Ensure we bundle a copy of every license used by 3rd-party dependencies into our container image.

[tobz]

Context

While we currently generate our SBOM to track used dependencies and their licenses, we don't include copy of each of those licenses. We should do that, as doing so ensures that there's no confusion over what the license's terms are at the time the image was built, and it also ensures we're satisfying the relevant clause in some licenses that require a copy of the license to be included with usages or derivative works, etc.

[tobz]

A note: we might end up needing to depend on something like https://github.com/spdx/license-list-data, since I could foresee scenarios where we can't simply grab the license file from the code dependencies themselves. This would at least mean we have a consistent (and trustworthy) source to pull the license files from, although we would end up needing to do a little bit of parsing of LICENSE-3rdparty.csv to build the list of licenses to copy...

Anyways.

[tobz]

Actually keeping this open because our current solution captures like 95% of what we need, but we still need to handle some other areas / scenarios:

• custom licenses (sometimes denoted via the Custom SPDX identifier; relevant to ring)
• paying attention to whether or not a dependency specifies license or license-file in Cargo.toml (since license-file would be a good heuristic to treat as "this might be custom, so just copy it directly")
• considering if there's relevant copyright notices to copy over above and beyond the straight SPDX identifier-based license