fix: #510: third-party licenses (#511)

* add THIRDPARTY yaml file with all third-party licenses
  * generate initial draft using cargo bundle-licenses
  * resolve all license warnings manually
  * manually add Rust stdlib section
* resolve CI issues
* bundle new YAML file in Python `wheel` and `sdist`
* add notes regarding manual resolutions

Author: BatmanAoD

.gitignore

@@ -37,3 +37,6 @@ crates/python/tests/__output__/
 
 # unversioned developer notes
 scratch/
+
+# un-consolidated updates to THIRDPARTY license data
+/THIRDPARTY-update.yaml

Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "qcs"
 description = "High level interface for running Quil on a QPU"
-version = "0.25.2"
+version = "0.25.3-rc.4"
 edition = "2018"
 license = "Apache-2.0"
 repository = "https://github.com/rigetti/qcs-sdk-rust"

crates/lib/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "qcs-sdk-python"
 description = "Python bindings to qcs-sdk-rust"
-version = "0.21.2"
+version = "0.21.3-rc.4"
 edition = "2021"
 license = "Apache-2.0"
 repository = "https://github.com/rigetti/qcs-sdk-rust"

crates/python/Cargo.toml

@@ -1,7 +1,7 @@
 # This is the metadata Maturin uploads to PyPI on publish
 [project]
 name = "qcs-sdk-python"
-version = "0.21.2"
+version = "0.21.3-rc.4"
 description = "Python interface for the QCS Rust SDK"
 readme = "README.md"
 license = { text = "Apache-2.0" }
@@ -27,7 +27,8 @@ dependencies = ["quil>=0.11.2", "qcs-api-client-common>=0.10.0"]
 features = ["pyo3/extension-module"]
 bindings = "pyo3"
 compatibility = "linux"
-sdist-include = ["README.md"]
+include = ["THIRDPARTY.yaml"]
+sdist-include = ["README.md", "THIRDPARTY.yaml"]
 
 [project.optional-dependencies]
 pyquil = [

crates/python/THIRDPARTY.yaml

@@ -1,6 +1,5 @@
 """
-Appends grpc-web to the project name of both Cargo.toml and pyproject.toml,
-and patches the `hyper-proxy` dependency to allow ppc64le wheel builds.
+Appends grpc-web to the project name of both Cargo.toml and pyproject.toml.
 
 This is used in CI to prepare grpc-web-specific python artifacts for publishing.
 """
@@ -29,11 +28,4 @@ def write(f: TextIOWrapper, data):
 with open(join(pycrate_path, "Cargo.toml"), "r+") as f:
     data = toml.load(f)
     data["package"]["name"] = "qcs-sdk-python-grpc-web"
-    write(f, data)
-
-# Patch the `hyper-proxy` dependency
-
-with open(join(workspace_path, "Cargo.toml"), "r+") as f:
-    data = toml.load(f)
-    data["patch"] = {"crates-io": {"hyper-proxy": {"git": "https://github.com/rigetti/hyper-proxy"}}}
-    write(f, data)
+    write(f, data)

crates/python/pyproject.toml

@@ -68,6 +68,7 @@ ignore = [
     { id = "RUSTSEC-2024-0375", reason = "introduced by atty, a transitive dependency of multiple dependencies, with no upgrade path" },
     { id = "RUSTSEC-2024-0006", reason = "introduced by shlex, a transitive dependency of bindgen with no upgrade path" },
     { id = "RUSTSEC-2021-0139", reason = "ansi_term is unmaintained, but used by clap" },
+    { id = "RUSTSEC-2024-0384", reason = "instant is unmaintained, but used by backoff" },
 ]
 yanked = "deny"
 # If this is true, then cargo deny will use the git executable to fetch advisory database.