[Buildroot] [PATCH] core/legal-info: Add package dependencies with licenses to the manifest

Michal Sojka sojkam1 at fel.cvut.cz
Fri Aug 10 13:53:11 UTC 2018


On Fri, Aug 10 2018, Matthew Weber wrote:
> Michal,
> On Fri, Aug 10, 2018 at 5:37 AM Michal Sojka <sojkam1 at fel.cvut.cz> wrote:
>>
>> Hi Matthew,
>>
>> On Thu, Aug 09 2018, Matthew Weber wrote:
>> > Michal,
>> >
>> > On Thu, Aug 9, 2018 at 12:08 PM <sojkam1 at fel.cvut.cz> wrote:
>> >>
>> >> From: Michal Sojka <michal.sojka at cvut.cz>
>> >>
>> >> This adds one column to the legal-info manifest table. It contains the
>> >> dependencies of the given package and their licenses. This information
>> >> is useful when assessing license compatibility of the packages and
>> >> their libraries.
>> >>
>> >> An example of the content of the new column for the MPD package is
>> >> shown below:
>> >>
>> >>     "alsa-lib (LGPL-2.1+ (library), GPL-2.0+ (aserver)),
>> >>     boost (BSL-1.0), libid3tag (GPL-2.0+), libmad (GPL-2.0+),
>> >>     libzlib (Zlib), skeleton-init-common (unknown),
>> >>     skeleton-init-sysv (unknown),
>> >>     toolchain-external-linaro-arm (unknown), "
>> >
>> > This output is definitely good verbose data to look at for possible
>> > licensing violations/inheritance.  Maybe it would be better shown as a
>> > part of the dependency graph?
>>
>> I was also thinking about that, but my feeling is that lawyers and
>> managers prefer tables over graphs and I need this information for those
>> people.
>
> I didn't notice this initially, but this may point out that we need to
> tag the license info for buildroot items (skeleton, etc) and
> toolchain.

Regarding the toolchain, I added a license. Skeleton seems to be so
simple (just a standard UNIX directory structure and a few files in etc)
that it is a question whether copyright applies to it.

> However that may not really matter as these dependencies
> don't reflect actual use (linking, etc).  So how are you using this
> data as it doesn't exactly reflect license interaction between those
> dependent packages?

Yes. I consider this output just as a hint. If a problematic license
combination is identified, one needs to go to the sources to see whether
the problem is real or not.

-Michal
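As an added illustration of how the new column can be consumed (this is
example code written for this page, not part of the patch or of Buildroot),
the script below parses a legal-info manifest.csv that carries the dependency
column, splits the nested "name (license)" entries shown in the mail, and
raises the kind of hint Michal describes: dependencies with an unknown
license, and GPL-licensed dependencies sitting under a non-GPL package. The
column header name "DEPENDENCIES WITH LICENSES" and the other manifest
columns are assumptions; the manifest rows are constructed for the example,
reusing the mpd dependency text quoted above. A hint only says where to look
in the sources, it does not decide whether the combination is a problem.

```python
"""Parse a Buildroot legal-info manifest with the dependency column and flag
license combinations worth a closer look.

Added example, not Buildroot code. Assumptions not stated in the thread: the
manifest is CSV with a header row and the new column is named
"DEPENDENCIES WITH LICENSES". The sample manifest is constructed.
"""
import csv
import io

# Constructed sample manifest. The mpd dependency text is the one quoted in
# the mail; the versions, file names and the vendor-app row are made up.
SAMPLE_MANIFEST = '''PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,DEPENDENCIES WITH LICENSES
mpd,x.y,GPL-2.0+,COPYING,mpd-x.y.tar.xz,https://example.invalid/,"alsa-lib (LGPL-2.1+ (library), GPL-2.0+ (aserver)), boost (BSL-1.0), libid3tag (GPL-2.0+), libmad (GPL-2.0+), libzlib (Zlib), skeleton-init-common (unknown), skeleton-init-sysv (unknown), toolchain-external-linaro-arm (unknown), "
vendor-app,1.0,PROPRIETARY,LICENSE.txt,vendor-app-1.0.tar.gz,not-available,"libmad (GPL-2.0+), libzlib (Zlib), "
'''


def split_top_level(text, sep=","):
    """Split on sep only at parenthesis depth 0, so a nested per-component
    license list such as 'alsa-lib (LGPL-2.1+ (library), GPL-2.0+ (aserver))'
    stays one entry. Empty trailing pieces (the column ends in ', ') are dropped."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_dependency_column(text):
    """'name (license), name2 (license2), ' -> [(name, license), ...]"""
    deps = []
    for entry in split_top_level(text):
        name, sep, rest = entry.partition(" (")
        if not sep or not rest.endswith(")"):
            raise ValueError("unexpected dependency entry: %r" % entry)
        deps.append((name.strip(), rest[:-1]))
    return deps


def license_ids(license_text):
    """Drop per-component annotations: 'LGPL-2.1+ (library)' -> 'LGPL-2.1+'."""
    return [t.partition(" (")[0].strip() for t in split_top_level(license_text)]


def is_gpl(ids):
    # Prefix match on "GPL-"; "LGPL-" deliberately does not match.
    return any(i.startswith("GPL-") for i in ids)


def find_license_hints(manifest_csv):
    """Return (package, dependency, reason) triples. These are hints only:
    the manifest does not say how a dependency is used (linking, separate
    process, build-time only), so each one must be checked in the sources."""
    hints = []
    for row in csv.DictReader(io.StringIO(manifest_csv)):
        pkg = row["PACKAGE"]
        pkg_gpl = is_gpl(license_ids(row["LICENSE"]))
        for dep, lic in parse_dependency_column(row["DEPENDENCIES WITH LICENSES"]):
            ids = license_ids(lic)
            if "unknown" in ids:
                hints.append((pkg, dep, "dependency license unknown; tag it"))
            elif not pkg_gpl and is_gpl(ids):
                hints.append((pkg, dep,
                              "GPL dependency under a non-GPL package; check how it is used"))
    return hints


if __name__ == "__main__":
    for pkg, dep, reason in find_license_hints(SAMPLE_MANIFEST):
        print("%s -> %s: %s" % (pkg, dep, reason))
```

Running the script on the constructed manifest reports the three "unknown"
dependencies of mpd (the skeleton and toolchain entries discussed in the
thread) and the libmad dependency of the proprietary package; libid3tag and
libmad under mpd are not reported because mpd is itself GPL-2.0+.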


