tar.gz release does not contain LICENSE

[jku]

Description of issue or feature request:
Release tarballs (like tuf-0.14.0.tar.gz) do not contain a LICENSE file

This prevents vendoring tuf using the vendoring tool: I could patch the license in but unfortunately the license file check is done on unpatched sources

python3 setup.py sdist produces a tarball with the LICENSE file (and many other files that are not in our release tarball) -- what's this about?

[jku]

Wow. python2 setup.py sdist and python3 setup.py sdist produce radically different results 😮 I guess the 'universal' in universal wheels only refers to target python...

I have no idea why but setuptools3 seems to include all files in project root directory -- this seems to not be documented. The documentation says we should add files into MANIFEST.in if we want to distribute but not install (which seems to be what most projects do with LICENSE files).

[joshuagl]

Yikes. I thought I had produced the last two release tarballs with Python 3's setuptools3...

We should update the docs/RELEASE.md to strongly recommend using python3 and add LICENSE to MANIFEST.in.

I can make those changes today.

[jku]

I think at least being explicit about LICENSE* in MANIFEST.in makes sense.

I don't think I understand how these different results happen yet: distutils is the one that actually does the sdist building and I can't see anything in the dosc (https://docs.python.org/3/distutils/sourcedist.html#specifying-the-files-to-distribute) or the code that would imply that what I saw with python3 is intentional: no mention of including all files in root by default as an example.

[jku]

Documenting for posterity: the differences between py3 and py2 were the results of having setuptools_scm installed: that will by default add all files from git.

The original issue tar.gz release does not contain LICENSE is still valid.