From: Joshua Watt <jpewhacker@gmail.com>
To: Christian Ege <k4230r6@gmail.com>,
	Yocto list discussion <yocto@yoctoproject.org>
Subject: Re: How to generate SPDX Information
Date: Tue, 28 Nov 2017 08:29:23 -0600
Message-ID: <1511879363.16998.16.camel@gmail.com>
In-Reply-To: <CAALGJZY3j17rTPo8r4iYxt6D1Gcy-5_dy79Ge7xg9=mqsDsS2g@mail.gmail.com>

On Tue, 2017-11-28 at 14:57 +0100, Christian Ege wrote:
> Hello,
> 
> due to the fact there is a license troll who actively sues German
> companies. I did some research to comply with the need to provide the
> copyright information within my YOCTO builds. My research ended up
> with the spdx.class which includes support for the fossology tool.
> But the current version of fossology does not support the spdx plugin
> used in the spdx.class anymore [1]. This plugin is not updated since 4
> years. As an alternative there is the DoSOCSv2 tool [2] for which a
> Patch by Lei Maohui exists which was not accepted and Lei ended up in
> a separate layer called meta-spdxscanner [3].
> 
> So my specific question is, what are the recommended actions to
> comply to provide copyright information with the source code/binary?
> What is the state of the art at the moment and how do the users of
> oe/yocto solve this requirement?

Not sure if it is the best method, but we include all the license
information in our (readonly) rootfs image by adding 

 COPY_LIC_MANIFEST = "1"
 COPY_LIC_DIRS = "1"

to local.conf. Our UI application then parses
/usr/share/common-licenses/license.manifest to show a scrollable list
of software with a short blurb for each like:
"licensed under one or more of the following licence(s): ${SPDX list
from license manifest}"

If the SPDX list contains the text "GPL" (and maybe some others, can't
remember right now), we add "Source code may be downloaded from
http://www.company.com/foss". We upload a monolithic tarball containing
all the GPL code to this site every release. This tarball is generated
by adding:

 INHERIT += "archiver"
 ARCHIVER_MODE[dumpdata] = "1"
 ARCHIVER_MODE[recipe] = "1"

to local.conf, then filtering out the copyleft software with some post-
processing scripts.

Finally, for each package, we add the text from the actual license
files for each package (from the directories under
/usr/share/common-licenses/<PACKAGE>/) so that the user can see the
full terms.

Not sure if it is the best method, but it works for us. I think it
covers all the license requirements (mainly, attribution and making the
copyleft source available).

> 
> Thanks in advance,
> Christian
> 
> -- 
> [1] https://github.com/FOSSology-SPDX/fossology-spdx
> [2] https://github.com/DoSOCSv2/DoSOCSv2
> [3] https://layers.openembedded.org/layerindex/branch/master/layer/meta-spdxscanner/
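
The manifest-parsing step described in the reply above, as an added example that is not part of the original message or of any Yocto code. It assumes license.manifest consists of blank-line-separated "KEY: value" blocks with PACKAGE NAME, PACKAGE VERSION, RECIPE NAME and LICENSE fields; the sample packages are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the assumed license.manifest layout:
# one "KEY: value" block per package, blocks separated by blank lines.
SAMPLE_MANIFEST = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.24.1
RECIPE NAME: busybox
LICENSE: GPLv2 & bzip2

PACKAGE NAME: libexample
PACKAGE VERSION: 0.1
RECIPE NAME: example
LICENSE: MIT | LGPLv2.1

PACKAGE NAME: zlib-sample
PACKAGE VERSION: 1.2.8
RECIPE NAME: zlib
LICENSE: Zlib
"""

SOURCE_OFFER = "Source code may be downloaded from http://www.company.com/foss"


def parse_manifest(text):
    """Return one dict per package block, keyed by the manifest field names."""
    packages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip malformed lines that have no "KEY:" prefix
                fields[key.strip()] = value.strip()
        if "PACKAGE NAME" in fields:
            packages.append(fields)
    return packages


def license_ids(expr):
    """Split a LICENSE expression such as "GPLv2 & (MIT | BSD)" into names."""
    return [tok for tok in re.split(r"[\s&|()]+", expr) if tok]


def blurb(pkg):
    """Build the per-package text shown to the user."""
    ids = license_ids(pkg.get("LICENSE", ""))
    text = "%s %s: licensed under one or more of the following licence(s): %s" % (
        pkg["PACKAGE NAME"], pkg.get("PACKAGE VERSION", "?"), ", ".join(ids))
    if any("GPL" in lic for lic in ids):  # substring test also matches LGPL/AGPL
        text += ". " + SOURCE_OFFER
    return text
```

Because the check is a plain substring match on "GPL", LGPL-licensed packages also receive the source-offer line, which errs on the side of offering source.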

