CII Best practives
The Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The CII Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software. The Yocto Project is registered and has the following badge level:
If a distribution isn’t specific about which packages to pull in to support dependencies, or their order, build systems can arbitrarily include packages based on when dependencies are filled. This harms build reproducibility. The Yocto Project® controls dependencies avoiding contamination and has achieved reproducibility of 99.8% in “core-image minimal” and slightly less in expanded tests. Timestamps have been addressed in a number of cases and other cases are an ongoing effort.
Cross Platform Development Framework: CROPS
CROPS is an open source, cross-platform development framework that leverages Docker containers to provide an easily managed, extensible environment which allows developers to build binaries for a variety of architectures of Windows, Linux and Mac OS X hosts.
The Yocto Project Extensible SDK (eSDK) has tools that allow you to easily add new applications and libraries to an image, modify the source of an existing component and test changes on the target hardware. The main benefit over the standard SDK is improved team workflow due to tighter integration with the OpenEmbedded build system.
Toaster is a web interface to the Yocto Project’s OpenEmbedded build system. The interface enables you to configure and run your builds. Information about builds is collected and stored in a database. You can use Toaster to configure and start builds on multiple remote build servers. What is fascinating about Toaster is its forensics ability.
The build system can automatically and efficiently build multiple specified architectures with one command.
The Yocto Project allows binary files to be included in the build without including the corresponding source code files.
Open Source License Manifest Generation
The Yocto Project can keep track of all open source licenses used in the build and provide you with a manifest of those licenses and source references.