jquery-validation-unobstrusive in samples is licensed under a non-open source license

[omajid]

Describe the bug

ASP.NET Core is licensed under an Open Source License (Apache or MIT). However, some samples in this repository are under a proprietary license. Anyone looking to build and distribute ASP.NET Core from source (for example, Linux distributions as part of the source-build work) is at risk of accidentally violating the license.

Specifically, anumber of .bower.json files contain this license entry:

"license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",

And the license that it points to is not an Open Source License.

Since these are just samples, anyone looking to build and distribute ASP.NET Core can, as a workaround, delete the files and avoid packaging them, but it would be much easier and safer for everyone if the licenses were fixed (or the files were re-licensed or, failing that, any non-open source files were removed).

To Reproduce

$ git remote -v
origin  https://github.com/dotnet/aspnetcore (fetch)
origin  https://github.com/dotnet/aspnetcore (push)

$ git rev-parse HEAD
7739f93951d4e71f61825b5f1380c421bd8c1499

$ grep -ir 'eula.*.htm'
src/Security/samples/PathSchemeSelection/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",
src/Security/samples/DynamicSchemes/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",
src/Security/samples/ClaimsTransformation/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",
src/Security/samples/Identity.ExternalClaims/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",
src/Security/samples/Cookies/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",
src/Security/samples/StaticFilesAuth/wwwroot/lib/jquery-validation-unobtrusive/.bower.json:  "license": "http://www.microsoft.com/web/webpi/eula/net_library_eula_enu.htm",

[omajid]

cc @dseefeld @dleeapho @leecow

[javiercn]

/cc: @Pilchie

Thanks for contacting us.

We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[omajid]

Hey, @mkArtakMSFT ! I wanted to provide more context around the potential impact of this bug.

We (Red Hat) use source-build to build .NET fully from source, trusting that it is only open source code. We do not (and can not) use non-open (or proprietary) source code.

These files, even though they are just samples/docs, contain a non-open source license. They end up in the source compilation produced by source-build. The way we see it, that results in the source-build compilation itself being non-open source. And that means we can't use source-built at all!

For now, we work around that by deleting all the samples as manual step from the source-build compilation to avoid any risk of using non-open source code. But any other consumer of source-build (and this repo) might miss that. Even we could forget this manual step. That could result in somone accidentally using non-open source code and risk violating the license terms of some of the code in this repo.

I understand it's too late to fix this for 6.0.0 GA. Would it be possible to re-evaluate this bug and the impact for a followup/bugfix release, please?