SlideShare a Scribd company logo

Open Source License Compliance with AGL

Download as PPTX, PDF
P
Paul Barker

If you distribute a product that runs an open source software stack such as Automotive Grade Linux (AGL) then you have obligations to fulfill under the GPL and other open source licenses. Thankfully, AGL is built upon the Yocto Project which provides tooling to help you achieve this. Paul will present an overview of the license compliance tools available to users of AGL and show how they can be used. Paul will highlight best practices to follow and potential pitfalls to avoid. Paul will discuss how to handle modern programming languages such as Go, Javascript, and Rust and how to deal with common concerns such as commercially licensed media codecs and GPLv3 licensed software components. He will also bring the audience up to date with the latest developments and ongoing upstream work in Yocto Project which will be available to AGL users in the future. This talk will not give legal advice.

Software
1 of 36
Paul Barker Principal Engineer Konsulko Group Open Source License Compliance with AGL
About Me •Involved in Yocto Project since 2013 •Work across the whole embedded stack •Principal Engineer @ Konsulko Group •Web: https://www.konsulko.com/ •Email: pbarker@konsulko.com
Disclaimer •I am not a lawyer •This presentation is not legal advice •Best practices are given based on my experience as a developer and an open source community member •If in doubt, consult an appropriate lawyer
About This Talk •Best practices and pitfalls to avoid • Not specific to AGL •License Compliance in AGL & Yocto Project • Available tools • Ongoing and future work
Why Care •Selling an embedded device typically involves distribution of open source software •This carries the risk of legal action if not done properly •Doing this right gives you standing in the community •Need to keep sources anyway so you can rebuild old releases with minor changes • For debugging • To satisfy customer requests •Sources often disappear from the internet
The Fundamentals •Provide license text and notices (BSD, MIT, etc) • On device? • In documentation? • On website? •Provide Complete Corresponding Source (GPL) • Published directly? • Via an offer letter?
The Distributed Image •This is the image that’s actually distributed •For devices: What is on the device when it is shipped to a customer? •For downloads: What is in the file a customer downloads?
Single Command Build •Probably the most important practice •Reduces human error in build/release process
Test Your Releases! •Your build/release process is non trivial •It needs tests! • Check for expected artifacts • Check inside tarballs as well • Check you can rebuild from source releases •Automate your tests
Use Your Build System •Build the Distributed Image with Yocto Project, Buildroot, etc •Avoid modifying this image in a post-build script • Lose access to the tools in your build system • Easy to break license compliance this way •You can move, copy, compress, etc the image in a post-build script
Factory Test •What happens on device between initial image programming and distribution? •On-device package management at this stage complicates things • Again, very easy to break license compliance •Try to limit additional data added at this stage • Configuration data, calibration data, etc is fine
Proprietary Components •License compliance also means not releasing source for proprietary components • You need some filtering •Test for accidental release! •May be useful to have a separate pure open source image
Source Patches •Remember to include these with sources •Watch out for hidden patches • Use of sed or similar tools in recipes or build scripts •Make sure your system records the patch order
Recipes and Build Scripts •GPLv2 says to include “scripts used to control compilation and installation” •This may include full Yocto Project layers & bitbake, full buildroot tree, etc as appropriate •There are different interpretations here • I am not a lawyer
Docker •A Dockerfile is not the Complete Corresponding Source for an image •You may not even know exactly what is installed in your base image (FROM statement) •Watch out when using containers in Embedded Linux
Pre-compiled Toolchains •E.g. ARM toolchain, Linaro toolchain • Built around gcc, glibc, etc •Libraries from this toolchain typically end up in the distributed image •Remember to capture the source code for this • May not be well automated
Language-Specific Package Managers •E.g. NPM, Cargo, etc •These often have issues • May not support offline compilation well • May not offer an easy way to get the license text and/or correct source for dependencies •You need to do your own research here
Makefiles •Watch out for unadvertised network access in Makefiles or other build scripts • May download additional sources with different license conditions • May use online tools during build process, breaking offline builds •Every sin you can think of exists in a project Makefile somewhere
Metadata Bugs •Licenses given in recipes may be incorrect or incomplete • This does happen! •Follow stable updates where possible •For major commercial projects you should do your own verification • Fossology can be useful here
Metadata Advice •Avoid `LICENSE = “CLOSED”` • Give your proprietary license a name and include it • CLOSED disables license checksum verification •Avoid `SRCREV = “AUTOREV”` in releases • Too easy to mismatch images and released source • Rebuilding the image in several months may give a different result
Common Licenses •LICENSE_PATH is a space separated list of directories to search for generic license text •A layer can have its own directory for license text • Extend LICENSE_PATH in layer.conf •Use this instead of `CLOSED` or `Proprietary` licenses if possible
Unique Licenses •NO_GENERIC_LICENSE allows license text to be copied from the package source • Set `LICENSE = "blah"` • Set `NO_GENERIC_LICENSE[blah] = "blah_license.txt"` •Use this rather than ignoring warnings • Makes it easier to audit and to capture license text properly later
Providing License Text •Many licenses require you to provide the license text and copyright notice(s) along with compiled binaries. •Copy ${DEPLOY_DIR}/licenses after building an image • May need some pre- & post-processing •Include license text in images • Set COPY_LIC_MANIFEST = "1" & COPY_LIC_DIRS = "1" • Places files into /usr/share/common-licenses •Create license packages • Set LICENSE_CREATE_PACKAGE = "1" • Places license text in /usr/share/licenses • Provides an upgrade path for license text
Providing Sources •Copyleft licenses typically require you to provide source code (including any modifications) along with compiled binaries. •Yocto Project supports this with the archiver class •Set `INHERIT += "archiver"` and choose the mode: • ARCHIVER_MODE = "original" • ARCHIVER_MODE = "patched" • ARCHIVER_MODE = "configured" • ARCHIVER_MODE = "mirror" •The archiver can be configured further
Shallow Mirror Tarballs •By default, git mirror tarballs contain full history •Set the following to enable: • BB_GIT_SHALLOW = "1" • BB_GENERATE_SHALLOW_TARBALLS = "1" •Can save a lot of space in a mirror • 7.5 GB -> 1 GB in one recent project • Works well with the mirror archiver
Copyleft Filtering •COPYLEFT_LICENSE_INCLUDE • Defaults to `GPL* LGPL* AGPL*` •COPYLEFT_LICENSE_EXCLUDE • Defaults to `CLOSED Proprietary` •COPYLEFT_RECIPE_TYPES • Defaults to target only • Can add native, nativesdk, cross, crosssdk, cross-canadian
Providing Layers •The best way to capture recipes and patches •Publish as much of your layers as possible • Either as tarballs or full git repositories • Add them to the layer index if they’re open source (https://layers.openembedded.org) •Isolate proprietary recipes from open source recipes
Local Configuration •When providing layers, watch out for changes in local.conf •Two possible solutions: • Version control local.conf • Capture local.conf as part of the build •Also consider including bblayers.conf
Excluding Unwanted Licenses •The INCOMPATIBLE_LICENSE variable allows recipes to be excluded by license • Prevents accidental inclusion of unwanted code •Applies to target packages only •meta-gplv2 layer may be needed if excluding GPL 3.0 or later •Values should be standardised on the SPDX License List to avoid confusion • See https://spdx.org/licenses/
License Flags •Another method of excluding recipes by license class •May be used to highlight non-copyright issues • Patented algorithms • Commercial license / EULA •Flagged recipes are excluded by default • Set LICENSE_FLAGS_WHITELIST to enable them
Issues with Language Package Managers •Many newer languages use their own package managers • Go, NPM (nodejs), Cargo (Rust) •These present issues for Embedded development and license compliance • These just don’t seem to be first class concerns •Features we need from these package managers • Offline build support • Download source archive • Including license text & other collateral • HTTP/HTTPS proxy support • Source mirror support
Generating SPDX Documents •SPDX (https://spdx.dev/) is “An open standard for communicating software bill of material information, including components, licenses, copyrights, and security references.” •SPDX is supported in Yocto Project by the meta-spdxscanner layer • Provides tools to scan source code for licenses and work with SPDX documents • These processes are typically slow • May extend build times by several hours • Usable on release builds, may be intolerable on day-to-day dev builds • See http://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/ •Supports scancode-toolkit for SPDX document generation • Set INHERIT += "scancode-tk" in local.conf • Or use inherit scancode-tk in desired recipes • See https://scancode-toolkit.readthedocs.io/en/latest/
Integrating with Fossology •Fossology is a more fully featured system for compliance scanning and signoff • Runs as a service with a web interface and an API •Integration is also provided by the meta-spdxscanner layer • fossology-python or fossology-rest bbclasses may be used • Upload source code to a Fossology instance •Scanning, review and document generation is done asynchronously through the Fossology interface • SPDX documents are not generated directly as part of the Yocto Project build •See https://www.fossology.org/
Future Work •Better integration with language package managers • May require changes to NPM, Cargo, etc •Automatic generation of a plain text or HTML license document for an image •Integration with other license compliance tooling • OSS Review Toolkit (https://github.com/oss-review-toolkit/ort) •License scanning & SPDX document generation for Yocto Project releases • Provide a feedback loop to confirm license metadata in recipes is correct • Non-trivial!
Q & A

Recommended

Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Clark Everetts
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017
Clark Everetts
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
E. Camden Fisher
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)
yalini97
 
Artifactory Essentials Workshop on August 27, 2020 by JFrog
Artifactory Essentials Workshop on August 27, 2020 by JFrogArtifactory Essentials Workshop on August 27, 2020 by JFrog
Artifactory Essentials Workshop on August 27, 2020 by JFrog
Cloud Study Network
 
BP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
BP-10 Keeping Your Sanity – Rapid Development & Deployment ToolsBP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
BP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
Alfresco Software
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and Tricks
Kellyn Pot'Vin-Gorman
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era
nexB Inc.
 

Recommended

Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Clark Everetts
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017
Clark Everetts
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
E. Camden Fisher
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)
yalini97
 
Artifactory Essentials Workshop on August 27, 2020 by JFrog
Artifactory Essentials Workshop on August 27, 2020 by JFrogArtifactory Essentials Workshop on August 27, 2020 by JFrog
Artifactory Essentials Workshop on August 27, 2020 by JFrog
Cloud Study Network
 
BP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
BP-10 Keeping Your Sanity – Rapid Development & Deployment ToolsBP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
BP-10 Keeping Your Sanity – Rapid Development & Deployment Tools
Alfresco Software
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and Tricks
Kellyn Pot'Vin-Gorman
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era
nexB Inc.
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
Jeremy Brown
 
Creating and Maintaining an Open Source Library
Creating and Maintaining an Open Source LibraryCreating and Maintaining an Open Source Library
Creating and Maintaining an Open Source Library
Nicholas Schweitzer
 
Repository Management with JFrog Artifactory
Repository Management with JFrog ArtifactoryRepository Management with JFrog Artifactory
Repository Management with JFrog Artifactory
Stephen Chin
 
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
Baruch Sadogursky
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019
Morgan Roman
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?
Bruno Capuano
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub Explained
Howard Greenberg
 
Continuous integration and delivery for java based web applications
Continuous integration and delivery for java based web applicationsContinuous integration and delivery for java based web applications
Continuous integration and delivery for java based web applications
Sunil Dalal
 
Enterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private RegistryEnterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private Registry
Chris Riley ☁
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
adamleff
 
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
Symphony Software Foundation
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2
Vincent Mercier
 
Giving back with GitHub - Putting the Open Source back in iOS
Giving back with GitHub - Putting the Open Source back in iOSGiving back with GitHub - Putting the Open Source back in iOS
Giving back with GitHub - Putting the Open Source back in iOS
Madhava Jay
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The Basics
John Smith
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17x
Mandi Walls
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
Howard Greenberg
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
Stefano Bonetta
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
Howard Greenberg
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
dotCloud
 
License compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto projectLicense compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto project
Paul Barker
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 

More Related Content

What's hot

Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
Jeremy Brown
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
Howard Greenberg
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
Stefano Bonetta
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
dotCloud
 

What's hot (20)

Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
Creating and Maintaining an Open Source Library
Creating and Maintaining an Open Source LibraryCreating and Maintaining an Open Source Library
Creating and Maintaining an Open Source Library
 
Repository Management with JFrog Artifactory
Repository Management with JFrog ArtifactoryRepository Management with JFrog Artifactory
Repository Management with JFrog Artifactory
 
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
[Webinar] The Frog And The Butler: CI Pipelines For Modern DevOps
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
 
Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?Que nos espera a los ALM Dudes para el 2013?
Que nos espera a los ALM Dudes para el 2013?
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub Explained
 
Continuous integration and delivery for java based web applications
Continuous integration and delivery for java based web applicationsContinuous integration and delivery for java based web applications
Continuous integration and delivery for java based web applications
 
Enterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private RegistryEnterprise Docker Requires a Private Registry
Enterprise Docker Requires a Private Registry
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
 
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
Gabriele Columbro - Maurizio Pillitu - Get your Alfresco project from Zero to...
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2
 
Giving back with GitHub - Putting the Open Source back in iOS
Giving back with GitHub - Putting the Open Source back in iOSGiving back with GitHub - Putting the Open Source back in iOS
Giving back with GitHub - Putting the Open Source back in iOS
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The Basics
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17x
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
 

Similar to Open Source License Compliance with AGL

License compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto projectLicense compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto project
Paul Barker
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Use Docker to Enhance Your Testing
Use Docker to Enhance Your TestingUse Docker to Enhance Your Testing
Use Docker to Enhance Your Testing
TechWell
 
yocto_scale_handout-with-notes
yocto_scale_handout-with-notesyocto_scale_handout-with-notes
yocto_scale_handout-with-notes
Steve Arnold
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
Dave Ward
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
BYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFiBYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFi
DataWorks Summit
 

Similar to Open Source License Compliance with AGL (20)

License compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto projectLicense compliance in embedded linux with the yocto project
License compliance in embedded linux with the yocto project
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Building and Releasing a Golang CLI Tool
Building and Releasing a Golang CLI ToolBuilding and Releasing a Golang CLI Tool
Building and Releasing a Golang CLI Tool
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for Docker
 
Use Docker to Enhance Your Testing
Use Docker to Enhance Your TestingUse Docker to Enhance Your Testing
Use Docker to Enhance Your Testing
 
yocto_scale_handout-with-notes
yocto_scale_handout-with-notesyocto_scale_handout-with-notes
yocto_scale_handout-with-notes
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Security for devs
Security for devsSecurity for devs
Security for devs
 
Building foundations
Building foundationsBuilding foundations
Building foundations
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Beyond Domino Designer
Beyond Domino DesignerBeyond Domino Designer
Beyond Domino Designer
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
 
BYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFiBYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFi
 
vBrownBag - Scripting and Versioning with PowerShell ISE and Git Shell
vBrownBag - Scripting and Versioning with PowerShell ISE and Git ShellvBrownBag - Scripting and Versioning with PowerShell ISE and Git Shell
vBrownBag - Scripting and Versioning with PowerShell ISE and Git Shell
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
 
Sitecore development approach evolution – destination helix
Sitecore development approach evolution – destination helixSitecore development approach evolution – destination helix
Sitecore development approach evolution – destination helix
 
habitat at docker bud
habitat at docker budhabitat at docker bud
habitat at docker bud
 
GitHub Gone Wrong - Lessons learned from organic open source
GitHub Gone Wrong - Lessons learned from organic open sourceGitHub Gone Wrong - Lessons learned from organic open source
GitHub Gone Wrong - Lessons learned from organic open source
 
DCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityDCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production Parity
 

Recently uploaded

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Recently uploaded (20)

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
WSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - Kanchana
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...
 

Open Source License Compliance with AGL

  • 1.
  • 2. Paul Barker Principal Engineer Konsulko Group Open Source License Compliance with AGL
  • 3. About Me •Involved in Yocto Project since 2013 •Work across the whole embedded stack •Principal Engineer @ Konsulko Group •Web: https://www.konsulko.com/ •Email: pbarker@konsulko.com
  • 4. Disclaimer •I am not a lawyer •This presentation is not legal advice •Best practices are given based on my experience as a developer and an open source community member •If in doubt, consult an appropriate lawyer
  • 5. About This Talk •Best practices and pitfalls to avoid • Not specific to AGL •License Compliance in AGL & Yocto Project • Available tools • Ongoing and future work
  • 6. Why Care •Selling an embedded device typically involves distribution of open source software •This carries the risk of legal action if not done properly •Doing this right gives you standing in the community •Need to keep sources anyway so you can rebuild old releases with minor changes • For debugging • To satisfy customer requests •Sources often disappear from the internet
  • 7. The Fundamentals •Provide license text and notices (BSD, MIT, etc) • On device? • In documentation? • On website? •Provide Complete Corresponding Source (GPL) • Published directly? • Via an offer letter?
  • 8. The Distributed Image •This is the image that’s actually distributed •For devices: What is on the device when it is shipped to a customer? •For downloads: What is in the file a customer downloads?
  • 9. Single Command Build •Probably the most important practice •Reduces human error in build/release process
  • 10. Test Your Releases! •Your build/release process is non trivial •It needs tests! • Check for expected artifacts • Check inside tarballs as well • Check you can rebuild from source releases •Automate your tests
  • 11. Use Your Build System •Build the Distributed Image with Yocto Project, Buildroot, etc •Avoid modifying this image in a post-build script • Lose access to the tools in your build system • Easy to break license compliance this way •You can move, copy, compress, etc the image in a post-build script
  • 12. Factory Test •What happens on device between initial image programming and distribution? •On-device package management at this stage complicates things • Again, very easy to break license compliance •Try to limit additional data added at this stage • Configuration data, calibration data, etc is fine
  • 13. Proprietary Components •License compliance also means not releasing source for proprietary components • You need some filtering •Test for accidental release! •May be useful to have a separate pure open source image
  • 14. Source Patches •Remember to include these with sources •Watch out for hidden patches • Use of sed or similar tools in recipes or build scripts •Make sure your system records the patch order
  • 15. Recipes and Build Scripts •GPLv2 says to include “scripts used to control compilation and installation” •This may include full Yocto Project layers & bitbake, full buildroot tree, etc as appropriate •There are different interpretations here • I am not a lawyer
  • 16. Docker •A Dockerfile is not the Complete Corresponding Source for an image •You may not even know exactly what is installed in your base image (FROM statement) •Watch out when using containers in Embedded Linux
  • 17. Pre-compiled Toolchains •E.g. ARM toolchain, Linaro toolchain • Built around gcc, glibc, etc •Libraries from this toolchain typically end up in the distributed image •Remember to capture the source code for this • May not be well automated
  • 18. Language-Specific Package Managers •E.g. NPM, Cargo, etc •These often have issues • May not support offline compilation well • May not offer an easy way to get the license text and/or correct source for dependencies •You need to do your own research here
  • 19. Makefiles •Watch out for unadvertised network access in Makefiles or other build scripts • May download additional sources with different license conditions • May use online tools during build process, breaking offline builds •Every sin you can think of exists in a project Makefile somewhere
  • 20. Metadata Bugs •Licenses given in recipes may be incorrect or incomplete • This does happen! •Follow stable updates where possible •For major commercial projects you should do your own verification • Fossology can be useful here
  • 21. Metadata Advice •Avoid `LICENSE = “CLOSED”` • Give your proprietary license a name and include it • CLOSED disables license checksum verification •Avoid `SRCREV = “AUTOREV”` in releases • Too easy to mismatch images and released source • Rebuilding the image in several months may give a different result
  • 22. Common Licenses •LICENSE_PATH is a space separated list of directories to search for generic license text •A layer can have its own directory for license text • Extend LICENSE_PATH in layer.conf •Use this instead of `CLOSED` or `Proprietary` licenses if possible
  • 23. Unique Licenses •NO_GENERIC_LICENSE allows license text to be copied from the package source • Set `LICENSE = "blah"` • Set `NO_GENERIC_LICENSE[blah] = "blah_license.txt"` •Use this rather than ignoring warnings • Makes it easier to audit and to capture license text properly later
  • 24. Providing License Text •Many licenses require you to provide the license text and copyright notice(s) along with compiled binaries. •Copy ${DEPLOY_DIR}/licenses after building an image • May need some pre- & post-processing •Include license text in images • Set COPY_LIC_MANIFEST = "1" & COPY_LIC_DIRS = "1" • Places files into /usr/share/common-licenses •Create license packages • Set LICENSE_CREATE_PACKAGE = "1" • Places license text in /usr/share/licenses • Provides an upgrade path for license text
  • 25. Providing Sources •Copyleft licenses typically require you to provide source code (including any modifications) along with compiled binaries. •Yocto Project supports this with the archiver class •Set `INHERIT += "archiver"` and choose the mode: • ARCHIVER_MODE = "original" • ARCHIVER_MODE = "patched" • ARCHIVER_MODE = "configured" • ARCHIVER_MODE = "mirror" •The archiver can be configured further
  • 26. Shallow Mirror Tarballs •By default, git mirror tarballs contain full history •Set the following to enable: • BB_GIT_SHALLOW = "1" • BB_GENERATE_SHALLOW_TARBALLS = "1" •Can save a lot of space in a mirror • 7.5 GB -> 1 GB in one recent project • Works well with the mirror archiver
  • 27. Copyleft Filtering •COPYLEFT_LICENSE_INCLUDE • Defaults to `GPL* LGPL* AGPL*` •COPYLEFT_LICENSE_EXCLUDE • Defaults to `CLOSED Proprietary` •COPYLEFT_RECIPE_TYPES • Defaults to target only • Can add native, nativesdk, cross, crosssdk, cross-canadian
  • 28. Providing Layers •The best way to capture recipes and patches •Publish as much of your layers as possible • Either as tarballs or full git repositories • Add them to the layer index if they’re open source (https://layers.openembedded.org) •Isolate proprietary recipes from open source recipes
  • 29. Local Configuration •When providing layers, watch out for changes in local.conf •Two possible solutions: • Version control local.conf • Capture local.conf as part of the build •Also consider including bblayers.conf
  • 30. Excluding Unwanted Licenses •The INCOMPATIBLE_LICENSE variable allows recipes to be excluded by license • Prevents accidental inclusion of unwanted code •Applies to target packages only •meta-gplv2 layer may be needed if excluding GPL 3.0 or later •Values should be standardised on the SPDX License List to avoid confusion • See https://spdx.org/licenses/
  • 31. License Flags •Another method of excluding recipes by license class •May be used to highlight non-copyright issues • Patented algorithms • Commercial license / EULA •Flagged recipes are excluded by default • Set LICENSE_FLAGS_WHITELIST to enable them
  • 32. Issues with Language Package Managers •Many newer languages use their own package managers • Go, NPM (nodejs), Cargo (Rust) •These present issues for Embedded development and license compliance • These just don’t seem to be first class concerns •Features we need from these package managers • Offline build support • Download source archive • Including license text & other collateral • HTTP/HTTPS proxy support • Source mirror support
  • 33. Generating SPDX Documents •SPDX (https://spdx.dev/) is “An open standard for communicating software bill of material information, including components, licenses, copyrights, and security references.” •SPDX is supported in Yocto Project by the meta-spdxscanner layer • Provides tools to scan source code for licenses and work with SPDX documents • These processes are typically slow • May extend build times by several hours • Usable on release builds, may be intolerable on day-to-day dev builds • See http://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/ •Supports scancode-toolkit for SPDX document generation • Set INHERIT += "scancode-tk" in local.conf • Or use inherit scancode-tk in desired recipes • See https://scancode-toolkit.readthedocs.io/en/latest/
  • 34. Integrating with Fossology •Fossology is a more fully featured system for compliance scanning and signoff • Runs as a service with a web interface and an API •Integration is also provided by the meta-spdxscanner layer • fossology-python or fossology-rest bbclasses may be used • Upload source code to a Fossology instance •Scanning, review and document generation is done asynchronously through the Fossology interface • SPDX documents are not generated directly as part of the Yocto Project build •See https://www.fossology.org/
  • 35. Future Work •Better integration with language package managers • May require changes to NPM, Cargo, etc •Automatic generation of a plain text or HTML license document for an image •Integration with other license compliance tooling • OSS Review Toolkit (https://github.com/oss-review-toolkit/ort) •License scanning & SPDX document generation for Yocto Project releases • Provide a feedback loop to confirm license metadata in recipes is correct • Non-trivial!
  • 36. Q & A