libcnb.rs
Produce license compliant binary distributions
Expected
I expect that libcnb produces binaries that comply with its own license.
Actual
Per our license https://github.com/heroku/libcnb.rs/blob/a9759eef8e356f6396f1df8b16afe591645251d5/LICENSE, section two says:
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
This can be accomplished by either having the license in the binary, or alongside it (a text file that it ships with). AFAIK this isn't happening.
Sketches
To accommodate it, we should either intern the license string in the Rust code and ensure it doesn't get compiled away or obfuscated (like a string literal in a C source file), or produce a compliant text file alongside of the binaries and ensure that our release automation includes this file in our distribution.
Shipping the buildpack's LICENSE file in the packaged .cnb and OCI image seems like the best approach to me.
The assembling of libcnb.rs powered component buildpacks occurs here: https://github.com/heroku/libcnb.rs/blob/a9759eef8e356f6396f1df8b16afe591645251d5/libcnb-package/src/lib.rs#L48
For composite buildpacks the buildpack.toml and package.toml are assembled here: https://github.com/heroku/libcnb.rs/blob/414b9f774132c956a8868bc0dff09cba2d011f36/libcnb-package/src/package.rs#L119C1-L119C1
So the licence wording actually says "Redistributions" not "Distributions". I tried searching for the definition of that term but didn't find anything. To me, "redistributions" would be someone else shipping your own buildpack, not yourself, since the canonical distribution would be a "distribution" not a "redistribution".
Another issue - we don't actually know what licence the end buildpack is using, or the location of their licence file (in the case of some of our own CNBs, they are in a monorepo layout with the licence in the root of the repo).