On Wed, 29 May 2024 at 05:06, Hanke Fabian (DC/PAR) via lists.yoctoproject.org <fabian.hanke=bosch....@lists.yoctoproject.org> wrote:
> Hello,
>
> we were wondering if anyone has experiences / best practices on how to
> detect if packages link to a library from another GPL licensed package? We
> know that there are ways to completely filter out some licenses via
> INCOMPATIBLE_LICENSE. But from our (limited) legal knowledge it is okay to
> include them in our image, if we fulfill all the obligations. One
> obligation implies that code linked to a GPL library will need to have the
> same license (derivative work). Hence we would like to avoid that packages
> containing our own closed source software link by accident to a GPL based
> library. Has anyone experiences / best practices on how to detect this
> automatically during the bitbake build?
>

I wanted to bring up a nuance because you are saying 'GPL based library'. There are several different GPL licenses which need to be evaluated when linking to them. The lawyers at Bosch can give the best advice, but the following rule of thumb may be useful:

Linking to licenses with AGPL -> must be a compatible source license (aka source must be available and modifiable by user) and must meet additional requirements for delivery

Linking to licenses with GPL -> must be a compatible source license (aka source must be available and modifiable by user)

Linking to licenses with LGPL -> can be a closed source library in many cases. [again get a lawyer's review]

Then there are the GPL and LGPL with exception licenses. Those exceptions might be something 'slight' so that license incompatibilities between the OpenSSL or Apache can be still 'excepted' for use. And then there are the exceptions which basically allow any closed source to link against it. Those need a lawyer's review. There are also differences between version 2 and version 3 of the licenses that again need a lawyer's advice.

On many Linux operating systems the libc is based off of glibc which is LGPL2+ with exceptions and GPL2+ with exceptions for various binaries. Other libraries that are in common use may also be. There are also example layers like the one that Etienne Cordonnier brought up which can help cut down potential conflicts.

And my apologies for bringing up 'lawyer's review' so much. Various parts of Bosch have worked in this space for a long time so I figured there was a dedicated counsel who can help guide engineering projects through GPL and other license linking and compliance.

> Best regards,
> Fabian Hanke
> --------------------------------
> Bosch Rexroth AG
> Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart
> HRB 23192 Executive Board: Dr. Steffen Haack (President), Roland
> Bittenauer, Thomas Fechner, Holger von Hebel, Reinhard Schäfer Chairman of
> the Supervisory Board: Dr. Markus Forschner
>

--
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
View/Reply Online (#63224): https://lists.yoctoproject.org/g/yocto/message/63224