wuchong commented on code in PR #2674: URL: https://github.com/apache/fluss/pull/2674#discussion_r2810475733
########## fluss-filesystems/fluss-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE: ########## @@ -9,28 +9,33 @@ This project bundles the following dependencies under the Apache Software Licens - com.fasterxml.jackson.core:jackson-annotations:2.15.3 - com.fasterxml.jackson.core:jackson-core:2.15.3 - com.fasterxml.jackson.core:jackson-databind:2.15.3 -- com.fasterxml.woodstox:woodstox-core:5.3.0 +- com.fasterxml.woodstox:woodstox-core:5.4.0 - com.google.guava:failureaccess:1.0 - com.google.guava:guava:27.0-jre - com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava - com.google.j2objc:j2objc-annotations:1.1 - commons-beanutils:commons-beanutils:1.9.4 - commons-collections:commons-collections:3.2.2 -- commons-io:commons-io:2.8.0 -- commons-logging:commons-logging:1.1.3 -- org.apache.commons:commons-compress:1.21 -- org.apache.commons:commons-configuration2:2.1.1 +- commons-io:commons-io:2.16.1 +- commons-logging:commons-logging:1.2 +- io.dropwizard.metrics:metrics-core:3.2.4 Review Comment: `io.dropwizard.metrics:metrics-core` is not used by `hadoop-common` (https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html), can you remove it from all the NOTICE files in filesystem modules? ########## fluss-filesystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java: ########## @@ -70,31 +70,34 @@ public S3DelegationTokenProvider(String scheme, Configuration conf) { public ObtainedSecurityToken obtainSecurityToken() { LOG.info("Obtaining session credentials token with access key: {}", accessKey); - AWSSecurityTokenService stsClient = - AWSSecurityTokenServiceClientBuilder.standard() - .withRegion(region) - .withCredentials( - new AWSStaticCredentialsProvider( - new BasicAWSCredentials(accessKey, secretKey))) + StsClient stsClient = Review Comment: @luoyuxia , do you have other solutions to resolve the rustfs issue? ########## fluss-filesystems/fluss-fs-gs/src/main/resources/META-INF/NOTICE: ########## @@ -75,21 +85,25 @@ This project bundles the following dependencies under the Apache Software Licens - io.opencensus:opencensus-impl-core:0.31.0 - io.opencensus:opencensus-proto:0.2.0 - io.perfmark:perfmark-api:0.26.0 -- org.apache.commons:commons-compress:1.21 -- org.apache.commons:commons-configuration2:2.1.1 +- org.apache.commons:commons-compress:1.26.1 +- org.apache.commons:commons-configuration2:2.10.1 - org.apache.commons:commons-lang3:3.18.0 -- org.apache.commons:commons-text:1.4 -- org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.1.1 -- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:1.1.1 -- org.apache.hadoop:hadoop-annotations:3.3.4 -- org.apache.hadoop:hadoop-auth:3.3.4 -- org.apache.hadoop:hadoop-common:3.3.4 +- org.apache.commons:commons-text:1.10.0 +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.3.0 +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:1.3.0 +- org.apache.hadoop:hadoop-annotations:3.4.1 +- org.apache.hadoop:hadoop-auth:3.4.1 +- org.apache.hadoop:hadoop-common:3.4.1 - org.apache.httpcomponents:httpclient:4.5.13 - org.apache.httpcomponents:httpcore:4.4.13 -- org.apache.kerby:kerb-core:1.0.1 -- org.apache.kerby:kerby-asn1:1.0.1 -- org.apache.kerby:kerby-pkix:1.0.1 -- org.apache.kerby:kerby-util:1.0.1 +- org.apache.kerby:kerb-core:2.0.3 +- org.apache.kerby:kerb-crypto:2.0.3 +- org.apache.kerby:kerb-util:2.0.3 +- org.apache.kerby:kerby-asn1:2.0.3 +- org.apache.kerby:kerby-config:2.0.3 +- org.apache.kerby:kerby-pkix:2.0.3 +- org.apache.kerby:kerby-util:2.0.3 +- org.codehaus.jettison:jettison:1.5.4 Review Comment: `org.codehaus.jettison:jettison` is not used by `hadoop-common` (https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html), can you remove it from all the NOTICE files in filesystem modules? ########## fluss-filesystems/fluss-fs-s3/src/main/resources/META-INF/NOTICE: ########## @@ -3,57 +3,96 @@ Copyright 2025-2026 The Apache Software Foundation This project bundles the following dependencies under the Apache Software License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) -- com.amazonaws:aws-java-sdk-core:1.12.319 -- com.amazonaws:aws-java-sdk-dynamodb:1.12.319 -- com.amazonaws:aws-java-sdk-kms:1.12.319 -- com.amazonaws:aws-java-sdk-s3:1.12.319 -- com.amazonaws:aws-java-sdk-sts:1.12.319 -- com.amazonaws:jmespath-java:1.12.319 - com.fasterxml.jackson.core:jackson-annotations:2.15.3 - com.fasterxml.jackson.core:jackson-core:2.15.3 - com.fasterxml.jackson.core:jackson-databind:2.15.3 -- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.15.3 -- com.fasterxml.woodstox:woodstox-core:5.3.0 +- com.fasterxml.woodstox:woodstox-core:5.4.0 - com.google.guava:failureaccess:1.0 - com.google.guava:guava:27.0-jre - com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava - com.google.j2objc:j2objc-annotations:1.1 - commons-beanutils:commons-beanutils:1.9.4 - commons-codec:commons-codec:1.15 - commons-collections:commons-collections:3.2.2 -- commons-io:commons-io:2.8.0 -- commons-logging:commons-logging:1.1.3 -- joda-time:joda-time:2.8.1 -- org.apache.commons:commons-compress:1.21 -- org.apache.commons:commons-configuration2:2.1.1 +- commons-io:commons-io:2.16.1 +- commons-logging:commons-logging:1.2 +- io.dropwizard.metrics:metrics-core:3.2.4 +- io.netty:netty-buffer:4.1.100.Final +- io.netty:netty-codec:4.1.100.Final +- io.netty:netty-codec-http:4.1.100.Final +- io.netty:netty-codec-http2:4.1.100.Final +- io.netty:netty-common:4.1.100.Final +- io.netty:netty-handler:4.1.100.Final +- io.netty:netty-resolver:4.1.100.Final +- io.netty:netty-transport:4.1.100.Final +- io.netty:netty-transport-classes-epoll:4.1.100.Final +- io.netty:netty-transport-native-epoll:4.1.100.Final +- io.netty:netty-transport-native-unix-common:4.1.100.Final Review Comment: Please remove all the netty dependency in the NOTICE files (including NOTICE files in other filesystem modules). See the warning log https://github.com/apache/fluss/actions/runs/22016381283/job/63618691913?pr=2674 ########## fluss-filesystems/fluss-fs-s3/src/main/resources/META-INF/NOTICE: ########## @@ -3,57 +3,96 @@ Copyright 2025-2026 The Apache Software Foundation This project bundles the following dependencies under the Apache Software License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) -- com.amazonaws:aws-java-sdk-core:1.12.319 -- com.amazonaws:aws-java-sdk-dynamodb:1.12.319 -- com.amazonaws:aws-java-sdk-kms:1.12.319 -- com.amazonaws:aws-java-sdk-s3:1.12.319 -- com.amazonaws:aws-java-sdk-sts:1.12.319 -- com.amazonaws:jmespath-java:1.12.319 - com.fasterxml.jackson.core:jackson-annotations:2.15.3 - com.fasterxml.jackson.core:jackson-core:2.15.3 - com.fasterxml.jackson.core:jackson-databind:2.15.3 -- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.15.3 -- com.fasterxml.woodstox:woodstox-core:5.3.0 +- com.fasterxml.woodstox:woodstox-core:5.4.0 - com.google.guava:failureaccess:1.0 - com.google.guava:guava:27.0-jre - com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava - com.google.j2objc:j2objc-annotations:1.1 - commons-beanutils:commons-beanutils:1.9.4 - commons-codec:commons-codec:1.15 - commons-collections:commons-collections:3.2.2 -- commons-io:commons-io:2.8.0 -- commons-logging:commons-logging:1.1.3 -- joda-time:joda-time:2.8.1 -- org.apache.commons:commons-compress:1.21 -- org.apache.commons:commons-configuration2:2.1.1 +- commons-io:commons-io:2.16.1 +- commons-logging:commons-logging:1.2 +- io.dropwizard.metrics:metrics-core:3.2.4 +- io.netty:netty-buffer:4.1.100.Final +- io.netty:netty-codec:4.1.100.Final +- io.netty:netty-codec-http:4.1.100.Final +- io.netty:netty-codec-http2:4.1.100.Final +- io.netty:netty-common:4.1.100.Final +- io.netty:netty-handler:4.1.100.Final +- io.netty:netty-resolver:4.1.100.Final +- io.netty:netty-transport:4.1.100.Final +- io.netty:netty-transport-classes-epoll:4.1.100.Final +- io.netty:netty-transport-native-epoll:4.1.100.Final +- io.netty:netty-transport-native-unix-common:4.1.100.Final +- org.apache.commons:commons-compress:1.26.1 +- org.apache.commons:commons-configuration2:2.10.1 - org.apache.commons:commons-lang3:3.18.0 -- org.apache.commons:commons-text:1.4 -- org.apache.hadoop:hadoop-annotations:3.3.4 -- org.apache.hadoop:hadoop-auth:3.3.4 -- org.apache.hadoop:hadoop-aws:3.3.4 -- org.apache.hadoop:hadoop-common:3.3.4 -- org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.1.1 -- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:1.1.1 +- org.apache.commons:commons-text:1.10.0 +- org.apache.hadoop:hadoop-annotations:3.4.1 +- org.apache.hadoop:hadoop-auth:3.4.1 +- org.apache.hadoop:hadoop-aws:3.4.1 +- org.apache.hadoop:hadoop-common:3.4.1 +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.3.0 +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:1.3.0 - org.apache.httpcomponents:httpclient:4.5.13 - org.apache.httpcomponents:httpcore:4.4.13 -- org.apache.kerby:kerb-core:1.0.1 -- org.apache.kerby:kerby-asn1:1.0.1 -- org.apache.kerby:kerby-pkix:1.0.1 -- org.apache.kerby:kerby-util:1.0.1 -- org.wildfly.openssl:wildfly-openssl:1.0.7.Final +- org.apache.kerby:kerb-core:2.0.3 +- org.apache.kerby:kerb-crypto:2.0.3 +- org.apache.kerby:kerb-util:2.0.3 +- org.apache.kerby:kerby-asn1:2.0.3 +- org.apache.kerby:kerby-config:2.0.3 +- org.apache.kerby:kerby-pkix:2.0.3 +- org.apache.kerby:kerby-util:2.0.3 +- org.codehaus.jettison:jettison:1.5.4 +- org.wildfly.openssl:wildfly-openssl:1.1.3.Final - org.xerial.snappy:snappy-java:1.1.10.4 -- software.amazon.ion:ion-java:1.0.2 - -This project bundles the following dependencies under BSD-2 License (https://opensource.org/licenses/BSD-2-Clause). -See bundled license files for details. - -- dnsjava:dnsjava:2.1.7 +- software.amazon.awssdk:annotations:2.24.6 +- software.amazon.awssdk:apache-client:2.24.6 +- software.amazon.awssdk:arns:2.24.6 +- software.amazon.awssdk:auth:2.24.6 +- software.amazon.awssdk:aws-core:2.24.6 +- software.amazon.awssdk:aws-json-protocol:2.24.6 +- software.amazon.awssdk:aws-query-protocol:2.24.6 +- software.amazon.awssdk:aws-xml-protocol:2.24.6 +- software.amazon.awssdk:checksums:2.24.6 +- software.amazon.awssdk:checksums-spi:2.24.6 +- software.amazon.awssdk:crt-core:2.24.6 +- software.amazon.awssdk:dynamodb:2.24.6 +- software.amazon.awssdk:endpoints-spi:2.24.6 +- software.amazon.awssdk:http-auth:2.24.6 +- software.amazon.awssdk:http-auth-aws:2.24.6 +- software.amazon.awssdk:http-auth-spi:2.24.6 +- software.amazon.awssdk:http-client-spi:2.24.6 +- software.amazon.awssdk:identity-spi:2.24.6 +- software.amazon.awssdk:json-utils:2.24.6 +- software.amazon.awssdk:kms:2.24.6 +- software.amazon.awssdk:metrics-spi:2.24.6 +- software.amazon.awssdk:netty-nio-client:2.24.6 +- software.amazon.awssdk:profiles:2.24.6 +- software.amazon.awssdk:protocol-core:2.24.6 +- software.amazon.awssdk:regions:2.24.6 +- software.amazon.awssdk:s3:2.24.6 +- software.amazon.awssdk:sdk-core:2.24.6 +- software.amazon.awssdk:sts:2.24.6 +- software.amazon.awssdk:third-party-jackson-core:2.24.6 +- software.amazon.awssdk:utils:2.24.6 +- software.amazon.eventstream:eventstream:1.0.1 This project bundles the following dependencies under the MIT (https://opensource.org/licenses/MIT) See bundled license files for details. - org.checkerframework:checker-qual:2.5.2 - org.codehaus.mojo:animal-sniffer-annotations:1.17 +- org.reactivestreams:reactive-streams:1.0.4 Review Comment: Which dependency is bringing in this transitive dependency? Can we avoid including it? If it must be included, we are required by ASF policy to add a reference to its license in `META-INF/licenses`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
