On Wed, 2020-07-08 at 17:48 +0200, Christian Eggers wrote:
> According to [1], a license manifest is generated during image
> creation:
>
> "The Yocto Project generates a license manifest during image creation
> that is located in ${DEPLOY_DIR}/licenses/image_name-datestamp to
> assist with any audits."
>
> This manifest lists all packages installed on the target (either
> being installed
> directly via IMAGE_INSTALL or due to other packages RDEPENDS).
>
> The manifest seems to miss header-only libraries (like tclap or big
> parts
> of boost), which were used during compilation (headers) but do not
> contain dynamic libraries required at runtime. I guess that the same
> may be true for libraries linked statically.
>
> Setting RDEPENDS_${PN} += "tclap" in my own applications recipe
> seems to improve the situation as now the (empty) package tclap
> is included in my image and in the license.manifest. But this
> requires
> manual work and cannot do this for all recipes shipped by OE.
> Additionally this doesn't work for boost, as rdepending on boost
> will pull in ALL boost library packages.
>
> Is there a reliable way to get the header-only/static libraries into
> the manifest file?
The image manifest is a list of the things actually shipping in the
image and their corresponding licenses. Most images don't ship
development headers so they'll not be included there.
You can certainly get a list of everything used during the build
instead. I'm not sure how you'd decide that a set of headers were used
or not, compared to say the cross toolchain binaries or a native tool
though so anything in between these two is harder.
There is some work I did a while back which traces all SPDX identifiers
referenced by debug symbols in the code to better audit license
information but the lack of SPDX headers in much of the code we use
makes that less useful right now.
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=rpurdie/license-experiments-osls
(and a presentation/slides at OSLS 2019)
Cheers,
Richard
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#140426):
https://lists.openembedded.org/g/openembedded-core/message/140426
Mute This Topic: https://lists.openembedded.org/mt/75379155/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
