FoundriesFactory using Yocto Project to easily handle copyleft compliance for GPLv2 and GPLv3

The Yocto Project provides a set of tools to help with Open Source Software compliance. The FoundriesFactory is configured to use some of them by default and provides a good starting point when working with license requirements.

The focus here is to configure the Linux microPlatform (LmP) to avoid installing packages under the GPLv3 family license and to deploy the artifacts required by the GPLv2 family license.

This document focuses on some technical aspects of the Yocto Project build process and must not be considered legal advice. Always consult a lawyer.

Configuring FoundriesFactory to avoid GPLv3 installation

When using secure boot, the hardware is configured to complete a boot only with unmodified software signed with a private key. The GPLv3 family of licenses requires that hardware restrictions not affect which software is being used.

Therefore, when the goal is to use FoundriesFactory with hardware configured with secure boot, it is important to handle the licensing requirements properly.

To configure the LmP to avoid using packages under the GPL-3.0, LGPL-3.0 or AGPL-3.0 licenses in the final image, change the file ci-scripts/factory-config.yml to include the variable DISABLE_GPLV3: "1". A reference is shown below:

  lmp:
    ref_options:
      refs/heads/master:
        params:
          DISABLE_GPLV3: "1"
      refs/heads/devel:
        params:
          DISABLE_GPLV3: "1"

  mfg_tools:
    - machine: <machine>
      params:
        DISTRO: lmp-mfgtool
        EXTRA_ARTIFACTS: mfgtool-files.tar.gz
        IMAGE: mfgtool-files
        DISABLE_GPLV3: "0"

Both the master and devel branches are configured to avoid the installation of GPLv3 family license packages. This can be configured according to the project requirements.

It is also possible to leave packages using the GPLv3 family license in specific builds, like mfg_tools. (None of the files used in the mfgtools build would be left on the device.)

In this way, you have flexibility when configuring different build targets.

It is important to note that this post applies to the default lmp-factory-image recipe as generated during FoundriesFactory creation. If this recipe is customized, further changes might be needed. Error messages generated during the Yocto Project build indicate which packages under the GPLv3 family license are being installed.

  ERROR: lmp-factory-image-1.0-r0 do_rootfs: Packages have blacklisted licenses:
  libunistring (LGPLv3+ | GPLv2), bash (GPLv3+), time (GPLv3), mc (GPLv3),
  mc-helpers (GPLv3), grep (GPLv3), dosfstools (GPLv3), coreutils (GPLv3+),
  mc-fish (GPLv3), libelf (GPLv2 | LGPLv3+), tar (GPLv3), less (GPLv3+ |
  BSD-2-Clause), sed (GPLv3+), gmp (GPLv2+ | LGPLv3+), libidn2 ((GPLv2+ |
  LGPLv3)), parted (GPLv3+), readline (GPLv3+), gawk (GPLv3), coreutils-stdbuf
  (GPLv3+), findutils (GPLv3+), bc (GPLv3+), cpio (GPLv3), gzip (GPLv3+), ed
  (GPLv3+), mc-helpers-perl (GPLv3)

In the above example, several packages under the GPLv3 family license are present in the final image. For example, the second package listed is bash, which is licensed under GPLv3+. Using this error message as a guide, these packages (or packages that depend on them) can be removed from the FoundriesFactory customizations to satisfy licensing requirements.
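
As an added example (not part of the original post or of FoundriesFactory tooling), the Python script below parses the do_rootfs error shown above into a package-to-license map and separates packages whose license expression lists only GPLv3 family terms from those that also list another license. The function names parse_blacklisted and triage are hypothetical, and the sample log is constructed from a shortened copy of the message above; the package list is assumed to end at the first blank line.

```python
import re

# Constructed sample: shortened copy of the error above, wrapped as in a build log.
SAMPLE_LOG = """\
ERROR: lmp-factory-image-1.0-r0 do_rootfs: Packages have blacklisted licenses:
libunistring (LGPLv3+ | GPLv2), bash (GPLv3+), time (GPLv3), mc (GPLv3),
libelf (GPLv2 | LGPLv3+), less (GPLv3+ |
BSD-2-Clause), libidn2 ((GPLv2+ |
LGPLv3)), coreutils-stdbuf
(GPLv3+), ed
(GPLv3+)
"""

MARKER = "Packages have blacklisted licenses:"
V3 = re.compile(r"^(A|L)?GPL(v|-)3")  # GPLv3, LGPLv3+, AGPL-3.0, ...


def parse_blacklisted(log):
    """Return {package: [license alternatives]} from a do_rootfs error."""
    if MARKER not in log:
        return {}
    # Assumption: the list ends at the first blank line after the marker.
    # Re-join wrapped lines so an entry split across lines parses as one.
    body = " ".join(log.split(MARKER, 1)[1].split("\n\n")[0].split())
    result, depth, start = {}, 0, 0
    for i, ch in enumerate(body + ","):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:  # comma outside parentheses ends an entry
            entry = body[start:i].strip()
            start = i + 1
            m = re.match(r"(\S+)\s*\((.*)\)$", entry)
            if m:  # "name (expr)"; nested parentheses are stripped per term
                result[m.group(1)] = [a.strip(" ()") for a in m.group(2).split("|")]
    return result


def triage(packages):
    """Split packages into (only GPLv3 family terms, also lists another license)."""
    only_v3 = sorted(p for p, lic in packages.items() if all(V3.match(x) for x in lic))
    mixed = sorted(p for p in packages if p not in only_v3)
    return only_v3, mixed


if __name__ == "__main__":
    only_v3, mixed = triage(parse_blacklisted(SAMPLE_LOG))
    print("GPLv3 family only:", ", ".join(only_v3))
    print("Lists another license too:", ", ".join(mixed))
```

The second group is only a list of packages to look at more closely; whether an alternative license can be relied on is a legal question, not something the script decides.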

Providing source code and license manifest

A common requirement for some OSS licenses, such as the GPLv2 family license, is to provide:

  • A license manifest: all the projects used and their license.
  • The source code: some licenses, such as GPLv2, require that all the source code, including scripts and changes, be available (accessible) to the user.
  • The license text and the copyright information: a copy of the license for each project (required by some licenses such as GPLv2 and others) and the copyright information for attribution.

The FoundriesFactory configures the LmP to provide the license manifest and the source code tarball by default.

The license manifest can be found at

https://app.foundries.io/factories/<factory>/targets/<version>/artifacts/<machine>/other/<image>-<machine>.license.manifest

The source code of all packages under the GPLv2 or GPLv3 license family can be found at

https://app.foundries.io/factories/<factory>/targets/<version>/artifacts/<machine>/other/<machine>-source-release.tar

Where:

  • <factory> is the FoundriesFactory name.
  • <version> is the target version (and can be found in the first column of Targets).
  • <machine> is the machine name as in the factory-config.yml.
  • <image> is the image name as in the factory-config.yml.
