GCP: Fix LICENSE, NOTICE, and runtime-deps for gcp-bundle

[kevinjqliu]

Fixes license compliance gaps in gcp-bundle found by auditing the shadow JAR contents against LICENSE/NOTICE declarations.

Exclude logging dependencies, following same pattern in #16105

Build and verify

./gradlew :iceberg-gcp-bundle:shadowJar -x test
./gradlew :iceberg-gcp-bundle:checkRuntimeDeps
JAR=gcp-bundle/build/libs/iceberg-gcp-bundle-1.11.0-SNAPSHOT.jar

LICENSE

(In the order of changes in LICENSE)

• FastDoubleParser + fast_float + bigint (MIT / BSD 2-Clause) — Shaded into Jackson Core at com/fasterxml/jackson/core/internal/shaded/fdp/. Jackson ships a FastDoubleParser-NOTICE declaring the code derives from fast_float (MIT, Copyright 2021 The fast_float authors) and bigint (BSD 2-Clause, Copyright 2020 Tim Buktu). Those licenses require preserving copyright notices in redistributions. Required: consistent with all other Iceberg modules.

  jar tf "$JAR" | grep -c "internal/shaded/fdp/"
  # FastDoubleParser-NOTICE declares the original licenses:
  unzip -p "$JAR" META-INF/FastDoubleParser-NOTICE

• Added trailing period on "Google Cloud Open-Telemetry..." entry — Cosmetic, for consistency.
• Mozilla Public Suffix List (MPL 2.0) — Data file bundled by Guava. Required: Category B license, must include full text and labeling.

  jar tf "$JAR" | grep "mozilla/public-suffix-list"
  unzip -p "$JAR" mozilla/public-suffix-list.txt

• Apache Tomcat Native + BoringSSL (Apache 2.0 / BSD 3-Clause) — Native libs statically linked into netty-tcnative-boringssl-static via grpc-netty-shaded. BoringSSL is Apache 2.0 but contains portions under the Go License (BSD 3-Clause). Removed redundant inline Apache 2.0 full text (Iceberg is already Apache 2.0), keeping only the BSD 3-Clause Go Authors portion. Tomcat Native (Apache 2.0) is a URL pointer consistent with existing convention.

  jar tf "$JAR" | grep -E "META-INF/(native/.*tcnative|license/LICENSE.boringssl)"
  unzip -p "$JAR" META-INF/license/LICENSE.boringssl.txt

• CDDL → CDDL 1.1 for javax.annotation-api — Required: Category B license, corrected imprecise reference, full text now included.
• checker-qual → checker-qual and checker-compat-qual — compat-qual classes are present. Required: checker-compat-qual is MIT-licensed, must be declared.

  jar tf "$JAR" | grep "checkerframework/checker/nullness/compatqual"

• CEL spec, xDS, UDPA definitions (Apache 2.0) — Shaded by grpc-xds. Not strictly required but consistent with existing convention (file already lists ~30 Apache 2.0 deps).

  jar tf "$JAR" | grep -c "^io/grpc/xds/shaded/dev/cel/"        # CEL: 123 classes
  jar tf "$JAR" | grep -c "^io/grpc/xds/shaded/io/envoyproxy/"  # xDS: 2980 classes
  jar tf "$JAR" | grep -c "^io/grpc/xds/shaded/udpa/"           # UDPA: 46 classes

• JCTools (via Netty) → JCTools (via Netty and OpenTelemetry) — JCTools (Apache 2.0, v3.1.0) is shaded into three locations: io/grpc/netty/shaded/ (117 classes, via grpc-netty-shaded → Netty), io/opentelemetry/internal/shaded/ (32 classes, via OpenTelemetry), and org/apache/iceberg/gcp/shaded/ (91 classes, Iceberg relocation of Netty). The old LICENSE only credited Netty. Not strictly required but improves accuracy.

  # Shaded locations:
  jar tf "$JAR" | grep "jctools" | grep -oE "^[^/]+/[^/]+" | sort -u
  # Version from embedded pom.properties:
  unzip -p "$JAR" META-INF/maven/org.jctools/jctools-core/pom.properties  # 3.1.0
  # Upstream license: https://github.com/JCTools/JCTools/blob/master/LICENSE
  # Maven Central POM: https://repo1.maven.org/maven2/org/jctools/jctools-core/3.1.0/jctools-core-3.1.0.pom

• WeakConcurrentMap (Apache 2.0) — Shaded by OpenTelemetry. Not strictly required but consistent with existing convention.

  jar tf "$JAR" | grep "opentelemetry/context/internal/shaded/WeakConcurrentMap"

• MSV xsdlib, isorelax, RELAX NG Datatype API (BSD 3-Clause / CDDL 1.1) — Shaded by Woodstox into com/ctc/wstx/shaded/. Woodstox bundles four MSV artifacts (msv-core, xsdlib, isorelax, relaxngDatatype) and relocates them. Required: xsdlib and RELAX NG Datatype are BSD 3-Clause; isorelax is CDDL 1.1. Non-Apache licenses need full text in LICENSE.

  # Shaded classes present in JAR:
  jar tf "$JAR" | grep -E "^com/ctc/wstx/shaded/(msv_core|msv/org_isorelax|msv/relaxng_datatype)" | head -5
  # Embedded pom.properties confirm artifact versions:
  unzip -p "$JAR" META-INF/maven/net.java.dev.msv/xsdlib/pom.properties       # xsdlib 2022.7
  unzip -p "$JAR" META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.properties # isorelax 20090621
  # Upstream licenses:
  #   xsdlib (BSD 3-Clause):       https://github.com/xmlark/msv/blob/main/xsdlib/LICENSE
  #   isorelax (CDDL 1.1):         POM header at https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb/isorelax/20090621/isorelax-20090621.pom
  #   RELAX NG Datatype (BSD 3-Clause): https://github.com/relaxng/relaxng-datatype-java/blob/main/LICENSE

NOTICE

• Jackson — Added missing FastDoubleParser attribution section and missing copyright section. The upstream jackson-core NOTICE references the shaded FastDoubleParser copy and its MIT copyright and includes Copyright 2007-, Tatu Saloranta (tatu.saloranta@iki.fi) but the old gcp-bundle NOTICE omitted it. Required: ASF policy mandates propagating upstream NOTICE contents.

  # Upstream NOTICE from Maven Central jackson-core-2.18.3.jar:
  curl -sL "https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.18.3/jackson-core-2.18.3.jar" -o /tmp/jc.jar && unzip -p /tmp/jc.jar META-INF/NOTICE

• GCS Analytics Core — Removed entry. The upstream gcs-analytics-core-1.2.3.jar and client-1.2.3.jar contain no META-INF/NOTICE file, so per ASF policy there is nothing to propagate. The previous entry appeared to be sourced from the project's GitHub README/license header rather than an actual NOTICE file. Not required: Only dependencies whose JARs contain a substantive (non-boilerplate) NOTICE file need an entry.

  # Exact JARs used by gcp-bundle (com.google.cloud.gcs.analytics:gcs-analytics-core:1.2.3
  # and its dependency com.google.cloud.gcs.analytics:client:1.2.3):
  unzip -l ~/.gradle/caches/modules-2/files-2.1/com.google.cloud.gcs.analytics/gcs-analytics-core/1.2.3/caf5e8c6f3f71e73b4cfe4ec3720127cdd6d5ac7/gcs-analytics-core-1.2.3.jar | grep -i notice
  # (no output — no NOTICE file present)
  
  unzip -l ~/.gradle/caches/modules-2/files-2.1/com.google.cloud.gcs.analytics/client/1.2.3/562ef94aa74e00f3cf37a9d84a4dff8c2b8f7413/client-1.2.3.jar | grep -i notice
  # (no output — no NOTICE file present)

[kevinjqliu]

https://github.com/xmlark/msv/blob/main/LICENSE.md?plain=1

[kevinjqliu]

matches aws-bundle

iceberg/aws-bundle/NOTICE

Lines 35 to 60 in 6ce5026

	This product bundles Jackson JSON Processor with the following in its NOTICE file:
	| # Jackson JSON processor
	|
	| Jackson is a high-performance, Free/Open Source JSON processing library.
	| It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
	| been in development since 2007.
	| It is currently developed by a community of developers.
	|
	| ## Copyright
	|
	| Copyright 2007-, Tatu Saloranta (tatu.saloranta@iki.fi)
	|
	| ## Licensing
	|
	| Jackson 2.x core and extension components are licensed under Apache License 2.0
	| To find the details that apply to this artifact see the accompanying LICENSE file.
	|
	| ## Credits
	|
	| A list of contributors may be found from CREDITS(-2.x) file, which is included
	| in some artifacts (usually source distributions); but is always available
	| from the source code management (SCM) system project uses.
	|
	| ## FastDoubleParser
	|
	| jackson-core bundles a shaded copy of FastDoubleParser <https://github.com/wrandelshofer/FastDoubleParser>.

[kevinjqliu]

https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb/isorelax/20090621/isorelax-20090621.pom

https://spdx.org/licenses/CDDL-1.1.html

[kevinjqliu]

Thanks for the reviews, added some formatting changes. Remove GCS Analytics Core entry from NOTICE, added justification to the PR description