Should non-OSS licenses and associated source be stripped by prep-source-build.sh?

[MichaelSimons]

This issue stems from a discussion in dotnet/sdk#44828.

The VMR contains source to build the Windows installers. In some cases there are non-OSS licenses included in the VMR for these installers. Currently these licenses have to be special cased when scanning the source for non-OSS licenses - e.g. https://github.com/dotnet/sdk/blob/262b9c3d6cf67287f649e38d83e6c5d9d08feb8a/src/SourceBuild/content/test/Microsoft.DotNet.SourceBuild.Tests/assets/LicenseScanTests/LicenseExclusions.txt#L144. This adds a tax for each distro maintainer who scans the source before building around analyzing and ensuring the source is not part of the source built product. To provide a better UX, should the prep-source-build.sh strip these licenses and the associated source similar to how binaries are stripped today?

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[MichaelSimons]

@dotnet/distro-maintainers - Do you have thoughts on this? Would this be helpful to you?

[mateusrodrigues]

Yes, I believe this would be helpful.

We do run our own source scan before every package upload and analyze such cases that non-free licenses are found, e.g. #4590. If the script is able to strip those beforehand, that's even better.

And similar to the binary removal tool, one could simply skip that step if they want to.

[omajid]

To provide a better UX, should the prep-source-build.sh strip these licenses and the associated source similar to how binaries are stripped today?

In Fedora, we have two conflicting goals when it comes to building .NET from source:

• We want to use the pristine upstream sources, and validate that they haven't been tampered with
• We don't want to ever include non-OSS sources or binaries

To address the first goal, we use the github tarball, which contains the full source of the VMR, with nothing added or removed.

To address the second goal, we scan everything in the source tarball. This happens in a context where nothing (like prep-source-build.sh) has executed, and we are only working with inputs to the build system. Today, this includes license assets and binaries in the VMR.

So this change, which strips up things after extracting from the original/unmodified/pristine tarball, doesn't really affect us.If it helps others users, then +1 for making this.