fix: #510: third-party licenses #511

Merged
merged 14 commits into from
Nov 20, 2024

@BatmanAoD BatmanAoD commented Nov 13, 2024

In this PR:

  • Generated and reviewed licensing data for third-party packages
  • Added license data for Rust itself
  • Added NOTICE files for Apache-2.0 projects, where present
  • Resolved open questions with Luke
  • Bundled the license texts with our binary artifacts that we distribute via PyPI
  • Resolved CI issues for cargo deny and Python-publishing

TBD, not necessarily in this PR:

  • rendering this as Markdown or similar
  • automatically updating the THIRDPARTY.yml file in each MR


github-actions bot commented Nov 13, 2024

PR Preview Action v1.4.8
🚀 Deployed preview to https://rigetti.github.io/qcs-sdk-rust/pr-preview/pr-511/
on branch qcs-sdk-python-docs at 2024-11-14 19:26 UTC

@BatmanAoD BatmanAoD marked this pull request as ready for review November 14, 2024 01:09

kalzoo commented Nov 14, 2024

> rendering this as Markdown or similar

What's the interest in doing this? Do we expect anyone to care about the readability?

> bundling the license texts with our binary artifacts that we distribute via PyPI

This should be as simple as listing the files in the pyproject.toml

> automatically updating the THIRDPARTY.yml file in each MR

Seems like this might be a release CI step rather than in the MR, right? Things always get a little messy when the MR pipeline commits files back to its branch.

Seems like the way to go would be:

  • Have a manually-written file for any exceptions that the bundling tool can't handle
  • Auto-generate the primary thirdparty file in CI (and don't commit to source control, since that'll never get updated)
  • (TBD) some way to detect new gaps between the two

Then those artifacts are always up to date for publication and no one has to edit them or wonder if they are supposed to edit them.

BatmanAoD commented

> Do we expect anyone to care about the readability?

Well, Luke hasn't actually commented on the draft version I sent him back when I first discovered bundle-licenses, and the example third-party files I've seen do seem more readable. But the YAML is readable enough except for cases where it renders the Apache license as one long in-line string with \n escapes. (For some reason it does this for some packages but not others.)

> Seems like this might be a release CI step rather than in the MR, right?

I think we always want to be able to review changes made by our tooling, and do so before merging to main, or at least before doing a release.

> (TBD) some way to detect new gaps between the two

I mentioned this in Slack as well, but bundle-licenses is designed to do that; the bug I linked causes a false positive, though.

@BatmanAoD BatmanAoD force-pushed the 510-thirdparty-licenses branch 2 times, most recently from 21b805f to f875d47 Compare November 14, 2024 18:09

BatmanAoD commented

> This should be as simple as listing the files in the pyproject.toml

I've added it for sdist and whl files. I'm struggling to test that CI produces the right thing (and I needed to fix an unrelated issue with the grpc-web bundling), but locally I can see that it does.

@BatmanAoD BatmanAoD merged commit dfc0ac9 into main Nov 20, 2024
2 checks passed
@BatmanAoD BatmanAoD deleted the 510-thirdparty-licenses branch November 20, 2024 22:30