On Wed, 29 May 2024 at 13:18, Stephen John Smoogen via lists.yoctoproject.org <smooge=gmail....@lists.yoctoproject.org> wrote:
> I wanted to bring up a nuance because you are saying 'GPL based library'.
> There are several different GPL licenses which need to be evaluated when
> linking to. The lawyers at Bosch can give the best advice, but this following
> rule of thumb may be useful:
>
> Linking to licenses with AGPL -> must be a compatible source license (aka
> source must be available and modifiable by user) and must meet additional
> requirements for delivery
> Linking to licenses with GPL -> must be a compatible source license (aka
> source must be available and modifiable by user)
> Linking to licenses with LGPL -> can be a closed source library in many
> cases. [again get a lawyer's review]
>
> Then there are the GPL and LGPL with exception licenses. Those exceptions
> might be something 'slight' so that license incompatibilities between the
> OpenSSL or Apache can be still 'excepted' for use. And then there are the
> exceptions which basically allow any closed source to link against it. Those
> need a lawyer's review. There are also differences between version 2 and
> version 3 of the licenses that again need lawyer's advice.
>
> On many Linux operating systems the libc is based off of glibc which is
> LGPL2+ with exceptions and GPL2+ with exceptions for various binaries. Other
> libraries that are in common use may also be. There are also example layers
> like the one that Etienne Cordonnier brought up which can help cut down
> potential conflicts.
>
> And my apologies for bringing up 'lawyers review' so much. Various parts of
> Bosch have worked in this space for a long time so I figured there was a
> dedicated counsel who can help guide engineering projects through GPL and
> other license linking and compliance.
>

The question was how to figure out programmatically what actually links with GPL pieces without doing a laborious manual review of every component in the product. And doing it at the Yocto integration point where the problem is introduced, and not after the fact in legal review where the cost of correcting that mistake is going to be 10x or 100x.

Sounds like this could be a test in package_qa task? I'm not aware of anything in oe-core that does it, but experiments in that direction welcome.

Alex
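
One shape such a linkage check could take, as an added example that is not part of the original thread and is not oe-core code: it walks each closed-source package's NEEDED sonames, directly and transitively, and reports every GPL or AGPL library reached, separating out "with exception" licenses that the quoted message says need legal review. Package names, license strings and NEEDED lists are constructed, and treating `CLOSED`/`Proprietary` as the marker for closed-source packages is an assumption.

```python
import re

# Constructed sample data (hypothetical package and library names). In a real
# build the "needs" lists would be the NEEDED sonames that `readelf -d` shows
# for each packaged ELF file, and the license strings would come from recipes.
PACKAGES = {
    "vendor-app": {"license": "CLOSED", "provides": [],
                   "needs": ["libui.so.1", "libcfg.so.2", "libzip.so.5"]},
    "libui":      {"license": "MIT", "provides": ["libui.so.1"],
                   "needs": ["libterm.so.8"]},
    "libterm":    {"license": "GPL-3.0-or-later",
                   "provides": ["libterm.so.8"], "needs": []},
    "libcfg":     {"license": "LGPL-2.1-or-later",
                   "provides": ["libcfg.so.2"], "needs": []},
    "libzip":     {"license": "GPL-2.0-or-later WITH Classpath-exception-2.0",
                   "provides": ["libzip.so.5"], "needs": []},
    "gpl-tool":   {"license": "GPL-2.0-only", "provides": [],
                   "needs": ["libterm.so.8"]},
}

# Matches GPL-* and AGPL-* terms; \b keeps LGPL-* from matching.
GPL_RE = re.compile(r"\bA?GPL-[\w.+-]*(\s+WITH\s+\S+)?", re.IGNORECASE)

def classify(license_expr):
    """Return 'gpl', 'gpl-exception' (needs legal review) or None."""
    kinds = {"gpl-exception" if "with" in m.group(0).lower() else "gpl"
             for m in GPL_RE.finditer(license_expr)}
    return "gpl" if "gpl" in kinds else ("gpl-exception" if kinds else None)

def gpl_linkage(packages, closed=("CLOSED", "Proprietary")):
    """List (dependency chain, kind) for GPL libraries reachable from closed packages."""
    provider = {so: n for n, p in packages.items() for so in p["provides"]}
    findings = []
    for name, pkg in packages.items():
        if pkg["license"] not in closed:
            continue  # open-source packages linking GPL code are not flagged
        stack, seen = [(name, [name])], {name}
        while stack:
            cur, chain = stack.pop()
            for so in packages[cur]["needs"]:
                dep = provider.get(so)
                if dep is None or dep in seen:
                    continue  # unresolved soname or already visited
                seen.add(dep)
                kind = classify(packages[dep]["license"])
                if kind:
                    findings.append((" -> ".join(chain + [dep]), kind))
                stack.append((dep, chain + [dep]))
    return sorted(findings)
```

Any GPL term in a license expression is flagged here, including one side of a dual-license choice, so a finding is a prompt for review rather than a verdict.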