add notice file for python binding #920

Closed


@houqp
Member

houqp commented Aug 22, 2021

Which issue does this PR close?

From #875 (comment).

Relates to #887.

Rationale for this change

Since our python binding release artifacts will be binaries, we need to include all licenses used by our dependencies.

What changes are included in this PR?

Add notice file following https://github.com/apache/arrow/blob/master/NOTICE.txt

Are there any user-facing changes?

no

@jorgecarleitao
Member

Thanks a lot for taking this, QP!

I was imagining that our notice would have to be something like "go to all our (transitive and non-transitive) dependencies, extract their licenses, create a notice based on the list of dependencies and respective licenses".

This offers the guarantee to anyone using the binary shipped from Apache that we verified that it can be used in the same or comparable terms as the Apache license itself (my understanding of why such notice exists in apache/arrow, but I am not very experienced here).

@houqp
Member Author

houqp commented Aug 23, 2021

@kszucs it would be really helpful if you can provide some insights here since I noticed you have made significant changes to arrow's NOTICE.txt file. Do you know if arrow's NOTICE.txt file is managed manually or through automation? How deep do we need to get into the dependency graph to fish out all the downstream licenses?

The change in this PR only includes non-transitive dependencies.

@kszucs
Member

kszucs commented Aug 24, 2021

We maintain the license and notice files manually. I think it's enough to mention the dependencies where we have vendored source code from. Otherwise we'd need to generate the whole cargo dependency tree since we statically link everything with cargo (if I'm not mistaken). cc @kou

@kou
Member

kou commented Aug 25, 2021

@houqp houqp added this to the 5.1.0 milestone Sep 3, 2021
@houqp houqp mentioned this pull request Sep 3, 2021
@houqp
Member Author

houqp commented Sep 3, 2021

Thanks @kszucs and @kou for the pointers. I went through the ASF docs; it looks like we do need to account for the full dependency tree for a statically linked binary release :(

For source releases, we only need to take care of vendored source code.

Both the LICENSE file and NOTICE need to be updated for each compiled-in dependency for the binary release.

@houqp
Member Author

houqp commented Sep 3, 2021

closing this in favor of #966

@houqp houqp closed this Sep 13, 2021