blob: 9629dc53293d82fe79d9bb45c72f5fce778fa2b9 [file] [log] [blame]
Andrew Geissler517393d2023-01-13 08:55:19 -06001.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
2
3Working With Licenses
4*********************
5
6As mentioned in the ":ref:`overview-manual/development-environment:licensing`"
7section in the Yocto Project Overview and Concepts Manual, open source
8projects are open to the public and they consequently have different
9licensing structures in place. This section describes the mechanism by
10which the :term:`OpenEmbedded Build System`
11tracks changes to
12licensing text and covers how to maintain open source license compliance
13during your project's lifecycle. The section also describes how to
14enable commercially licensed recipes, which by default are disabled.
15
16Tracking License Changes
17========================
18
19The license of an upstream project might change in the future. In order
20to prevent these changes going unnoticed, the
21:term:`LIC_FILES_CHKSUM`
22variable tracks changes to the license text. The checksums are validated
23at the end of the configure step, and if the checksums do not match, the
24build will fail.
25
26Specifying the ``LIC_FILES_CHKSUM`` Variable
27--------------------------------------------
28
29The :term:`LIC_FILES_CHKSUM` variable contains checksums of the license text
30in the source code for the recipe. Following is an example of how to
31specify :term:`LIC_FILES_CHKSUM`::
32
33 LIC_FILES_CHKSUM = "file://COPYING;md5=xxxx \
34 file://licfile1.txt;beginline=5;endline=29;md5=yyyy \
35 file://licfile2.txt;endline=50;md5=zzzz \
36 ..."
37
38.. note::
39
40 - When using "beginline" and "endline", realize that line numbering
41 begins with one and not zero. Also, the included lines are
42 inclusive (i.e. lines five through and including 29 in the
43 previous example for ``licfile1.txt``).
44
45 - When a license check fails, the selected license text is included
46 as part of the QA message. Using this output, you can determine
47 the exact start and finish for the needed license text.
48
49The build system uses the :term:`S`
50variable as the default directory when searching files listed in
51:term:`LIC_FILES_CHKSUM`. The previous example employs the default
52directory.
53
54Consider this next example::
55
56 LIC_FILES_CHKSUM = "file://src/ls.c;beginline=5;endline=16;\
57 md5=bb14ed3c4cda583abc85401304b5cd4e"
58 LIC_FILES_CHKSUM = "file://${WORKDIR}/license.html;md5=5c94767cedb5d6987c902ac850ded2c6"
59
60The first line locates a file in ``${S}/src/ls.c`` and isolates lines
61five through 16 as license text. The second line refers to a file in
62:term:`WORKDIR`.
63
64Note that :term:`LIC_FILES_CHKSUM` variable is mandatory for all recipes,
65unless the :term:`LICENSE` variable is set to "CLOSED".
66
67Explanation of Syntax
68---------------------
69
70As mentioned in the previous section, the :term:`LIC_FILES_CHKSUM` variable
71lists all the important files that contain the license text for the
72source code. It is possible to specify a checksum for an entire file, or
73a specific section of a file (specified by beginning and ending line
74numbers with the "beginline" and "endline" parameters, respectively).
75The latter is useful for source files with a license notice header,
76README documents, and so forth. If you do not use the "beginline"
77parameter, then it is assumed that the text begins on the first line of
78the file. Similarly, if you do not use the "endline" parameter, it is
79assumed that the license text ends with the last line of the file.
80
81The "md5" parameter stores the md5 checksum of the license text. If the
82license text changes in any way as compared to this parameter then a
83mismatch occurs. This mismatch triggers a build failure and notifies the
84developer. Notification allows the developer to review and address the
85license text changes. Also note that if a mismatch occurs during the
86build, the correct md5 checksum is placed in the build log and can be
87easily copied to the recipe.
88
89There is no limit to how many files you can specify using the
90:term:`LIC_FILES_CHKSUM` variable. Generally, however, every project
91requires a few specifications for license tracking. Many projects have a
92"COPYING" file that stores the license information for all the source
93code files. This practice allows you to just track the "COPYING" file as
94long as it is kept up to date.
95
96.. note::
97
98 - If you specify an empty or invalid "md5" parameter,
99 :term:`BitBake` returns an md5
100 mis-match error and displays the correct "md5" parameter value
101 during the build. The correct parameter is also captured in the
102 build log.
103
104 - If the whole file contains only license text, you do not need to
105 use the "beginline" and "endline" parameters.
106
107Enabling Commercially Licensed Recipes
108======================================
109
110By default, the OpenEmbedded build system disables components that have
111commercial or other special licensing requirements. Such requirements
112are defined on a recipe-by-recipe basis through the
113:term:`LICENSE_FLAGS` variable
114definition in the affected recipe. For instance, the
115``poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly`` recipe
116contains the following statement::
117
118 LICENSE_FLAGS = "commercial"
119
120Here is a
121slightly more complicated example that contains both an explicit recipe
122name and version (after variable expansion)::
123
124 LICENSE_FLAGS = "license_${PN}_${PV}"
125
126In order for a component restricted by a
127:term:`LICENSE_FLAGS` definition to be enabled and included in an image, it
128needs to have a matching entry in the global
129:term:`LICENSE_FLAGS_ACCEPTED`
130variable, which is a variable typically defined in your ``local.conf``
131file. For example, to enable the
132``poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly`` package, you
133could add either the string "commercial_gst-plugins-ugly" or the more
134general string "commercial" to :term:`LICENSE_FLAGS_ACCEPTED`. See the
135":ref:`dev-manual/licenses:license flag matching`" section for a full
136explanation of how :term:`LICENSE_FLAGS` matching works. Here is the
137example::
138
139 LICENSE_FLAGS_ACCEPTED = "commercial_gst-plugins-ugly"
140
141Likewise, to additionally enable the package built from the recipe
142containing ``LICENSE_FLAGS = "license_${PN}_${PV}"``, and assuming that
143the actual recipe name was ``emgd_1.10.bb``, the following string would
144enable that package as well as the original ``gst-plugins-ugly``
145package::
146
147 LICENSE_FLAGS_ACCEPTED = "commercial_gst-plugins-ugly license_emgd_1.10"
148
149As a convenience, you do not need to specify the
150complete license string for every package. You can use
151an abbreviated form, which consists of just the first portion or
152portions of the license string before the initial underscore character
153or characters. A partial string will match any license that contains the
154given string as the first portion of its license. For example, the
155following value will also match both of the packages
156previously mentioned as well as any other packages that have licenses
157starting with "commercial" or "license"::
158
159 LICENSE_FLAGS_ACCEPTED = "commercial license"
160
161License Flag Matching
162---------------------
163
164License flag matching allows you to control what recipes the
165OpenEmbedded build system includes in the build. Fundamentally, the
166build system attempts to match :term:`LICENSE_FLAGS` strings found in
167recipes against strings found in :term:`LICENSE_FLAGS_ACCEPTED`.
168A match causes the build system to include a recipe in the
169build, while failure to find a match causes the build system to exclude
170a recipe.
171
172In general, license flag matching is simple. However, understanding some
173concepts will help you correctly and effectively use matching.
174
175Before a flag defined by a particular recipe is tested against the
176entries of :term:`LICENSE_FLAGS_ACCEPTED`, the expanded
177string ``_${PN}`` is appended to the flag. This expansion makes each
178:term:`LICENSE_FLAGS` value recipe-specific. After expansion, the
179string is then matched against the entries. Thus, specifying
180``LICENSE_FLAGS = "commercial"`` in recipe "foo", for example, results
181in the string ``"commercial_foo"``. And, to create a match, that string
182must appear among the entries of :term:`LICENSE_FLAGS_ACCEPTED`.
183
184Judicious use of the :term:`LICENSE_FLAGS` strings and the contents of the
185:term:`LICENSE_FLAGS_ACCEPTED` variable allows you a lot of flexibility for
186including or excluding recipes based on licensing. For example, you can
187broaden the matching capabilities by using license flags string subsets
188in :term:`LICENSE_FLAGS_ACCEPTED`.
189
190.. note::
191
192 When using a string subset, be sure to use the part of the expanded
193 string that precedes the appended underscore character (e.g.
194 ``usethispart_1.3``, ``usethispart_1.4``, and so forth).
195
196For example, simply specifying the string "commercial" in the
197:term:`LICENSE_FLAGS_ACCEPTED` variable matches any expanded
198:term:`LICENSE_FLAGS` definition that starts with the string
199"commercial" such as "commercial_foo" and "commercial_bar", which
200are the strings the build system automatically generates for
201hypothetical recipes named "foo" and "bar" assuming those recipes simply
202specify the following::
203
204 LICENSE_FLAGS = "commercial"
205
206Thus, you can choose to exhaustively enumerate each license flag in the
207list and allow only specific recipes into the image, or you can use a
208string subset that causes a broader range of matches to allow a range of
209recipes into the image.
210
211This scheme works even if the :term:`LICENSE_FLAGS` string already has
212``_${PN}`` appended. For example, the build system turns the license
213flag "commercial_1.2_foo" into "commercial_1.2_foo_foo" and would match
214both the general "commercial" and the specific "commercial_1.2_foo"
215strings found in the :term:`LICENSE_FLAGS_ACCEPTED` variable, as expected.
216
217Here are some other scenarios:
218
219- You can specify a versioned string in the recipe such as
220 "commercial_foo_1.2" in a "foo" recipe. The build system expands this
221 string to "commercial_foo_1.2_foo". Combine this license flag with a
222 :term:`LICENSE_FLAGS_ACCEPTED` variable that has the string
223 "commercial" and you match the flag along with any other flag that
224 starts with the string "commercial".
225
226- Under the same circumstances, you can add "commercial_foo" in the
227 :term:`LICENSE_FLAGS_ACCEPTED` variable and the build system not only
228 matches "commercial_foo_1.2" but also matches any license flag with
229 the string "commercial_foo", regardless of the version.
230
231- You can be very specific and use both the package and version parts
232 in the :term:`LICENSE_FLAGS_ACCEPTED` list (e.g.
233 "commercial_foo_1.2") to specifically match a versioned recipe.
234
235Other Variables Related to Commercial Licenses
236----------------------------------------------
237
238There are other helpful variables related to commercial license handling,
239defined in the
240``poky/meta/conf/distro/include/default-distrovars.inc`` file::
241
242 COMMERCIAL_AUDIO_PLUGINS ?= ""
243 COMMERCIAL_VIDEO_PLUGINS ?= ""
244
Andrew Geissler6aa7eec2023-03-03 12:41:14 -0600245If you want to enable these components, you can do so by making sure you have
246statements similar to the following in your ``local.conf`` configuration file::
Andrew Geissler517393d2023-01-13 08:55:19 -0600247
248 COMMERCIAL_AUDIO_PLUGINS = "gst-plugins-ugly-mad \
249 gst-plugins-ugly-mpegaudioparse"
250 COMMERCIAL_VIDEO_PLUGINS = "gst-plugins-ugly-mpeg2dec \
251 gst-plugins-ugly-mpegstream gst-plugins-bad-mpegvideoparse"
252 LICENSE_FLAGS_ACCEPTED = "commercial_gst-plugins-ugly commercial_gst-plugins-bad commercial_qmmp"
253
Andrew Geissler6aa7eec2023-03-03 12:41:14 -0600254Of course, you could also create a matching list for those components using the
255more general "commercial" string in the :term:`LICENSE_FLAGS_ACCEPTED` variable,
256but that would also enable all the other packages with :term:`LICENSE_FLAGS`
Andrew Geissler517393d2023-01-13 08:55:19 -0600257containing "commercial", which you may or may not want::
258
259 LICENSE_FLAGS_ACCEPTED = "commercial"
260
261Specifying audio and video plugins as part of the
Andrew Geissler6aa7eec2023-03-03 12:41:14 -0600262:term:`COMMERCIAL_AUDIO_PLUGINS` and :term:`COMMERCIAL_VIDEO_PLUGINS` statements
263(along with :term:`LICENSE_FLAGS_ACCEPTED`) includes the plugins or
264components into built images, thus adding support for media formats or
265components.
266
267.. note::
268
269 GStreamer "ugly" and "bad" plugins are actually available through
270 open source licenses. However, the "ugly" ones can be subject to software
271 patents in some countries, making it necessary to pay licensing fees
272 to distribute them. The "bad" ones are just deemed unreliable by the
273 GStreamer community and should therefore be used with care.
Andrew Geissler517393d2023-01-13 08:55:19 -0600274
275Maintaining Open Source License Compliance During Your Product's Lifecycle
276==========================================================================
277
278One of the concerns for a development organization using open source
279software is how to maintain compliance with various open source
280licensing during the lifecycle of the product. While this section does
281not provide legal advice or comprehensively cover all scenarios, it does
282present methods that you can use to assist you in meeting the compliance
283requirements during a software release.
284
285With hundreds of different open source licenses that the Yocto Project
286tracks, it is difficult to know the requirements of each and every
287license. However, the requirements of the major FLOSS licenses can begin
288to be covered by assuming that there are three main areas of concern:
289
290- Source code must be provided.
291
292- License text for the software must be provided.
293
294- Compilation scripts and modifications to the source code must be
295 provided.
296
297There are other requirements beyond the scope of these three and the
298methods described in this section (e.g. the mechanism through which
299source code is distributed).
300
301As different organizations have different methods of complying with open
302source licensing, this section is not meant to imply that there is only
303one single way to meet your compliance obligations, but rather to
304describe one method of achieving compliance. The remainder of this
305section describes methods supported to meet the previously mentioned
306three requirements. Once you take steps to meet these requirements, and
307prior to releasing images, sources, and the build system, you should
308audit all artifacts to ensure completeness.
309
310.. note::
311
312 The Yocto Project generates a license manifest during image creation
313 that is located in ``${DEPLOY_DIR}/licenses/``\ `image_name`\ ``-``\ `datestamp`
314 to assist with any audits.
315
316Providing the Source Code
317-------------------------
318
319Compliance activities should begin before you generate the final image.
320The first thing you should look at is the requirement that tops the list
321for most compliance groups --- providing the source. The Yocto Project has
322a few ways of meeting this requirement.
323
324One of the easiest ways to meet this requirement is to provide the
325entire :term:`DL_DIR` used by the
326build. This method, however, has a few issues. The most obvious is the
327size of the directory since it includes all sources used in the build
328and not just the source used in the released image. It will include
329toolchain source, and other artifacts, which you would not generally
330release. However, the more serious issue for most companies is
331accidental release of proprietary software. The Yocto Project provides
332an :ref:`ref-classes-archiver` class to help avoid some of these concerns.
333
334Before you employ :term:`DL_DIR` or the :ref:`ref-classes-archiver` class, you
335need to decide how you choose to provide source. The source
336:ref:`ref-classes-archiver` class can generate tarballs and SRPMs and can
337create them with various levels of compliance in mind.
338
339One way of doing this (but certainly not the only way) is to release
340just the source as a tarball. You can do this by adding the following to
341the ``local.conf`` file found in the :term:`Build Directory`::
342
343 INHERIT += "archiver"
344 ARCHIVER_MODE[src] = "original"
345
346During the creation of your
347image, the source from all recipes that deploy packages to the image is
348placed within subdirectories of ``DEPLOY_DIR/sources`` based on the
349:term:`LICENSE` for each recipe.
350Releasing the entire directory enables you to comply with requirements
351concerning providing the unmodified source. It is important to note that
352the size of the directory can get large.
353
354A way to help mitigate the size issue is to only release tarballs for
355licenses that require the release of source. Let us assume you are only
356concerned with GPL code as identified by running the following script:
357
358.. code-block:: shell
359
360 # Script to archive a subset of packages matching specific license(s)
361 # Source and license files are copied into sub folders of package folder
362 # Must be run from build folder
363 #!/bin/bash
364 src_release_dir="source-release"
365 mkdir -p $src_release_dir
366 for a in tmp/deploy/sources/*; do
367 for d in $a/*; do
368 # Get package name from path
369 p=`basename $d`
370 p=${p%-*}
371 p=${p%-*}
372 # Only archive GPL packages (update *GPL* regex for your license check)
373 numfiles=`ls tmp/deploy/licenses/$p/*GPL* 2> /dev/null | wc -l`
374 if [ $numfiles -ge 1 ]; then
375 echo Archiving $p
376 mkdir -p $src_release_dir/$p/source
377 cp $d/* $src_release_dir/$p/source 2> /dev/null
378 mkdir -p $src_release_dir/$p/license
379 cp tmp/deploy/licenses/$p/* $src_release_dir/$p/license 2> /dev/null
380 fi
381 done
382 done
383
384At this point, you
385could create a tarball from the ``gpl_source_release`` directory and
386provide that to the end user. This method would be a step toward
387achieving compliance with section 3a of GPLv2 and with section 6 of
388GPLv3.
389
390Providing License Text
391----------------------
392
393One requirement that is often overlooked is inclusion of license text.
394This requirement also needs to be dealt with prior to generating the
395final image. Some licenses require the license text to accompany the
396binary. You can achieve this by adding the following to your
397``local.conf`` file::
398
399 COPY_LIC_MANIFEST = "1"
400 COPY_LIC_DIRS = "1"
401 LICENSE_CREATE_PACKAGE = "1"
402
403Adding these statements to the
404configuration file ensures that the licenses collected during package
405generation are included on your image.
406
407.. note::
408
409 Setting all three variables to "1" results in the image having two
410 copies of the same license file. One copy resides in
411 ``/usr/share/common-licenses`` and the other resides in
412 ``/usr/share/license``.
413
414 The reason for this behavior is because
415 :term:`COPY_LIC_DIRS` and
416 :term:`COPY_LIC_MANIFEST`
417 add a copy of the license when the image is built but do not offer a
418 path for adding licenses for newly installed packages to an image.
419 :term:`LICENSE_CREATE_PACKAGE`
420 adds a separate package and an upgrade path for adding licenses to an
421 image.
422
423As the source :ref:`ref-classes-archiver` class has already archived the
424original unmodified source that contains the license files, you would have
425already met the requirements for inclusion of the license information
426with source as defined by the GPL and other open source licenses.
427
428Providing Compilation Scripts and Source Code Modifications
429-----------------------------------------------------------
430
431At this point, we have addressed all we need to prior to generating the
432image. The next two requirements are addressed during the final
433packaging of the release.
434
435By releasing the version of the OpenEmbedded build system and the layers
436used during the build, you will be providing both compilation scripts
437and the source code modifications in one step.
438
439If the deployment team has a :ref:`overview-manual/concepts:bsp layer`
440and a distro layer, and those
441those layers are used to patch, compile, package, or modify (in any way)
442any open source software included in your released images, you might be
443required to release those layers under section 3 of GPLv2 or section 1
444of GPLv3. One way of doing that is with a clean checkout of the version
445of the Yocto Project and layers used during your build. Here is an
446example:
447
448.. code-block:: shell
449
450 # We built using the dunfell branch of the poky repo
451 $ git clone -b dunfell git://git.yoctoproject.org/poky
452 $ cd poky
453 # We built using the release_branch for our layers
454 $ git clone -b release_branch git://git.mycompany.com/meta-my-bsp-layer
455 $ git clone -b release_branch git://git.mycompany.com/meta-my-software-layer
456 # clean up the .git repos
457 $ find . -name ".git" -type d -exec rm -rf {} \;
458
459One thing a development organization might want to consider for end-user
460convenience is to modify
461``meta-poky/conf/templates/default/bblayers.conf.sample`` to ensure that when
462the end user utilizes the released build system to build an image, the
463development organization's layers are included in the ``bblayers.conf`` file
464automatically::
465
466 # POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
467 # changes incompatibly
468 POKY_BBLAYERS_CONF_VERSION = "2"
469
470 BBPATH = "${TOPDIR}"
471 BBFILES ?= ""
472
473 BBLAYERS ?= " \
474 ##OEROOT##/meta \
475 ##OEROOT##/meta-poky \
476 ##OEROOT##/meta-yocto-bsp \
477 ##OEROOT##/meta-mylayer \
478 "
479
480Creating and
481providing an archive of the :term:`Metadata`
482layers (recipes, configuration files, and so forth) enables you to meet
483your requirements to include the scripts to control compilation as well
484as any modifications to the original source.
485
486Compliance Limitations with Executables Built from Static Libraries
487-------------------------------------------------------------------
488
489When package A is added to an image via the :term:`RDEPENDS` or :term:`RRECOMMENDS`
490mechanisms as well as explicitly included in the image recipe with
491:term:`IMAGE_INSTALL`, and depends on a static linked library recipe B
492(``DEPENDS += "B"``), package B will neither appear in the generated license
493manifest nor in the generated source tarballs. This occurs as the
494:ref:`ref-classes-license` and :ref:`ref-classes-archiver` classes assume that
495only packages included via :term:`RDEPENDS` or :term:`RRECOMMENDS`
496end up in the image.
497
498As a result, potential obligations regarding license compliance for package B
499may not be met.
500
501The Yocto Project doesn't enable static libraries by default, in part because
502of this issue. Before a solution to this limitation is found, you need to
503keep in mind that if your root filesystem is built from static libraries,
504you will need to manually ensure that your deliveries are compliant
505with the licenses of these libraries.
506
507Copying Non Standard Licenses
508=============================
509
510Some packages, such as the linux-firmware package, have many licenses
511that are not in any way common. You can avoid adding a lot of these
512types of common license files, which are only applicable to a specific
513package, by using the
514:term:`NO_GENERIC_LICENSE`
515variable. Using this variable also avoids QA errors when you use a
516non-common, non-CLOSED license in a recipe.
517
518Here is an example that uses the ``LICENSE.Abilis.txt`` file as
519the license from the fetched source::
520
521 NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
522