Compliance in a complex Yocto/Bitbake-based operating system
Compliance with copyright can be a nightmare, especially if the project faces it late in development. Everybody is now figuring out how to use tools and how they could help. We have been tasked with doing it for an entire operating system, something that would take man-months if not man-years. If you start late, you will finish late. But the gold standard today is to integrate compliance into CI/CD. We present our solutions and those that we have considered or are considering.
3. HOW: FIRST LEVEL
1 - Making sure you are compliant:
- What is inside your code base (what are you reusing)?
- What is the licensing of inbound and outbound code?
- Through a process
2 - Making your downstream aware you are compliant, for easier adoption:
- ISO 5962 (SPDX)
- ISO 5230 (OpenChain)
- FSFE (REUSE)
3 - In an automated way (machine readable):
- SPDX: https://spdx.dev/
- OpenChain: https://www.openchainproject.org/
- REUSE: https://reuse.software
5. WHAT (SUMMARY)
Challenges:
- An entire multi-kernel OS (mainly for portable and IoT devices)
- Based on Yocto / Bitbake: no software package manager
- Hundreds of packages, hundreds of thousands of source files
- A complex build matrix
6. HOW
- Using open source tools: ScanCode, Fossology
- Developing an open source toolchain working with GitLab CI/CD: Aliens4Friends
- Using open standards: REUSE, SPDX, OpenChain
- The real open source way: stop reinventing the wheel, use existing compliance work; reuse Debian copyright and license information on matching software packages
- The first step of a long journey, with the help of the community
8. THE PROBLEM
- Hundreds of thousands of source files, with thousands of different license statements
- Automated license scanners (ScanCode) produce false positives and false negatives: license statements are written for humans, and machines lack context and common sense
- Fossology: a tool for human review of scanner results
- ...but it is still a lot of work: hundreds of thousands of license findings to review mean hundreds of man-days of auditing
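The review queue only becomes manageable if scanner findings are triaged before a human sees them: files with no detection (candidate false negatives), low-score matches (candidate false positives) and ambiguous expressions go to review, everything else is accepted mechanically. The following is an added example, not code from the Aliens4Friends project; the scan document is a constructed sample in the shape of ScanCode's older 21.x JSON output (per-file `license_expressions` and `licenses` entries with a `score`), and the field names and the 90% threshold are assumptions, not a documented contract.

```python
import json
from collections import Counter

# Constructed sample, not a real scan: four source files and one directory
# entry, in the per-file shape assumed above.
SCAN_JSON = json.dumps({"files": [
    {"path": "src/main.c", "type": "file",
     "license_expressions": ["lgpl-2.1-plus"],
     "licenses": [{"key": "lgpl-2.1-plus", "score": 100.0}]},
    {"path": "src/compat/old.c", "type": "file",
     "license_expressions": ["mit"],
     "licenses": [{"key": "mit", "score": 65.0}]},        # weak match
    {"path": "src/util.c", "type": "file",
     "license_expressions": [], "licenses": []},           # nothing found
    {"path": "src/vendor/x.h", "type": "file",
     "license_expressions": ["gpl-2.0 OR mit"],            # dual licensed
     "licenses": [{"key": "gpl-2.0", "score": 100.0},
                  {"key": "mit", "score": 100.0}]},
    {"path": "src", "type": "directory",
     "license_expressions": [], "licenses": []},
]})


def triage(scan_json, min_score=90.0):
    """Split scanned files into auto-accepted {path: expression} and
    needs-human-review {path: reason}.  Only 'file' entries count."""
    data = json.loads(scan_json)
    accepted, review = {}, {}
    for f in data["files"]:
        if f.get("type") != "file":
            continue
        exprs = f.get("license_expressions", [])
        scores = [m["score"] for m in f.get("licenses", [])]
        if not exprs:
            # The scanner saw no license text: a human must check whether
            # the file is really unlicensed or the scanner missed it.
            review[f["path"]] = "no license detected (possible false negative)"
        elif scores and min(scores) < min_score:
            # A partial match is the classic false positive: a license name
            # mentioned in a comment, a truncated header, a near-variant.
            review[f["path"]] = "low match score %.0f (possible false positive)" % min(scores)
        elif len(exprs) > 1 or any(" OR " in e for e in exprs):
            # Choice between licenses is a policy decision, not a scan result.
            review[f["path"]] = "multiple or alternative licenses: " + ", ".join(exprs)
        else:
            accepted[f["path"]] = exprs[0]
    return accepted, review


def summary(scan_json):
    """Count distinct license expressions over files: the deduplication that
    turns per-file findings into a much shorter list of things to decide."""
    data = json.loads(scan_json)
    return Counter(e for f in data["files"] if f.get("type") == "file"
                   for e in f.get("license_expressions", []))


if __name__ == "__main__":
    ok, todo = triage(SCAN_JSON)
    print("accepted:", ok)
    print("review:", todo)
    print("expressions:", dict(summary(SCAN_JSON)))
```

The thresholds and categories are where a project's own policy goes; the point is that every file leaving the scanner lands in exactly one bucket with a recorded reason, so the human review that Fossology supports is spent only on the files that need it.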
9. THE SOLUTION
- Do it the open source way: avoid reinventing the wheel and reuse others' (trusted) work
- Debian provides full license and copyright metadata for many of the software components that we are using
10. DEBIAN MATCHING
- Debian is like a trusted "friend" that vouches for the "alien" packages
- Reuse copyright/license information that has already been collected and maintained by humans at Debian, and that is machine readable (DEP5, the machine-readable debian/copyright format)
- DEP5 spec: every file in the source tree is covered by a Files stanza of the debian/copyright file, each carrying a Copyright and a License field
- debian/copyright is machine readable, so we can reuse all of its metadata
11. DEBIAN MATCHING
It does not solve everything:
- not always a full match in Debian
- not all packages can be found in Debian
- not all debian/copyright files are machine readable :(
But it really helps and saves a substantial amount of human work.
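What "reusing DEP5 metadata" means in practice, as an added example (not Aliens4Friends code): a small parser for the machine-readable debian/copyright format that checks the `Format:` header (the cheap test for the "not all debian/copyright files are machine readable" case), resolves the license and copyright of a given source file using DEP5's own glob rules (`*` matches anything including `/`, `?` one character, `\` escapes; the last matching `Files` stanza wins), and reports files of the source tree that no stanza covers. The debian/copyright text is a constructed sample, not any real package's file, and `file_license`, `uncovered_files` and the other names are this example's own.

```python
import re

DEP5_FORMAT = "https://www.debian.org/doc/packaging-manuals/copyright-format/1.0"

# Constructed sample debian/copyright (not taken from a real package).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example-lib
Source: https://example.invalid/example-lib

Files: *
Copyright: 2015-2020 Example Upstream Authors
License: LGPL-2.1+

Files: src/compat/*
Copyright: 2010 Some Other Author
License: MIT

Files: debian/*
Copyright: 2021 Debian Maintainer <maint@example.invalid>
License: GPL-2+

License: LGPL-2.1+
 This library is free software; full license text would follow here.
"""

# Constructed old-style, non-machine-readable debian/copyright.
OLD_STYLE_COPYRIGHT = """\
This package was debianized by Someone <s@example.invalid> on 2005-01-01.

It was downloaded from an upstream site. Upstream authors: Example Authors.
License: see COPYING.
"""


def parse_paragraphs(text):
    """Split deb822-style text into a list of {field: value} dicts.
    Lines starting with whitespace continue the previous field."""
    paragraphs, current, last_field = [], {}, None
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                paragraphs.append(current)
            current, last_field = {}, None
        elif line[0] in " \t":
            if last_field is not None:          # ignore stray continuation
                current[last_field] += "\n" + line[1:]
        else:
            field, _, value = line.partition(":")
            last_field = field.strip()
            current[last_field] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def is_machine_readable(text):
    """DEP5 requires the first paragraph to carry the Format URL."""
    paras = parse_paragraphs(text)
    return bool(paras) and paras[0].get("Format", "").rstrip("/") == DEP5_FORMAT


def dep5_glob_to_regex(pattern):
    """DEP5 patterns know only '*', '?' and backslash escapes; everything
    else, including '/', is literal.  Anchored to the whole path."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def file_license(text, path):
    """Return (license short name, copyright) for a path relative to the
    source root, or None if no Files stanza covers it.  Later stanzas
    override earlier ones, as the DEP5 spec requires."""
    match = None
    for para in parse_paragraphs(text):
        if "Files" not in para:
            continue                             # header or License: paragraph
        if any(dep5_glob_to_regex(p).match(path) for p in para["Files"].split()):
            match = para
    if match is None:
        return None
    short_name = match["License"].splitlines()[0].strip()
    return short_name, match.get("Copyright", "").strip()


def uncovered_files(text, paths):
    """Files of the source tree that DEP5 metadata says nothing about:
    these still need a scanner and a human."""
    return [p for p in paths if file_license(text, p) is None]


if __name__ == "__main__":
    print(is_machine_readable(SAMPLE_COPYRIGHT), is_machine_readable(OLD_STYLE_COPYRIGHT))
    for p in ("src/main.c", "src/compat/old.c", "debian/rules"):
        print(p, file_license(SAMPLE_COPYRIGHT, p))
```

The `Files: *` catch-all makes every file covered in the sample; a debian/copyright without such a stanza is exactly the "not always a full match" case, and `uncovered_files` lists what falls through so it can be routed to the scanner and reviewer instead of being silently assumed licensed.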
17. BACK TO THE COMMUNITY (STILL THE OPEN SOURCE WAY)
- Aliens4Friends (open source)
- All compliance documents, procedures, artifacts
- Dashboard
- All under the Apache license, where permitted
- Including SBOM (CC0) + database of decisions
- Upstream to ClearlyDefined (very likely)
- Upstream REUSE fixes / merge requests
18. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 license.
Presentation made using Reveal.js Markdown and a workflow with reveal-md.