From: michael.opdenacker@bootlin.com
To: docs@lists.yoctoproject.org
Cc: Michael Opdenacker <michael.opdenacker@bootlin.com>,
Joshua Watt <JPEWhacker@gmail.com>
Subject: [mickledore][PATCH 5/7] dev-manual: licenses: mention SPDX for license compliance
Date: Wed, 20 Sep 2023 10:07:52 +0200
Message-ID: <20230920080754.1225508-6-michael.opdenacker@bootlin.com>
In-Reply-To: <20230920080754.1225508-1-michael.opdenacker@bootlin.com>
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
CC: Joshua Watt <JPEWhacker@gmail.com>
---
documentation/dev-manual/licenses.rst | 30 ++++++++++++++++++++-------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/documentation/dev-manual/licenses.rst b/documentation/dev-manual/licenses.rst
index 9629dc5329..200c3fc389 100644
--- a/documentation/dev-manual/licenses.rst
+++ b/documentation/dev-manual/licenses.rst
@@ -298,14 +298,28 @@ There are other requirements beyond the scope of these three and the
methods described in this section (e.g. the mechanism through which
source code is distributed).
-As different organizations have different methods of complying with open
-source licensing, this section is not meant to imply that there is only
-one single way to meet your compliance obligations, but rather to
-describe one method of achieving compliance. The remainder of this
-section describes methods supported to meet the previously mentioned
-three requirements. Once you take steps to meet these requirements, and
-prior to releasing images, sources, and the build system, you should
-audit all artifacts to ensure completeness.
+As different organizations have different ways of releasing software,
+there can be multiple ways of meeting license obligations. At
+least, we describe here two methods for achieving compliance:
+
+- The first method is to use OpenEmbedded's ability to provide
+ the source code, provide a list of licenses, as well as
+ compilation scripts and source code modifications.
+
+ The remainder of this section describes supported methods to meet
+ the previously mentioned three requirements.
+
+- The second method is to generate a *Software Bill of Materials*
+ (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section.
+ Not only do you generate :term:`SPDX` output which can be used meet
+ license compliance requirements (except for sharing the build system
+ and layers sources for the time being), but this output also includes
+ component version and patch information which can be used
+ for vulnerability assessment.
+
+Whatever method you choose, prior to releasing images, sources,
+and the build system, you should audit all artifacts to ensure
+completeness.
.. note::
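Review bot: The second bullet has a missing word: "which can be used meet license compliance requirements" should read "which can be used to meet license compliance requirements". In the lead-in, "At least, we describe here two methods" reads awkwardly; something like "We describe two methods here" would be clearer. The parenthetical "(except for sharing the build system and layers sources for the time being)" leaves the reader guessing how to cover that requirement when choosing the SBoM route; consider saying explicitly that the first method is still needed for the build system and layers, since the closing paragraph asks for an audit of "images, sources, and the build system" whichever method is chosen.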
--
2.34.1