Open Source license compliance

From RidgeRun Developer Wiki

Introduction

Nearly all software is controlled by a license, even Open Source software. The RidgeRun SDK makes it easier to comply with Open Source license requirements by:

  • Providing an easy-to-find license file for each Open Source package included with the SDK
  • Making it easy to generate a source tarball of all the Open Source packages that are enabled when you build your product's firmware image

Two features added to RidgeRun's SDK support this: Open Source package license support and Open Source source code tarball generation. The first consists of an additional XML file in each downloaded Open Source package, plus a tool that parses all of these files and generates an HTML license file. The second creates a tarball containing the source code of all enabled Open Source packages.

Package License support

Package license support creates HTML files from the information in the copyrights.xml file associated with each enabled Open Source package. RidgeRun writes these license files manually for each package. Each license file includes the following information (some items are optional):

  • Package name.
  • Version.
  • Release date: the date on which this package version was published. (Optional)
  • Manufacturer: the company that develops the package. If the manufacturer is unknown, the package's official web page link can be used instead.
  • Summary: brief description of the package.
  • Link: official web page of the package or manufacturer.
  • Download link: the link from which the package can be downloaded. It is used only for packages that need special treatment. (Optional)
  • Issues: link for bug reports. (Optional)
  • License type: the type of license the package uses, for example MIT, BSD, or LGPL.
  • License link: web page link for the license.
  • License text: the full license text for this package, copied verbatim.

An example of this license file can be seen below:

<?xml version="1.0" encoding="UTF-8"?>
<component>
    <name>Boost C++ Libraries</name>
    <version>1.52.0</version>
    <releaseDate>11.05.12</releaseDate>
    <manufacturer>Boost.org</manufacturer>
    <summary>The Boost C++ Libraries are a collection of free libraries that extend the functionality of C++.</summary>
    <link>official web page/</link>
    <issues>
        <link><![CDATA[bug reports link]]></link>
    </issues>
    <license type="BSL-1.0">
        <link>License Link</link>
        <text>
            <![CDATA[Boost Software License - Version 1.0 - August 17th, 2003
            Permission is hereby granted, free of charge, to any person or
            organization obtaining a copy of the software and accompanying
            documentation covered by this license (the "Software") to use,
            reproduce, display, distribute, execute, and transmit the Software,
            and to prepare derivative works of the Software, and to permit
            third-parties to whom the Software is furnished to do so, all
            subject to the following: The copyright notices in the Software
            and this entire statement, including the above license grant,
            this restriction and the following disclaimer, must be included
            in all copies of the Software, in whole or in part, and all
            derivative works of the Software, unless such copies or derivative
            works are solely in the form of machine-executable object code
            generated by a source language processor. THE SOFTWARE IS PROVIDED
            "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
            BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
            PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL
            THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
            FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR
            OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
            OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
            ]]>
        </text>
    </license>
</component>

RidgeRun created each copyrights.xml file by reading the LICENSE and README files in the package's src directory. When a package did not contain all the needed information, RidgeRun consulted online resources to make the license file as accurate as possible.

The SPDX license list at https://spdx.org/licenses enumerates the well-known Open Source licenses. When a package is not Open Source, its license type may be one of:

  • Proprietary: a non-standard license that requires a notice in the software description.
  • Private: a non-standard license that must not be published.
  • RidgeRun: used for RidgeRun's own packages.

When the SDK is built, the build process creates the HTML license files from the copyrights.xml files. The XML parser tool reads every license file and creates the following files:

  • copyrights.html: shows the complete information for every package.
  • copyrights-pico.html: shows the package name, version, and official web page link.
  • copyrights-short.xml: shows the package name, version, summary, official web page link, and license type.
  • soup.html: shows a chart with the basic documentation of the software.
  • summary.html: shows the package name, version, web page link, license type, and summary.
  • table.html: displays a table with the following columns: component, version, license type, package URL, and issues link.

These HTML files are created in the following folder:

$(DEVDIR)/fs/fs/usr/share/copyrights

To create the HTML files without building the whole SDK, run the following commands:

cd $DEVDIR
make copyrights

Open source tarball generation

This feature creates a tarball with all the package source code that must be made available to anyone who receives a binary version of the built code. The tarball contains every package that has an Open Source license. For each package, the tarball includes:

  • Source code after the patches have been applied
  • Patches
  • Patch series file

The tarball contains the following packages:

  • Bootloader
  • Kernel
  • All the applications that have an open source license
  • The Glibc package of the toolchain


To decide which packages to include, the RidgeRun SDK parses every copyrights.xml file and reads the license type. Packages whose license is proprietary or private are excluded from the tarball; all other packages are included.


To create the Open Source source code tarball, run the following commands:

cd $DEVDIR
make sourcedistro

Run this target while the SDK has not yet been built, so that the tarball contains only the necessary sources and patches and not files generated when the packages are built.

The tarball is saved to the following file:

$(DEVDIR)/images/sourcedistro.tar.gz
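As an added example that is not the SDK's own XML parser tool: a small Python script that reads copyrights.xml files of the form shown above (three constructed samples embedded inline, with made-up package names and URLs), reports mandatory fields that are missing or empty, applies the tarball inclusion rule from the previous section (proprietary and private license types are excluded), and renders summary.html-style rows with every field HTML-escaped so that a summary or license text containing markup cannot alter the generated report.

```python
# Added example for this page, not RidgeRun's own tool: parse copyrights.xml
# files, flag missing fields, pick source-tarball members, render HTML rows.
import html
import xml.etree.ElementTree as ET

REQUIRED = ("name", "version", "manufacturer", "summary", "link")
EXCLUDED_TYPES = {"proprietary", "private"}  # the page's tarball exclusion rule

# Constructed sample files (not real package data): one Open Source package,
# one private package, one with a missing manufacturer and empty license text.
SAMPLES = {
    "boost": """<component><name>Boost C++ Libraries</name><version>1.52.0</version>
<manufacturer>Boost.org</manufacturer><summary>C++ &lt;b&gt;libraries&lt;/b&gt;.</summary>
<link>https://www.boost.org/</link><license type="BSL-1.0"><link>https://www.boost.org/LICENSE_1_0.txt</link>
<text><![CDATA[Boost Software License - Version 1.0 ...]]></text></license></component>""",
    "codec": """<component><name>vendor-codec</name><version>2.1</version><manufacturer>ExampleCo</manufacturer>
<summary>Closed codec.</summary><link>https://example.com/</link>
<license type="Private"><link>n/a</link><text></text></license></component>""",
    "broken": """<component><name>nolicense</name><version>0.1</version><summary>Incomplete.</summary>
<link>https://example.org/</link><license type="MIT"><link>l</link><text></text></license></component>""",
}

def parse_component(xml_text):
    """Return (record, problems): the fields the page lists, plus the names of mandatory fields that are empty."""
    root = ET.fromstring(xml_text)
    rec = {tag: (root.findtext(tag) or "").strip() for tag in REQUIRED}
    lic = root.find("license")
    rec["license_type"] = lic.get("type", "") if lic is not None else ""
    for tag in ("link", "text"):
        rec["license_" + tag] = (lic.findtext(tag) or "").strip() if lic is not None else ""
    return rec, [k for k in REQUIRED + ("license_type", "license_link", "license_text") if not rec[k]]

def check_all(samples):
    """Map each file id to its list of problems; an empty list means the file is complete."""
    return {pkg: parse_component(text)[1] for pkg, text in samples.items()}

def source_distro_members(records):
    """Names of packages that belong in sourcedistro.tar.gz: all but proprietary/private ones."""
    return [r["name"] for r in records if r["license_type"].lower() not in EXCLUDED_TYPES]

def summary_rows(records):
    """summary.html-style rows; html.escape keeps package text from injecting markup."""
    cols = ("name", "version", "link", "license_type", "summary")
    return ["<tr>" + "".join(f"<td>{html.escape(r[c])}</td>" for c in cols) + "</tr>"
            for r in records]

if __name__ == "__main__":
    print(check_all(SAMPLES))
    recs = [parse_component(text)[0] for text in SAMPLES.values()]
    print(source_distro_members(recs), *summary_rows(recs), sep="\n")
```

Note that the inclusion rule looks only at the license type, so a package with an incomplete copyrights.xml (the "broken" sample) still lands in the tarball; the problems list from check_all is what catches it before release.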