Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries

[Khem Raj <raj.khem@gmail.com>]

[-- Attachment #1.1.1: Type: text/plain, Size: 3405 bytes --]

On 4/21/25 9:41 PM, Aleksandar Nikolic via lists.yoctoproject.org wrote:
> On Fri, May 31, 2024 at 03:40 PM, Hanke Fabian (DC/PAR) wrote:
> 
>     Hello,
> 
>     thank you for all the responses so far. I guess we will have a look
>     at fossology and fossas, but we would prefer a solution which does
>     not require an additional thirdparty service. We know that there are
>     different types of GPL licenses which bring different obligations.
> 
>     We are searching for an automatic mechanism to detect linking to a
>     shared library from a GPL package. We thought there might be a way
>     to utilize the build system’s shared library resolver which is used
>     for the automatic runtime added runtime dependencies [1].

Having such mechanism would be aiding in licensing policy in some 
circumstances. shlibs deals with shared libraries so technically there
can be a hook to do some analysis of this sort, there are perhaps more 
licenses that can also be considered for similar policy.

> 
>     For static libraries we found that they are disabled by default [2].
> 
> Could someone explain what it means that static libraries are disabled? 
> Does this refer to staticdev-pkgs in IMAGE_FEATURES?

No, this means that we do not generate static libraries when the package 
allows building both static and shared versions, see DISABLE_STATIC 
variable and how it is used. We build and use shared version. That also 
means that we are dependent on how package's build system is designed, 
it may not allow one or the other so we have to adjust accordingly.

See meta/conf/distro/include/no-static-libs.inc

for exceptions and you need to map the license to these packages to find 
if it is something your licensing policy would not allow. And this file 
is only for core layer, if you consume other layers they might or might 
not have such global file in that case you have to look through your 
dependency chain and analyse the packages

> Cheers,
> Aleksandar
> 
> 
>     [1] https://docs.yoctoproject.org/overview-manual/
>     concepts.html#automatically-added-runtime-dependencies <https://
>     docs.yoctoproject.org/overview-manual/concepts.html#automatically-
>     added-runtime-dependencies>
>     [2] https://docs.yoctoproject.org/dev/dev-manual/
>     licenses.html#compliance-limitations-with-executables-built-from-
>     static-libraries <https://docs.yoctoproject.org/dev/dev-manual/
>     licenses.html#compliance-limitations-with-executables-built-from-
>     static-libraries>
>     --------------------------------
> 
>     Bosch Rexroth AG
> 
>     Registered Office: Stuttgart, Registration Court: Amtsgericht
>     Stuttgart HRB 23192 Executive Board: Dr. Steffen Haack (President),
>     Roland Bittenauer, Thomas Fechner, Holger von Hebel, Reinhard
>     Schäfer Chairman of the Supervisory Board: Dr. Markus Forschner
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> You automatically follow any topics you start or reply to.
> View/Reply Online (#65217): https://lists.yoctoproject.org/g/yocto/message/65217
> Mute This Topic: https://lists.yoctoproject.org/mt/106365537/1997914
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 2613 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]