flict (FOSS License Compatibility Tool) checks whether the licenses of your software and its dependencies are compatible with each other, and whether they comply with your license policy.
This presentation shows how to get started with flict, check a project for license compatibility, apply a license policy, produce a graph of the compatibility between the licenses in your project and, finally, check a package and its dependencies, as built with Yocto, for compatibility.
17. Introducing flict
● flict checks compatibility between two licenses (at a time)
● Handles dependencies / “linked” software
  – checks compatibility for all licenses in the combined work
27. Introducing flict - outbound
$ flict outbound-candidate GPL-2.0-or-later AND MIT
GPL-2.0-or-later, GPL-3.0-or-later
# no relicensing: -nr
$ flict -nr outbound-candidate GPL-2.0-or-later AND MIT
GPL-2.0-or-later
29. Introducing flict - verify
$ flict verify -le Apache-2.0 AND GPL-3.0-only AND MIT
The licenses in the expression "Apache-2.0 AND GPL-3.0-only AND MIT"
are compatible.
Outbound license candidates: GPL-3.0-only
NOTE: the suggested outbound candidate licenses need to be manually
reviewed.
30. Introducing flict - verify
$ flict verify -le Apache-2.0 AND GPL-2.0-only
The licenses in the expression "Apache-2.0 AND GPL-2.0-only" are not
compatible.
No outbound license candidate could be identified due to license
incompatibility.
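To make the pairwise check concrete, here is a toy Python model added for this page. It is not flict's code and not its compatibility data: the six-license matrix and the relicensing map below are hand-written assumptions that cover only the licenses on slides 27, 29 and 30, and the example reproduces those four outputs (flict itself works from a much larger matrix). In this toy, an expression is "compatible" when at least one outbound candidate exists, which is how slides 29 and 30 read.

```python
# Toy model of a pairwise license-compatibility check (added example, not flict's
# code). The matrix is a hand-picked subset for the licenses on the slides; it is
# NOT flict's matrix nor OSADL's. Each entry answers: may code under the inbound
# license be included in a work distributed under the outbound license?
LICENSES = ["MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
            "GPL-3.0-only", "GPL-3.0-or-later"]

# inbound license -> set of outbound licenses it may be combined into (assumed)
COMPATIBLE_OUTBOUND = {
    "MIT":              set(LICENSES),
    "Apache-2.0":       {"Apache-2.0", "GPL-3.0-only", "GPL-3.0-or-later"},
    "GPL-2.0-only":     {"GPL-2.0-only"},
    "GPL-2.0-or-later": {"GPL-2.0-only", "GPL-2.0-or-later",
                         "GPL-3.0-only", "GPL-3.0-or-later"},
    "GPL-3.0-only":     {"GPL-3.0-only"},
    "GPL-3.0-or-later": {"GPL-3.0-only", "GPL-3.0-or-later"},
}

# "or-later" licenses may be relicensed to a later version (assumed mapping,
# mirrors what slide 27 shows with and without -nr).
RELICENSE = {"GPL-2.0-or-later": ["GPL-3.0-or-later"]}


def parse_and_expression(expr):
    """Split 'A AND B AND C' into its licenses (AND-only expressions, as on the slides)."""
    parts = [p.strip() for p in expr.split(" AND ")]
    unknown = [p for p in parts if p not in COMPATIBLE_OUTBOUND]
    if unknown:
        raise ValueError(f"license(s) not in matrix: {unknown}")
    return parts


def compatible(inbound, outbound):
    """Pairwise check: one inbound license against one outbound license."""
    return outbound in COMPATIBLE_OUTBOUND[inbound]


def outbound_candidates(expr, relicense=True):
    """Licenses the combined work may be distributed under: every license in the
    expression (plus relicensing targets when allowed) that ALL inbound licenses
    are compatible with. Result is ordered like LICENSES for stable output."""
    inbound = parse_and_expression(expr)
    candidates = list(inbound)
    if relicense:
        for lic in inbound:
            candidates += RELICENSE.get(lic, [])
    candidates = [c for c in LICENSES if c in candidates]   # dedupe + stable order
    return [c for c in candidates if all(compatible(i, c) for i in inbound)]


def verify(expr):
    """Mimic 'flict verify -le': compatible when some outbound candidate exists."""
    return len(outbound_candidates(expr)) > 0


if __name__ == "__main__":
    for e in ["GPL-2.0-or-later AND MIT",
              "Apache-2.0 AND GPL-3.0-only AND MIT",
              "Apache-2.0 AND GPL-2.0-only"]:
        print(e, "->", "compatible" if verify(e) else "not compatible",
              outbound_candidates(e))
```

Note what the matrix encodes: Apache-2.0 is incompatible with GPL-2.0-only but fine under GPL-3.0, and a GPL-2.0-or-later inbound only yields a GPL-3.0-or-later outbound when relicensing is allowed, which is exactly the difference between the two `outbound-candidate` runs on slide 27. As the slide says, any candidate list still needs manual review.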
41. flict – bigger projects
● Epiphany
  – Plain Yocto + Epiphany
  – Build and analyse Epiphany to identify dependencies
43. flict – bigger projects
● Dependency tree has 1145 OR (|) statements
● 2^1145 combinations
● 477908808537867730250253075931294740696373544870631242579651543522810139031968424388959874516859154627467535209949289426128586002773719926955731381954770513172378695089692359789920181226687143746969162594858030641313420141209638270226938532471093928475780015389646592747068770339966031235258169598202556542676142446631519869255297800073570680832 combinations
44. flict – bigger projects
● Dependency tree has 1145 OR (|) statements
  – 2^1145 combinations (the 345-digit number on the previous slide)
● Flatten the dependency tree
  – 75 deps, 9 combinations
45. flict – Yocto build
● identify packages
● for each package
  – identify dependencies
  – copyright (c)
  – license
  – create flict project files
  – check compatibility
“Can we use this and that software?”
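The following Python example is added here to show the last steps of that procedure on a constructed five-package build, and why the flattening on slides 43 and 44 matters: the raw tree repeats shared dependencies under every parent, so each repeated OR is counted again, whereas the flattened tree leaves one choice per package. It is not flict's code and not the Epiphany analysis from the slides. The package names, licenses and dependencies are made up; the `|`/`&` to `OR`/`AND` translation is the usual Yocto LICENSE syntax; and the flict project-file layout (`{"project": {"name", "license", "dependencies": [...]}}`) is assumed from flict's documentation, so check it against the version you run.

```python
import json
from functools import reduce
from operator import mul

# Constructed sample of what a Yocto build reports per package: the recipe's
# LICENSE string (Yocto syntax: "|" = alternative, "&" = conjunction) and the
# packages it depends on. Names and licenses are made up for this example.
PACKAGES = {
    "app":         ("GPL-2.0-or-later",        ["libui", "libnet"]),
    "libui":       ("LGPL-2.1-only | MPL-1.1", ["libcompress", "libhash"]),
    "libnet":      ("Apache-2.0 | MIT",        ["libcompress", "libhash"]),
    "libcompress": ("Zlib",                    ["libhash"]),
    "libhash":     ("BSD-2-Clause | MIT",      []),
}


def to_spdx(yocto_license):
    """Translate a Yocto LICENSE string into the SPDX expression flict expects."""
    return " ".join({"|": "OR", "&": "AND"}.get(tok, tok)
                    for tok in yocto_license.split())


def alternatives(spdx_license):
    """Top-level 'A OR B' choices; an AND-only or single license is one choice.
    (Parenthesised sub-expressions are not handled here; flict parses those.)"""
    return [alt.strip() for alt in spdx_license.split(" OR ")]


def project_tree(name, seen=()):
    """Recursive dependency tree in the (assumed) flict project-entry shape.
    Shared dependencies are repeated under every parent, as in a raw tree."""
    if name in seen:                       # guard against cyclic RDEPENDS
        raise ValueError(f"dependency cycle at {name}")
    license_, deps = PACKAGES[name]
    return {"name": name,
            "license": to_spdx(license_),
            "dependencies": [project_tree(d, seen + (name,)) for d in deps]}


def project_file(name):
    """JSON text of a flict project file for `name` (layout assumed, see lead-in)."""
    return json.dumps({"project": project_tree(name)}, indent=2)


def walk(tree):
    """Every node of the raw tree, including repeated occurrences."""
    yield tree
    for dep in tree["dependencies"]:
        yield from walk(dep)


def count_or_nodes(tree):
    """OR statements in the raw tree, counting each repeated occurrence (slide 43)."""
    return sum(1 for n in walk(tree) if len(alternatives(n["license"])) > 1)


def naive_combinations(tree):
    """Combinations if every occurrence of a multi-licensed package is chosen separately."""
    return reduce(mul, (len(alternatives(n["license"])) for n in walk(tree)), 1)


def flatten(tree):
    """Collapse the tree into one license expression per unique package (slide 44)."""
    return {n["name"]: n["license"] for n in walk(tree)}


def flat_combinations(tree):
    """Combinations after flattening: one choice per package, not per occurrence."""
    return reduce(mul, (len(alternatives(lic)) for lic in flatten(tree).values()), 1)


if __name__ == "__main__":
    tree = project_tree("app")
    print(project_file("app"))
    print("OR statements in raw tree:", count_or_nodes(tree))         # 6
    print("naive combinations:", naive_combinations(tree))            # 2**6 == 64
    print("unique packages:", len(flatten(tree)))                     # 5
    print("combinations after flattening:", flat_combinations(tree))  # 8
```

Here `libhash` is dual-licensed and reachable by four paths, so the raw tree holds six OR statements (2^6 = 64 combinations) while the flattened tree has five packages and eight combinations; the same effect is what took the Epiphany tree from 1145 OR statements to 9 combinations on slide 44. The JSON from `project_file` is what you would hand to flict's verify command in place of `-le` (see `flict verify --help` for the project-file option), which performs the "check compatibility" step.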
46. flict – SBoM (SPDX)
● Verify an SBoM (SPDX 2.2, JSON) with dependencies (relationships)
  – not straight out of the box, but with spdx-validator
48. flict – in the making
● One more attempt at codifying the terms – possibly starting with OSADL’s work
● Looking at defining classifications (groups) and using Scancode’s license database
  – e.g. “Permissive”
$ flict -of text -es list | grep Permissive | wc -l
731
● Possible integration with other tools :)
● Verify RPM
rpm2flict.sh cairo | jq ….
GPL-2.0-or-later
GPL-3.0-or-later
49. Problems with licenses
● a project’s license is not always stated correctly on the homepage or in the LICENSE file - you need to check for yourself
● a project can consist of many packages (e.g. Cairo has libcairo2, libcairo-gobject2 ...) that are not always under the same license
● dependencies are not always easy to find - they may need to be identified during the build