Make pip's licensing metadata more comprehensive

* Include all license files for the vendored dependencies inside the wheel,
  and in the `License-File` package metadata field.

* Replace the deprecated `License` metadata field with `License-Expression`,
  set to an intersection of all vendored dependency licenses, as well as pip's
  own license. Remove the deprecated `License :: OSI Approved :: MIT License`
  classifier.

License files are included in distributions automatically, so remove them from
`MANIFEST.in`.

Author: SpecLad

MANIFEST.in

@@ -1,5 +1,3 @@
-include AUTHORS.txt
-include LICENSE.txt
 include NEWS.rst
 include README.rst
 include SECURITY.md
@@ -12,8 +10,6 @@ include build-project/.python-version
 
 include src/pip/_vendor/README.rst
 include src/pip/_vendor/vendor.txt
-recursive-include  src/pip/_vendor *LICENSE*
-recursive-include  src/pip/_vendor *COPYING*
 
 include docs/requirements.txt
 

news/13335.feature.rst

@@ -0,0 +1,2 @@
+pip's own licensing metadata now follows PEP 639 and includes information on
+vendored dependencies.

pyproject.toml

@@ -4,11 +4,25 @@ dynamic = ["version"]
 name = "pip"
 description = "The PyPA recommended tool for installing Python packages."
 readme = "README.rst"
-license = {text = "MIT"}
+
+# Apache-2.0 OR BSD-2-Clause: packaging
+# Apache-2.0: cachecontrol, distro, msgpack, requests
+# BSD-2-Clause: pygments
+# BSD-3-Clause: idna
+# ISC: resolvelib
+# MIT: dependency-groups, pip, platformdirs, pyproject-hooks, rich, setuptools,
+#   urllib3, tomli, truststore
+# MPL-2.0: certifi
+# PSF-2.0: distlib, typing-extensions
+license = "Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0 AND PSF-2.0"
+
+license-files = [
+  "AUTHORS.txt", "LICENSE.txt",
+  "src/pip/_vendor/**/*LICENSE*", "src/pip/_vendor/**/*COPYING*",
+]
 classifiers = [
   "Development Status :: 5 - Production/Stable",
   "Intended Audience :: Developers",
-  "License :: OSI Approved :: MIT License",
   "Topic :: Software Development :: Build Tools",
   "Programming Language :: Python",
   "Programming Language :: Python :: 3",
@@ -40,8 +54,7 @@ Source = "https://github.com/pypa/pip"
 Changelog = "https://pip.pypa.io/en/stable/news/"
 
 [build-system]
-# The lower bound is for <https://github.com/pypa/setuptools/issues/3865>.
-requires = ["setuptools>=67.6.1"]
+requires = ["setuptools>=77"]
 build-backend = "setuptools.build_meta"
 
 [tool.setuptools]

src/pip/_vendor/README.rst

@@ -9,6 +9,8 @@ Vendoring Policy
 * Vendored libraries **MUST** be available under a license that allows
   them to be integrated into ``pip``, which is released under the MIT license.
 * Vendored libraries **MUST** be accompanied with LICENSE files.
+* The licenses of vendored libraries **MUST** be added to the value of
+  the `license` key in `pyproject.toml`.
 * The versions of libraries vendored in pip **MUST** be reflected in
   ``pip/_vendor/vendor.txt``.
 * Vendored libraries **MUST** function without any build steps such as ``2to3``