FOSSA is missing license information on many licenses
There is a major bug in FOSSA that drops license information for packages it previously detected correctly. FOSSA has scheduled a fix for the end of April.
Original Guidance
When we first discovered this, guidance was to ignore the fossa-check-notice output. That checker was suggesting that many attributions (often hundreds) be removed from the NOTICE file. Obviously, we didn't remove these libraries from the projects, so removing the attributions was an error. We decided it was better to have a stale, non-updating NOTICE file that was right at some point in the recent past than to have an "up-to-date" NOTICE that is known to be wrong.
One Way Diffs
Given the long time estimate for a fix, we need a better approach in the meantime. We need to do as much as we can to keep the NOTICE files up to date with changing package dependencies, so that all the projects we use receive proper attribution, even with limited tooling support.
The best idea suggested is to effectively perform a "one way diff". If the generated NOTICE has a new entry, we flag it to be included in the committed version. But if it suggests removing one, we ignore that suggestion. This will lead to over-attributing, but that is better than under-attributing. If a dependency is known to have been removed, its entry can be manually deleted from the NOTICE file.
Eventually, after FOSSA fixes their scanners, we can reset the NOTICE to match the current result.
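The following is an added example of the one-way diff described above, written for this page and not part of the project's own fossa-check-notice tooling. It assumes a simple NOTICE layout (attribution blocks separated by blank lines, with each block's first line naming the package) and constructs two small NOTICE texts inline to show the scanner dropping one entry while reporting a new one; the merge appends the new entry and keeps the dropped one, and the check only fails on missing additions.

```python
"""Grow-only ("one way diff") merge of a generated NOTICE into the committed NOTICE.

Assumed NOTICE layout (hypothetical, not the project's real format):
blocks separated by blank lines; the first line of each block identifies
the package and is used as the entry key.
"""
from typing import Dict, List, Tuple


def parse_notice(text: str) -> Dict[str, str]:
    """Split NOTICE text into {first_line: block}, preserving file order."""
    entries: Dict[str, str] = {}
    for block in text.strip().split("\n\n"):
        block = block.strip()
        if not block:
            continue
        key = block.splitlines()[0].strip()
        entries[key] = block
    return entries


def one_way_diff(committed: str, generated: str) -> Tuple[List[str], List[str]]:
    """Return (added, missing).

    added:   entries the scanner reports that the committed file lacks (must be added)
    missing: entries in the committed file the scanner no longer reports (ignored,
             since the scanner bug drops real dependencies)
    """
    c = parse_notice(committed)
    g = parse_notice(generated)
    added = [k for k in g if k not in c]
    missing = [k for k in c if k not in g]
    return added, missing


def grow_only_merge(committed: str, generated: str) -> str:
    """Keep every committed entry in place and append new generated entries."""
    c = parse_notice(committed)
    g = parse_notice(generated)
    blocks = list(c.values()) + [g[k] for k in g if k not in c]
    return "\n\n".join(blocks) + "\n"


def check_notice(committed: str, generated: str) -> bool:
    """CI-style check: pass unless the generated NOTICE has entries we lack."""
    added, _ = one_way_diff(committed, generated)
    return not added


def drop_entry(notice: str, key: str) -> str:
    """Manual removal for a dependency that is known to be gone."""
    entries = parse_notice(notice)
    entries.pop(key, None)
    return "\n\n".join(entries.values()) + "\n"


# Constructed sample data (not real project dependencies).
COMMITTED = """Example Project
Copyright 2023 The Example Authors

foo-lib 1.2.0 - MIT
Copyright (c) Foo Authors

bar-lib 3.4.5 - Apache-2.0
Copyright (c) Bar Authors

baz-lib 0.9.0 - BSD-3-Clause
Copyright (c) Baz Authors
"""

# The scanner dropped bar-lib (the bug) and found a genuinely new qux-lib.
GENERATED = """Example Project
Copyright 2023 The Example Authors

foo-lib 1.2.0 - MIT
Copyright (c) Foo Authors

baz-lib 0.9.0 - BSD-3-Clause
Copyright (c) Baz Authors

qux-lib 2.0.0 - ISC
Copyright (c) Qux Authors
"""

if __name__ == "__main__":
    added, missing = one_way_diff(COMMITTED, GENERATED)
    print("to add:", added)
    print("ignored removals:", missing)
    print(grow_only_merge(COMMITTED, GENERATED))
```

Because the key is the whole first line, a version bump reported by the scanner is appended as a new entry while the old one stays, which is the over-attribution the guidance accepts; once FOSSA's fix lands, the committed file can simply be replaced with the generated one.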
New Guidance
After this issue is implemented, we should begin applying the FOSSA NOTICE files suggested by the fossa-check-notice stage once again. Because of the specifics of the implementation, caching is turned off for a while, which could lead to some back-to-back NOTICE failures -- sorry -- but with the NOTICE in grow-only mode, it should stabilize before too long.