* GPL License Compliance - Automatically detect linking against GPL libraries
@ 2024-05-29  9:06 Hanke Fabian (DC/PAR)
  2024-05-29  9:27 ` [yocto] " Etienne Cordonnier
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Hanke Fabian (DC/PAR) @ 2024-05-29  9:06 UTC (permalink / raw)
  To: yocto

Hello,
we were wondering if anyone has experiences / best practices on how to detect if packages link to a library from another GPL licensed package? We know that there are ways to completely filter out some licenses via INCOMPATIBLE_LICENSE. But from our (limited) legal knowledge it is okay to include them in our image, if we fulfill all the obligations. One obligation implies that code linked to a GPL library will need to have the same license (derivative work). Hence we would like to avoid that packages containing our own closed source software link by accident to a GPL based library. Has anyone experiences / best practices on how to detect this automatically during the bitbake build?

Best regards,
Fabian Hanke 
--------------------------------
Bosch Rexroth AG
Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart HRB 23192 Executive Board: Dr. Steffen Haack (President), Roland Bittenauer, Thomas Fechner, Holger von Hebel, Reinhard Schäfer Chairman of the Supervisory Board: Dr. Markus Forschner


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-29  9:06 GPL License Compliance - Automatically detect linking against GPL libraries Hanke Fabian (DC/PAR)
@ 2024-05-29  9:27 ` Etienne Cordonnier
  2024-05-29 11:15 ` Stephen John Smoogen
  2024-05-30 10:19 ` Stefano Babic
  2 siblings, 0 replies; 12+ messages in thread
From: Etienne Cordonnier @ 2024-05-29  9:27 UTC (permalink / raw)
  To: yocto, fabian.hanke

Hi Fabian,
one commercial option for this use-case is
https://github.com/fossas/meta-fossa

Étienne

On Wed, May 29, 2024 at 11:06 AM Hanke Fabian (DC/PAR) via
lists.yoctoproject.org <fabian.hanke=bosch.com@lists.yoctoproject.org>
wrote:

> Hello,
> we were wondering if anyone has experiences / best practices on how to
> detect if packages link to a library from another GPL licensed package? We
> know that there are ways to completely filter out some licenses via
> INCOMPATIBLE_LICENSE. But from our (limited) legal knowledge it is okay to
> include them in our image, if we fulfill all the obligations. One
> obligation implies that code linked to a GPL library will need to have the
> same license (derivative work). Hence we would like to avoid that packages
> containing our own closed source software link by accident to a GPL based
> library. Has anyone experiences / best practices on how to detect this
> automatically during the bitbake build?
>
> Best regards,
> Fabian Hanke

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-29  9:06 GPL License Compliance - Automatically detect linking against GPL libraries Hanke Fabian (DC/PAR)
  2024-05-29  9:27 ` [yocto] " Etienne Cordonnier
@ 2024-05-29 11:15 ` Stephen John Smoogen
  2024-05-29 11:34   ` Alexander Kanavin
  2024-05-30 10:19 ` Stefano Babic
  2 siblings, 1 reply; 12+ messages in thread
From: Stephen John Smoogen @ 2024-05-29 11:15 UTC (permalink / raw)
  To: yocto, fabian.hanke

On Wed, 29 May 2024 at 05:06, Hanke Fabian (DC/PAR) via
lists.yoctoproject.org <fabian.hanke=bosch.com@lists.yoctoproject.org>
wrote:

> Hello,
> we were wondering if anyone has experiences / best practices on how to
> detect if packages link to a library from another GPL licensed package? We
> know that there are ways to completely filter out some licenses via
> INCOMPATIBLE_LICENSE. But from our (limited) legal knowledge it is okay to
> include them in our image, if we fulfill all the obligations. One
> obligation implies that code linked to a GPL library will need to have the
> same license (derivative work). Hence we would like to avoid that packages
> containing our own closed source software link by accident to a GPL based
> library. Has anyone experiences / best practices on how to detect this
> automatically during the bitbake build?
>
>
I wanted to bring up a nuance because you are saying 'GPL based library'.
There are several different GPL licenses which need to be evaluated when
linking to. The lawyers at Bosch can give the best advice, but this
following rule of thumb may be useful:
Linking to licenses with AGPL -> must be a compatible source license (aka
source must be available and modifiable by user) and must meet additional
requirements for delivery
Linking to licenses with GPL -> must be a compatible source license (aka
source must be available and modifiable by user)
Linking to licenses with LGPL -> can be a closed source library in many
cases. [again get a lawyer's review]

Then there are the GPL and LGPL with exception licenses. Those exceptions
might be something 'slight' so that license incompatibilities between the
OpenSSL or Apache can be still 'excepted' for use. And then there are the
exceptions which basically allow any closed source to link against it.
Those need a lawyer's review. There are also differences between version 2
and version 3 of the licenses that again need lawyer's advice.

On many Linux operating systems the libc is based off of glibc which is
LGPL2+ with exceptions and GPL2+ with exceptions for various binaries.
Other libraries that are in common use may also be. There are also example
layers like the one that Etienne Cordonnier brought up which can help cut
down potential conflicts.

And my apologies for bringing up 'lawyers review' so much. Various parts of
Bosch have worked in this space for a long time so I figured there was a
dedicated counsel who can help guide engineering projects through GPL and
other license linking and compliance.

> Best regards,
> Fabian Hanke

-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-29 11:15 ` Stephen John Smoogen
@ 2024-05-29 11:34   ` Alexander Kanavin
  2024-05-29 11:58     ` Stephen John Smoogen
  0 siblings, 1 reply; 12+ messages in thread
From: Alexander Kanavin @ 2024-05-29 11:34 UTC (permalink / raw)
  To: yocto, smooge; +Cc: fabian.hanke

On Wed, 29 May 2024 at 13:18, Stephen John Smoogen via
lists.yoctoproject.org <smooge=gmail.com@lists.yoctoproject.org>
wrote:
> I wanted to bring up a nuance because you are saying 'GPL based library'. There are several different GPL licenses which need to be evaluated when linking to. The lawyers at Bosch can give the best advice, but this following rule of thumb may be useful:
> Linking to licenses with AGPL -> must be a compatible source license (aka source must be available and modifiable by user) and must meet additional requirements for delivery
> Linking to licenses with GPL -> must be a compatible source license (aka source must be available and modifiable by user)
> Linking to licenses with LGPL -> can be a closed source library in many cases. [again get a lawyer's review]
>
> Then there are the GPL and LGPL with exception licenses. Those exceptions might be something 'slight' so that license incompatibilities between the OpenSSL or Apache can be still 'excepted' for use. And then there are the exceptions which basically allow any closed source to link against it. Those need a lawyer's review. There are also differences between version 2 and version 3 of the licenses that again need lawyer's advice.
>
> On many Linux operating systems the libc is based off of glibc which is LGPL2+ with exceptions and GPL2+ with exceptions for various binaries. Other libraries that are in common use may also be. There are also example layers like the one that Etienne Cordonnier brought up which can help cut down potential conflicts.
>
> And my apologies for bringing up 'lawyers review' so much. Various parts of Bosch have worked in this space for a long time so I figured there was a dedicated counsel who can help guide engineering projects through GPL and other license linking and compliance.
>

The question was how to figure out programmatically what actually
links with gpl pieces without doing a laborious manual review of every
component in the product. And doing it at the yocto integration point
where the problem is introduced, and not after the fact in legal
review where the cost of correcting that mistake is going to be 10x or
100x.

Sounds like this could be a test in package_qa task? I'm not aware of
anything in oe-core that does it, but experiments in that direction
welcome.

Alex


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-29 11:34   ` Alexander Kanavin
@ 2024-05-29 11:58     ` Stephen John Smoogen
  0 siblings, 0 replies; 12+ messages in thread
From: Stephen John Smoogen @ 2024-05-29 11:58 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: yocto, fabian.hanke

On Wed, 29 May 2024 at 07:34, Alexander Kanavin <alex.kanavin@gmail.com>
wrote:

> On Wed, 29 May 2024 at 13:18, Stephen John Smoogen via
> lists.yoctoproject.org <smooge=gmail.com@lists.yoctoproject.org>
> wrote:
> > I wanted to bring up a nuance because you are saying 'GPL based
> > library'. There are several different GPL licenses which need to be
> > evaluated when linking to. The lawyers at Bosch can give the best advice,
> > but this following rule of thumb may be useful:
> > Linking to licenses with AGPL -> must be a compatible source license
> > (aka source must be available and modifiable by user) and must meet
> > additional requirements for delivery
> > Linking to licenses with GPL -> must be a compatible source license (aka
> > source must be available and modifiable by user)
> > Linking to licenses with LGPL -> can be a closed source library in many
> > cases. [again get a lawyer's review]
> >
> > Then there are the GPL and LGPL with exception licenses. Those
> > exceptions might be something 'slight' so that license incompatibilities
> > between the OpenSSL or Apache can be still 'excepted' for use. And then
> > there are the exceptions which basically allow any closed source to link
> > against it. Those need a lawyer's review. There are also differences
> > between version 2 and version 3 of the licenses that again need lawyer's
> > advice.
> >
> > On many Linux operating systems the libc is based off of glibc which is
> > LGPL2+ with exceptions and GPL2+ with exceptions for various binaries.
> > Other libraries that are in common use may also be. There are also example
> > layers like the one that Etienne Cordonnier brought up which can help cut
> > down potential conflicts.
> >
> > And my apologies for bringing up 'lawyers review' so much. Various parts
> > of Bosch have worked in this space for a long time so I figured there was a
> > dedicated counsel who can help guide engineering projects through GPL and
> > other license linking and compliance.
> >
>
> The question was how to figure out programmatically what actually
> links with gpl pieces without doing a laborious manual review of every
> component in the product. And doing it at the yocto integration point
>

Yes, I misread the intent of the original question and went on a tangent. I
have several times had to explain the differentiation because people
try to remove all GPL without understanding that LGPL can be used for most
things. I should have reread and engaged only after that.


> where the problem is introduced, and not after the fact in legal
> review where the cost of correcting that mistake is going to be 10x or
> 100x.
>
> Sounds like this could be a test in package_qa task? I'm not aware of
> anything in oe-core that does it, but experiments in that direction
> welcome.
>
> Alex
>


-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-29  9:06 GPL License Compliance - Automatically detect linking against GPL libraries Hanke Fabian (DC/PAR)
  2024-05-29  9:27 ` [yocto] " Etienne Cordonnier
  2024-05-29 11:15 ` Stephen John Smoogen
@ 2024-05-30 10:19 ` Stefano Babic
  2024-05-31 13:40   ` Hanke Fabian (DC/PAR)
  2 siblings, 1 reply; 12+ messages in thread
From: Stefano Babic @ 2024-05-30 10:19 UTC (permalink / raw)
  To: yocto, fabian.hanke

Hi Fabian,

On 29.05.24 11:06, Hanke Fabian (DC/PAR) via lists.yoctoproject.org wrote:
> Hello,
> we were wondering if anyone has experiences / best practices on how to detect if packages link to a library from another GPL licensed package? We know that there are ways to completely filter out some licenses via INCOMPATIBLE_LICENSE. But from our (limited) legal knowledge it is okay to include them in our image, if we fulfill all the obligations. One obligation implies that code linked to a GPL library will need to have the same license (derivative work). Hence we would like to avoid that packages containing our own closed source software link by accident to a GPL based library. Has anyone experiences / best practices on how to detect this automatically during the bitbake build?

Is this not what fossology is thought to solve?

Best regards,
Stefano


-- 
=====================================================================
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich,   Office: Kirchenstr.5, 82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
=====================================================================


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-30 10:19 ` Stefano Babic
@ 2024-05-31 13:40   ` Hanke Fabian (DC/PAR)
  2024-05-31 13:54     ` Richard Purdie
  2025-04-22  4:41     ` Aleksandar Nikolic
  0 siblings, 2 replies; 12+ messages in thread
From: Hanke Fabian (DC/PAR) @ 2024-05-31 13:40 UTC (permalink / raw)
  To: Stefano Babic, yocto

Hello,

thank you for all the responses so far. I guess we will have a look at fossology and fossas, but we would prefer a solution which does not require an additional third-party service. We know that there are different types of GPL licenses which bring different obligations.

We are searching for an automatic mechanism to detect linking to a shared library from a GPL package. We thought there might be a way to utilize the build system’s shared library resolver which is used for the automatic runtime added runtime dependencies [1].

For static libraries we found that they are disabled by default [2].

[1] https://docs.yoctoproject.org/overview-manual/concepts.html#automatically-added-runtime-dependencies
[2] https://docs.yoctoproject.org/dev/dev-manual/licenses.html#compliance-limitations-with-executables-built-from-static-libraries
--------------------------------

Bosch Rexroth AG

Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart HRB 23192 Executive Board: Dr. Steffen Haack (President), Roland Bittenauer, Thomas Fechner, Holger von Hebel, Reinhard Schäfer Chairman of the Supervisory Board: Dr. Markus Forschner


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-31 13:40   ` Hanke Fabian (DC/PAR)
@ 2024-05-31 13:54     ` Richard Purdie
  2025-04-17 11:14       ` Hanke Fabian (DC/PAN-St)
  2025-04-22  4:41     ` Aleksandar Nikolic
  1 sibling, 1 reply; 12+ messages in thread
From: Richard Purdie @ 2024-05-31 13:54 UTC (permalink / raw)
  To: yocto, fabian.hanke, Stefano Babic

On Fri, 2024-05-31 at 06:40 -0700, Hanke Fabian (DC/PAR) via
lists.yoctoproject.org wrote:
> Hello,
> 
> thank you for all the responses so far. I guess we will have a look
> at fossology and fossas, but we would prefer a solution which does
> not require an additional thirdparty service. We know that there are
> different types of GPL licenses which bring different obligations. 
> 
> We are searching for an automatic mechanism to detect linking to a
> shared library from a GPL package. We thought there might be a way to
> utilize the build system’s shared library resolver which is used for
> the automatic runtime added runtime dependencies [1].
> 
> For static libraries we found that they are disabled by default [2].
> 
> [1]
> https://docs.yoctoproject.org/overview-manual/concepts.html#automatically-added-runtime-dependencies
> [2]
> https://docs.yoctoproject.org/dev/dev-manual/licenses.html#compliance-limitations-with-executables-built-from-static-libraries

It can definitely be done and we have a lot of the information there.
Our packaging code does already look at linking as you mention. Nobody
has proposed a solution that could be merged to OE-Core though. I'd
love to see one.

Cheers,

Richard


^ permalink raw reply	[flat|nested] 12+ messages in thread

* RE: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-31 13:54     ` Richard Purdie
@ 2025-04-17 11:14       ` Hanke Fabian (DC/PAN-St)
  2025-04-22 10:48         ` Alexander Kanavin
  0 siblings, 1 reply; 12+ messages in thread
From: Hanke Fabian (DC/PAN-St) @ 2025-04-17 11:14 UTC (permalink / raw)
  To: Richard Purdie, yocto@lists.yoctoproject.org,
	vinhtruong.huynh@stud.h-da.de

Hello,

I would like to pick up this topic. We want to invest more time and effort trying to solve the linking compliance within Yocto which we would also be very happy to contribute. @vinhtruong.huynh@stud.h-da.de wants to research and implement a solution as part of his master thesis.

We were wondering if there is some further documentation or helpful material about the architecture design of bitbake? Is there someone Huynh could contact about this topic?

Best regards

Fabian Hanke
Product Area New Business Hub Stuttgart DC/PAN-St

Mobile +49 152 22843520
Fabian.Hanke@de.bosch.com
www.boschrexroth.com

Bosch Rexroth AG
Grönerstraße 5/1
71636 Ludwigsburg
GERMANY

Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart HRB 23192
Executive Board: Dr. Steffen Haack (President), Roland Bittenauer, Thomas Fechner, Dr. Christina Franke, Holger von Hebel
Chairman of the Supervisory Board: Dr. Tanja Rückert

> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Friday, May 31, 2024 3:55 PM
> To: yocto@lists.yoctoproject.org; Hanke Fabian (DC/PAN-St)
> <fabian.hanke@bosch.com>; Stefano Babic <sbabic@denx.de>
> Subject: Re: [yocto] GPL License Compliance - Automatically detect linking
> against GPL libraries
> 
> On Fri, 2024-05-31 at 06:40 -0700, Hanke Fabian (DC/PAR) via
> lists.yoctoproject.org wrote:
> > Hello,
> >
> > thank you for all the responses so far. I guess we will have a look at
> > fossology and fossas, but we would prefer a solution which does not
> > require an additional thirdparty service. We know that there are
> > different types of GPL licenses which bring different obligations.
> >
> > We are searching for an automatic mechanism to detect linking to a
> > shared library from a GPL package. We thought there might be a way to
> > utilize the build system's shared library resolver which is used for
> > the automatic runtime added runtime dependencies [1].
> >
> > For static libraries we found that they are disabled by default [2].
> >
> > [1]
> > https://docs.yoctoproject.org/overview-manual/concepts.html#automatically-added-runtime-dependencies
> > [2]
> > https://docs.yoctoproject.org/dev/dev-manual/licenses.html#compliance-limitations-with-executables-built-from-static-libraries
> 
> It can definitely be done and we have a lot of the information there.
> Our packaging code does already look at linking as you mention. Nobody has
> proposed a solution that could be merged to OE-Core though. I'd love to see
> one.
> 
> Cheers,
> 
> Richard


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2024-05-31 13:40   ` Hanke Fabian (DC/PAR)
  2024-05-31 13:54     ` Richard Purdie
@ 2025-04-22  4:41     ` Aleksandar Nikolic
  2025-04-22 21:35       ` Khem Raj
  1 sibling, 1 reply; 12+ messages in thread
From: Aleksandar Nikolic @ 2025-04-22  4:41 UTC (permalink / raw)
  To: Hanke Fabian (DC/PAR), yocto

On Fri, May 31, 2024 at 03:40 PM, Hanke Fabian (DC/PAR) wrote:

> 
> Hello,
> 
> thank you for all the responses so far. I guess we will have a look at
> fossology and fossas, but we would prefer a solution which does not
> require an additional thirdparty service. We know that there are different
> types of GPL licenses which bring different obligations.
> 
> We are searching for an automatic mechanism to detect linking to a shared
> library from a GPL package. We thought there might be a way to utilize the
> build system’s shared library resolver which is used for the automatic
> runtime added runtime dependencies [1].
> 
> For static libraries we found that they are disabled by default [2].

Could someone explain what it means that static libraries are disabled? Does this refer to staticdev-pkgs in IMAGE_FEATURES?

Cheers,
Aleksandar

> 
> 
> [1] https://docs.yoctoproject.org/overview-manual/concepts.html#automatically-added-runtime-dependencies
> 
> [2] https://docs.yoctoproject.org/dev/dev-manual/licenses.html#compliance-limitations-with-executables-built-from-static-libraries

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2025-04-17 11:14       ` Hanke Fabian (DC/PAN-St)
@ 2025-04-22 10:48         ` Alexander Kanavin
  0 siblings, 0 replies; 12+ messages in thread
From: Alexander Kanavin @ 2025-04-22 10:48 UTC (permalink / raw)
  To: yocto, fabian.hanke; +Cc: Richard Purdie, vinhtruong.huynh@stud.h-da.de

On Thu, 17 Apr 2025 at 13:14, Hanke Fabian (DC/PAR) via
lists.yoctoproject.org <fabian.hanke=bosch.com@lists.yoctoproject.org>
wrote:
> I would like to pick up this topic. We want to invest more time and effort trying to solve the linking compliance within Yocto which we would also be very happy to contribute. @vinhtruong.huynh@stud.h-da.de wants to research and implement a solution as part of his master thesis.
>
> We were wondering if there is some further documentation or helpful material about the architecture design of bitbake? Is there someone Huynh could contact about this topic?

You don't need to study bitbake's architecture design for this. What
you need is to:

- learn basic yocto (e.g. set up a build and run it, and learn what is
happening and where inputs and outputs are)
- learn the particular tasks that are relevant to the subject:
package, packagedata, package_qa, package_write_*, what they take as
input, what they do, and what is their output and where it goes.

Then you can start thinking about extending them with the linking check.

Also, let's state this upfront: this is an open source project, and no
one owes you answers. Source is available, study it, and ask specific
questions here in the public forums. Never direct them at particular
people involved in the project, until they had previously agreed to
help you, or you are in a commercial support contract with them.

Cheers,
Alex


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [yocto] GPL License Compliance - Automatically detect linking against GPL libraries
  2025-04-22  4:41     ` Aleksandar Nikolic
@ 2025-04-22 21:35       ` Khem Raj
  0 siblings, 0 replies; 12+ messages in thread
From: Khem Raj @ 2025-04-22 21:35 UTC (permalink / raw)
  To: yocto, aleksandar.nikolic010, Hanke Fabian (DC/PAR)


On 4/21/25 9:41 PM, Aleksandar Nikolic via lists.yoctoproject.org wrote:
> On Fri, May 31, 2024 at 03:40 PM, Hanke Fabian (DC/PAR) wrote:
> 
>     Hello,
> 
>     thank you for all the responses so far. I guess we will have a look
>     at fossology and fossas, but we would prefer a solution which does
>     not require an additional thirdparty service. We know that there are
>     different types of GPL licenses which bring different obligations.
> 
>     We are searching for an automatic mechanism to detect linking to a
>     shared library from a GPL package. We thought there might be a way
>     to utilize the build system’s shared library resolver which is used
>     for the automatic runtime added runtime dependencies [1].

Having such a mechanism would aid licensing policy in some
circumstances. shlibs deals with shared libraries, so technically there
can be a hook to do some analysis of this sort; there are perhaps more
licenses that can also be considered for similar policy.

> 
>     For static libraries we found that they are disabled by default [2].
> 
> Could someone explain what it means that static libraries are disabled? 
> Does this refer to staticdev-pkgs in IMAGE_FEATURES?

No, this means that we do not generate static libraries when the package
allows building both static and shared versions; see the DISABLE_STATIC
variable and how it is used. We build and use the shared version. That also
means that we are dependent on how the package's build system is designed;
it may not allow one or the other, so we have to adjust accordingly.

See meta/conf/distro/include/no-static-libs.inc

for exceptions, and you need to map the license to these packages to find
if it is something your licensing policy would not allow. And this file
is only for the core layer; if you consume other layers they might or might
not have such a global file, in that case you have to look through your
dependency chain and analyse the packages.

> Cheers,
> Aleksandar
> 
> 
>     [1] https://docs.yoctoproject.org/overview-manual/concepts.html#automatically-added-runtime-dependencies
>     [2] https://docs.yoctoproject.org/dev/dev-manual/licenses.html#compliance-limitations-with-executables-built-from-static-libraries

^ permalink raw reply	[flat|nested] 12+ messages in thread
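
Added example, not part of the thread and not OE-Core code: a sketch of the check discussed above, pairing the sonames a closed-source package needs with the license of the package that provides them. The package table, the `CLOSED`/`Proprietary` markers, the severity policy (LGPL accepted, GPL/AGPL flagged, exception variants sent to review, following the rule of thumb earlier in the thread) and all function names are assumptions constructed for illustration; a real check would take this data from the build's shlibs and package data.

```python
import re

# Severity levels, ordered so that max()/min() can combine them.
OK, REVIEW, VIOLATION = 0, 1, 2
CLOSED_MARKERS = {"CLOSED", "PROPRIETARY"}  # assumed spellings for in-house code
_TOKEN = re.compile(r"\s*([()&|]|[A-Za-z0-9.+_-]+)")


def tokenize(expr):
    """Split a LICENSE-style expression into names, '&', '|' and parentheses."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if match is None:
            raise ValueError(f"unexpected character at {pos} in {expr!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def classify(name):
    """Policy assumption: LGPL is accepted, GPL/AGPL is not, exceptions need review."""
    upper = name.upper()
    if upper.startswith("LGPL"):
        return OK
    if upper.startswith(("GPL", "AGPL")):
        return REVIEW if "EXCEPTION" in upper else VIOLATION
    return OK


def severity(expr):
    """Evaluate an expression: '&' means all terms apply, '|' means pick one."""
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def factor():
        nonlocal pos
        tok = peek()
        if tok is None or tok in {")", "&", "|"}:
            raise ValueError(f"malformed license expression: {expr!r}")
        pos += 1
        if tok == "(":
            value = choice()
            if peek() != ")":
                raise ValueError(f"unbalanced parentheses: {expr!r}")
            pos += 1
            return value
        return classify(tok)

    def conjunction():  # every '&' operand binds the linker: worst one wins
        nonlocal pos
        value = factor()
        while peek() == "&":
            pos += 1
            value = max(value, factor())
        return value

    def choice():  # '|' lets the licensee choose: least restrictive wins
        nonlocal pos
        value = conjunction()
        while peek() == "|":
            pos += 1
            value = min(value, conjunction())
        return value

    result = choice()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def check_links(packages):
    """Return (package, soname, provider, severity) for closed packages only."""
    providers = {so: name for name, pkg in packages.items()
                 for so in pkg.get("provides", ())}
    findings = []
    for name, pkg in sorted(packages.items()):
        if not CLOSED_MARKERS & {t.upper() for t in tokenize(pkg["license"])}:
            continue  # open-source packages are out of scope for this check
        for soname in pkg.get("needed", ()):
            provider = providers.get(soname)
            if provider is None:  # unknown provider: cannot be cleared automatically
                findings.append((name, soname, None, REVIEW))
                continue
            level = severity(packages[provider]["license"])
            if level != OK:
                findings.append((name, soname, provider, level))
    return findings


# Constructed sample data (package names, licenses and sonames are illustrative).
SAMPLE = {
    "vendor-app": {"license": "CLOSED",
                   "needed": ["libc.so.6", "libreadline.so.8", "libgcc_s.so.1",
                              "libfoo.so.2", "libdual.so.1"]},
    "gpl-tool": {"license": "GPL-2.0-only", "needed": ["libreadline.so.8"]},
    "glibc": {"license": "LGPL-2.1-or-later", "provides": ["libc.so.6"]},
    "readline": {"license": "GPL-3.0-or-later", "provides": ["libreadline.so.8"]},
    "libgcc": {"license": "GPL-3.0-with-GCC-exception", "provides": ["libgcc_s.so.1"]},
    "libdual": {"license": "MIT | GPL-2.0-only", "provides": ["libdual.so.1"]},
}

if __name__ == "__main__":
    labels = {REVIEW: "review", VIOLATION: "violation"}
    for pkg, soname, provider, level in check_links(SAMPLE):
        print(f"{labels[level]}: {pkg} needs {soname} from {provider or 'unknown'}")
```
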
