The Yocto Project provides a set of tools to help with Open Source Software compliance. The FoundriesFactory is configured to use some of them by default and provides a good starting point when working with license requirements.
The focus here is to configure the Linux microPlatform (LmP) to avoid installing packages under the GPLv3 family license and to deploy the artifacts required by the GPLv2 family license.
This document focuses on some technical aspects of the Yocto Project build process and must not be considered legal advice. Always consult a lawyer.
When using secure boot, the hardware is configured to only execute a complete boot with unmodified software signed with a private key. The GPLv3 family license requires that hardware restrictions cannot impact which software is being used.
Therefore, when the goal is to use FoundriesFactory with hardware configured with secure boot, it is important to take care of the licensing requirements properly.
To configure the LmP to avoid using packages under the GPL-3.0, LGPL-3.0 or AGPL-3.0 licenses in the final image, change the file ci-scripts/factory-config.yml to include the variable DISABLE_GPLV3: "1". A reference is shown below:
    lmp:
      ref_options:
        refs/heads/master:
          params:
            DISABLE_GPLV3: "1"
        refs/heads/devel:
          params:
            DISABLE_GPLV3: "1"
      mfg_tools:
        - machine: <machine>
          params:
            DISTRO: lmp-mfgtool
            EXTRA_ARTIFACTS: mfgtool-files.tar.gz
            IMAGE: mfgtool-files
            DISABLE_GPLV3: "0"
In this example, the master and devel branches are configured to avoid the installation of GPLv3 family license packages. This can be configured according to the project requirements.
It is also possible to leave packages using the GPLv3 family license in specific builds, like mfg_tools. (None of the files used in the mfgtools build would be left on the device.) In this way, you have flexibility when configuring different build targets.
It is important to note that this post applies to the default lmp-factory-image recipe as generated during FoundriesFactory creation. If this recipe is customized, further changes might be needed. Error messages generated during the Yocto Project build state which packages under the GPLv3 family license are being installed.
ERROR: lmp-factory-image-1.0-r0 do_rootfs: Packages have blacklisted licenses: libunistring (LGPLv3+ | GPLv2), bash (GPLv3+), time (GPLv3), mc (GPLv3), mc-helpers (GPLv3), grep (GPLv3), dosfstools (GPLv3), coreutils (GPLv3+), mc-fish (GPLv3), libelf (GPLv2 | LGPLv3+), tar (GPLv3), less (GPLv3+ | BSD-2-Clause), sed (GPLv3+), gmp (GPLv2+ | LGPLv3+), libidn2 ((GPLv2+ | LGPLv3)), parted (GPLv3+), readline (GPLv3+), gawk (GPLv3), coreutils-stdbuf (GPLv3+), findutils (GPLv3+), bc (GPLv3+), cpio (GPLv3), gzip (GPLv3+), ed (GPLv3+), mc-helpers-perl (GPLv3)
In the above example, there are several packages under the GPLv3 family license which are present in the final image. The second package listed is bash, which is licensed under GPLv3+. Using this error message as a guide, these packages (or packages that depend on them) can be removed from the FoundriesFactory customizations to satisfy licensing requirements.
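The error line is long, so it helps to split it into per-package entries before deciding what to remove. The following is an added example, not part of the original post or of FoundriesFactory tooling: it parses that do_rootfs error out of a saved build log and separates the GPLv3 family terms of each license expression from the other terms. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: a shortened form of the do_rootfs error shown above.
SAMPLE_LOG = (
    "NOTE: Executing Tasks\n"
    "ERROR: lmp-factory-image-1.0-r0 do_rootfs: Packages have blacklisted licenses: "
    "libunistring (LGPLv3+ | GPLv2), bash (GPLv3+), libidn2 ((GPLv2+ | LGPLv3)), "
    "less (GPLv3+ | BSD-2-Clause), mc-helpers-perl (GPLv3)\n"
)

ERROR_RE = re.compile(
    r"ERROR: (?P<recipe>\S+) do_rootfs: Packages have blacklisted licenses: (?P<pkgs>.+)"
)
# One entry: package name, then a license expression in (possibly nested) parentheses.
ENTRY_RE = re.compile(r"(?P<name>[^\s,()]+) \((?P<expr>(?:[^()]|\([^()]*\))*)\)")
# GPL-3.0, LGPL-3.0 and AGPL-3.0 in the spellings that appear in such messages.
V3_RE = re.compile(r"^(A|L)?GPL-?v?3(\.0)?(\+|-only|-or-later)?$", re.IGNORECASE)


def parse_blacklisted(log_text):
    """Return {recipe: {package: {"v3": [...], "other": [...]}}} from a build log."""
    report = {}
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        pkgs = report.setdefault(m.group("recipe"), {})
        for entry in ENTRY_RE.finditer(m.group("pkgs")):
            # Split the expression on the operators | and &, dropping parentheses.
            terms = [t for t in re.split(r"[|&()\s]+", entry.group("expr")) if t]
            pkgs[entry.group("name")] = {
                "v3": [t for t in terms if V3_RE.match(t)],
                "other": [t for t in terms if not V3_RE.match(t)],
            }
    return report


def v3_only_packages(report):
    """Packages whose license expression names only GPLv3 family licenses."""
    return sorted(name for pkgs in report.values()
                  for name, lic in pkgs.items() if lic["v3"] and not lic["other"])


if __name__ == "__main__":
    print("v3-only:", v3_only_packages(parse_blacklisted(SAMPLE_LOG)))
```

The split into "v3" and "other" terms only mirrors what the error text lists for each package; the build still reports every package in the message, including those with more than one license term.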
A common requirement for some OSS licenses, such as the GPLv2 family license, is to provide:
The FoundriesFactory configures the LmP to provide the license manifest and the source code tarball by default.
The license manifest can be found at
All the package's source code under GPLv2 or GPLv3 license family can be found at
<factory> is the FoundriesFactory name.
<version> is the target version (and can be found in the first column of
<machine> is the machine name as in the
<image> is the image name as in the