[yocto] How to generate SPDX Information

Joshua Watt jpewhacker at gmail.com
Tue Nov 28 06:29:23 PST 2017


On Tue, 2017-11-28 at 14:57 +0100, Christian Ege wrote:
> Hello,
> 
> due to the fact there is a license troll who actively sues German
> companies, I did some research to comply with the need to provide the
> copyright information within my YOCTO builds. My research ended up
> with the spdx.class which includes support for the fossology tool. But
> the current version of fossology does not support the spdx plugin used
> in the spdx.class anymore [1]. This plugin has not been updated in 4
> years. As an alternative there is the DoSOCSv2 tool [2] for which a
> patch by Lei Maohui exists which was not accepted, and Lei ended up in
> a separate layer called meta-spdxscanner [3].
> 
> So my specific question is, what are the recommended actions to comply
> with the requirement to provide copyright information with the source
> code/binary? What is the state of the art at the moment and how do the
> users of oe/yocto solve this requirement?

Not sure if it is the best method, but we include all the license
information in our (readonly) rootfs image by adding

 COPY_LIC_MANIFEST = "1"
 COPY_LIC_DIRS = "1"

to local.conf. Our UI application then parses
/usr/share/common-licenses/license.manifest to show a scrollable list of
software with a short blurb for each like:
"licensed under one or more of the following licence(s): ${SPDX list
from license manifest}"

If the SPDX list contains the text "GPL" (and maybe some others, can't
remember right now), we add "Source code may be downloaded from
http://www.company.com/foss". We upload a monolithic tarball containing
all the GPL code to this site every release. This tarball is generated
by adding:

 INHERIT += "archiver"
 ARCHIVER_MODE[dumpdata] = "1"
 ARCHIVER_MODE[recipe] = "1"

to local.conf, then filtering out the copyleft software with some post-
processing scripts.

Finally, for each package, we add the text from the actual license
files for each package (from the directories under
/usr/share/common-licenses/<PACKAGE>/) so that the user can see the full
terms.

Not sure if it is the best method, but it works for us. I think it
covers all the license requirements (mainly, attribution and making the
copyleft source available).

> 
> Thanks in advance,
> Christian
> 
> -- 
> [1] https://github.com/FOSSology-SPDX/fossology-spdx
> [2] https://github.com/DoSOCSv2/DoSOCSv2
> [3] https://layers.openembedded.org/layerindex/branch/master/layer/me
> ta-spdxscanner/
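As an added example (not Joshua's or Christian's own script, nor part of the Yocto project), here is a small post-processing script in the spirit of the reply above: it parses the block layout that license_image.bbclass writes into license.manifest when COPY_LIC_MANIFEST is set, flags GPL-family entries the way the reply describes, builds the per-package blurb, and lists the recipes whose source must be published. The sample manifest and the company URL are constructed placeholders.

```python
"""Parse a Yocto license.manifest and build the attribution blurb.
Added example; the manifest below is constructed, not from a real build."""
import re

SAMPLE_MANIFEST = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.27.2
RECIPE NAME: busybox
LICENSE: GPLv2 & bzip2

PACKAGE NAME: libcrypto1.1
PACKAGE VERSION: 1.1.0g
RECIPE NAME: openssl
LICENSE: openssl

PACKAGE NAME: libglib-2.0-0
PACKAGE VERSION: 2.54.1
RECIPE NAME: glib-2.0
LICENSE: LGPLv2.1+ & BSD & PD
"""

SOURCE_URL = "http://www.company.com/foss"  # placeholder URL from the post


def parse_manifest(text):
    """Return one dict per package block; blocks are separated by blank lines."""
    packages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "PACKAGE NAME" in entry:
            packages.append(entry)
    return packages


def is_copyleft(license_expr):
    """True if any token of the LICENSE expression names a GPL-family licence."""
    tokens = re.split(r"[\s()&|]+", license_expr)
    return any("GPL" in tok.upper() for tok in tokens if tok)


def blurb(pkg):
    """Blurb shown in the UI; copyleft packages get the source-download notice."""
    text = "%s %s is licensed under one or more of the following licence(s): %s" % (
        pkg["PACKAGE NAME"], pkg["PACKAGE VERSION"], pkg["LICENSE"])
    if is_copyleft(pkg["LICENSE"]):
        text += " Source code may be downloaded from " + SOURCE_URL
    return text


def copyleft_recipes(text):
    """Recipe names to keep from the archiver output when filtering the tarball."""
    return sorted({p["RECIPE NAME"] for p in parse_manifest(text)
                   if is_copyleft(p["LICENSE"])})
```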
