Should non-OSS licenses and associated source be stripped by prep-source-build.sh? #4736
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
@dotnet/distro-maintainers - Do you have thoughts on this? Would this be helpful to you?
Yes, I believe this would be helpful. We do run our own source scan before every package upload and analyze cases where non-free licenses are found, e.g. #4590. If the script is able to strip those beforehand, that's even better. And similar to the binary removal tool, one could simply skip that step if they want to.
In Fedora, we have two conflicting goals when it comes to building .NET from source:
To address the first goal, we use the GitHub tarball, which contains the full source of the VMR, with nothing added or removed. To address the second goal, we scan everything in the source tarball. This happens in a context where nothing (like prep-source-build.sh) has executed, and we are only working with inputs to the build system. Today, this includes license assets and binaries in the VMR. So this change, which strips things after extracting from the original/unmodified/pristine tarball, doesn't really affect us. If it helps other users, then +1 for making this.
This issue stems from a discussion in dotnet/sdk#44828.
The VMR contains source to build the Windows installers. In some cases there are non-OSS licenses included in the VMR for these installers. Currently these licenses have to be special-cased when scanning the source for non-OSS licenses - e.g. https://github.com/dotnet/sdk/blob/262b9c3d6cf67287f649e38d83e6c5d9d08feb8a/src/SourceBuild/content/test/Microsoft.DotNet.SourceBuild.Tests/assets/LicenseScanTests/LicenseExclusions.txt#L144. This adds a tax for each distro maintainer who scans the source before building: analyzing these files and ensuring the source is not part of the source-built product. To provide a better UX, should prep-source-build.sh strip these licenses and the associated source, similar to how binaries are stripped today?
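To make the proposal concrete, here is an added example of what such a prep step could look like. It is not dotnet's prep-source-build.sh, nor the LicenseScanTests code linked above; the exclusion-list format (one path relative to the tree root per line, `#` comments, a trailing `/` for a whole subtree), the proprietary-wording regex used to flag leftovers, and the sample tree are all assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example (not dotnet's prep-source-build.sh or its LicenseScanTests):
# a hypothetical prep step that removes non-OSS installer assets listed in an
# exclusion file from an extracted VMR tree, the way binaries are stripped
# today, and reports any license file that still looks non-OSS afterwards.
set -eu

# Constructed sample tree standing in for an extracted VMR tarball.
make_sample_tree() {
    root=$1
    mkdir -p "$root/src/installer/windows/third-party" "$root/src/runtime"
    printf 'Proprietary software. Redistribution is prohibited.\n' \
        > "$root/src/installer/windows/third-party/LICENSE.txt"
    printf 'int helper(void) { return 1; }\n' \
        > "$root/src/installer/windows/third-party/helper.c"
    printf 'MIT License\nPermission is hereby granted, free of charge, ...\n' \
        > "$root/src/runtime/LICENSE.TXT"
    printf 'int x;\n' > "$root/src/runtime/x.c"
}

# Assumed exclusion-list format: one path relative to the tree root per line,
# '#' starts a comment, a trailing '/' means the whole subtree goes.
write_exclusions() {
    cat > "$1" <<'EOF'
# non-OSS Windows installer assets and the source that only they use
src/installer/windows/third-party/
EOF
}

# strip_excluded ROOT LISTFILE: delete each listed path under ROOT and print
# what was removed. Absolute paths and '..' components are refused so a bad
# list cannot reach outside the extracted tree.
strip_excluded() {
    root=$1
    list=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|\#*) continue ;;
            /*|..|../*|*/..|*/../*)
                echo "refusing unsafe exclusion entry: $entry" >&2
                return 1 ;;
        esac
        target=$root/$entry
        if [ -e "$target" ]; then
            rm -rf -- "$target"
            printf '%s\n' "$entry"
        fi
    done < "$list"
}

# flag_non_oss ROOT: print license files whose text matches a crude
# proprietary-wording heuristic (illustrative only, not the real scan rule).
flag_non_oss() {
    find "$1" -type f \( -iname 'LICENSE*' -o -iname '*license*.txt' \) |
    sort |
    while IFS= read -r f; do
        if grep -qiE 'proprietary|redistribution (is )?prohibited' "$f"; then
            printf '%s\n' "${f#"$1"/}"
        fi
    done
}

# Stand-alone demo: flag, strip, and re-check the constructed tree.
run_demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    write_exclusions "$tmp/exclusions.txt"
    echo "flagged before stripping:"; flag_non_oss "$tmp"
    echo "removed:"; strip_excluded "$tmp" "$tmp/exclusions.txt"
    echo "flagged after stripping:"; flag_non_oss "$tmp"
    rm -rf -- "$tmp"
}
run_demo
```

The post-strip check is the part a distro maintainer would actually rely on: the exclusion list says what the prep step intends to remove, while the scan over the remaining tree confirms nothing listed as non-OSS survived. As with the binary removal step, a real implementation would also want a switch to skip stripping entirely for maintainers who, like Fedora above, scan the pristine tarball themselves.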