diff options
| author | Michael Opdenacker <michael.opdenacker@bootlin.com> | 2023-09-13 16:11:58 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-19 15:57:35 +0100 |
| commit | 39f02bdc8dc1817220268aed0357d16450ee9bc8 (patch) | |
| tree | a0ba7636487110f9aa9f33181ddfd8d7a18eee8d /documentation/dev-manual | |
| parent | 8f6f37b37bf3f062b15d4a57663f56f6d946276b (diff) | |
| download | poky-39f02bdc8dc1817220268aed0357d16450ee9bc8.tar.gz | |
dev-manual: licenses: mention SPDX for license compliance
(From yocto-docs rev: a34626dd59617a32f6c20aa9ac11f15db2795a75)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
CC: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
| -rw-r--r-- | documentation/dev-manual/licenses.rst | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/documentation/dev-manual/licenses.rst b/documentation/dev-manual/licenses.rst index f28baf57d1..3b9190d47f 100644 --- a/documentation/dev-manual/licenses.rst +++ b/documentation/dev-manual/licenses.rst | |||
| @@ -305,14 +305,28 @@ There are other requirements beyond the scope of these three and the | |||
| 305 | methods described in this section (e.g. the mechanism through which | 305 | methods described in this section (e.g. the mechanism through which |
| 306 | source code is distributed). | 306 | source code is distributed). |
| 307 | 307 | ||
| 308 | As different organizations have different methods of complying with open | 308 | As different organizations have different ways of releasing software, |
| 309 | source licensing, this section is not meant to imply that there is only | 309 | there can be multiple ways of meeting license obligations. At |
| 310 | one single way to meet your compliance obligations, but rather to | 310 | least, we describe here two methods for achieving compliance: |
| 311 | describe one method of achieving compliance. The remainder of this | 311 | |
| 312 | section describes methods supported to meet the previously mentioned | 312 | - The first method is to use OpenEmbedded's ability to provide |
| 313 | three requirements. Once you take steps to meet these requirements, and | 313 | the source code, provide a list of licenses, as well as |
| 314 | prior to releasing images, sources, and the build system, you should | 314 | compilation scripts and source code modifications. |
| 315 | audit all artifacts to ensure completeness. | 315 | |
| 316 | The remainder of this section describes supported methods to meet | ||
| 317 | the previously mentioned three requirements. | ||
| 318 | |||
| 319 | - The second method is to generate a *Software Bill of Materials* | ||
| 320 | (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section. | ||
| 321 | Not only do you generate :term:`SPDX` output which can be used meet | ||
| 322 | license compliance requirements (except for sharing the build system | ||
| 323 | and layers sources for the time being), but this output also includes | ||
| 324 | component version and patch information which can be used | ||
| 325 | for vulnerability assessment. | ||
| 326 | |||
| 327 | Whatever method you choose, prior to releasing images, sources, | ||
| 328 | and the build system, you should audit all artifacts to ensure | ||
| 329 | completeness. | ||
| 316 | 330 | ||
| 317 | .. note:: | 331 | .. note:: |
| 318 | 332 | ||