License Infrastructure Interest Group

Overview

This group is for discussion of all things having to do with licenses, specifically, license wrangling, field parsing, possible SPDX implementation, etc.

• Contact Eflanagan for more info

SPDX

The Software Package Data Exchange® (SPDX™) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. For the common-licenses used for the Yocto Project, we should, when possible, use the SPDX generic licenses for Yocto's license wrangling. As well, we should also use the SPDX Identifier field to identify the license fields within LICENSE

• http://spdx.org/licenses/ for more info on common-license text and the Identifier field.
• http://spdx.org/ for more info on SPDX

LICENSE Field Standard

Packages with known LICENSE issues

• none

Naming

All names should adhere to the textfile name of the common-license as defined in poky/meta/files/common-licenses. These file names follow the SPDX naming standard when an SPDX license file is available. If no SPDX file exists, we should:

• Attempt to get a generic license from the license provider
• Offer the generic upstream to SPDX (to be defined)

This following is a list of all liceneses currently registered with SPDX.

Licenses

Parsing operations

The LICENSE field is parsed by converting the field to a Python Abstract Syntax Tree. ASTs are internal to the python compiler and are used by python in the generation of python bytecode. We create, from the LICENSE field after attempting to turn it more "pythonesque", an abstract syntax tree via ast.parse. Using an AST Visitor class, we then dump the ast and visit each node of the tree.

What this means is that, since we are using the python compiler components to parse the LICENSE field, it should be syntactically valid python.

License v2

Current License Issues

• Parallel bitbake causes inconsistent license reporting
  • This is because we're doing this in the wrong place. During do_rootfs is where we need to do this as the package populates the rootfs.
• License decision making is non-existent
  • Right now, we just grab all licenses listed in the license field. We need to have a decision made based on:
    • Tie this in to incompatible license. If something is dual licensed and we *can* restrict this to a different license, do so
    • License legal priority (Which license overrides another license?)
    • License user priority (All things being equal try to provide something under X license first and Y license second)
• Add licenses to the image as a conf option
• Possible (generate spdx license files as part of the manifest). SPDX or not, we need a manifest.
• We have some problematic licenses. License Audit

License v2 Plan

Stage One - Fix current defects:

• Fix where the license collection occurs. This needs to occur during the creation of the rootfs.
• Ensure that we can use this during a parallel bitbake
• Incorporate a flag to allow the image to contain collected licenses.
• Ensure that we've gotten rid of all license WARNINGS. (Add license text, correct recipes)
• Create a way to add additional licenses.

Stage Two - License decision making:

• Check to see if the package license field contains an incompatible license. If it does, toss a warning.
• Check user/legal license priority.
  • When given FOOv2 | BARv1, where the user has weighted BARv1 as higher than FOOv2, we would choose BAR.
  • When given FOOv2 & BARv1, where FOOv2 overrides BARv1, use FOOv2 even if the user has weighted BARv1 as higher.

Stage Three - Manifest:

• As we do_rootfs we should:
  • Check to see if the package has an SPDX meta-data file.
    • If it does, use it.
    • If it doesn't, generate one but mark it as automatically generated and not an official spdx file.
  • Gather up spdx files into a work dir
• Once the image is finished gather up all the spdx licenses and create an spdx manifest for the image
• Once the image is finished gather up all the spdx licenses and create a raw text manifest for the image