In the fourth edition of the Witekio and Mender Yocto Master Class, we took a deep dive into (apparently) everyone’s favourite subject: Considerations for License Compliance.
When I say this was our busiest one ever, I really mean it. In the end, we had nearly 20 full minutes of questions to answer from the community.
As the host and a non-engineer, it’s my pleasure to write up the top takeaways from each webinar, for everyone who doesn’t have an hour to spare for the recording.
You become a distributor of the software
When it comes to any project using Yocto for a connected device, the developers become distributors of software, which means they have to fulfil the requirements of the open-source licenses they ship.
Yes, Yocto is free to use, but you still need to be aware of and comply with the legal obligations that come with distributing the software, especially for commercial gain, or else your ‘free’ framework may suddenly cost you in lawyer fees.
Give credit where credit is due
One of the core requirements of the open-source licenses in a Yocto build is to reproduce the copyright notices and license texts, which means that developers have to include this information with the software they distribute.
This used to be straightforward when the software was distributed in physical boxes with booklets, but with the rise of online distribution, it has become more challenging.
Yocto, a build system for creating custom Linux-based systems, provides means to include copyright notices and license texts by creating pseudo packages for licenses and installing them on the target.
No idea where your Yocto source comes from? No problem.
You’ve inherited a distribution and have no idea where it came from – don’t panic. There is light at the end of the tunnel.
Developers can still fulfil the requirements of open-source licenses in cases where they carry custom patches or receive no sources at all from a supplier.
All you have to do is insist on SBOMs (Software Bills of Materials) and conformity documents, which list the components used and their licenses. With these in hand, developers can replicate the build system and make sure they stay compliant moving forward.
Top tip – ensure machine-readable metadata
A top tip that I think is worth talking about is the importance of machine-readable metadata. Our speakers suggest using the SPDX standard.
But why do you need to do that? Machine-readable metadata allows for automated compliance checks and can help ensure that all dependencies are properly licensed.
By including SPDX data in the headers of source code files, developers also make it easier for others to understand and comply with the open-source licenses attached to their code (so that nobody downstream ends up with the “no idea where the source came from” problem above ☝).
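To make the takeaways above concrete, here is a conf/local.conf fragment as an added example (it is not something shown in the webinar): it turns on per-recipe license packages and the on-target license manifest, blocklists a set of licenses, and enables SPDX SBOM generation. The variable names are the Yocto Project’s own; the `busybox-lic` package name is only an illustrative assumption, and the syntax shown needs Yocto 3.4 (honister) or newer.

```bitbake
# conf/local.conf fragment (added example, not from the webinar).
# Variable names are Yocto's own; ":append" and create-spdx need
# Yocto 3.4 "honister" or newer.

# 1. Ship the license texts with the product ("give credit where due").
#    Every recipe additionally builds a ${PN}-lic package containing its
#    license files, installable on the target like any other package.
LICENSE_CREATE_PACKAGE = "1"
#    Also copy the image-wide license manifest and the per-package
#    license directories into the root filesystem
#    (under /usr/share/common-licenses on the target).
COPY_LIC_MANIFEST = "1"
COPY_LIC_DIRS = "1"
#    Example: install busybox's license package into the image.
#    (Package name assumed for illustration; it follows ${PN}-lic.)
IMAGE_INSTALL:append = " busybox-lic"

# 2. Blocklist licenses the product must not contain. BitBake refuses
#    to build a recipe for the image whose LICENSE matches one of these.
INCOMPATIBLE_LICENSE = "GPL-3.0-only GPL-3.0-or-later LGPL-3.0-only LGPL-3.0-or-later AGPL-3.0-only AGPL-3.0-or-later"
#    Recipes tagged with LICENSE_FLAGS (e.g. "commercial") are skipped
#    unless their flag is accepted here; empty means accept none.
LICENSE_FLAGS_ACCEPTED = ""

# 3. Machine-readable metadata: produce SPDX SBOM documents for each
#    recipe and for the image itself (deployed next to the image).
INHERIT += "create-spdx"
SPDX_PRETTY = "1"            # indented JSON, easier to diff and review
SPDX_INCLUDE_SOURCES = "1"   # record the source files behind each package

# 4. Archive the matching sources so the next integrator never has to
#    work from a supplier that "provides no sources".
INHERIT += "archiver"
ARCHIVER_MODE[src] = "original"
ARCHIVER_MODE[diff] = "1"    # keep the patches applied on top as well
```

Blocklisting GPL-3.0 in an existing image usually means replacing or exempting packages before the build succeeds again, so expect to iterate on INCOMPATIBLE_LICENSE against the license manifest in tmp/deploy/licenses.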
Webinar Overview
Event: Yocto Master Class: Considerations for License Compliance
Duration: 1 hour
Presenters:
- Konrad Weihmann, Embedded Software Developer – Witekio
- Josef Holzmayr, Head of Developer Relations – Mender.io
Topics:
- How to create a license package
- What you need to know about allowlisting/blocklisting licenses
- The Software Bill of Materials (SBOM)
- What to do if you don’t have access to the original Yocto build sources
- Software auditing 101 and more