[Buildroot] [PATCH] core/legal-info: Add package dependencies with licenses to the manifest
Michal Sojka
sojkam1 at fel.cvut.cz
Fri Aug 10 13:53:11 UTC 2018
On Fri, Aug 10 2018, Matthew Weber wrote:
> Michal,
> On Fri, Aug 10, 2018 at 5:37 AM Michal Sojka <sojkam1 at fel.cvut.cz> wrote:
>>
>> Hi Matthew,
>>
>> On Thu, Aug 09 2018, Matthew Weber wrote:
>> > Michal,
>> >
>> > On Thu, Aug 9, 2018 at 12:08 PM <sojkam1 at fel.cvut.cz> wrote:
>> >>
>> >> From: Michal Sojka <michal.sojka at cvut.cz>
>> >>
>> >> This adds one column to the legal-info manifest table. It contains the
>> >> dependencies of the given package and their licenses. This information
>> >> is useful when assessing license compatibility of the packages and
>> >> their libraries.
>> >>
>> >> An example of the content of the new column for the MPD package is
>> >> shown below:
>> >>
>> >> "alsa-lib (LGPL-2.1+ (library), GPL-2.0+ (aserver)),
>> >> boost (BSL-1.0), libid3tag (GPL-2.0+), libmad (GPL-2.0+),
>> >> libzlib (Zlib), skeleton-init-common (unknown),
>> >> skeleton-init-sysv (unknown),
>> >> toolchain-external-linaro-arm (unknown), "
>> >
>> > This output is definitely good verbose data to look at for possible
>> > licensing violations/inheritance. Maybe it would be better shown as a
>> > part of the dependency graph?
>>
>> I was also thinking about that, but my feeling is that lawyers and
>> managers prefer tables over graphs and I need this information for those
>> people.
>
> I didn't notice this initially, but this may point out that we need to
> tag the license info for buildroot items (skeleton, etc) and
> toolchain.
Regarding the toolchain, I added a license. Skeleton seems to be so
simple (just a standard UNIX directory structure and a few files in etc)
that it is a question whether copyright applies to it.
> However that may not really matter as these dependencies
> don't reflect actual use (linking, etc). So how are you using this
> data as it doesn't exactly reflect license interaction between those
> dependent packages?
Yes. I consider this output just as a hint. If a problematic license
combination is identified, one needs to go to the sources to see whether
the problem is real or not.
-Michal
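
Added example, not part of the original thread or of Buildroot's code: a small parser for the new manifest column as quoted in the commit message above, which lists the dependencies still reported as "unknown" (the skeleton and toolchain entries discussed in the replies). The function names are hypothetical, the sample string is reconstructed from the quoted MPD example, and, as the thread notes, the result is only a hint about which packages to inspect.

```python
# Constructed sample: the MPD column value quoted in the commit message.
MPD_DEPS = (
    "alsa-lib (LGPL-2.1+ (library), GPL-2.0+ (aserver)), "
    "boost (BSL-1.0), libid3tag (GPL-2.0+), libmad (GPL-2.0+), "
    "libzlib (Zlib), skeleton-init-common (unknown), "
    "skeleton-init-sysv (unknown), "
    "toolchain-external-linaro-arm (unknown), "
)

def parse_dependency_column(cell):
    """Split 'pkg (license), pkg (license), ' into (pkg, license) pairs.
    License text may itself contain parentheses and commas, so entries
    are split only on commas at parenthesis depth zero."""
    entries, depth, start = [], 0, 0
    for i, ch in enumerate(cell):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' at offset {i}")
        elif ch == "," and depth == 0:
            entries.append(cell[start:i])
            start = i + 1
    if depth != 0:
        raise ValueError("unbalanced '(' in dependency column")
    entries.append(cell[start:])

    pairs = []
    for entry in entries:
        entry = entry.strip()
        if not entry:  # the trailing ", " leaves one empty entry
            continue
        name, sep, rest = entry.partition(" (")
        if not sep or not rest.endswith(")"):
            raise ValueError(f"malformed entry: {entry!r}")
        pairs.append((name, rest[:-1]))  # drop the closing parenthesis
    return pairs

def untagged(pairs):
    """Packages whose license the manifest reports as 'unknown'."""
    return [name for name, lic in pairs if lic == "unknown"]

if __name__ == "__main__":
    deps = parse_dependency_column(MPD_DEPS)
    print("needs license tag:", ", ".join(untagged(deps)))
```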