Is there a better way to include the copyright and license notices than prepending it all to subtitles-octopus.js?

I think simply include a license header point to build/license_fullnotice file in subtitle-octopus.js might be enough.

It would be good, if someone could check that the way the attribution is done is actually correct de jure;
same for the LGPL-3.0-or-later tag in package.json

The license in package.json must include all licenses used in this project, using SPDX expressions, see an example

If anyone else also already looked into this: Are there other tools to detect copyright and licence than licensecheck? How do they compare in accuracy, coverage and availability in repos?

In a quick search, I found this project https://github.com/licensee/licensee, I don't know if it's better than licensecheck, but its used by Github.

I think simply include a license header point to build/license_fullnotice file in subtitle-octopus.js might be enough.

How would build/license_fullnotice be distributed in both the npm package and to end-users watching subs with JSO?
Also _fullnotice only has the license notice or full texts not the copyright notices crediting the people whose work is being used, so it alone is not sufficient I think?

In a quick search, I found this project https://github.com/licensee/licensee

Apart from having extra ruby dependeciey and afaik being packaged nowhere, at first glance this appears to only categorise LICENSE files, not copyright notices and licenses headers inside source files.

The license in package.json must include all licenses used in this project, using SPDX expressions, see an example

The reasoning for LGPL-3.0-or-later is, that to my knowledge (ianal and so) the effective total license for the binary is LGPL-3.0+ as everything else could be (implicitly) relicensed to it without violating or dropping any prior terms. But then again, eg Apache-2.0 requires redistribution of its license text — I don't know how this plays with the implicit relicensing I assumed.
While I only see examples of dual-licensing (or not and) in the linked examples, I guess listing all would be safer (but more cumbersome to figure out for users).

New version:

• Copyright notices are no longer connected to individual source files, only licence and project
  Afaict this should be fine, but ianal. This made the copyright acknowledgments more compact.
• Split NTP and NTP~disclaimer; they are basically identical just the warranty disclaimer is more verbose in the latter, but to be safe both full texts are now included. (SPDX doesn't have an identifier for NTP~disclaimer, it only knows about NTP and NTP-0, yet another variant)
• package.json now lists all licences with SPDX (using NTP for NTP~disclaimer)
• Added info about SPDX-names to full notices (somewhat confusingly Harfbuzz itself and Debian call Harfbuzz' licence Old MIT/MIT~old, but SPDX and Fedora refer to it as MIT-Modern-Variant/Modern Variant MIT)
• excluded mroe paths for licensecheck

Personally (and assuming it is legally fine), I'm content with the copyright+license acknowledgement itself now. It could be further compressed by merging copyright notices from the same person but different years, but I'm not sure that's worth the effort (consider that sometimes a single copyright notices also lists multiple people).

Remaining issues:

• some minor cleanup Done.
• is there a better way to distribute the notices than merging into subtitlesoctopus.js?
• add (separate) Apache-2.0 licence to repo or prominently point to build/license_fullnotices to satisfy src/unbrotli.js
• needs review

@TheOneric I've reviewed here, looks good, but:

is there a better way to distribute the notices than merging into subtitlesoctopus.js?

• Include the full text license make the file 3.5x bigger than before, i think its better to only include the copyright notices and a link to each license.

add (separate) Apache-2.0 licence to repo or prominently point to build/license_fullnotices to satisfy src/unbrotli.js

• We can move unbrotli.js to its own folder in lib and include the Apache License copy there, also include a point to it in the main LICENSE file

Resulted file: subtitles-octopus.txt

Include the full text license make the file 3.5x bigger than before, i think its better to only include the copyright notices and a link to each license.

No. As written before some (most, actually) license require redistribution of the full license text together with the distributed binaries or source. Of the licences used in JSO, only FTL allows a shorter notices with a link t othe full text for binary (but not source!) distribution; as you may have noted this is also the only licence to do exactly this as per the introductory comment of license_fullnotice:

# The following section contains the full license text or
# where permitted a shorter notice for all works contained
# in JavascriptSubtitlesOctopus listed above

The full texts must be included.
Also while the relative size increase of just subtitles-octopus.js is large, the absolute increase compared to the absolute size of the worker binaries is marginal.

Now to explain why a separate file is no good (in itself) and why the subtitles-octopus.js-preamble is also not ideal either:

As hinted in this pr's first post, there are two distribution processes here that we want to take into account.
The first one is us distributing the binaries as an npm-package and via GitHub-build-artifacts. For this step including a separate copyright file (and perhaps even separate files for each licence) would be fine, as all who receive the binaries also recieve the copyright file and it is easy to notice.

However, the second step is distribution from the server's of those who incorporated JSO into their webpages/webapps/… . Just like before, the full texts must be distributed alongside the binaries. Separate licence and copyright files from the npm-package will never get send to the end user, so if this were to be the only thing we do we'd set up all JSO users to commit copyright violations.
subtitles-octopus.js is iiuc a prerequisite to obtain any other binaries, therefore prepending the notices and license text to this file is the easiest way to ensure the text gets distributed to all end users in this second distribution step as well. But though easy the notices are now less discoverable in the package of the first step. Discoverability in the second distribution step is innately hard, so I'm not sure we can do much better there.
If possible, we could in theory also make sure a seperate copyright file gets send to the end-users, but that would even harder to discover and connect to JSO htan merging into the js file as now (consider: one would need to monitor the net request from the webpage, notices that there's a copyright file loaded (but never shown on the site itself) and then figure out which f iles got requested together with it).

From my limited knowledge about how JSO integration works, it appears to me like prepending to subtitles-octopus.js is the best approach for the second distribution step, but there might be other, better possibilities I'm not aware of.
However, for the first distribution-step (and the source distribution of unbrotli.js) this prepending is suboptimal as the notice is hard to discover. We could eg also include an additional seperate notices, prominently placed in the npm- and GH-packages and our repo to deal with this. This standalone notice would only be distributed in the first but not the second step; in the second step only the still present subtitles-octopus.js-preamble would be distributed to end-users. This is however also not ideal as it duplicates the notices.

We can move unbrotli.js to its own folder in lib and include the Apache License copy there

Where does unbrotli.js even come from? The brotli-submodule also has a JavaScript subdir which we aren't currently using (and which borks out licensecheck's copyright notice detection). If with putting it into its own subfolder you mean using a submodule to also allow us to easily update it in the future, then this sounds good. If it just remains a regular static file however, I don't see which benefit there is in a separate subfolder just for this one file. There aren't many files in src/ to begin with.
Can you elaborate on what you're intending?

also include a point to it in the main LICENSE file

If with “main LICENSE file” you mean LICENSE in the repo's root, then there's no need for that I think.

Where does unbrotli.js even come from?

I don't remember why i used this file, but it works with brotli submodule copy with a little mod in decode.js.

We can remove unbrotli.js file and use the Brotli submodule implementation

I don't remember why i used this [src/unbrotli.js] file, but it works with brotli submodule copy with a little mod in decode.js.
We can remove unbrotli.js file and use the Brotli submodule implementation

The minified javascript implemntation (lib/brotli/js__/decode.min.js) bugs licensecheck's copyright notice detection, instead using a chunk of code as the "copyright holder", if you want to change it this way, make sure to not use this (emscripten can do its own minisation anayway) and adjust LIB_LICENSES_FINDOPT_brotli in Makefile to not exclude anything contained in the build, but still exclude the buggy file.
Though, since we already use the brotli C library, why not use this via WASM¹ instead of yet another brotli implementation, this time in pure JS?

Either way, if desired, this should be done separately as it is out of scope for this pr.

1: Ofc, there's the "fun" disparity with JS using native endianess, but WASM for some reason requiring Little-Endian for its types, but since this only decompresses files byte per byte iinm, this shouldn't be a problem here, or is it?

Rebased after the brotli change and excluded the unused decode.min.js which borks the copyright detection.
Also bumped JSO's copyright year.