[release/6.0] Update THIRD-PARTY-NOTICES.TXT

[NikolaMilosavljevic]

Update third-party-notices file for .NET 6.

Infra used to generate this file is in another PR: #60091

Here's the output of TPN regeneration process, specifying which repo contributes each new notice:

  New section to import: 'License notice for Angular v8.0  --------------------------------------------  The MIT License (MIT)' of https://github.com/raw/dotnet/aspnetcore/master/THIRD-PARTY-NOTICES.txt line 167
  New section to import: 'License notice for JavaScript queues' of https://github.com/raw/dotnet/runtime/master/THIRD-PARTY-NOTICES.TXT line 974
  New section to import: 'License notice for MSBuild Locator' of https://github.com/raw/dotnet/roslyn-analyzers/master/THIRD-PARTY-NOTICES.txt line 11
  New section to import: 'License notice for Newtonsoft.Json' of https://github.com/raw/dotnet/aspnetcore/master/THIRD-PARTY-NOTICES.txt line 322
  New section to import: 'License notice for NuGet.Client' of https://github.com/raw/dotnet/templating/master/THIRD-PARTY-NOTICES line 10
  New section to import: 'License notice for Roslyn Clr Heap Allocation Analyzer' of https://github.com/raw/dotnet/roslyn-analyzers/master/THIRD-PARTY-NOTICES.txt line 28
  New section to import: 'License notice for StyleCop Analyzers' of https://github.com/raw/dotnet/roslyn-analyzers/master/THIRD-PARTY-NOTICES.txt line 42
  New section to import: 'The MIT License (MIT)' of https://github.com/raw/dotnet/aspnetcore/master/THIRD-PARTY-NOTICES.txt line 194
  Importing 9 sections...

[joeloff]

Question... Visual Studio has a massive TPN. In the past it's something that's been updated whenever an external component like .NET is added to VS. jQuery and Bootstrap comes to mind for ASP.NET. Should we include the changes to our TPN in the VS TPN as well?

[NikolaMilosavljevic]

Updated the TPN to incorporate formatting/sorting changes due to updates in infra: a945962

Output of the tool:

  New section to import: 'License for fastmod (https://github.com/lemire/fastmod) and ibm-fpgen (https://github.com/nigeltao/parse-number-fxx-test-data)' of https://github.com/raw/dotnet/runtime/main/THIRD-PARTY-NOTICES.TXT line 682
  New section to import: 'License notice for Angular v8.0  --------------------------------------------  The MIT License (MIT)' of https://github.com/raw/dotnet/aspnetcore/main/THIRD-PARTY-NOTICES.txt line 167
  New section to import: 'License notice for JavaScript queues' of https://github.com/raw/dotnet/runtime/main/THIRD-PARTY-NOTICES.TXT line 974
  New section to import: 'License notice for MSBuild Locator' of https://github.com/raw/dotnet/roslyn-analyzers/main/THIRD-PARTY-NOTICES.txt line 11
  New section to import: 'License notice for Newtonsoft.Json' of https://github.com/raw/dotnet/aspnetcore/main/THIRD-PARTY-NOTICES.txt line 322
  New section to import: 'License notice for NuGet.Client' of https://github.com/raw/dotnet/templating/main/THIRD-PARTY-NOTICES line 10
  New section to import: 'License notice for Roslyn Clr Heap Allocation Analyzer' of https://github.com/raw/dotnet/roslyn-analyzers/main/THIRD-PARTY-NOTICES.txt line 28
  New section to import: 'License notice for StyleCop Analyzers' of https://github.com/raw/dotnet/roslyn-analyzers/main/THIRD-PARTY-NOTICES.txt line 42
  New section to import: 'The MIT License (MIT)' of https://github.com/raw/dotnet/aspnetcore/main/THIRD-PARTY-NOTICES.txt line 194
  Importing 9 sections...

[sharwell]

❔ Which one is this associated with?

[NikolaMilosavljevic]

This is coming from dotnet/aspnetcore/main/THIRD-PARTY-NOTICES.txt line 194

[dougbu]

https://github.com/dotnet/aspnetcore/blob/main/THIRD-PARTY-NOTICES.txt line 194 is blank and I suspect this should be under the License notice for corefx title above. See https://github.com/dotnet/runtime/pull/60092/files#diff-1f7876cafb24ce314004bb439a08320edba033f8a8a43d1961009f1088bd43d3R1350

[NikolaMilosavljevic]

Fixing.

[sharwell]

💭 While I have no objection to seeing this here, does it apply for cases where the referenced package is only a development dependency?

[NikolaMilosavljevic]

💭 While I have no objection to seeing this here, does it apply for cases where the referenced package is only a development dependency?

Good question - I'm not sure, but it would be easy to remove this one.

[danmoseley]

@richlander do we need to include dev-time dependencies in our shipping TPN? Presumably not.

[hoyosjs]

LGTM other than the comment from Sam, where it's not clear what the last license is for.

[danmoseley]

@NikolaMilosavljevic is this mergeable?

[NikolaMilosavljevic]

@NikolaMilosavljevic is this mergeable?

Quite a few reviews are missing, but otherwise it's mergeable.

[Anipik]

@NikolaMilosavljevic can you tag the reviewers again ? (which are required for the final merge)

[NikolaMilosavljevic]

@mkArtakMSFT , @dougbu - we are missing aspnetcore sign-off - can you review new entries coming from dotnet/aspnetcore?

[NikolaMilosavljevic]

@NikolaMilosavljevic can you tag the reviewers again ? (which are required for the final merge)

aspnetcore is the only one missing - I've added and tagged more reviewers for that repo.

[dougbu]

I don't know exactly how or why some of these items are used and probably shouldn't be the approver. @mkArtakMSFT who else needs to look at this❔

[dougbu]

https://github.com/dotnet/aspnetcore/blob/main/THIRD-PARTY-NOTICES.txt line 194 is blank and I suspect this should be under the License notice for corefx title above. See https://github.com/dotnet/runtime/pull/60092/files#diff-1f7876cafb24ce314004bb439a08320edba033f8a8a43d1961009f1088bd43d3R1350

[dougbu]

This may also be a dev / build dependency. We build (an installer?) for Linux MUSL on an Alpine image but I'm not sure exactly how that uses MUSL libraries.

[NikolaMilosavljevic]

Fixed the empty line and moved under corefx.

[dougbu]

@NikolaMilosavljevic was this a response to https://github.com/dotnet/runtime/pull/60092#discussion_r728315386❔

[NikolaMilosavljevic]

@NikolaMilosavljevic was this a response to https://github.com/dotnet/runtime/pull/60092#discussion_r728315386❔

Yes, that is correct - fixing the issue above. There was no way to add a comment right underneath that issue.

[akoeplinger]

musl gets compiled into every WebAssembly app via emscripten. We should probably mention emscripten too /cc @lewing

[dougbu]

Add a blank line after this for consistency

[NikolaMilosavljevic]

This is coming from dotnet/aspnetcore - we could fix it here, but it should also be fixed in source location to not regress in the future.

[NikolaMilosavljevic]

Fixed.

[dougbu]

Shorten and add a blank line after this

[NikolaMilosavljevic]

Fixed - also removed duplicate 'Angular 8.0' notice.

[dougbu]

This is a dangling header

[NikolaMilosavljevic]

Fixed - removed.

[dougbu]

Side question: Why do you need ASP.NET sign-off on a Runtime PR❔ Is this TPN.txt file going to be used for every published asset from any repo❔

[NikolaMilosavljevic]

Side question: Why do you need ASP.NET sign-off on a Runtime PR❔ Is this TPN.txt file going to be used for every published asset from any repo❔

Yes, this is a merged TPN, that is installed under dotnet folder - it covers everything we install there, including ASP.NET.

[NikolaMilosavljevic]

@dougbu changes requested in your review were implemented and pushed on Friday. Can you approve for aspnetcore, or do we need someone else to do it? This is the last approval before we merge, and we'd prefer to not wait any longer.

@Anipik - fyi

[mkArtakMSFT]

Side question: Why do you need ASP.NET sign-off on a Runtime PR❔ Is this TPN.txt file going to be used for every published asset from any repo❔

Yes, this is a merged TPN, that is installed under dotnet folder - it covers everything we install there, including ASP.NET.

@NikolaMilosavljevic, given that's the case, what about all the other dependencies that ASP.NET Core has? Shouldn't these also be listed here?

[NikolaMilosavljevic]

Side question: Why do you need ASP.NET sign-off on a Runtime PR❔ Is this TPN.txt file going to be used for every published asset from any repo❔

Yes, this is a merged TPN, that is installed under dotnet folder - it covers everything we install there, including ASP.NET.

@NikolaMilosavljevic, given that's the case, what about all the other dependencies that ASP.NET Core has? Shouldn't these also be listed here?

All ASP.NET dependencies are here, in the shared file. We avoid duplication and only include a single instance of the same dependency. It's likely that many of those dependencies are also present in other repos and included in a different section of this unified file.

Is there a specific dependency of ASP.NET that should be included but it is not present?

[Pilchie]

This looks fine for aspnetcore. @dougbu is OOF today, so don't feel you have to wait for his sign-off.

[NikolaMilosavljevic]

Unless I hear objections in the the 15 minutes, I'm going to merge this PR. @Pilchie , @mkArtakMSFT your questions have replies, can you help resolve those concerns (conversations)?