NuGet.Core & NuGet.Clients License.txt clarification

[devlead]

Details about Problem

NuGet product used: NuGet.Core & NuGet.Clients projects ( https://github.com/NuGet/NuGet.Client/ )
NuGet version; 4.9.2
dotnet.exe --version (if appropriate): v2.1.6 SDK 2.1.500

Currently when compiling the NuGet.Core & NuGet.Clients projects you get an error because projects use licenseUrl element which as of a couple of weeks back with the 4.9.x release is deprecated.

- error NU5125: The 'licenseUrl' element will be deprecated. Consider using the 'license' element instead.

Currently the used settings are ( https://github.com/NuGet/NuGet.Client/blob/87f433bbf1240aaa42d91d2d5955767a857a4699/build/config.props#L46 )

<PackageLicenseUrl>https://aka.ms/nugetlicense</PackageLicenseUrl>

https://aka.ms/nugetlicense redirects to https://raw.githubusercontent.com/NuGet/NuGet.Client/dev/LICENSE.txt which at least at this moment means you get https://raw.githubusercontent.com/NuGet/NuGet.Client/87f433bbf1240aaa42d91d2d5955767a857a4699/LICENSE.txt, but that could be subject to change in the future.

New recommendation is to use Self-Contained NuGet Packages - License using new PackageLicenseExpression / license or PackageLicenseFile element. For NuGet this would mean for csproj

<PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>

and nuspec

<license type="expression">Apache-2.0</license>

according to NuGet License expressions & embedded licenses technical design.

I would happily propose a PR to address this.

A quick search resulted in these files

+ build\config.props:46
+ src\NuGet.Clients\NuGet.CommandLine\NuGet.CommandLine.nuspec:8
+ src\NuGet.Clients\NuGet.SolutionRestoreManager.Interop\NuGet.SolutionRestoreManager.Interop.csproj:12
+ src\NuGet.Clients\NuGet.VisualStudio\NuGet.VisualStudio.csproj:20
+ src\NuGet.Core\NuGet.Localization\NuGet.Localization.nuspec:9

Also noted assembly meta data says copyright Microsoft

<Copyright>&#169; Microsoft Corporation. All rights reserved.</Copyright>

whereas the license linked to in nupkg's says

Copyright (c) .NET Foundation and Contributors.

This might be in order, but if not I could correct that to in the PR.

[nkolev92]

Thanks for filing this @devlead

If you run "build.ps1" you should be able to avoid this.
Or /t:pack on the build.proj itself.

It's something that we plan on doing before the next release.
We are planning on using a license expression.

We need to rework our build scripts a bit before doing that, because right now we are a bit too machine dependent (we use the pack.targets on the build machine).

On our CI we use machines that normally contain the latest versions of VS but considering one shipped a day or two ago, it's possible that not all of them have been updated yet, leading to potential build failures.

tl;dr;
We'd be happy to take a PR, but we'd need to do a pass to make sure we don't get intermittent failures on our CI first.
edit 2: I am actually actively working on that issue, so those will follow soon :)

@karann-msft

Can you please revise the text of https://github.com/NuGet/NuGet.Client/blob/dev/LICENSE.txt?

[devlead]

@nkolev92 Ok, I'll try to fork and take a look at this tomorrow.

[nkolev92]

@devlead I have a PR out to move to the license expressions.

The 2nd part of this issue is addressing the content of the license in our repo itself, so the PR won't auto close it.

[devlead]

Excellent 👍

[nkolev92]

Assigning to @karann-msft and @anangaur

Can you please help clarifying the below concern?

Also noted assembly meta data says copyright Microsoft

<Copyright>&#169; Microsoft Corporation. All rights reserved.</Copyright>

whereas the license linked to in nupkg's says

Copyright (c) .NET Foundation and Contributors.

This might be in order, but if not I could correct that to in the PR.

[nkolev92]

The client packages now use license expressions.

@anangaur @karann-msft Please help addressing the other concern raised in this issue.

[karann-msft]

@devlead - this should resolve the main ask for the packages we publish going forward. Feel free to close the issue if that is the case :)

https://aka.ms/nugetlicense redirects to https://raw.githubusercontent.com/NuGet/NuGet.Client/dev/LICENSE.txt which at least at this moment means you get https://raw.githubusercontent.com/NuGet/NuGet.Client/87f433bbf1240aaa42d91d2d5955767a857a4699/LICENSE.txt, but that could be subject to change in the future.

For existing published packages, I don't believe it is kosher to change the license from a legal standpoint which is why we now have self-contained licenses which make them immutable :)

Also noted assembly meta data says copyright Microsoft

Microsoft owns the license to the NuGet package and its contents - hence the assembly metadata says Microsoft copyright. The package and the DLLs are also signed by the Microsoft cert. However, the license governing the source code is the one at the root of the individual repo.

[devlead]

Ok, I see. Then I'll go ahead and close this issue.