From mboxrd@z Thu Jan 1 00:00:00 1970 From: Baruch Siach Date: Fri, 17 Aug 2018 06:48:59 +0300 Subject: [Buildroot] [PATCH 1/8] package/mender: update legal info In-Reply-To: References: <20180814231337.19114-1-mirza.krak@northern.tech> <20180814231337.19114-2-mirza.krak@northern.tech> <0d11b4c6-40ac-5a3a-69d4-a1dda529d43f@mind.be> <1377b705-71cf-3649-5bf1-f31a307d74fd@mind.be> Message-ID: <876009odp0.fsf@tkos.co.il> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Hi Mirza, Mirza Krak writes: > On Thu, Aug 16, 2018 at 5:36 PM, Arnout Vandecappelle wrote: >> On 15/08/2018 09:37, Mirza Krak wrote: >>> On Wed, Aug 15, 2018 at 1:32 AM, Arnout Vandecappelle wrote: >>>> On 15-08-18 01:13, Mirza Krak wrote: >> >> [snip] >>>>> +MENDER_LICENSE_FILES = LICENSE LIC_FILES_CHKSUM.sha256 >>>> >>>> Instead of LIC_FILES_CHKSUM.sha256, we should actually include all the files >>>> mentioned in there in our license list. Well, actually, we can optimize it a >>>> little bit because there are some identical files. >>>> >>>> Alternatively, you could include all of them, and for the .hash file you can >>>> just prepend 'sha256 ' to every line of LIC_FILES_CHKSUM.sha256 and append it >>>> to the .hash file, with the comment >>>> >>>> # From LIC_FILES_CHKSUM.sha256 >>>> >>>> >>>> On second thought, actually it is a good idea to include >>>> LIC_FILES_CHKSUM.sha256 as well, to detect when a new subpackage with a new >>>> license is added. >>> >>> I would really like to keep this as-is to avoid a heavy maintenance >>> burden. This file is maintained in the upstream package and would >>> rather not duplicate the work by extracting the information from >>> LIC_FILES_CHKSUM.sha256 to put it in mender.hash. >>> >>> The checksum check of LIC_FILES_CHKSUM.sha256 will handle the sanity >>> check of the LICENSE files, and all the licenses that are in >>> LIC_FILES_CHKSUM.sha256 are already mentioned in the mender.mk file: >>> >>> MENDER_LICENSE = Apache-2.0, BSD-2-Clause, BSD-3-Clause, MIT, OLDAP-2.8 >>> >>> This should cover it. Or are there any big drawbacks with this >>> approach that I am not seeing? >> >> Well, we really want to collect the license text for all applicable licenses. >> So you should include at least one file for each license mentioned in >> MENDER_LICENSE. Since the checksums are already available, I thought the easiest >> would be to create part of the hash file from the existing file. Like: >> >> # Generated with sed '/^[A-Za-z0-9_]/s/^/sha256 /' LIC_FILES_CHKSUM.sha256 >> # Apache-2.0 license. >> sha256 ceb1b36ff073bd13d9806d4615b931707768ca9023805620acc32dd1cfc2f680 LICENSE > > Hmm, though I having some issues with trying to accommodate this. > > Adding the following line to mender.hash: > > # BSD 2 Clause license. > sha256 8d427fd87bc9579ea368fde3d49f9ca22eac857f91a9dec7e3004bdfab7dee86 > vendor/github.com/pkg/errors/LICENSE > > Does not do anything, when I run: > > $ make mender-legal-info > >>> mender 1.4.0 Collecting legal info > LICENSE: OK (sha256: > ceb1b36ff073bd13d9806d4615b931707768ca9023805620acc32dd1cfc2f680) > LIC_FILES_CHKSUM.sha256: OK (sha256: > 54d6f54a2815cc2e3cef4f7dde5a3aae20f09b2cde394d8d3f1dce5d8a79d738) > > Inspecting other *.hash files in Buildroot, no one seems to reference > files that are outside of the "root source". Or should I specify the > path differently? There are a number of packages with license files in subdirectories. For example: make alsa-lib-legal-info ... >>> alsa-lib 1.1.6 Collecting legal info COPYING: OK (sha256: 32434afcc8666ba060e111d715bfdb6c2d5dd8a35fa4d3ab8ad67d8f850d2f2b) aserver/COPYING: OK (sha256: bfe16cf823bcff261fc6a062c07ee96660e3c39678f42f39a788a68dbc234ced) baruch -- http://baruch.siach.name/blog/ ~. .~ Tk Open Systems =}------------------------------------------------ooO--U--Ooo------------{= - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -