summaryrefslogtreecommitdiffstats
path: root/documentation
diff options
context:
space:
mode:
authorMichael Opdenacker <michael.opdenacker@bootlin.com>2023-09-13 16:11:58 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2023-09-19 15:57:35 +0100
commit39f02bdc8dc1817220268aed0357d16450ee9bc8 (patch)
treea0ba7636487110f9aa9f33181ddfd8d7a18eee8d /documentation
parent8f6f37b37bf3f062b15d4a57663f56f6d946276b (diff)
downloadpoky-39f02bdc8dc1817220268aed0357d16450ee9bc8.tar.gz
dev-manual: licenses: mention SPDX for license compliance
(From yocto-docs rev: a34626dd59617a32f6c20aa9ac11f15db2795a75) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> CC: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation')
-rw-r--r--documentation/dev-manual/licenses.rst30
1 files changed, 22 insertions, 8 deletions
diff --git a/documentation/dev-manual/licenses.rst b/documentation/dev-manual/licenses.rst
index f28baf57d1..3b9190d47f 100644
--- a/documentation/dev-manual/licenses.rst
+++ b/documentation/dev-manual/licenses.rst
@@ -305,14 +305,28 @@ There are other requirements beyond the scope of these three and the
305methods described in this section (e.g. the mechanism through which 305methods described in this section (e.g. the mechanism through which
306source code is distributed). 306source code is distributed).
307 307
308As different organizations have different methods of complying with open 308As different organizations have different ways of releasing software,
309source licensing, this section is not meant to imply that there is only 309there can be multiple ways of meeting license obligations. At
310one single way to meet your compliance obligations, but rather to 310least, we describe here two methods for achieving compliance:
311describe one method of achieving compliance. The remainder of this 311
312section describes methods supported to meet the previously mentioned 312- The first method is to use OpenEmbedded's ability to provide
313three requirements. Once you take steps to meet these requirements, and 313 the source code, provide a list of licenses, as well as
314prior to releasing images, sources, and the build system, you should 314 compilation scripts and source code modifications.
315audit all artifacts to ensure completeness. 315
316 The remainder of this section describes supported methods to meet
317 the previously mentioned three requirements.
318
319- The second method is to generate a *Software Bill of Materials*
320 (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section.
321 Not only do you generate :term:`SPDX` output which can be used meet
322 license compliance requirements (except for sharing the build system
323 and layers sources for the time being), but this output also includes
324 component version and patch information which can be used
325 for vulnerability assessment.
326
327Whatever method you choose, prior to releasing images, sources,
328and the build system, you should audit all artifacts to ensure
329completeness.
316 330
317.. note:: 331.. note::
318 332