THIRD-PARTY-NOTICES.TXT needed for SDK repo? #24542
Comments
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
|
@leecow is the one in installer not sufficient? https://github.com/dotnet/installer/blob/8c476b58df6032c6713c69535d2679632abac9ba/THIRD-PARTY-NOTICES |
|
If the installer TPN already covers everything from /sdk then, yes, that would be sufficient. |
|
@marcpopMSFT - can you confirm the Installer TPN covers the SDK as well? If so, I'll close this issue and make a note of it. |
|
@leecow I assumed it did but I haven't done an analysis as I don't know what other dependencies other teams might have added into the SDK. Does the SBOM provide that? |
|
I don't know @mmitche , do you know if SBOM include 3rd party info? |
|
The SBOM will include some level of third party info for the installer official build pipeline (since those third party dependencies are restored in the build). But it doesn't necessarily know what is third party, what is not, what is used in the build vs. redistributed, etc. |
|
See |
|
@marcpopMSFT, yes, that should satisfy the requirement. |
|
Analysis has been done and shared with @leecow offline for follow-up. |
|
Looks like SDK is good to go. Closing this tracking issue. |
If third-party components are used in a .NET repo, a THIRD-PARTY-NOTICES.TXT detailing any third-party source code included in final built artifacts, along with the controlling license information must be included and maintained at the root of the affected repo (dotnet/runtime example).
During product build, these files are used to create a unified TPN file and included in the final installer builds (example) and source-build offerings.
Some repos will not need this notice as no third-party code is included in the final build artifacts.
Tracking issue: dotnet/runtime#61466
The text was updated successfully, but these errors were encountered: