Add content (README, licenses, TPN...) for the VMR (#14848)

2022-11-09 20:14:07 +01:00 · 2022-11-09 20:14:07 +01:00 · 272c314308
commit 272c314308
parent 198829ed34
5 changed files with 243 additions and 0 deletions
--- a/src/SourceBuild/tarball/content/CODE_OF_CONDUCT.md
+++ b/src/SourceBuild/tarball/content/CODE_OF_CONDUCT.md
@ -0,0 +1,6 @@
+# Code of Conduct
+
+This project has adopted the code of conduct defined by the Contributor Covenant
+to clarify expected behavior in our community.
+
+For more information, see the [.NET Foundation Code of Conduct](https://dotnetfoundation.org/code-of-conduct).
--- a/src/SourceBuild/tarball/content/LICENSE.TXT
+++ b/src/SourceBuild/tarball/content/LICENSE.TXT
@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (c) .NET Foundation and Contributors
+
+All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/src/SourceBuild/tarball/content/SECURITY.md
+++ b/src/SourceBuild/tarball/content/SECURITY.md
@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.3 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/src/SourceBuild/tarball/content/eng/bootstrap/README.template.md
+++ b/src/SourceBuild/tarball/content/eng/bootstrap/README.template.md
@ -0,0 +1,160 @@
+# dotnet/dotnet - Home of the .NET VMR
+
+This repository is a **Virtual Monolithic Repository (VMR)** which includes all the source code and infrastructure needed to build the .NET SDK.
+
+What this means:
+- **Monolithic** - a join of multiple repositories that make up the whole product, such as [dotnet/runtime](https://github.com/dotnet/runtime) or [dotnet/sdk](https://github.com/dotnet/sdk).
+- **Virtual** - a mirror (not replacement) of product repos where sources from those repositories are synchronized into.
+- **Experimental** - not to be depended on as we reserve the right to delete the current instance and create a new, different one in its stead. See [Limitations](#limitations).
+
+In the VMR, you can find:
+- source files of [each product repository](#list-of-components) which are mirrored inside of their respective directories under [`src/`](https://github.com/dotnet/dotnet/tree/main/src),
+- tooling that enables [building the whole .NET product from source](https://github.com/dotnet/source-build) on Linux platforms,
+- small customizations, in the form of [patches](https://github.com/dotnet/dotnet/tree/main/src/installer/src/SourceBuild/tarball/patches), applied on top of the original code to make the build possible,
+- *[in future]* E2E tests for the whole .NET product.
+
+Just like the development repositories, the VMR will have a release branch for every feature band (e.g. `release/8.0.1xx-preview1`).
+Similarly, VMR's `main` branch will follow `main` branches of product repositories (see [Synchronization Based on Declared Dependencies](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#synchronization-based-on-declared-dependencies)).
+
+More in-depth documentation about the VMR can be found in [VMR Design And Operation](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#layout).
+See also [dotnet/source-build](https://github.com/dotnet/source-build) for more information about our whole-product source-build.
+
+## Goals
+
+- The main purpose of the [dotnet/dotnet](https://github.com/dotnet/dotnet) repository is to have all source code necessary to build the .NET product available in one repository and identified by a single commit.
+- The VMR also aims to become the place from which we release and service future versions of .NET to reduce the complexity of the product construction process. This should allow our partners and and 3rd parties to easily build, test and modify .NET using their custom infrastructure as well as make the process available to the community.
+- Lastly, we hope to solve other problems that the current multi-repo setup brings:
+    - Enable the standard [down-/up-stream open-source model](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Upstream-Downstream.md).
+    - Fulfill requirements of .NET distro builders such as RedHat or Canonical to natively include .NET in their distribution repositories.
+    - Simplify scenarios such as client-run testing of bug fixes and improvements. The build should work in an offline environment too for certain platforms.
+    - Enable developers to make and test changes spanning multiple repositories.
+    - More efficient pipeline for security fixes during the CVE pre-disclosure process.
+
+## Limitations
+
+**This is a work-in-progress and an experiment.**
+There are considerable limitations to what is possible at the moment. For an extensive list of current limitations, please see [Temporary Mechanics](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#temporary-mechanics).
+
+The VMR is expected to become non-experimental by .NET 8 Preview 1 (Februrary, 2023).
+This means it won't be short-lived anymore and we won't be reserving the right to delete and re-create it anymore.
+Other limitations might apply until the .NET 9 timeframe.
+See the [Unified Build roadmap](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/Roadmap.md) for more details.
+
+### Supported platforms
+
+The VMR only supports .NET 8.0 and higher. Additionally, source-build currently supports Linux only.  
+It is expected that Mac and Window will be supported in the .NET 9.0.
+
+For the latest information about Source-Build support for new .NET versions, please check our [GitHub Discussions page](https://github.com/dotnet/source-build/discussions) for announcements.
+
+### Online build only
+
+Building the product offline is not fully working at the moment. The `--online` switch is needed when building the VMR as not all dependencies are currently built from source.
+
+### Code flow
+For the time being, the source code only flows one way - from the development repos into the VMR.
+More details on this process:
+
+- [Source Synchronization Process](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#source-synchronization-process)
+- [Synchronization Based on Declared Dependencies](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#synchronization-based-on-declared-dependencies)
+- [Moving Code and Dependencies between the VMR and Development Repos](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#moving-code-and-dependencies-between-the-vmr-and-development-repos)
+
+We expect the code flow to start working both ways in the .NET 9 timeframe.
+See the [Unified Build roadmap](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/Roadmap.md) for more details.
+
+### Contribution
+
+At this time, the VMR will not accept any changes and is a read-only mirror of the development repositories only.
+Please, make the changes in the respective development repositories (e.g., [dotnet/runtime](https://github.com/dotnet/runtime) or [dotnet/sdk](https://github.com/dotnet/sdk)) and they will get synchronized into the VMR automatically.
+
+## Dev instructions
+
+Please note that **this repository is an experiment and a work-in-progress so it is possible that the build is broken**.
+For the latest information about Source-Build support, please watch for announcements posted on our [GitHub Discussions page](https://github.com/dotnet/source-build/discussions).
+
+### Prerequisites
+
+The dependencies for building .NET from source can be found [here](https://github.com/dotnet/runtime/blob/main/docs/workflow/requirements/linux-requirements.md).
+
+### Building
+
+1. **Clone the VMR**
+
+   ```bash
+   git clone https://github.com/dotnet/dotnet dotnet-dotnet
+   ```
+
+2. **Prep the source to build on your distro**  
+   This downloads a .NET SDK and a number of .NET packages needed to build .NET from source.
+
+    ```bash
+    cd dotnet-dotnet
+    ./prep.sh
+    ```
+
+3. **Build the .NET SDK**
+
+    ```bash
+    ./build.sh --clean-while-building --online
+    ```
+
+    This builds the entire .NET SDK from source.
+    The resulting SDK is placed at `artifacts/x64/Release/dotnet-sdk-8.0.100-your-RID.tar.gz`.
+
+    Currently, the `--online` flag is required to allow NuGet restore from online sources during the build.
+    This is useful for testing unsupported releases that don't yet build without downloading pre-built binaries from the internet.
+
+    Run `./build.sh --help` to see more information about supported build options.
+
+4. *(Optional)* **Unpack and install the .NET SDK**
+
+    ```bash
+    mkdir -p $HOME/dotnet
+    tar zxf artifacts/x64/Release/dotnet-sdk-8.0.100-your-RID.tar.gz -C $HOME/dotnet
+    ln -s $HOME/dotnet/dotnet /usr/bin/dotnet
+    ```
+    
+    To test your source-built SDK, run the following:
+
+    ```bash
+    dotnet --info
+    ```
+
+## List of components
+
+To enable full offline source-building of the VMR, we have no other choice than to synchronize all the necessary code into the VMR. This also includes any code referenced via git submodules. More details on why and how this is done can be found here:
+- [Strategy for managing external source dependencies](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Strategy-For-External-Source.md)
+- [Source Synchronization Process](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md#source-synchronization-process)
+
+### Detailed list
+
+<!-- component list beginning -->
+
+> Auto-generated list of components will go here
+
+<!-- component list end -->
+
+The repository also contains a [JSON manifest](https://github.com/dotnet/dotnet/blob/main/src/source-manifest.json) listing all components in a machine-readable format.
+
+## Filing Issues
+
+This repo does not accept issues as of now. Please file issues to the appropriate development repos.
+For issues with the VMR itself, please use the [source-build repository](https://github.com/dotnet/source-build).
+
+## Useful Links
+
+- Design documentation for the VMR - a set of documents describing the high-level design and the why's and how's
+  - [Design and Operation](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Design-And-Operation.md)
+  - [Upstream/Downstream Relationships](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Upstream-Downstream.md)
+  - [Code and Build Workflow](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Code-And-Build-Workflow.md)
+  - [Strategy for Managing External Source Dependencies](https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Strategy-For-External-Source.md)
+- [.NET Source-Build](https://github.com/dotnet/source-build)
+- [What is .NET](https://dotnet.microsoft.com)
+
+## .NET Foundation
+
+.NET Runtime is a [.NET Foundation](https://www.dotnetfoundation.org/projects) project.
+
+## License
+
+.NET is licensed under the [MIT](LICENSE.TXT) license.
--- a/src/SourceBuild/tarball/content/eng/bootstrap/THIRD-PARTY-NOTICES.template.txt
+++ b/src/SourceBuild/tarball/content/eng/bootstrap/THIRD-PARTY-NOTICES.template.txt
@ -0,0 +1,13 @@
+.NET Core uses third-party libraries or other resources that may be
+distributed under licenses different than the .NET Core software.
+
+Attributions and licence notices for test cases originally authored by
+third parties can be found in the respective test directories.
+
+In the event that we accidentally failed to list a required notice, please
+bring it to our attention. Post an issue or email us:
+
+           dotnet@microsoft.com
+
+The attached notices are provided for information only.
+