diff options
| author | Michael Opdenacker <michael.opdenacker@bootlin.com> | 2023-09-13 16:11:58 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-09-23 05:26:16 -1000 |
| commit | fde8ab5b90336b464bb4e12301ae0a638493190d (patch) | |
| tree | c496659bb5abe50d00e08bf613bdbd6eea145591 /documentation | |
| parent | 593618f139c0cf3a917e2c2e3285f586b0541e87 (diff) | |
| download | poky-fde8ab5b90336b464bb4e12301ae0a638493190d.tar.gz | |
dev-manual: licenses: mention SPDX for license compliance
(From yocto-docs rev: cdd98a93f36694404393279d29743d97edd9be22)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
CC: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'documentation')
| -rw-r--r-- | documentation/dev-manual/licenses.rst | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/documentation/dev-manual/licenses.rst b/documentation/dev-manual/licenses.rst index b485f77708..15e5c7396a 100644 --- a/documentation/dev-manual/licenses.rst +++ b/documentation/dev-manual/licenses.rst | |||
| @@ -300,14 +300,28 @@ There are other requirements beyond the scope of these three and the | |||
| 300 | methods described in this section (e.g. the mechanism through which | 300 | methods described in this section (e.g. the mechanism through which |
| 301 | source code is distributed). | 301 | source code is distributed). |
| 302 | 302 | ||
| 303 | As different organizations have different methods of complying with open | 303 | As different organizations have different ways of releasing software, |
| 304 | source licensing, this section is not meant to imply that there is only | 304 | there can be multiple ways of meeting license obligations. At |
| 305 | one single way to meet your compliance obligations, but rather to | 305 | least, we describe here two methods for achieving compliance: |
| 306 | describe one method of achieving compliance. The remainder of this | 306 | |
| 307 | section describes methods supported to meet the previously mentioned | 307 | - The first method is to use OpenEmbedded's ability to provide |
| 308 | three requirements. Once you take steps to meet these requirements, and | 308 | the source code, provide a list of licenses, as well as |
| 309 | prior to releasing images, sources, and the build system, you should | 309 | compilation scripts and source code modifications. |
| 310 | audit all artifacts to ensure completeness. | 310 | |
| 311 | The remainder of this section describes supported methods to meet | ||
| 312 | the previously mentioned three requirements. | ||
| 313 | |||
| 314 | - The second method is to generate a *Software Bill of Materials* | ||
| 315 | (:term:`SBoM`), as described in the ":doc:`/dev-manual/sbom`" section. | ||
| 316 | Not only do you generate :term:`SPDX` output which can be used meet | ||
| 317 | license compliance requirements (except for sharing the build system | ||
| 318 | and layers sources for the time being), but this output also includes | ||
| 319 | component version and patch information which can be used | ||
| 320 | for vulnerability assessment. | ||
| 321 | |||
| 322 | Whatever method you choose, prior to releasing images, sources, | ||
| 323 | and the build system, you should audit all artifacts to ensure | ||
| 324 | completeness. | ||
| 311 | 325 | ||
| 312 | .. note:: | 326 | .. note:: |
| 313 | 327 | ||