From: michael.opdenacker@bootlin.com
To: docs@lists.yoctoproject.org
Cc: Michael Opdenacker <michael.opdenacker@bootlin.com>,
Joshua Watt <JPEWhacker@gmail.com>
Subject: [PATCH 2/2] dev-manual: licenses: mention SPDX for license compliance
Date: Wed, 13 Sep 2023 16:50:57 +0200 [thread overview]
Message-ID: <20230913145057.3100143-2-michael.opdenacker@bootlin.com> (raw)
In-Reply-To: <20230913145057.3100143-1-michael.opdenacker@bootlin.com>
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
CC: Joshua Watt <JPEWhacker@gmail.com>
---
documentation/dev-manual/licenses.rst | 30 ++++++++++++++++++++-------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/documentation/dev-manual/licenses.rst b/documentation/dev-manual/licenses.rst
index f28baf57d1..3b9190d47f 100644
--- a/documentation/dev-manual/licenses.rst
+++ b/documentation/dev-manual/licenses.rst
@@ -305,14 +305,28 @@ There are other requirements beyond the scope of these three and the
methods described in this section (e.g. the mechanism through which
source code is distributed).
-As different organizations have different methods of complying with open
-source licensing, this section is not meant to imply that there is only
-one single way to meet your compliance obligations, but rather to
-describe one method of achieving compliance. The remainder of this
-section describes methods supported to meet the previously mentioned
-three requirements. Once you take steps to meet these requirements, and
-prior to releasing images, sources, and the build system, you should
-audit all artifacts to ensure completeness.
+As different organizations have different ways of releasing software,
+there can be multiple ways of meeting license obligations. At
+least, we describe here two methods for achieving compliance:
+
+- The first method is to use OpenEmbedded's ability to provide
+ the source code, provide a list of licenses, as well as
+ compilation scripts and source code modifications.
+
+ The remainder of this section describes supported methods to meet
+ the previously mentioned three requirements.
+
+- The second method is to generate a *Software Bill of Materials*
+ (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section.
+ Not only do you generate :term:`SPDX` output which can be used meet
+ license compliance requirements (except for sharing the build system
+ and layers sources for the time being), but this output also includes
+ component version and patch information which can be used
+ for vulnerability assessment.
+
+Whatever method you choose, prior to releasing images, sources,
+and the build system, you should audit all artifacts to ensure
+completeness.
.. note::
--
2.34.1
prev parent reply other threads:[~2023-09-13 14:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-13 14:50 [PATCH 1/2] dev-manual: licenses: update license manifest location michael.opdenacker
2023-09-13 14:50 ` michael.opdenacker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230913145057.3100143-2-michael.opdenacker@bootlin.com \
--to=michael.opdenacker@bootlin.com \
--cc=JPEWhacker@gmail.com \
--cc=docs@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox