Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should non-OSS licenses and associated source be stripped by prep-source-build.sh? #4736

Open
MichaelSimons opened this issue Nov 14, 2024 · 5 comments
Labels
area-dev-ux Developer user experience

Comments

@MichaelSimons
Copy link
Member

This issue stems from a discussion in dotnet/sdk#44828.

The VMR contains source to build the Windows installers. In some cases there are non-OSS licenses included in the VMR for these installers. Currently these licenses have to be special cased when scanning the source for non-OSS licenses - e.g. https://github.com/dotnet/sdk/blob/262b9c3d6cf67287f649e38d83e6c5d9d08feb8a/src/SourceBuild/content/test/Microsoft.DotNet.SourceBuild.Tests/assets/LicenseScanTests/LicenseExclusions.txt#L144. This adds a tax for each distro maintainer who scans the source before building around analyzing and ensuring the source is not part of the source built product. To provide a better UX, should the prep-source-build.sh strip these licenses and the associated source similar to how binaries are stripped today?

Copy link

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Copy link

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@MichaelSimons MichaelSimons added area-dev-ux Developer user experience and removed untriaged labels Nov 14, 2024
@MichaelSimons MichaelSimons moved this from Backlog to 10.0 in .NET Source Build Nov 14, 2024
@MichaelSimons
Copy link
Member Author

@dotnet/distro-maintainers - Do you have thoughts on this? Would this be helpful to you?

@mateusrodrigues
Copy link
Member

Yes, I believe this would be helpful.

We do run our own source scan before every package upload and analyze such cases that non-free licenses are found, e.g. #4590. If the script is able to strip those beforehand, that's even better.

And similar to the binary removal tool, one could simply skip that step if they want to.

@omajid
Copy link
Member

omajid commented Nov 19, 2024

To provide a better UX, should the prep-source-build.sh strip these licenses and the associated source similar to how binaries are stripped today?

In Fedora, we have two conflicting goals when it comes to building .NET from source:

  • We want to use the pristine upstream sources, and validate that they haven't been tampered with
  • We don't want to ever include non-OSS sources or binaries

To address the first goal, we use the github tarball, which contains the full source of the VMR, with nothing added or removed.

To address the second goal, we scan everything in the source tarball. This happens in a context where nothing (like prep-source-build.sh) has executed, and we are only working with inputs to the build system. Today, this includes license assets and binaries in the VMR.

So this change, which strips up things after extracting from the original/unmodified/pristine tarball, doesn't really affect us.If it helps others users, then +1 for making this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-dev-ux Developer user experience
Projects
Status: 10.0 Preview 1
Development

No branches or pull requests

3 participants