolves to 2.21 / 2.21.2
• gson is listed as 2.11.0 at open-api/LICENSE:852, but resolves to 2.12.1
• error_prone_annotations is listed as 2.10.0 at open-api/LICENSE:857, but resolves to 2.38.0
• commons-codec is listed as 1.17.1 at open-api/LICENSE:1025, but resolves to 1.19.0
• commons-logging is listed as 1.2 at open-api/LICENSE:1043, but resolves to 1.3.0
• org.apache.httpcomponents:httpclient is listed as 4.5.13 at open-api/LICENSE:1319, but resolves to 4.5.14

[jbonofre]

@manuzhang did you check on the 1.10.x branch? I'm surprised: for instance, jackson is 2.18.x on the branch.

This PR is on the 1.10.x branch.

I forgot to push the new entries, let me do that.

[manuzhang]

@jbonofre I was the one that bumped jackson version in #15847 for 1.10.x :)

[jbonofre]

@manuzhang then, I suspect some other LICENSE should be updated. Let me do verify.

[jbonofre]

@manuzhang open-api LICENSE and NOTICE files should be good now. I'm doing a complete final pass.

[manuzhang]

@jbonofre We are getting closer but still some entries are missing and some stale.

Missing license entries:

• javax.servlet.jsp:jsp-api
• org.bouncycastle:bcprov-jdk18on
• org.eclipse.jetty.toolchain:jetty-jakarta-servlet-api
• org.junit.jupiter:junit-jupiter
• org.junit.jupiter:junit-jupiter-api
• org.junit.jupiter:junit-jupiter-engine
• org.junit.jupiter:junit-jupiter-params
• org.junit.platform:junit-platform-commons
• org.junit.platform:junit-platform-engine
• org.opentest4j:opentest4j
• org.roaringbitmap:RoaringBitmap

Stale license entries:

• open-api/LICENSE:596: jackson-annotations lists 2.21.2, resolved is 2.21
• open-api/LICENSE:908: gson lists 2.11.0, resolved is 2.12.1
• open-api/LICENSE:913: error_prone_annotations lists 2.10.0, resolved is 2.38.0
• open-api/LICENSE:929: failureaccess lists 1.0.3, resolved is 1.0.2; guava lists 33.4.8-jre, resolved is 33.4.0-jre
• open-api/LICENSE:1195: commons-codec lists 1.17.1, resolved is 1.19.0
• open-api/LICENSE:1213: commons-logging lists 1.2, resolved is 1.3.0
• open-api/LICENSE:1339: Netty entries list 4.2.4.Final, but resolved entries are 4.1.124.Final or 4.1.118.Final/4.1.112.Final depending on module
• open-api/LICENSE:1603: Arrow entries list 15.0.2, resolved is 17.0.0
• open-api/LICENSE:1699: httpclient lists 4.5.13, resolved is 4.5.14

[jbonofre]

@manuzhang good catch. I'm updating.

[jbonofre]

@manuzhang here we are 😄 It should be good now.

[manuzhang]

@jbonofre One final comment

open-api/LICENSE:2000 includes org.junit.platform:junit-platform-launcher and the junit-platform-suite-* entries, but those are not in testFixturesRuntimeClasspath,

[rdblue]

@jbonofre, this repo doesn't use the fix(...) convention for PR titles. Could you fix the summary?

[jbonofre]

@rdblue absolutely. Thanks for the reminder!

[amogh-jahagirdar]

@jbonofre @rdblue I also thought before we did all the LICENSE/NOTICE changes we were first going to do a vetting of all the dependencies we're shipping and scope that down wherever applicable? Then we'd update LICENSE/NOTICE.
I guess it's an open question if we want to do that work for a patch release or not, but since concern was expressed on what we're shipping in runtime jars I thought we'd do that first.

[jbonofre]

@amogh-jahagirdar my understanding is to do that on main. The dependencies set should not have changed on 1.10.x. But if you think so, I'm happy to do an analysis.

[jbonofre]

@rdblue PR title updated.

[amogh-jahagirdar]

Thanks @jbonofre so there were dependency upgrades to address CVEs (like the jackson upgrade that @manuzhang referenced earlier). Theoretically those patch releases shouldn't change anything but my understanding was any dependency upgrade needs to be scrutinized, or maybe my understanding there was wrong?

[rdblue]

Versions get stale and should not be included in the license files.

[jbonofre]

That's the change I did on main, but for 1.10.x, I keep the format consistently.

[rdblue]

Sounds reasonable to me, thanks for the context.

[rdblue]

This should be done in a separate PR. PRs should generally just do one thing.

[jbonofre]

As I consider it's a fix on the NOTICE, I included there. But fine to split.

[jbonofre]

I gonna split in two PRs: this one will content the minimal change to have the LICENSE/NOTICE correct (the PR title will be updated accordingly). Let me create another PR specific to copyright year update. Thanks for the suggestion @rdblue !

[jbonofre]

See #16099

[rdblue]

These changes are unnecessary and shouldn't be included here. We can talk about whether to have more information on this line, but it isn't related to the purpose of this PR, which is to update the files for correctness. Including unnecessary changes increases what needs to be reviewed (or in this case scrolled past) and that can cause things to be missed.

[jbonofre]

It was a request from @manuzhang for consistency.

I'm fine to revert.

[rdblue]

These are large enough without other changes. Style updates like this should be in separate PRs. Thanks!

[manuzhang]

Sorry, I feel the pain to go back and forth in such a large PR. Maybe we can just leave out the style issues for the patch release?

[jbonofre]

That makes sense to me (and it was my initial change 😄 ). I propose to take a step back here with the following:

1. Let me list the dependencies in each "modules" (bundle and runtime artifacts) with a first pass for dependencies requiring "discussions" (I'm thinking of Eclipse Collections for instance).
2. I'm updating this PR with the minimal changes to have LICENSE/NOTICE files correct.
3. Depending of our finding on 1, I will update the PR accordingly.

Does it work for you guys?

Thanks again for your help on this one!

[rdblue]

How is this used? Is it pulled in transitively?

We don't use Eclipse collections, so if this is a new direct dependency, we should remove it.

Also, for Spark we want to check what Jars are already included in the Spark bundle and exclude them so that we don't ship duplicates or conflicts.

[jbonofre]

It's directly bundled in the runtime jar:

....
  2913 Fri Feb 01 00:00:00 CET 1980 org/eclipse/collections/api/LazyIntIterable.class
  2961 Fri Feb 01 00:00:00 CET 1980 org/eclipse/collections/api/LazyFloatIterable.class
  2937 Fri Feb 01 00:00:00 CET 1980 org/eclipse/collections/api/LazyLongIterable.class
  2985 Fri Feb 01 00:00:00 CET 1980 org/eclipse/collections/api/LazyDoubleIterable.class
 13693 Fri Feb 01 00:00:00 CET 1980 org/eclipse/collections/api/ParallelIterable.class

This is coming from arrow-vector (transitive).

I believe that it has not been introduced for 1.10.2 but before.

[manuzhang]

Can we just fix license issues in the patch release and fix dependency issues on the main branch?

[jbonofre]

@amogh-jahagirdar I think it's reasonable indeed. I also think that several issues exist for a while and probably need a cleanup (I'm thinking on Eclipse Collections for instance).

[rdblue]

@rdblue PR title updated.

Sorry, I should have been more clear. This project doesn't follow the "conventional commits" conventions for PR titles. I'd be fine having a discussion about this in the community, but I don't think that it is helpful to have conflicting conventions.

The convention that we follow is to list the high-level areas that are being changed, like "API" and "Core", or "Spark 4.1", followed by a colon, and then a short and direct description.

[jbonofre]

@rdblue ok, good. I'm surprised it comes now because I saw several PRs (including mine) using conventional commits style (that's why I was confused, sorry about that). Fair enough, I'm updating to use the recommended format. Thanks!

[jbonofre]

@manuzhang @rdblue @amogh-jahagirdar I changed the PR to focus on the minimal changes needed to fix LICENSE and NOTICE files.

I'm preparing the dependencies list for each artifact (bundle and runtime) identifying the dependencies worth to discuss (probably excluding not necessary ones and so updating LICENSE and NOTICE files in a new iteration). I will do that for both 1.10.x and main branches.

[manuzhang]

I'm surprised it comes now because I saw several PRs (including mine) using conventional commits style (that's why I was confused, sorry about that).

That might be that other iceberg projects are following conventional commits style. I created #16101 to add PR title check workflow.

[manuzhang]

I will do that for both 1.10.x and main branches.

I'd suggest fixing dependencies issue just on the main branch, since it could be too many dependency changes for a bugfix release.