Add missing Paket license. Remove replaced bash dependencies generation script

[bpintea]

This PR adds the missing Paket license info.
It also removes the bash dependencies generation script, now replaced with a batch equivalent (complementing #126).

[droberts195]

I think it's called "Paket" (with no "c").

[droberts195]

There are also the licenses of the components downloaded by Paket to consider. @codebrain said:

We can configure the paket.dependencies file such that it will download licenses as well: https://fsprojects.github.io/Paket/dependencies-file.html#License-download - it would then be possible to collect and bundle these files.

But then dependency_report.bat would need to include entries for those components into the single CSV file it produces for release manager. Maybe the code to do all this is then too complicated for a .bat file.

[bpintea]

There are also the licenses of the components downloaded by Paket to consider.

There are and @codebrain and I had a quick discussion earlier on it.

Now, if the criteria for inclusion is based on repository and shipped product contents, I believe we only need to include Paket still.
If we need to list all build requirements - i.e. which software packages we use during the build process - we would need to add a longer list, not just those listed in https://github.com/elastic/open-source/issues/28#issuecomment-472263420 (at least CMake, maybe Gradle, Vagrant etc.?)

[droberts195]

If we need to list all build requirements - i.e. which software packages we use during the build process

We don't need to list these in the CSV file for release manager. It only needs to list components that the end user who runs the installer will end up with on their system.

But that makes me wonder if Paket needs to be redistributed. If we are only using it to download components used during the build, do we really need to redistribute it? Given the permissive license it doesn't hurt to redistribute it. But if it's not being used to download any packages that the end user needs on their system it seems superfluous.

[bpintea]

But that makes me wonder if Paket needs to be redistributed. If we are only using it to download components used during the build, do we really need to redistribute it?

I'm trying to add it only to comply with https://github.com/elastic/open-source/issues/28:
"Third-party code contained in product repositories (including vendored code and copy/pasted code) is appropriately marked and exports NOTICE.txt and license information like other dependencies"

[droberts195]

I think the key bit is:

like other dependencies

All the other stuff listed in (for example) https://artifacts.elastic.co/reports/dependencies/dependencies-6.6.2.html is stuff that end users will have on their systems if they install the relevant Elastic component. It doesn't include tools that are purely used during the build process.

It sounds like an equivalent component for Elasticsearch would be gradlew. That is committed to the elasticsearch repo and used during the build process, but not shipped as part of the distribution. And that does not appear in https://artifacts.elastic.co/reports/dependencies/dependencies-6.6.2.html.

The CSV file that release manager obtains by running the script in this repo will be used to create future pages like https://artifacts.elastic.co/reports/dependencies/dependencies-6.6.2.html. So I do not think the CSV file obtained from this repo during a release needs to include Paket as we do not redistribute it.

As for the license and notice files though I think you could be right that they should be somewhere in the repo. But maybe the installer/.paket directory would be a better place, to make clear that they relate to that tool we use internally rather than mixed with the licenses for the components we redistribute.

But to be honest I am probably the wrong person to be reviewing this PR. @tomcallahan and @legalastic what do you think?

[tomcallahan]

But that makes me wonder if Paket needs to be redistributed. If we are only using it to download components used during the build, do we really need to redistribute it?

I'm trying to add it only to comply with elastic/open-source#28:
"Third-party code contained in product repositories (including vendored code and copy/pasted code) is appropriately marked and exports NOTICE.txt and license information like other dependencies"

Based on the fact that it is build-time only and is MIT, we're OK and don't need to add it to a NOTICE.txt file assuming we haven't vendored any of its code.

[droberts195]

Based on @tomcallahan’s feedback LGTM