  1. Mender
  2. MEN-3604

License management in Yocto for Mender components


    Details

    • Type: Task
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
    • Days in progress:
      0

      Description

      There are a couple of features in the Yocto Project which can simplify management of OSS license compliance.

      You can read a bit more here.

      But I wanted to focus on the Providing License Text feature, which can be enabled as such:

      COPY_LIC_MANIFEST = "1"
      COPY_LIC_DIRS = "1"
      LICENSE_CREATE_PACKAGE = "1"
      

      This generates a new directory which contains the aggregated package names and their license text.

      tmp/deploy/licenses
      

      One "good" example is the json-c-native directory:

      $ tree json-c-native/
      json-c-native/
      ├── COPYING
      ├── generic_MIT
      └── recipeinfo
      
      0 directories, 3 files
      
      • generic_MIT - This is a generic MIT license text (template). Copied based on the LICENSE variable in the recipe
      • COPYING - Copied from the source of the package, MIT license text with Copyright notice. This is copied based on the LIC_FILES_CHKSUM variable in the recipe

      So strictly speaking, if the license has a requirement that you ship the license text together with the binary, you would need to ship COPYING and not the generic text.

      So if we take a look at the Mender client:

      mender
      ├── LIC_FILES_CHKSUM.sha256
      ├── generic_Apache-2.0
      ├── generic_BSD-2-Clause
      ├── generic_BSD-3-Clause
      ├── generic_ISC
      ├── generic_MIT
      ├── generic_OLDAP-2.8
      └── recipeinfo
      
      0 directories, 8 files
      

      Only the generic texts are provided because we bundle everything in LIC_FILES_CHKSUM.sha256.

      The more appropriate thing to do is probably to utilize the LIC_FILES_CHKSUM variable in the recipe to point to vendor licenses directly; this way bitbake would pick them up and copy them.

      The more extreme solution would be to package each Go module in a separate recipe, hence each module/recipe would have its own LICENSE license management. This might solve other problems as well? This aligns better with the Yocto model but of course complicates things a bit since Yocto and Go are in conflict.
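
An added sketch, not part of the original ticket or of Mender's recipes, of the LIC_FILES_CHKSUM approach described above: it walks a vendored source tree and emits one `file://<path>;md5=<digest>` entry per license file found. The `vendor` subdirectory name, the license file-name pattern and the sample tree are assumptions made for the example.

```python
"""Generate LIC_FILES_CHKSUM entries for license files in a vendored tree."""
import hashlib
import re
import tempfile
from pathlib import Path

# File names commonly used for license texts (assumption; extend as needed).
LICENSE_NAME = re.compile(r"^(LICEN[CS]E|COPYING|NOTICE)([.-].*)?$", re.IGNORECASE)


def find_license_files(source_root: Path, subdir: str = "vendor"):
    """Return license files under source_root/subdir, sorted for stable output."""
    base = source_root / subdir
    return sorted(p for p in base.rglob("*") if p.is_file() and LICENSE_NAME.match(p.name))


def lic_files_chksum(source_root: Path, subdir: str = "vendor"):
    """Build file://<path>;md5=<digest> entries, paths relative to source_root (${S})."""
    entries = []
    for path in find_license_files(source_root, subdir):
        digest = hashlib.md5(path.read_bytes()).hexdigest()
        rel = path.relative_to(source_root).as_posix()
        entries.append(f"file://{rel};md5={digest}")
    return entries


def render_assignment(entries):
    """Format entries as a bitbake variable assignment with line continuations."""
    body = " \\\n".join(f"    {e}" for e in entries)
    return f'LIC_FILES_CHKSUM = " \\\n{body} \\\n"'


def build_sample_tree(root: Path):
    """Constructed sample: two vendored modules, each with its own license file."""
    files = {
        "vendor/example.com/alpha/LICENSE": "MIT License\nCopyright (c) Alpha authors\n",
        "vendor/example.com/beta/COPYING": "BSD 3-Clause\nCopyright (c) Beta authors\n",
        "vendor/example.com/beta/beta.go": "package beta\n",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(text.encode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        print(render_assignment(lic_files_chksum(Path(tmp))))
```

The generated entries still need review before they go into a recipe, since a file-name match does not guarantee the file holds the license text that applies to the shipped binary.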

       

            People

            • Assignee:
              Unassigned
              Reporter:
              mirzak Mirza Krak