Remove license metadata from pyproject.toml to avoid misleading SPDX compliance

[abravalheri]

Despite the fact that the setuptools own code is distributed under the MIT license, the project includes third-party code under different licenses.

For some downstream users, adding license = "MIT" to pyproject.toml is problematic under the lenses of PEP 639 because it may imply that all the files distributed by setuptools are licensed under MIT, which is not the case. See discussion in #5049.

By removing that metadata, setuptools should be "in the clear".

I understand that consumers of the package would prefer a complete SPDX license expression. However, as explained in #5049, this is currently not viable. In the future, setuptools may adopt SPDX expressions once tools exist in the Python ecosystem that can automatically compute them from a given set of files and directories.

For the time being, consumers interested in knowing license information should refer to the text in the license files being distributed.

Summary of changes

Closes #5049

Pull Request Checklist

• Changes have tests
• News fragment added in newsfragments/.
  (See documentation for details)

[jaraco]

In my opinion, the SPDX is for Setuptools. Maybe there should be a note in the _vendor folder that notes that these packages not covered by the Setuptools-indicated license, but are covered by their own licenses. These vendored packages are kept as a necessity and we wish them gone and their presence should not be influencing the core of the project.

[abravalheri]

Thank you very much for the review @jaraco.

While I agree with you (I also think tha the license expression should reflect only the license of setuptools), there has been some push in the community from people that want the license expression to reflect all files present in the whole sdist/wheel archive.

After a clarification provided by the PEP 639 author and discussion in the PyPA forum, the part of the community pushing for that specific interpretation managed to pass a change in the text of the standard (see pypa/packaging.python.org#1908), and now it explicitly says:

This key should only be specified if the license expression for any and all distribution files created by a build backend using the pyproject.toml is the same as the one specified. If the license expression will differ then it should either be specified as dynamic or not set at all.

(the emphasis is mine, i.e. it recommends removing this SPDX specifier if it does not apply to all the files or dynamically calculating it)

Since dynamically calculating the license expression is not a trivial task, this PR proposes the other solution mentioned in the standard (i.e. omitting the license expression).